Canonical CVE OVAL Generator
2
5.11.1
2026-05-22T09:23:28
Check that Ubuntu 26.04 LTS (resolute) is installed.
CVE-2002-2439 on Ubuntu 26.04 LTS (resolute) - low
operator new[] sometimes returns pointers to heap blocks which are too small. When a new array is allocated, the C++ run-time has to calculate its size. The product may exceed the maximum value which can be stored in a machine register. This error is ignored, and the truncated value is used for the heap allocation. This may lead to heap overflows and therefore security bugs. (See http://cert.uni-stuttgart.de/advisories/calloc.php for further references.)
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-10-23 18:15:00 UTC
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351
https://bugzilla.redhat.com/show_bug.cgi?id=850911
CVE-2002-2439
CVE-2006-20001 on Ubuntu 26.04 LTS (resolute) - medium
A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.
Update Instructions:
Run `sudo pro fix CVE-2006-20001` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.55-1ubuntu1
apache2-bin - 2.4.55-1ubuntu1
apache2-data - 2.4.55-1ubuntu1
apache2-suexec-custom - 2.4.55-1ubuntu1
apache2-suexec-pristine - 2.4.55-1ubuntu1
apache2-utils - 2.4.55-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-17 20:15:00 UTC
2023-01-17 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-5834-1]
[https://ubuntu.com/security/notices/USN-5839-1]
CVE-2006-20001
CVE-2007-0255 on Ubuntu 26.04 LTS (resolute) - medium
XINE 0.99.4 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a certain M3U file that contains a long #EXTINF line and contains format string specifiers in an invalid udp:// URI, possibly a variant of CVE-2007-0017.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2007 Canonical Ltd.
2007-01-16 23:28:00 UTC
CVE-2007-0255
CVE-2007-5109 on Ubuntu 26.04 LTS (resolute) - low
Cross-site request forgery (CSRF) vulnerability in index.php in FlatNuke 2.6, and possibly 3, allows remote attackers to change the password and privilege level of arbitrary accounts via the user parameter and modified (1) regpass and (2) level parameters in a none_Login action, as demonstrated by using a Flash object to automatically make the request.
Ubuntu 26.04 LTS
Low
Copyright (C) 2007 Canonical Ltd.
2007-09-26 23:17:00 UTC
CVE-2007-5109
CVE-2008-4392 on Ubuntu 26.04 LTS (resolute) - medium
dnscache in Daniel J. Bernstein djbdns 1.05 does not prevent simultaneous identical outbound DNS queries, which makes it easier for remote attackers to spoof DNS responses, as demonstrated by a spoofed A record in the Additional section of a response to a Start of Authority (SOA) query.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2009 Canonical Ltd.
2009-02-19 16:30:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516394
CVE-2008-4392
CVE-2008-5144 on Ubuntu 26.04 LTS (resolute) - negligible
nvidia-cg-toolkit-installer in nvidia-cg-toolkit 2.0.0015 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/nvidia-cg-toolkit-manifest temporary file.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2008 Canonical Ltd.
2008-11-18 16:00:00 UTC
CVE-2008-5144
CVE-2008-5146 on Ubuntu 26.04 LTS (resolute) - negligible
add-accession-numbers in ctn 3.0.6 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/accession temporary file.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2008 Canonical Ltd.
2008-11-18 16:00:00 UTC
CVE-2008-5146
CVE-2008-5150 on Ubuntu 26.04 LTS (resolute) - negligible
sample.sh in maildirsync 1.1 allows local users to append data to arbitrary files via a symlink attack on a /tmp/maildirsync-*.#####.log temporary file.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2008 Canonical Ltd.
2008-11-18 16:00:00 UTC
CVE-2008-5150
CVE-2008-5152 on Ubuntu 26.04 LTS (resolute) - negligible
inmail-show in mh-book 200605 allows local users to overwrite arbitrary files via a symlink attack on a (1) /tmp/inmail#####.log or (2) /tmp/inmail#####.stdin temporary file.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2008 Canonical Ltd.
2008-11-18 16:00:00 UTC
CVE-2008-5152
CVE-2009-3560 on Ubuntu 26.04 LTS (resolute) - medium
The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720.
Update Instructions:
Run `sudo pro fix CVE-2009-3560` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.0.1-7ubuntu1
libexpat1 - 2.0.1-7ubuntu1
No subscription required
libxmlrpc-c++9 - 1.06.27-1ubuntu7
libxmlrpc-core-c3t64 - 1.06.27-1ubuntu7
libxmlrpc-util4 - 1.06.27-1ubuntu7
xmlrpc-api-utils - 1.06.27-1ubuntu7
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2009 Canonical Ltd.
2009-12-04
2009-12-04
[https://ubuntu.com/security/notices/USN-890-1]
[https://ubuntu.com/security/notices/USN-890-2]
[https://ubuntu.com/security/notices/USN-890-3]
[https://ubuntu.com/security/notices/USN-890-4]
[https://ubuntu.com/security/notices/USN-890-5]
[https://ubuntu.com/security/notices/USN-890-6]
CVE-2009-3560
CVE-2009-3603 on Ubuntu 26.04 LTS (resolute) - medium
Integer overflow in the SplashBitmap::SplashBitmap function in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1 might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1188.
Update Instructions:
Run `sudo pro fix CVE-2009-3603` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-poppler-0.18 - 0.12.2-2.1ubuntu1
libpoppler-cpp2 - 0.12.2-2.1ubuntu1
libpoppler-glib8t64 - 0.12.2-2.1ubuntu1
libpoppler-qt5-1t64 - 0.12.2-2.1ubuntu1
libpoppler-qt6-3t64 - 0.12.2-2.1ubuntu1
libpoppler147 - 0.12.2-2.1ubuntu1
poppler-utils - 0.12.2-2.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2009 Canonical Ltd.
2009-10-21
2009-10-21
[https://ubuntu.com/security/notices/USN-850-1]
[https://ubuntu.com/security/notices/USN-850-3]
CVE-2009-3603
CVE-2009-3604 on Ubuntu 26.04 LTS (resolute) - medium
The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x before 3.02pl4, and Poppler 0.x, as used in GPdf and kdegraphics KPDF, does not properly allocate memory, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document that triggers a NULL pointer dereference or a heap-based buffer overflow.
Update Instructions:
Run `sudo pro fix CVE-2009-3604` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-poppler-0.18 - 0.12.2-2.1ubuntu1
libpoppler-cpp2 - 0.12.2-2.1ubuntu1
libpoppler-glib8t64 - 0.12.2-2.1ubuntu1
libpoppler-qt5-1t64 - 0.12.2-2.1ubuntu1
libpoppler-qt6-3t64 - 0.12.2-2.1ubuntu1
libpoppler147 - 0.12.2-2.1ubuntu1
poppler-utils - 0.12.2-2.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2009 Canonical Ltd.
2009-10-21
2009-10-21
[https://ubuntu.com/security/notices/USN-850-1]
[https://ubuntu.com/security/notices/USN-850-3]
CVE-2009-3604
CVE-2009-3606 on Ubuntu 26.04 LTS (resolute) - medium
Integer overflow in the PSOutputDev::doImageL1Sep function in Xpdf before 3.02pl4, and Poppler 0.x, as used in kdegraphics KPDF, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2009 Canonical Ltd.
2009-10-21
2009-10-21
[https://ubuntu.com/security/notices/USN-973-1]
CVE-2009-3606
CVE-2009-3608 on Ubuntu 26.04 LTS (resolute) - medium
Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow.
Update Instructions:
Run `sudo pro fix CVE-2009-3608` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-poppler-0.18 - 0.12.2-2.1ubuntu1
libpoppler-cpp2 - 0.12.2-2.1ubuntu1
libpoppler-glib8t64 - 0.12.2-2.1ubuntu1
libpoppler-qt5-1t64 - 0.12.2-2.1ubuntu1
libpoppler-qt6-3t64 - 0.12.2-2.1ubuntu1
libpoppler147 - 0.12.2-2.1ubuntu1
poppler-utils - 0.12.2-2.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2009 Canonical Ltd.
2009-10-21
2009-10-21
[https://ubuntu.com/security/notices/USN-850-1]
[https://ubuntu.com/security/notices/USN-850-3]
[https://ubuntu.com/security/notices/USN-973-1]
CVE-2009-3608
CVE-2009-3609 on Ubuntu 26.04 LTS (resolute) - medium
Integer overflow in the ImageStream::ImageStream function in Stream.cc in Xpdf before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, and CUPS pdftops, allows remote attackers to cause a denial of service (application crash) via a crafted PDF document that triggers a NULL pointer dereference or buffer over-read.
Update Instructions:
Run `sudo pro fix CVE-2009-3609` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-poppler-0.18 - 0.12.2-2.1ubuntu1
libpoppler-cpp2 - 0.12.2-2.1ubuntu1
libpoppler-glib8t64 - 0.12.2-2.1ubuntu1
libpoppler-qt5-1t64 - 0.12.2-2.1ubuntu1
libpoppler-qt6-3t64 - 0.12.2-2.1ubuntu1
libpoppler147 - 0.12.2-2.1ubuntu1
poppler-utils - 0.12.2-2.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2009 Canonical Ltd.
2009-10-21
2009-10-21
[https://ubuntu.com/security/notices/USN-850-1]
[https://ubuntu.com/security/notices/USN-850-3]
[https://ubuntu.com/security/notices/USN-973-1]
CVE-2009-3609
CVE-2009-3720 on Ubuntu 26.04 LTS (resolute) - low
The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.
Update Instructions:
Run `sudo pro fix CVE-2009-3720` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.0.1-7ubuntu1
libexpat1 - 2.0.1-7ubuntu1
No subscription required
libxmlrpc-c++9 - 1.06.27-1ubuntu7
libxmlrpc-core-c3t64 - 1.06.27-1ubuntu7
libxmlrpc-util4 - 1.06.27-1ubuntu7
xmlrpc-api-utils - 1.06.27-1ubuntu7
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2009 Canonical Ltd.
2009-11-03
2009-11-03
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551936
[https://ubuntu.com/security/notices/USN-890-1]
[https://ubuntu.com/security/notices/USN-890-2]
[https://ubuntu.com/security/notices/USN-890-3]
[https://ubuntu.com/security/notices/USN-890-4]
[https://ubuntu.com/security/notices/USN-890-5]
[https://ubuntu.com/security/notices/USN-890-6]
CVE-2009-3720
CVE-2009-3850 on Ubuntu 26.04 LTS (resolute) - low
Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute arbitrary code via a .blend file that contains Python statements in the onLoad action of a ScriptLink SDNA.
Ubuntu 26.04 LTS
Low
Copyright (C) 2009 Canonical Ltd.
2009-11-06 15:30:00 UTC
CVE-2009-3850
CVE-2009-4490 on Ubuntu 26.04 LTS (resolute) - negligible
mini_httpd 1.19 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2010 Canonical Ltd.
2010-01-13 20:30:00 UTC
CVE-2009-4490
CVE-2009-4495 on Ubuntu 26.04 LTS (resolute) - negligible
Yaws 1.85 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2010 Canonical Ltd.
2010-01-13 20:30:00 UTC
CVE-2009-4495
CVE-2010-0044 on Ubuntu 26.04 LTS (resolute) - low
PubSub in Apple Safari before 4.0.5 does not properly implement use of the Accept Cookies preference to block cookies, which makes it easier for remote web servers to track users by setting a cookie in a (1) RSS or (2) Atom feed.
Ubuntu 26.04 LTS
Low
Copyright (C) 2010 Canonical Ltd.
2010-03-15 13:28:00 UTC
CVE-2010-0044
CVE-2010-3702 on Ubuntu 26.04 LTS (resolute) - medium
The Gfx::getPos function in the PDF parser in xpdf before 3.02pl5, poppler 0.8.7 and possibly other versions up to 0.15.1, CUPS, kdegraphics, and possibly other products allows context-dependent attackers to cause a denial of service (crash) via unknown vectors that trigger an uninitialized pointer dereference.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2010 Canonical Ltd.
2010-10-13
2010-10-13
Joel Voss
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599165
https://bugs.edge.launchpad.net/ubuntu/+source/xpdf/+bug/701220
[https://ubuntu.com/security/notices/USN-1005-1]
CVE-2010-3702
CVE-2010-3703 on Ubuntu 26.04 LTS (resolute) - medium
The PostScriptFunction::PostScriptFunction function in poppler/Function.cc in the PDF parser in poppler 0.8.7 and possibly other versions up to 0.15.1, and possibly other products, allows context-dependent attackers to cause a denial of service (crash) via a PDF file that triggers an uninitialized pointer dereference.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2010 Canonical Ltd.
2010-10-13
2010-10-13
Joel Voss
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599165
[https://ubuntu.com/security/notices/USN-1005-1]
CVE-2010-3703
CVE-2010-3704 on Ubuntu 26.04 LTS (resolute) - medium
The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser in xpdf before 3.02pl5, poppler 0.8.7 and possibly other versions up to 0.15.1, kdegraphics, and possibly other products allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PDF file with a crafted PostScript Type1 font that contains a negative array index, which bypasses input validation and triggers memory corruption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2010 Canonical Ltd.
2010-10-13
2010-10-13
Joel Voss
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599165
https://bugs.edge.launchpad.net/ubuntu/+source/xpdf/+bug/701220
[https://ubuntu.com/security/notices/USN-1005-1]
CVE-2010-3704
CVE-2010-4207 on Ubuntu 26.04 LTS (resolute) - medium
Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to charts/assets/charts.swf.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2010 Canonical Ltd.
2010-11-07 22:00:00 UTC
CVE-2010-4207
CVE-2010-4208 on Ubuntu 26.04 LTS (resolute) - medium
Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.5.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to uploader/assets/uploader.swf.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2010 Canonical Ltd.
2010-11-07 22:00:00 UTC
CVE-2010-4208
CVE-2010-4209 on Ubuntu 26.04 LTS (resolute) - medium
Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.8.1, as used in Bugzilla 3.7.1 through 3.7.3 and 4.1, allows remote attackers to inject arbitrary web script or HTML via vectors related to swfstore/swfstore.swf.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2010 Canonical Ltd.
2010-11-07 22:00:00 UTC
CVE-2010-4209
CVE-2010-4654 on Ubuntu 26.04 LTS (resolute) - medium
poppler before 0.16.3 has malformed commands that may cause corruption of the internal stack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-11-13 20:15:00 UTC
Dan Rosenberg
CVE-2010-4654
CVE-2010-5105 on Ubuntu 26.04 LTS (resolute) - low
The undo save quit routine in the kernel in Blender 2.5, 2.63a, and earlier allows local users to overwrite arbitrary files via a symlink attack on the quit.blend temporary file. NOTE: this issue might be a regression of CVE-2008-1103.
Ubuntu 26.04 LTS
Low
Copyright (C) 2014 Canonical Ltd.
2014-04-27 20:55:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584621
CVE-2010-5105
CVE-2011-1412 on Ubuntu 26.04 LTS (resolute) - medium
sys/sys_unix.c in the ioQuake3 engine on Unix and Linux, as used in World of Padman 1.5.x before 1.5.1.1 and OpenArena 0.8.x-15 and 0.8.x-16, allows remote game servers to execute arbitrary commands via shell metacharacters in a long fs_game variable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2011 Canonical Ltd.
2011-08-04 02:45:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=725951
CVE-2011-1412
CVE-2011-2764 on Ubuntu 26.04 LTS (resolute) - medium
The FS_CheckFilenameIsNotExecutable function in qcommon/files.c in the ioQuake3 engine 1.36 and earlier, as used in World of Padman, Smokin' Guns, OpenArena, Tremulous, and ioUrbanTerror, does not properly determine dangerous file extensions, which allows remote attackers to execute arbitrary code via a crafted third-party addon that creates a Trojan horse DLL file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2011 Canonical Ltd.
2011-08-04 02:45:00 UTC
CVE-2011-2764
CVE-2011-2896 on Ubuntu 26.04 LTS (resolute) - medium
The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2011 Canonical Ltd.
2011-08-19
2011-08-19
Tomas Hoger
http://cups.org/str.php?L3867
http://cups.org/str.php?L3869
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2896
[https://ubuntu.com/security/notices/USN-1207-1]
[https://ubuntu.com/security/notices/USN-1214-1]
CVE-2011-2896
CVE-2011-3012 on Ubuntu 26.04 LTS (resolute) - medium
The ioQuake3 engine, as used in World of Padman 1.2 and earlier, Tremulous 1.1.0, and ioUrbanTerror 2007-12-20, does not check for dangerous file extensions before writing to the quake3 directory, which allows remote attackers to execute arbitrary code via a crafted third-party addon that creates a Trojan horse DLL file, a different vulnerability than CVE-2011-2764.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2011 Canonical Ltd.
2011-08-09 20:55:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=725951
CVE-2011-3012
CVE-2011-3170 on Ubuntu 26.04 LTS (resolute) - medium
The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and earlier does not properly handle the first code word in an LZW stream, which allows remote attackers to trigger a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted stream, a different vulnerability than CVE-2011-2896.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2011 Canonical Ltd.
2011-08-19
2011-08-19
Tomas Hoger
http://cups.org/str.php?L3914
[https://ubuntu.com/security/notices/USN-1207-1]
CVE-2011-3170
CVE-2011-3699 on Ubuntu 26.04 LTS (resolute) - low
John Lim ADOdb Library for PHP 5.11 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tests/test-active-record.php and certain other files.
Ubuntu 26.04 LTS
Low
Copyright (C) 2011 Canonical Ltd.
2011-09-23 23:55:00 UTC
CVE-2011-3699
CVE-2011-3727 on Ubuntu 26.04 LTS (resolute) - low
DokuWiki 2009-12-25c allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by lib/tpl/index.php and certain other files.
Ubuntu 26.04 LTS
Low
Copyright (C) 2011 Canonical Ltd.
2011-09-23 23:55:00 UTC
CVE-2011-3727
CVE-2011-3744 on Ubuntu 26.04 LTS (resolute) - low
HTML Purifier 4.2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tests/PHPT/Reporter/SimpleTest.php and certain other files.
Ubuntu 26.04 LTS
Low
Copyright (C) 2011 Canonical Ltd.
2011-09-23 23:55:00 UTC
CVE-2011-3744
CVE-2011-3818 on Ubuntu 26.04 LTS (resolute) - low
WordPress 2.9.2 and 3.0.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by wp-admin/includes/user.php and certain other files.
Ubuntu 26.04 LTS
Low
Copyright (C) 2011 Canonical Ltd.
2011-09-24 00:55:00 UTC
CVE-2011-3818
CVE-2011-4115 on Ubuntu 26.04 LTS (resolute) - low
Parallel::ForkManager module before 1.0.0 for Perl does not properly handle temporary files.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-01-31 18:15:00 UTC
CVE-2011-4115
CVE-2011-4604 on Ubuntu 26.04 LTS (resolute) - medium
The bat_socket_read function in net/batman-adv/icmp_socket.c in the Linux kernel before 3.3 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted batman-adv ICMP packet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2013 Canonical Ltd.
2013-06-07 14:03:00 UTC
CVE-2011-4604
CVE-2011-4931 on Ubuntu 26.04 LTS (resolute) - low
gpw generates shorter passwords than required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-10-29 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651510
CVE-2011-4931
CVE-2012-0876 on Ubuntu 26.04 LTS (resolute) - medium
The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.
Update Instructions:
Run `sudo pro fix CVE-2012-0876` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libxmlrpc-c++9 - 1.16.33-3.1ubuntu6
libxmlrpc-core-c3t64 - 1.16.33-3.1ubuntu6
libxmlrpc-util4 - 1.16.33-3.1ubuntu6
xmlrpc-api-utils - 1.16.33-3.1ubuntu6
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2012 Canonical Ltd.
2012-07-03
2012-07-03
http://sourceforge.net/tracker/?func=detail&atid=110127&aid=3496608&group_id=10127
https://bugzilla.redhat.com/show_bug.cgi?id=786617
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663579
http://bugs.python.org/issue14234
[https://ubuntu.com/security/notices/USN-1527-1]
[https://ubuntu.com/security/notices/USN-1527-2]
[https://ubuntu.com/security/notices/USN-1613-1]
[https://ubuntu.com/security/notices/USN-1613-2]
CVE-2012-0876
CVE-2012-0880 on Ubuntu 26.04 LTS (resolute) - low
Apache Xerces-C++ allows remote attackers to cause a denial of service (CPU consumption) via a crafted message sent to an XML service that causes hash table collisions.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-08-08 21:29:00 UTC
Juraj Somorovsky
https://bugzilla.redhat.com/show_bug.cgi?id=787103
https://access.redhat.com/security/cve/cve-2012-0880
CVE-2012-0880
CVE-2012-0881 on Ubuntu 26.04 LTS (resolute) - low
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-10-30 16:29:00 UTC
CVE-2012-0881
CVE-2012-1096 on Ubuntu 26.04 LTS (resolute) - low
NetworkManager 0.9 and earlier allows local users to use other users' certificates or private keys when making a connection via the file path when adding a new connection.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-03-10 17:15:00 UTC
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=738073
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684259
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1096
https://bugzilla.gnome.org/show_bug.cgi?id=793329
CVE-2012-1096
CVE-2012-1148 on Ubuntu 26.04 LTS (resolute) - low
Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities.
Update Instructions:
Run `sudo pro fix CVE-2012-1148` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libxmlrpc-c++9 - 1.16.33-3.1ubuntu6
libxmlrpc-core-c3t64 - 1.16.33-3.1ubuntu6
libxmlrpc-util4 - 1.16.33-3.1ubuntu6
xmlrpc-api-utils - 1.16.33-3.1ubuntu6
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2012 Canonical Ltd.
2012-07-03
2012-07-03
Tim Boddy
http://sourceforge.net/tracker/?func=detail&atid=110127&aid=2958794&group_id=10127
https://bugzilla.redhat.com/show_bug.cgi?id=801648
[https://ubuntu.com/security/notices/USN-1527-1]
[https://ubuntu.com/security/notices/USN-1527-2]
[https://ubuntu.com/security/notices/USN-1613-1]
[https://ubuntu.com/security/notices/USN-1613-2]
[https://ubuntu.com/security/notices/USN-5455-1]
[https://ubuntu.com/security/notices/USN-7307-1]
CVE-2012-1148
CVE-2012-1191 on Ubuntu 26.04 LTS (resolute) - medium
The resolver in dnscache in Daniel J. Bernstein djbdns 1.05 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2012 Canonical Ltd.
2012-02-17 22:55:00 UTC
CVE-2012-1191
CVE-2012-4542 on Ubuntu 26.04 LTS (resolute) - low
block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during authorization of SCSI commands, which allows local users to bypass intended access restrictions via an SG_IO ioctl call that leverages overlapping opcodes.
Ubuntu 26.04 LTS
Low
Copyright (C) 2013 Canonical Ltd.
2013-02-28 19:55:00 UTC
Paolo Bonzini
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4542
https://launchpad.net/bugs/1131331
https://bugzilla.suse.com/show_bug.cgi?id=807154
CVE-2012-4542
CVE-2012-5630 on Ubuntu 26.04 LTS (resolute) - medium
libuser 0.56 and 0.57 has a TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-11-25 14:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=928846
CVE-2012-5630
CVE-2012-5644 on Ubuntu 26.04 LTS (resolute) - medium
libuser has information disclosure when moving user's home directory
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-11-25 15:15:00 UTC
CVE-2012-5644
CVE-2012-5662 on Ubuntu 26.04 LTS (resolute) - medium
x3270 before 3.3.12ga12 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2014 Canonical Ltd.
2014-05-27 14:55:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706547
CVE-2012-5662
CVE-2012-5867 on Ubuntu 26.04 LTS (resolute) - low
HT Editor 2.0.20 has a Remote Stack Buffer Overflow Vulnerability
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-01-23 15:15:00 UTC
CVE-2012-5867
CVE-2012-6615 on Ubuntu 26.04 LTS (resolute) - medium
The ff_ass_split_override_codes function in libavcodec/ass_split.c in FFmpeg before 1.0.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a subtitle dialog without text.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2013 Canonical Ltd.
2013-12-24 20:55:00 UTC
CVE-2012-6615
CVE-2012-6616 on Ubuntu 26.04 LTS (resolute) - medium
The mov_text_decode_frame function in libavcodec/movtextdec.c in FFmpeg before 1.0.2 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via crafted 3GPP TS 26.245 data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2013 Canonical Ltd.
2013-12-24 20:55:00 UTC
CVE-2012-6616
CVE-2012-6617 on Ubuntu 26.04 LTS (resolute) - medium
The prepare_sdp_description function in ffserver.c in FFmpeg before 1.0.2 allows remote attackers to cause a denial of service (crash) via vectors related to the rtp format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2013 Canonical Ltd.
2013-12-24 20:55:00 UTC
CVE-2012-6617
CVE-2012-6618 on Ubuntu 26.04 LTS (resolute) - low
The av_probe_input_buffer function in libavformat/utils.c in FFmpeg before 1.0.2, when running with certain -probesize values, allows remote attackers to cause a denial of service (crash) via a crafted MP3 file, possibly related to frame size or lack of sufficient "frames to estimate rate."
Ubuntu 26.04 LTS
Low
Copyright (C) 2013 Canonical Ltd.
2013-12-24 20:55:00 UTC
CVE-2012-6618
CVE-2012-6702 on Ubuntu 26.04 LTS (resolute) - medium
Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2012 Canonical Ltd.
2012-12-31
2012-12-31
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6702
https://bugzilla.redhat.com/show_bug.cgi?id=1197087
https://sourceforge.net/p/expat/bugs/499/
[https://ubuntu.com/security/notices/USN-3013-1]
[https://ubuntu.com/security/notices/USN-3010-1]
CVE-2012-6702
CVE-2013-0342 on Ubuntu 26.04 LTS (resolute) - medium
The CreateID function in packet.py in pyrad before 2.1 uses sequential packet IDs, which makes it easier for remote attackers to spoof packets by predicting the next ID, a different vulnerability than CVE-2013-0294.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-12-09 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701151
CVE-2013-0342
CVE-2013-10075 on Ubuntu 26.04 LTS (resolute) - medium
Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 08:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136206
CVE-2013-10075
CVE-2013-1438 on Ubuntu 26.04 LTS (resolute) - medium
Unspecified vulnerability in dcraw 0.8.x through 0.8.9, as used in libraw, ufraw, shotwell, and other products, allows context-dependent attackers to cause a denial of service via a crafted photo file that triggers a (1) divide-by-zero, (2) infinite loop, or (3) NULL pointer dereference.
Update Instructions:
Run `sudo pro fix CVE-2013-1438` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libraw-bin - 0.15.3-1ubuntu1
libraw23t64 - 0.15.3-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2013 Canonical Ltd.
2013-08-30
2013-08-30
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721235
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721239 (libkdcraw)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721232
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721233
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721234
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721231 (libraw)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721237
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721236
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721238
[https://ubuntu.com/security/notices/USN-1964-1]
[https://ubuntu.com/security/notices/USN-1978-1]
CVE-2013-1438
CVE-2013-2024 on Ubuntu 26.04 LTS (resolute) - medium
OS command injection vulnerability in the "qs" procedure from the "utils" module in Chicken before 4.9.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-31 20:15:00 UTC
Florian Zumbiehl
CVE-2013-2024
CVE-2013-2131 on Ubuntu 26.04 LTS (resolute) - low
Format string vulnerability in the rrdtool module 1.4.7 for Python, as used in Zenoss, allows context-dependent attackers to cause a denial of service (crash) via format string specifiers to the rrdtool.graph function.
Update Instructions:
Run `sudo pro fix CVE-2013-2131` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
librrd8t64 - 1.7.2-3ubuntu5
librrdp-perl - 1.7.2-3ubuntu5
librrds-perl - 1.7.2-3ubuntu5
lua-rrd - 1.7.2-3ubuntu5
python3-rrdtool - 1.7.2-3ubuntu5
rrdcached - 1.7.2-3ubuntu5
rrdtool - 1.7.2-3ubuntu5
rrdtool-tcl - 1.7.2-3ubuntu5
ruby-rrd - 1.7.2-3ubuntu5
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2015 Canonical Ltd.
2015-01-04 21:59:00 UTC
Thomas Pollet
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708866
https://github.com/oetiker/rrdtool-1.x/issues/396
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2131
CVE-2013-2131
CVE-2013-2561 on Ubuntu 26.04 LTS (resolute) - low
OpenFabrics ibutils 1.5.7 allows local users to overwrite arbitrary files via a symlink attack on (1) ibdiagnet.db, (2) ibdiagnet.fdbs, (3) ibdiagnet_ibis.log, (4) ibdiagnet.log, (5) ibdiagnet.lst, (6) ibdiagnet.mcfdbs, (7) ibdiagnet.pkey, (8) ibdiagnet.psl, (9) ibdiagnet.slvl, or (10) ibdiagnet.sm in /tmp/.
Ubuntu 26.04 LTS
Low
Copyright (C) 2013 Canonical Ltd.
2013-11-23 18:55:00 UTC
Larry W. Cashdollar
CVE-2013-2561
CVE-2013-4158 on Ubuntu 26.04 LTS (resolute) - medium
smokeping before 2.6.9 has XSS (incomplete fix for CVE-2012-0790)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-12-11 13:15:00 UTC
CVE-2013-4158
CVE-2013-4419 on Ubuntu 26.04 LTS (resolute) - low
The guestfish command in libguestfs 1.20.12, 1.22.7, and earlier, when using the --remote or --listen option, does not properly check the ownership of /tmp/.guestfish-$UID/ when creating a temporary socket file in this directory, which allows local users to write to the socket and execute arbitrary commands by creating /tmp/.guestfish-$UID/ in advance.
Ubuntu 26.04 LTS
Low
Copyright (C) 2013 Canonical Ltd.
2013-11-05 20:55:00 UTC
Michael Scherer
CVE-2013-4419
CVE-2013-4488 on Ubuntu 26.04 LTS (resolute) - low
libgadu before 1.12.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers.
Ubuntu 26.04 LTS
Low
Copyright (C) 2014 Canonical Ltd.
2014-10-10 01:55:00 UTC
https://bugzilla.novell.com/show_bug.cgi?id=848653
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4488
CVE-2013-4488
CVE-2013-4492 on Ubuntu 26.04 LTS (resolute) - medium
Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted I18n::MissingTranslationData.new call.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2013 Canonical Ltd.
2013-12-07 00:55:00 UTC
CVE-2013-4492
CVE-2013-4584 on Ubuntu 26.04 LTS (resolute) - low
Perdition before 2.2 may have weak security when handling outbound connections, caused by an error in the STARTTLS IMAP and POP server. ssl_outgoing_ciphers not being applied to STARTTLS connections
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-11-15 15:15:00 UTC
Daniel Kahn Gillmor
CVE-2013-4584
CVE-2013-4739 on Ubuntu 26.04 LTS (resolute) - low
The MSM camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to obtain sensitive information from kernel stack memory via (1) a crafted MSM_MCR_IOCTL_EVT_GET ioctl call, related to drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c, or (2) a crafted MSM_JPEG_IOCTL_EVT_GET ioctl call, related to drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2014 Canonical Ltd.
2014-02-03 03:55:00 UTC
Jonathan Salwan
https://launchpad.net/bugs/1244804
CVE-2013-4739
CVE-2013-6825 on Ubuntu 26.04 LTS (resolute) - medium
(1) movescu.cc and (2) storescp.cc in dcmnet/apps/, (3) dcmnet/libsrc/scp.cc, (4) dcmwlm/libsrc/wlmactmg.cc, (5) dcmprscp.cc and (6) dcmpsrcv.cc in dcmpstat/apps/, (7) dcmpstat/tests/msgserv.cc, and (8) dcmqrdb/apps/dcmqrscp.cc in DCMTK 3.6.1 and earlier does not check the return value of the setuid system call, which allows local users to gain privileges by creating a large number of processes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2014 Canonical Ltd.
2014-06-10 14:55:00 UTC
Hector Marco
CVE-2013-6825
CVE-2013-7233 on Ubuntu 26.04 LTS (resolute) - low
Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list.
Ubuntu 26.04 LTS
Low
Copyright (C) 2013 Canonical Ltd.
2013-12-30 04:53:00 UTC
CVE-2013-7233
CVE-2013-7401 on Ubuntu 26.04 LTS (resolute) - medium
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2014 Canonical Ltd.
2014-12-19 20:59:00 UTC
CVE-2013-7401
CVE-2013-7402 on Ubuntu 26.04 LTS (resolute) - medium
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2014 Canonical Ltd.
2014-12-17 19:59:00 UTC
CVE-2013-7402
CVE-2013-7445 on Ubuntu 26.04 LTS (resolute) - medium
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated by JavaScript code that creates many CANVAS elements for rendering by Chrome or Firefox.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2015 Canonical Ltd.
2015-10-16 01:59:00 UTC
https://bugzilla.kernel.org/show_bug.cgi?id=60533
https://launchpad.net/bugs/1508323
https://bugs.freedesktop.org/show_bug.cgi?id=106136
https://gitlab.freedesktop.org/drm/intel/-/issues/110
CVE-2013-7445
CVE-2013-7447 on Ubuntu 26.04 LTS (resolute) - medium
Integer overflow in the gdk_cairo_set_source_pixbuf function in gdk/gdkcairo.c in GTK+ before 3.9.8, as used in eom, gnome-photos, eog, gambas3, thunar, pinpoint, and possibly other applications, allows remote attackers to cause a denial of service (crash) via a large image file, which triggers a large memory allocation.
Update Instructions:
Run `sudo pro fix CVE-2013-7447` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
eog - 3.18.1-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2013 Canonical Ltd.
2013-12-31
2013-12-31
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799275
https://bugs.launchpad.net/ubuntu/+source/gtk+2.0/+bug/1540811
https://bugzilla.gnome.org/show_bug.cgi?id=703220
https://github.com/mate-desktop/eom/issues/93
[https://ubuntu.com/security/notices/USN-2898-1]
[https://ubuntu.com/security/notices/USN-2898-2]
CVE-2013-7447
CVE-2013-7469 on Ubuntu 26.04 LTS (resolute) - medium
Seafile through 6.2.11 always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-21 03:29:00 UTC
CVE-2013-7469
CVE-2013-7489 on Ubuntu 26.04 LTS (resolute) - medium
The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-26 20:15:00 UTC
CVE-2013-7489
CVE-2014-0083 on Ubuntu 26.04 LTS (resolute) - medium
The Ruby net-ldap gem before 0.11 uses a weak salt when generating SSHA passwords.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-11-21 14:15:00 UTC
Pierre Carrier
https://bugzilla.redhat.com/show_bug.cgi?id=1065086
CVE-2014-0083
CVE-2014-125087 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. Upgrading to version 1.2 is able to address this issue. The name of the patch is e6fddca201790abab4f2c274341c0bb8835c3e73. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221480.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-19 17:15:00 UTC
CVE-2014-125087
CVE-2014-125128 on Ubuntu 26.04 LTS (resolute) - medium
'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). The function 'naughtyHref' doesn't properly validate the hyperreference (`href`) attribute in anchor tags (`<a>`), allowing bypasses that contain different casings, whitespace characters, or hexadecimal encodings.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-08 11:15:00 UTC
CVE-2014-125128
CVE-2014-1686 on Ubuntu 26.04 LTS (resolute) - negligible
MediaWiki 1.18.0 allows remote attackers to obtain the installation path via vectors related to thumbnail creation.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-04-16 09:58:00 UTC
CVE-2014-1686
CVE-2014-1935 on Ubuntu 26.04 LTS (resolute) - low
9base 1:6-6 and 1:6-7 insecurely creates temporary files which results in predictable filenames.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-11-21 15:15:00 UTC
Jakub Wilk
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737206
CVE-2014-1935
CVE-2014-2570 on Ubuntu 26.04 LTS (resolute) - low
Cross-site scripting (XSS) vulnerability in www/make_subset.php in PHP Font Lib before 0.3.1 allows remote attackers to inject arbitrary web script or HTML via the name parameter.
Ubuntu 26.04 LTS
Low
Copyright (C) 2015 Canonical Ltd.
2015-08-31 18:59:00 UTC
CVE-2014-2570
CVE-2014-3004 on Ubuntu 26.04 LTS (resolute) - medium
The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2014 Canonical Ltd.
2014-06-11 14:55:00 UTC
Ron Gutierrez and Adam Bixby
CVE-2014-3004
CVE-2014-3421 on Ubuntu 26.04 LTS (resolute) - medium
lisp/gnus/gnus-fun.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on the /tmp/gnus.face.ppm temporary file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2014 Canonical Ltd.
2014-05-08 10:55:00 UTC
Steve Kemp
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747100
CVE-2014-3421
CVE-2014-3566 on Ubuntu 26.04 LTS (resolute) - medium
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
Update Instructions:
Run `sudo pro fix CVE-2014-3566` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 1.0.1f-1ubuntu9
openssl - 1.0.1f-1ubuntu9
openssl-provider-legacy - 1.0.1f-1ubuntu9
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2014 Canonical Ltd.
2014-10-14
2014-10-14
Bodo Möller, Thai Duong, Krzysztof Kotowicz
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765649
[https://ubuntu.com/security/notices/USN-2486-1]
[https://ubuntu.com/security/notices/USN-2487-1]
CVE-2014-3566
CVE-2014-4323 on Ubuntu 26.04 LTS (resolute) - high
The mdp_lut_hw_update function in drivers/video/msm/mdp.c in the MDP display driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain start and length values within an ioctl call, which allows attackers to gain privileges via a crafted application.
Ubuntu 26.04 LTS
High
Copyright (C) 2014 Canonical Ltd.
2014-12-12 11:59:00 UTC
Gal Beniamini
https://launchpad.net/bugs/1403851
CVE-2014-4323
CVE-2014-4607 on Ubuntu 26.04 LTS (resolute) - medium
Integer overflow in the LZO algorithm variant in Oberhumer liblzo2 and lzo-2 before 2.07 on 32-bit platforms might allow remote attackers to execute arbitrary code via a crafted Literal Run.
Update Instructions:
Run `sudo pro fix CVE-2014-4607` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
liblzo2-2 - 2.06-1.2ubuntu2
No subscription required
krfb - 4:4.13.97-0ubuntu2
No subscription required
grub-common - 2.04-1ubuntu37
grub-coreboot - 2.04-1ubuntu37
grub-coreboot-bin - 2.04-1ubuntu37
grub-efi - 2.04-1ubuntu37
grub-efi-amd64-signed-template - 2.04-1ubuntu37
grub-efi-arm - 2.04-1ubuntu37
grub-efi-arm-bin - 2.04-1ubuntu37
grub-efi-arm-unsigned - 2.04-1ubuntu37
grub-efi-arm64-signed-template - 2.04-1ubuntu37
grub-efi-ia32 - 2.04-1ubuntu37
grub-efi-ia32-bin - 2.04-1ubuntu37
grub-efi-ia32-unsigned - 2.04-1ubuntu37
grub-efi-riscv64 - 2.04-1ubuntu37
grub-efi-riscv64-bin - 2.04-1ubuntu37
grub-efi-riscv64-unsigned - 2.04-1ubuntu37
grub-emu - 2.04-1ubuntu37
grub-firmware-qemu - 2.04-1ubuntu37
grub-ieee1275 - 2.04-1ubuntu37
grub-ieee1275-bin - 2.04-1ubuntu37
grub-linuxbios - 2.04-1ubuntu37
grub-pc - 2.04-1ubuntu37
grub-pc-bin - 2.04-1ubuntu37
grub-rescue-pc - 2.04-1ubuntu37
grub-theme-starfield - 2.04-1ubuntu37
grub-uboot - 2.04-1ubuntu37
grub-uboot-bin - 2.04-1ubuntu37
grub-xen - 2.04-1ubuntu37
grub-xen-bin - 2.04-1ubuntu37
grub-xen-host - 2.04-1ubuntu37
grub2 - 2.04-1ubuntu37
grub2-common - 2.04-1ubuntu37
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2014 Canonical Ltd.
2014-07-09
2014-07-09
Don A. Bailey
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752861
https://bugzilla.redhat.com/show_bug.cgi?id=1112418
https://bugs.launchpad.net/ubuntu/+source/krfb/+bug/1352421 (krfb)
[https://ubuntu.com/security/notices/USN-2300-1]
CVE-2014-4607
CVE-2014-4883 on Ubuntu 26.04 LTS (resolute) - medium
resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2014 Canonical Ltd.
2014-11-28 02:59:00 UTC
CVE-2014-4883
CVE-2014-4927 on Ubuntu 26.04 LTS (resolute) - medium
Buffer overflow in ACME micro_httpd, as used in D-Link DSL2750U and DSL2740U and NetGear WGR614 and MR-ADSL-DG834 routers allows remote attackers to cause a denial of service (crash) via a long string in the URI in a GET request.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2014 Canonical Ltd.
2014-07-24 14:55:00 UTC
CVE-2014-4927
CVE-2014-5459 on Ubuntu 26.04 LTS (resolute) - negligible
The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to the retrieveCacheFirst and useLocalCache functions.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2014 Canonical Ltd.
2014-09-27 10:55:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759282
https://pear.php.net/bugs/bug.php?id=18056
CVE-2014-5459
CVE-2014-6053 on Ubuntu 26.04 LTS (resolute) - medium
The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer 0.9.9 and earlier does not properly handle attempts to send a large amount of ClientCutText data, which allows remote attackers to cause a denial of service (memory consumption or daemon crash) via a crafted message that is processed by using a single unchecked malloc.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2014 Canonical Ltd.
2014-09-24
2014-09-24
Nicolas Ruff
[https://ubuntu.com/security/notices/USN-2365-1]
[https://ubuntu.com/security/notices/USN-4573-1]
[https://ubuntu.com/security/notices/USN-4587-1]
CVE-2014-6053
CVE-2014-6311 on Ubuntu 26.04 LTS (resolute) - low
generate_doygen.pl in ace before 6.2.7+dfsg-2 creates predictable filenames in the /tmp directory which allows attackers to gain elevated privileges.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-11-22 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760709
CVE-2014-6311
CVE-2014-6393 on Ubuntu 26.04 LTS (resolute) - medium
The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.
Update Instructions:
Run `sudo pro fix CVE-2014-6393` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
node-express - 4.16.4-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-08-09 18:29:00 UTC
CVE-2014-6393
CVE-2014-7945 on Ubuntu 26.04 LTS (resolute) - medium
OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.
Update Instructions:
Run `sudo pro fix CVE-2014-7945` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
chromium-browser - 40.0.2214.94-0ubuntu1.1120
chromium-browser-l10n - 40.0.2214.94-0ubuntu1.1120
chromium-chromedriver - 40.0.2214.94-0ubuntu1.1120
chromium-codecs-ffmpeg - 40.0.2214.94-0ubuntu1.1120
chromium-codecs-ffmpeg-extra - 40.0.2214.94-0ubuntu1.1120
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2015 Canonical Ltd.
2015-01-22 22:59:00 UTC
CVE-2014-7945
CVE-2014-7947 on Ubuntu 26.04 LTS (resolute) - medium
OpenJPEG before r2944, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, pi.c, t1.c, t2.c, and tcd.c.
Update Instructions:
Run `sudo pro fix CVE-2014-7947` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
chromium-browser - 40.0.2214.94-0ubuntu1.1120
chromium-browser-l10n - 40.0.2214.94-0ubuntu1.1120
chromium-chromedriver - 40.0.2214.94-0ubuntu1.1120
chromium-codecs-ffmpeg - 40.0.2214.94-0ubuntu1.1120
chromium-codecs-ffmpeg-extra - 40.0.2214.94-0ubuntu1.1120
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2015 Canonical Ltd.
2015-01-22 22:59:00 UTC
CVE-2014-7947
CVE-2014-9235 on Ubuntu 26.04 LTS (resolute) - medium
Multiple SQL injection vulnerabilities in Zoph (aka Zoph Organizes Photos) 0.9.1 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) _action parameter to group.php or (2) user.php or the (3) location_id parameter to photos.php in php/.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2014 Canonical Ltd.
2014-12-03 21:59:00 UTC
CVE-2014-9235
CVE-2014-9236 on Ubuntu 26.04 LTS (resolute) - low
Cross-site scripting (XSS) vulnerability in php/edit_photos.php in Zoph (aka Zoph Organizes Photos) 0.9.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) photographer_id or (2) _crumb parameter.
Ubuntu 26.04 LTS
Low
Copyright (C) 2014 Canonical Ltd.
2014-12-03 21:59:00 UTC
CVE-2014-9236
CVE-2014-9390 on Ubuntu 26.04 LTS (resolute) - medium
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
Update Instructions:
Run `sudo pro fix CVE-2014-9390` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
git - 1:2.1.4-2
git-all - 1:2.1.4-2
git-cvs - 1:2.1.4-2
git-email - 1:2.1.4-2
git-gui - 1:2.1.4-2
git-man - 1:2.1.4-2
git-svn - 1:2.1.4-2
gitk - 1:2.1.4-2
gitweb - 1:2.1.4-2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2014 Canonical Ltd.
2014-12-19
2014-12-19
Matt Mackall and Augie Fackler
https://bugs.launchpad.net/ubuntu/+source/git/+bug/1404035
[https://ubuntu.com/security/notices/USN-2470-1]
CVE-2014-9390
CVE-2015-0255 on Ubuntu 26.04 LTS (resolute) - medium
X.Org Server (aka xserver and xorg-server) before 1.16.3 and 1.17.x before 1.17.1 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (crash) via a crafted string length value in a XkbSetGeometry request.
Update Instructions:
Run `sudo pro fix CVE-2015-0255` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:1.16.2.901-1ubuntu4
xorg-server-source - 2:1.16.2.901-1ubuntu4
xserver-common - 2:1.16.2.901-1ubuntu4
xserver-xephyr - 2:1.16.2.901-1ubuntu4
xserver-xorg-core - 2:1.16.2.901-1ubuntu4
xserver-xorg-legacy - 2:1.16.2.901-1ubuntu4
xvfb - 2:1.16.2.901-1ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2015 Canonical Ltd.
2015-02-11
2015-02-11
Olivier Fourdan
[https://ubuntu.com/security/notices/USN-2500-1]
[https://ubuntu.com/security/notices/USN-4772-1]
CVE-2015-0255
CVE-2015-10005 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in markdown-it up to 2.x. It has been classified as problematic. Affected is an unknown function of the file lib/common/html_re.js. The manipulation leads to inefficient regular expression complexity. Upgrading to version 3.0.0 is able to address this issue. The name of the patch is 89c8620157d6e38f9872811620d25138fc9d1b0d. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216852.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-27 09:15:00 UTC
CVE-2015-10005
CVE-2015-10141 on Ubuntu 26.04 LTS (resolute) - medium
An unauthenticated OS command injection vulnerability exists within Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. When remote debugging is enabled, Xdebug listens on port 9000 and accepts debugger protocol commands without authentication. An attacker can send a crafted eval command over this interface to execute arbitrary PHP code, which may invoke system-level functions such as system() or passthru(). This results in full compromise of the host under the privileges of the web server user.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-23 14:15:00 UTC
CVE-2015-10141
CVE-2015-1193 on Ubuntu 26.04 LTS (resolute) - low
Multiple directory traversal vulnerabilities in pax 1:20140703 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive.
Ubuntu 26.04 LTS
Low
Copyright (C) 2015 Canonical Ltd.
2015-01-21 18:59:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774716
CVE-2015-1193
CVE-2015-1194 on Ubuntu 26.04 LTS (resolute) - low
pax 1:20140703 allows remote attackers to write to arbitrary files via a symlink attack in an archive.
Ubuntu 26.04 LTS
Low
Copyright (C) 2015 Canonical Ltd.
2015-01-21 18:59:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774716
CVE-2015-1194
CVE-2015-1273 on Ubuntu 26.04 LTS (resolute) - medium
Heap-based buffer overflow in j2k.c in OpenJPEG before r3002, as used in PDFium in Google Chrome before 44.0.2403.89, allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid JPEG2000 data in a PDF document.
Update Instructions:
Run `sudo pro fix CVE-2015-1273` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
chromium-browser - 44.0.2403.89-0ubuntu1.1195
chromium-browser-l10n - 44.0.2403.89-0ubuntu1.1195
chromium-chromedriver - 44.0.2403.89-0ubuntu1.1195
chromium-codecs-ffmpeg - 44.0.2403.89-0ubuntu1.1195
chromium-codecs-ffmpeg-extra - 44.0.2403.89-0ubuntu1.1195
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2015 Canonical Ltd.
2015-07-23 00:59:00 UTC
https://code.google.com/p/chromium/issues/detail?id=459215
CVE-2015-1273
CVE-2015-1283 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.
Update Instructions:
Run `sudo pro fix CVE-2015-1283` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
chromium-browser - 44.0.2403.89-0ubuntu1.1195
chromium-browser-l10n - 44.0.2403.89-0ubuntu1.1195
chromium-chromedriver - 44.0.2403.89-0ubuntu1.1195
chromium-codecs-ffmpeg - 44.0.2403.89-0ubuntu1.1195
chromium-codecs-ffmpeg-extra - 44.0.2403.89-0ubuntu1.1195
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2015 Canonical Ltd.
2015-07-22
2015-07-22
https://code.google.com/p/chromium/issues/detail?id=492052
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793484
[https://ubuntu.com/security/notices/USN-2677-1]
[https://ubuntu.com/security/notices/USN-2726-1]
[https://ubuntu.com/security/notices/USN-3013-1]
[https://ubuntu.com/security/notices/USN-5455-1]
[https://ubuntu.com/security/notices/USN-4772-1]
[https://ubuntu.com/security/notices/USN-7199-1]
CVE-2015-1283
CVE-2015-1554 on Ubuntu 26.04 LTS (resolute) - medium
kgb-bot 1.33-2 allows remote attackers to cause a denial of service (crash).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-08-28 19:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776424
CVE-2015-1554
CVE-2015-2305 on Ubuntu 26.04 LTS (resolute) - medium
Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.
Update Instructions:
Run `sudo pro fix CVE-2015-2305` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
clamav - 0.98.7+dfsg-0ubuntu1
clamav-base - 0.98.7+dfsg-0ubuntu1
clamav-daemon - 0.98.7+dfsg-0ubuntu1
clamav-freshclam - 0.98.7+dfsg-0ubuntu1
clamav-milter - 0.98.7+dfsg-0ubuntu1
clamav-testfiles - 0.98.7+dfsg-0ubuntu1
clamdscan - 0.98.7+dfsg-0ubuntu1
libclamav12 - 0.98.7+dfsg-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2015 Canonical Ltd.
2015-03-30
2015-03-30
https://bugs.php.net/bug.php?id=69248
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778404
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778397
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778392
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778391
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778393
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778408
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778410
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778403
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778389
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778409
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778406 (clamav)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778412
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778413
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778398
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778394
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778402
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778396 (cups)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778393 (llvm-toolchain-3.6)
[https://ubuntu.com/security/notices/USN-2572-1]
[https://ubuntu.com/security/notices/USN-2594-1]
CVE-2015-2305
CVE-2015-2785 on Ubuntu 26.04 LTS (resolute) - low
The GIF encoder in Byzanz allows remote attackers to cause a denial of service (out-of-bounds heap write and crash) or possibly execute arbitrary code via a crafted Byzanz debug data recording (ByzanzRecording file) to the byzanz-playback command.
Ubuntu 26.04 LTS
Low
Copyright (C) 2015 Canonical Ltd.
2015-03-29 21:59:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=852481
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778261
CVE-2015-2785
CVE-2015-3239 on Ubuntu 26.04 LTS (resolute) - low
Off-by-one error in the dwarf_to_unw_regnum function in include/dwarf_i.h in libunwind 1.1 allows local users to have unspecified impact via invalid dwarf opcodes.
Ubuntu 26.04 LTS
Low
Copyright (C) 2015 Canonical Ltd.
2015-08-26 19:59:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790830
CVE-2015-3239
CVE-2015-3245 on Ubuntu 26.04 LTS (resolute) - low
Incomplete blacklist vulnerability in the chfn function in libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, allows local users to cause a denial of service (/etc/passwd corruption) via a newline character in the GECOS field.
Ubuntu 26.04 LTS
Low
Copyright (C) 2015 Canonical Ltd.
2015-08-11 14:59:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793465
CVE-2015-3245
CVE-2015-3246 on Ubuntu 26.04 LTS (resolute) - medium
libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, directly modifies /etc/passwd, which allows local users to cause a denial of service (inconsistent file state) by causing an error during the modification. NOTE: this issue can be combined with CVE-2015-3245 to gain privileges.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2015 Canonical Ltd.
2015-08-11 14:59:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793465
CVE-2015-3246
CVE-2015-3885 on Ubuntu 26.04 LTS (resolute) - negligible
Integer overflow in the ljpeg_start function in dcraw 7.00 and earlier allows remote attackers to cause a denial of service (crash) via a crafted image, which triggers a buffer overflow, related to the len variable.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2015 Canonical Ltd.
2015-05-19
2015-05-19
Eduardo Castellanos
https://bugzilla.redhat.com/show_bug.cgi?id=1221249
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785019 (dcraw)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767180 (kodi)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786788 (libraw)
[https://ubuntu.com/security/notices/USN-3492-1]
CVE-2015-3885
CVE-2015-5179 on Ubuntu 26.04 LTS (resolute) - low
FreeIPA might display user data improperly via vectors involving non-printable characters.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-09-20 16:29:00 UTC
https://fedorahosted.org/freeipa/ticket/5153
https://bugzilla.redhat.com/show_bug.cgi?id=1252567
CVE-2015-5179
CVE-2015-5236 on Ubuntu 26.04 LTS (resolute) - negligible
It was discovered that the IcedTea-Web used codebase attribute of the <applet> tag on the HTML page that hosts Java applet in the Same Origin Policy (SOP) checks. As the specified codebase does not have to match the applet's actual origin, this allowed malicious site to bypass SOP via spoofed codebase value.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-07-07 16:15:00 UTC
CVE-2015-5236
CVE-2015-7501 on Ubuntu 26.04 LTS (resolute) - low
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-11-09 17:29:00 UTC
CVE-2015-7501
CVE-2015-7837 on Ubuntu 26.04 LTS (resolute) - medium
The Linux kernel, as used in Red Hat Enterprise Linux 7, kernel-rt, and Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows local users to bypass intended securelevel/secureboot restrictions by leveraging improper handling of secure_boot flag across kexec reboot.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2015 Canonical Ltd.
2015-10-15
2015-10-15
https://launchpad.net/bugs/1509563
[https://ubuntu.com/security/notices/USN-3405-1]
[https://ubuntu.com/security/notices/USN-3405-2]
CVE-2015-7837
CVE-2015-8104 on Ubuntu 26.04 LTS (resolute) - medium
The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2015 Canonical Ltd.
2015-11-16
2015-11-16
Jan Beulich
https://launchpad.net/bugs/1520184
[https://ubuntu.com/security/notices/USN-2841-2]
[https://ubuntu.com/security/notices/USN-2841-1]
[https://ubuntu.com/security/notices/USN-2843-1]
[https://ubuntu.com/security/notices/USN-2842-1]
[https://ubuntu.com/security/notices/USN-2842-2]
[https://ubuntu.com/security/notices/USN-2844-1]
[https://ubuntu.com/security/notices/USN-2840-1]
[https://ubuntu.com/security/notices/USN-2843-2]
CVE-2015-8104
CVE-2015-8366 on Ubuntu 26.04 LTS (resolute) - low
Array index error in smal_decode_segment function in LibRaw before 0.17.1 allows context-dependent attackers to cause memory errors and possibly execute arbitrary code via vectors related to indexes.
Ubuntu 26.04 LTS
Low
Copyright (C) 2015 Canonical Ltd.
2015-12-02
2015-12-02
ChenQin
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806809
[https://ubuntu.com/security/notices/USN-3492-1]
CVE-2015-8366
CVE-2015-8367 on Ubuntu 26.04 LTS (resolute) - low
The phase_one_correct function in Libraw before 0.17.1 allows attackers to cause memory errors and possibly execute arbitrary code, related to memory object initialization.
Ubuntu 26.04 LTS
Low
Copyright (C) 2015 Canonical Ltd.
2015-12-02
2015-12-02
ChenQin
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806809
[https://ubuntu.com/security/notices/USN-3492-1]
CVE-2015-8367
CVE-2015-8550 on Ubuntu 26.04 LTS (resolute) - medium
Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2015-8550` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libxencall1 - 4.6.0-1ubuntu2
libxendevicemodel1 - 4.6.0-1ubuntu2
libxenevtchn1 - 4.6.0-1ubuntu2
libxenforeignmemory1 - 4.6.0-1ubuntu2
libxengnttab1 - 4.6.0-1ubuntu2
libxenhypfs1 - 4.6.0-1ubuntu2
libxenmisc4.20 - 4.6.0-1ubuntu2
libxenstore4 - 4.6.0-1ubuntu2
libxentoolcore1 - 4.6.0-1ubuntu2
libxentoollog1 - 4.6.0-1ubuntu2
xen-hypervisor-4.20-amd64 - 4.6.0-1ubuntu2
xen-hypervisor-4.20-arm64 - 4.6.0-1ubuntu2
xen-hypervisor-common - 4.6.0-1ubuntu2
xen-system-amd64 - 4.6.0-1ubuntu2
xen-system-arm64 - 4.6.0-1ubuntu2
xen-utils-4.20 - 4.6.0-1ubuntu2
xen-utils-common - 4.6.0-1ubuntu2
xenstore-utils - 4.6.0-1ubuntu2
No subscription required
qemu-block-extra - 1:2.5+dfsg-1ubuntu5
qemu-block-supplemental - 1:2.5+dfsg-1ubuntu5
qemu-guest-agent - 1:2.5+dfsg-1ubuntu5
qemu-system - 1:2.5+dfsg-1ubuntu5
qemu-system-arm - 1:2.5+dfsg-1ubuntu5
qemu-system-common - 1:2.5+dfsg-1ubuntu5
qemu-system-data - 1:2.5+dfsg-1ubuntu5
qemu-system-gui - 1:2.5+dfsg-1ubuntu5
qemu-system-mips - 1:2.5+dfsg-1ubuntu5
qemu-system-misc - 1:2.5+dfsg-1ubuntu5
qemu-system-modules-opengl - 1:2.5+dfsg-1ubuntu5
qemu-system-modules-spice - 1:2.5+dfsg-1ubuntu5
qemu-system-ppc - 1:2.5+dfsg-1ubuntu5
qemu-system-riscv - 1:2.5+dfsg-1ubuntu5
qemu-system-s390x - 1:2.5+dfsg-1ubuntu5
qemu-system-sparc - 1:2.5+dfsg-1ubuntu5
qemu-system-x86 - 1:2.5+dfsg-1ubuntu5
qemu-system-x86-xen - 1:2.5+dfsg-1ubuntu5
qemu-system-xen - 1:2.5+dfsg-1ubuntu5
qemu-user - 1:2.5+dfsg-1ubuntu5
qemu-user-binfmt - 1:2.5+dfsg-1ubuntu5
qemu-utils - 1:2.5+dfsg-1ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2015 Canonical Ltd.
2015-12-17
2015-12-17
Felix Wilhelm
https://launchpad.net/bugs/1530403
[https://ubuntu.com/security/notices/USN-2846-1]
[https://ubuntu.com/security/notices/USN-2847-1]
[https://ubuntu.com/security/notices/USN-2848-1]
[https://ubuntu.com/security/notices/USN-2849-1]
[https://ubuntu.com/security/notices/USN-2850-1]
[https://ubuntu.com/security/notices/USN-2851-1]
[https://ubuntu.com/security/notices/USN-2853-1]
[https://ubuntu.com/security/notices/USN-2854-1]
[https://ubuntu.com/security/notices/USN-2886-2]
[https://ubuntu.com/security/notices/USN-2891-1]
CVE-2015-8550
CVE-2015-8553 on Ubuntu 26.04 LTS (resolute) - medium
Xen allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory by not enabling memory and I/O decoding control bits. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0777.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2016 Canonical Ltd.
2016-04-13 15:59:00 UTC
https://launchpad.net/bugs/1530958
CVE-2015-8553
CVE-2015-8697 on Ubuntu 26.04 LTS (resolute) - medium
stalin 0.11-5 allows local users to write to arbitrary files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-06-27 20:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808730
CVE-2015-8697
CVE-2015-9284 on Ubuntu 26.04 LTS (resolute) - medium
The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-04-26 15:29:00 UTC
CVE-2015-9284
CVE-2016-0718 on Ubuntu 26.04 LTS (resolute) - medium
Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
Update Instructions:
Run `sudo pro fix CVE-2016-0718` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.1.1-1ubuntu1
libexpat1 - 2.1.1-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2016 Canonical Ltd.
2016-05-17 19:00:00 UTC
2016-05-17 19:00:00 UTC
Gustavo Grieco
[https://ubuntu.com/security/notices/USN-2983-1]
[https://ubuntu.com/security/notices/USN-3013-1]
[https://ubuntu.com/security/notices/USN-3044-1]
[https://ubuntu.com/security/notices/USN-5455-1]
[https://ubuntu.com/security/notices/USN-7199-1]
CVE-2016-0718
CVE-2016-1000002 on Ubuntu 26.04 LTS (resolute) - low
gdm3 3.14.2 and possibly later has an information leak before screen lock
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-11-05 14:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1391126
https://bugzilla.gnome.org/show_bug.cgi?id=753678
CVE-2016-1000002
CVE-2016-1000104 on Ubuntu 26.04 LTS (resolute) - medium
A security Bypass vulnerability exists in the FcgidPassHeader Proxy in mod_fcgid through 2016-07-07.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-12-03 22:15:00 UTC
CVE-2016-1000104
CVE-2016-10006 on Ubuntu 26.04 LTS (resolute) - medium
In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2016 Canonical Ltd.
2016-12-24 18:59:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014981
CVE-2016-10006
CVE-2016-10074 on Ubuntu 26.04 LTS (resolute) - medium
The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2016 Canonical Ltd.
2016-12-30 19:59:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849626
CVE-2016-10074
CVE-2016-10187 on Ubuntu 26.04 LTS (resolute) - medium
The E-book viewer in calibre before 2.75 allows remote attackers to read arbitrary files via a crafted epub file with JavaScript.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-03-16 15:59:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853004
CVE-2016-10187
CVE-2016-10245 on Ubuntu 26.04 LTS (resolute) - medium
Insufficient sanitization of the query parameter in templates/html/search_opensearch.php could lead to reflected cross-site scripting or iframe injection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-05-24
2019-05-24
[https://ubuntu.com/security/notices/USN-4002-1]
CVE-2016-10245
CVE-2016-10539 on Ubuntu 26.04 LTS (resolute) - medium
negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.
Update Instructions:
Run `sudo pro fix CVE-2016-10539` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
node-negotiator - 0.6.1-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-31 20:29:00 UTC
CVE-2016-10539
CVE-2016-10735 on Ubuntu 26.04 LTS (resolute) - low
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Update Instructions:
Run `sudo pro fix CVE-2016-10735` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
fonts-glyphicons-halflings - 1.009~3.4.1+dfsg-6
libjs-bootstrap - 3.4.1+dfsg-6
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-01-09 05:29:00 UTC
CVE-2016-10735
CVE-2016-11086 on Ubuntu 26.04 LTS (resolute) - medium
lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-24 20:15:00 UTC
CVE-2016-11086
CVE-2016-1584 on Ubuntu 26.04 LTS (resolute) - low
In all versions of Unity8 a running but not active application on a large-screen device could talk with Maliit and consume keyboard input.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-04-22 16:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyboard/+bug/1594863
CVE-2016-1584
CVE-2016-20015 on Ubuntu 26.04 LTS (resolute) - medium
In the ebuild package through smokeping-2.7.3-r1 for SmokePing on Gentoo, the initscript allows the smokeping user to gain ownership of any file, allowing for the smokeping user to gain root privileges. There is a race condition involving /var/lib/smokeping and chown.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-20 18:15:00 UTC
CVE-2016-20015
CVE-2016-20037 on Ubuntu 26.04 LTS (resolute) - medium
xwpe 1.5.30a-2.1 and prior contains a stack-based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying overly long input strings that exceed buffer boundaries. Attackers can craft malicious command-line arguments with 262 bytes of junk data followed by shellcode to overwrite the instruction pointer and achieve code execution or denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-28 12:15:00 UTC
CVE-2016-20037
CVE-2016-20038 on Ubuntu 26.04 LTS (resolute) - medium
yTree 1.94-1.1 contains a stack-based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an excessively long argument to the application. Attackers can craft a malicious command-line argument containing shellcode and a return address to overwrite the stack and execute code in the application context.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-28 12:15:00 UTC
CVE-2016-20038
CVE-2016-20041 on Ubuntu 26.04 LTS (resolute) - medium
Yasr 0.6.9-5 contains a buffer overflow vulnerability that allows local attackers to crash the application or execute arbitrary code by supplying an oversized argument to the -p parameter. Attackers can invoke yasr with a crafted payload containing junk data, shellcode, and a return address to overwrite the stack and trigger code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-28 12:15:00 UTC
CVE-2016-20041
CVE-2016-20044 on Ubuntu 26.04 LTS (resolute) - medium
PInfo 0.6.9-5.1 contains a local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized argument to the -m parameter. Attackers can craft a malicious input string with 564 bytes of padding followed by a return address to overwrite the instruction pointer and execute shellcode with user privileges.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-28 12:16:00 UTC
CVE-2016-20044
CVE-2016-20048 on Ubuntu 26.04 LTS (resolute) - medium
iSelect 1.4.0-2+b1 contains a local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized value to the -k/--key parameter. Attackers can craft a malicious argument containing a NOP sled, shellcode, and return address to overflow a 1024-byte stack buffer and gain code execution with user privileges.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-28 12:16:00 UTC
CVE-2016-20048
CVE-2016-2124 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
Update Instructions:
Run `sudo pro fix CVE-2016-2124` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-09
2021-11-09
Stefan Metzmacher
https://bugzilla.samba.org/show_bug.cgi?id=12444
[https://ubuntu.com/security/notices/USN-5142-1]
[https://ubuntu.com/security/notices/USN-5174-1]
CVE-2016-2124
CVE-2016-2141 on Ubuntu 26.04 LTS (resolute) - medium
It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2016 Canonical Ltd.
2016-06-30 16:59:00 UTC
Dennis Reed
CVE-2016-2141
CVE-2016-2226 on Ubuntu 26.04 LTS (resolute) - low
Integer overflow in the string_appends function in cplus-dem.c in libiberty allows remote attackers to execute arbitrary code via a crafted executable, which triggers a buffer overflow.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-02-24
2017-02-24
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840358 (ht)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840360 (libiberty)
[https://ubuntu.com/security/notices/USN-3337-1]
[https://ubuntu.com/security/notices/USN-3368-1]
[https://ubuntu.com/security/notices/USN-3367-1]
[https://ubuntu.com/security/notices/USN-4336-2]
CVE-2016-2226
CVE-2016-2568 on Ubuntu 26.04 LTS (resolute) - low
pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-02-13 18:59:00 UTC
Federico Manuel Bento
https://bugzilla.redhat.com/show_bug.cgi?id=1299955
https://bugzilla.redhat.com/show_bug.cgi?id=1300746
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=816062
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1535768
CVE-2016-2568
CVE-2016-2853 on Ubuntu 26.04 LTS (resolute) - low
The aufs module for the Linux kernel 3.x and 4.x does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an aufs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program.
Ubuntu 26.04 LTS
Low
Copyright (C) 2016 Canonical Ltd.
2016-05-02 10:59:00 UTC
2016-05-02 10:59:00 UTC
https://launchpad.net/bugs/1547400
[https://ubuntu.com/security/notices/USN-5343-1]
CVE-2016-2853
CVE-2016-2854 on Ubuntu 26.04 LTS (resolute) - low
The aufs module for the Linux kernel 3.x and 4.x does not properly maintain POSIX ACL xattr data, which allows local users to gain privileges by leveraging a group-writable setgid directory.
Ubuntu 26.04 LTS
Low
Copyright (C) 2016 Canonical Ltd.
2016-05-02 10:59:00 UTC
2016-05-02 10:59:00 UTC
https://launchpad.net/bugs/1554262
[https://ubuntu.com/security/notices/USN-5343-1]
CVE-2016-2854
CVE-2016-3066 on Ubuntu 26.04 LTS (resolute) - low
The spice-gtk widget allows remote authenticated users to obtain information from the host clipboard.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-06-06 18:29:00 UTC
Daniel P. Berrange
CVE-2016-3066
CVE-2016-4216 on Ubuntu 26.04 LTS (resolute) - medium
XMPCore in Adobe XMP Toolkit for Java before 5.1.3 allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Update Instructions:
Run `sudo pro fix CVE-2016-4216` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libxmpcore-java - 5.1.3-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2016 Canonical Ltd.
2016-07-13 02:00:00 UTC
CVE-2016-4216
CVE-2016-4472 on Ubuntu 26.04 LTS (resolute) - medium
The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2016 Canonical Ltd.
2016-05-18
2016-05-18
[https://ubuntu.com/security/notices/USN-3013-1]
[https://ubuntu.com/security/notices/USN-5455-1]
[https://ubuntu.com/security/notices/USN-7199-1]
CVE-2016-4472
CVE-2016-4487 on Ubuntu 26.04 LTS (resolute) - low
Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to "btypevec."
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-02-24
2017-02-24
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840358 (ht)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840360 (libiberty)
[https://ubuntu.com/security/notices/USN-3337-1]
[https://ubuntu.com/security/notices/USN-3368-1]
[https://ubuntu.com/security/notices/USN-3367-1]
[https://ubuntu.com/security/notices/USN-4336-2]
CVE-2016-4487
CVE-2016-4488 on Ubuntu 26.04 LTS (resolute) - low
Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to "ktypevec."
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-02-24
2017-02-24
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840358 (ht)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840360 (libiberty)
[https://ubuntu.com/security/notices/USN-3337-1]
[https://ubuntu.com/security/notices/USN-3368-1]
[https://ubuntu.com/security/notices/USN-3367-1]
[https://ubuntu.com/security/notices/USN-4336-2]
CVE-2016-4488
CVE-2016-4489 on Ubuntu 26.04 LTS (resolute) - low
Integer overflow in the gnu_special function in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to the "demangling of virtual tables."
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-02-24
2017-02-24
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840358 (ht)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840360 (libiberty)
[https://ubuntu.com/security/notices/USN-3337-1]
[https://ubuntu.com/security/notices/USN-3368-1]
[https://ubuntu.com/security/notices/USN-3367-1]
[https://ubuntu.com/security/notices/USN-4336-2]
CVE-2016-4489
CVE-2016-4490 on Ubuntu 26.04 LTS (resolute) - low
Integer overflow in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to inconsistent use of the long and int types for lengths.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-02-24
2017-02-24
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840358 (ht)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840360 (libiberty)
[https://ubuntu.com/security/notices/USN-3337-1]
[https://ubuntu.com/security/notices/USN-3368-1]
[https://ubuntu.com/security/notices/USN-3367-1]
[https://ubuntu.com/security/notices/USN-4336-2]
CVE-2016-4490
CVE-2016-4491 on Ubuntu 26.04 LTS (resolute) - low
The d_print_comp function in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, which triggers infinite recursion and a buffer overflow, related to a node having "itself as ancestor more than once."
Update Instructions:
Run `sudo pro fix CVE-2016-4491` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
valgrind - 1:3.12.0-1.1ubuntu2
valgrind-mpi - 1:3.12.0-1.1ubuntu2
No subscription required
gdb - 8.0-0ubuntu3
gdb-minimal - 8.0-0ubuntu3
gdb-multiarch - 8.0-0ubuntu3
gdb-source - 8.0-0ubuntu3
gdbserver - 8.0-0ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-02-24
2017-02-24
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70909
[https://ubuntu.com/security/notices/USN-3337-1]
[https://ubuntu.com/security/notices/USN-3368-1]
[https://ubuntu.com/security/notices/USN-3367-1]
[https://ubuntu.com/security/notices/USN-4336-2]
CVE-2016-4491
CVE-2016-4492 on Ubuntu 26.04 LTS (resolute) - low
Buffer overflow in the do_type function in cplus-dem.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-02-24
2017-02-24
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840358 (ht)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840360 (libiberty)
[https://ubuntu.com/security/notices/USN-3337-1]
[https://ubuntu.com/security/notices/USN-3368-1]
[https://ubuntu.com/security/notices/USN-3367-1]
[https://ubuntu.com/security/notices/USN-4336-2]
CVE-2016-4492
CVE-2016-4493 on Ubuntu 26.04 LTS (resolute) - low
The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-02-24
2017-02-24
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926
[https://ubuntu.com/security/notices/USN-3337-1]
[https://ubuntu.com/security/notices/USN-3368-1]
[https://ubuntu.com/security/notices/USN-3367-1]
[https://ubuntu.com/security/notices/USN-4336-2]
CVE-2016-4493
CVE-2016-4567 on Ubuntu 26.04 LTS (resolute) - medium
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."
Ubuntu 26.04 LTS
Medium
Copyright (C) 2016 Canonical Ltd.
2016-05-22 01:59:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823649
CVE-2016-4567
CVE-2016-4973 on Ubuntu 26.04 LTS (resolute) - low
Binaries compiled against targets that use the libssp library in GCC for stack smashing protection (SSP) might allow local users to perform buffer overflow attacks by leveraging lack of the Object Size Checking feature.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-06-07 20:29:00 UTC
Yaakov Selkowitz
https://bugzilla.redhat.com/show_bug.cgi?id=1324759
CVE-2016-4973
CVE-2016-4992 on Ubuntu 26.04 LTS (resolute) - low
389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, Red Hat Enterprise Linux HPC Node 6 through 7, Red Hat Enterprise Linux Server 6 through 7, and Red Hat Enterprise Linux Workstation 6 through 7 allows remote attackers to infer the existence of RDN component objects.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-06-08 19:29:00 UTC
Petr Spacek and Martin Basti
CVE-2016-4992
CVE-2016-5300 on Ubuntu 26.04 LTS (resolute) - medium
The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2016 Canonical Ltd.
2016-06-06
2016-06-06
[https://ubuntu.com/security/notices/USN-3013-1]
[https://ubuntu.com/security/notices/USN-3010-1]
CVE-2016-5300
CVE-2016-5637 on Ubuntu 26.04 LTS (resolute) - medium
The restore_tqb_pixels function in libbpg 0.9.5 through 0.9.7 mishandles the transquant_bypass_enable_flag value, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via a crafted BPG image, related to a "type confusion" issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2016 Canonical Ltd.
2016-07-15 18:59:00 UTC
CVE-2016-5637
CVE-2016-5824 on Ubuntu 26.04 LTS (resolute) - low
libical 1.0 allows remote attackers to cause a denial of service (use-after-free) via a crafted ics file.
Update Instructions:
Run `sudo pro fix CVE-2016-5824` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
thunderbird - 1:60.5.1+build2-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-01-27
2017-01-27
https://bugzilla.mozilla.org/show_bug.cgi?id=1275400
[https://ubuntu.com/security/notices/USN-3897-1]
CVE-2016-5824
CVE-2016-6131 on Ubuntu 26.04 LTS (resolute) - low
The demangler in GNU Libiberty allows remote attackers to cause a denial of service (infinite loop, stack overflow, and crash) via a cycle in the references of remembered mangled types.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-02-07
2017-02-07
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71696
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840889
[https://ubuntu.com/security/notices/USN-3337-1]
[https://ubuntu.com/security/notices/USN-3368-1]
[https://ubuntu.com/security/notices/USN-3367-1]
[https://ubuntu.com/security/notices/USN-4336-2]
CVE-2016-6131
CVE-2016-6189 on Ubuntu 26.04 LTS (resolute) - low
Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-02-17 17:59:00 UTC
Jens Erat
https://sogo.nu/bugs/view.php?id=3695
CVE-2016-6189
CVE-2016-7046 on Ubuntu 26.04 LTS (resolute) - low
Red Hat JBoss Enterprise Application Platform (EAP) 7, when operating as a reverse-proxy with default buffer sizes, allows remote attackers to cause a denial of service (CPU and disk consumption) via a long URL.
Ubuntu 26.04 LTS
Low
Copyright (C) 2016 Canonical Ltd.
2016-10-03 21:59:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7046
CVE-2016-7046
CVE-2016-7151 on Ubuntu 26.04 LTS (resolute) - medium
Capstone 3.0.4 has an out-of-bounds vulnerability (SEGV caused by a read memory access) in X86_insn_reg_intel in arch/X86/X86Mapping.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-05-15 14:29:00 UTC
CVE-2016-7151
CVE-2016-7395 on Ubuntu 26.04 LTS (resolute) - medium
SkPath.cpp in Skia, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, does not properly validate the return values of ChopMonoAtY calls, which allows remote attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via crafted graphics data.
Update Instructions:
Run `sudo pro fix CVE-2016-7395` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
chromium-browser - 55.0.2883.87-0ubuntu1
chromium-browser-l10n - 55.0.2883.87-0ubuntu1
chromium-chromedriver - 55.0.2883.87-0ubuntu1
chromium-codecs-ffmpeg - 55.0.2883.87-0ubuntu1
chromium-codecs-ffmpeg-extra - 55.0.2883.87-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2016 Canonical Ltd.
2016-09-11 10:59:00 UTC
CVE-2016-7395
CVE-2016-7952 on Ubuntu 26.04 LTS (resolute) - low
X.org libXtst before 1.2.3 allows remote X servers to cause a denial of service (infinite loop) via a reply in the (1) XRecordStartOfData, (2) XRecordEndOfData, or (3) XRecordClientDied category without a client sequence and with attached data.
Update Instructions:
Run `sudo pro fix CVE-2016-7952` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libxtst6 - 2:1.2.3-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2016 Canonical Ltd.
2016-12-13 20:59:00 UTC
Tobias Stoeckmann
CVE-2016-7952
CVE-2016-7953 on Ubuntu 26.04 LTS (resolute) - low
Buffer underflow in X.org libXvMC before 1.0.10 allows remote X servers to have unspecified impact via an empty string.
Update Instructions:
Run `sudo pro fix CVE-2016-7953` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libxvmc1 - 2:1.0.10-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2016 Canonical Ltd.
2016-12-13 20:59:00 UTC
Tobias Stoeckmann
https://launchpad.net/bugs/1691532
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840445
CVE-2016-7953
CVE-2016-8660 on Ubuntu 26.04 LTS (resolute) - medium
The XFS subsystem in the Linux kernel through 4.8.2 allows local users to cause a denial of service (fdatasync failure and system hang) by using the vfs syscall group in the trinity program, related to a "page lock order bug in the XFS seek hole/data implementation."
Ubuntu 26.04 LTS
Medium
Copyright (C) 2016 Canonical Ltd.
2016-10-16 21:59:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1384851
CVE-2016-8660
CVE-2016-9797 on Ubuntu 26.04 LTS (resolute) - negligible
In BlueZ 5.42, a buffer over-read was observed in "l2cap_dump" function in "tools/parser/l2cap.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2016 Canonical Ltd.
2016-12-03 06:59:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847837
CVE-2016-9797
CVE-2016-9798 on Ubuntu 26.04 LTS (resolute) - negligible
In BlueZ 5.42, a use-after-free was identified in "conf_opt" function in "tools/parser/l2cap.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2016 Canonical Ltd.
2016-12-03 06:59:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847837
CVE-2016-9798
CVE-2016-9799 on Ubuntu 26.04 LTS (resolute) - negligible
In BlueZ 5.42, a buffer overflow was observed in "pklg_read_hci" function in "btsnoop.c" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2016 Canonical Ltd.
2016-12-03 06:59:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847837
CVE-2016-9799
CVE-2016-9800 on Ubuntu 26.04 LTS (resolute) - negligible
In BlueZ 5.42, a buffer overflow was observed in "pin_code_reply_dump" function in "tools/parser/hci.c" source file. The issue exists because "pin" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame "pin_code_reply_cp *cp" parameter.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2016 Canonical Ltd.
2016-12-03 06:59:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847837
CVE-2016-9800
CVE-2016-9801 on Ubuntu 26.04 LTS (resolute) - negligible
In BlueZ 5.42, a buffer overflow was observed in "set_ext_ctrl" function in "tools/parser/l2cap.c" source file when processing corrupted dump file.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2016 Canonical Ltd.
2016-12-03 06:59:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847837
CVE-2016-9801
CVE-2016-9802 on Ubuntu 26.04 LTS (resolute) - negligible
In BlueZ 5.42, a buffer over-read was identified in "l2cap_packet" function in "monitor/packet.c" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2016 Canonical Ltd.
2016-12-03 06:59:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847837
CVE-2016-9802
CVE-2016-9803 on Ubuntu 26.04 LTS (resolute) - negligible
In BlueZ 5.42, an out-of-bounds read was observed in "le_meta_ev_dump" function in "tools/parser/hci.c" source file. This issue exists because 'subevent' (which is used to read correct element from 'ev_le_meta_str' array) is overflowed.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2016 Canonical Ltd.
2016-12-03 06:59:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847837
CVE-2016-9803
CVE-2016-9804 on Ubuntu 26.04 LTS (resolute) - negligible
In BlueZ 5.42, a buffer overflow was observed in "commands_dump" function in "tools/parser/csr.c" source file. The issue exists because "commands" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame "frm->ptr" parameter. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2016 Canonical Ltd.
2016-12-03 06:59:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847837
CVE-2016-9804
CVE-2016-9809 on Ubuntu 26.04 LTS (resolute) - low
Off-by-one error in the gst_h264_parse_set_caps function in GStreamer before 1.10.2 allows remote attackers to have unspecified impact via a crafted file, which triggers an out-of-bounds read.
Update Instructions:
Run `sudo pro fix CVE-2016-9809` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-gst-plugins-bad-1.0 - 1.10.2-1ubuntu1
gstreamer1.0-opencv - 1.10.2-1ubuntu1
gstreamer1.0-plugins-bad - 1.10.2-1ubuntu1
gstreamer1.0-plugins-bad-apps - 1.10.2-1ubuntu1
libgstreamer-opencv1.0-0 - 1.10.2-1ubuntu1
libgstreamer-plugins-bad1.0-0 - 1.10.2-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-01-13 16:59:00 UTC
Hanno Boeck
https://bugzilla.gnome.org/show_bug.cgi?id=774896
CVE-2016-9809
CVE-2016-9812 on Ubuntu 26.04 LTS (resolute) - low
The gst_mpegts_section_new function in the mpegts decoder in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a too small section.
Update Instructions:
Run `sudo pro fix CVE-2016-9812` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-gst-plugins-bad-1.0 - 1.10.2-1ubuntu1
gstreamer1.0-opencv - 1.10.2-1ubuntu1
gstreamer1.0-plugins-bad - 1.10.2-1ubuntu1
gstreamer1.0-plugins-bad-apps - 1.10.2-1ubuntu1
libgstreamer-opencv1.0-0 - 1.10.2-1ubuntu1
libgstreamer-plugins-bad1.0-0 - 1.10.2-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-01-13 16:59:00 UTC
Hanno Böck
https://bugzilla.gnome.org/show_bug.cgi?id=775048
CVE-2016-9812
CVE-2016-9813 on Ubuntu 26.04 LTS (resolute) - low
The _parse_pat function in the mpegts parser in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file.
Update Instructions:
Run `sudo pro fix CVE-2016-9813` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-gst-plugins-bad-1.0 - 1.10.2-1ubuntu1
gstreamer1.0-opencv - 1.10.2-1ubuntu1
gstreamer1.0-plugins-bad - 1.10.2-1ubuntu1
gstreamer1.0-plugins-bad-apps - 1.10.2-1ubuntu1
libgstreamer-opencv1.0-0 - 1.10.2-1ubuntu1
libgstreamer-plugins-bad1.0-0 - 1.10.2-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-01-13 16:59:00 UTC
Hanno Böck
https://bugzilla.gnome.org/show_bug.cgi?id=775120
CVE-2016-9813
CVE-2016-9840 on Ubuntu 26.04 LTS (resolute) - low
inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
Update Instructions:
Run `sudo pro fix CVE-2016-9840` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
rsync - 3.1.3-6
No subscription required
klibc-utils - 2.0.13-4ubuntu1
libklibc - 2.0.13-4ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-05-23 04:29:00 UTC
2017-05-23 04:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847270
https://bugs.launchpad.net/ubuntu/+source/zsync/+bug/2111106 (zync)
[https://ubuntu.com/security/notices/USN-4246-1]
[https://ubuntu.com/security/notices/USN-4292-1]
[https://ubuntu.com/security/notices/USN-6736-1]
[https://ubuntu.com/security/notices/USN-6736-2]
CVE-2016-9840
CVE-2016-9841 on Ubuntu 26.04 LTS (resolute) - low
inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
Update Instructions:
Run `sudo pro fix CVE-2016-9841` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
rsync - 3.1.3-6
No subscription required
klibc-utils - 2.0.13-4ubuntu1
libklibc - 2.0.13-4ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-05-23 04:29:00 UTC
2017-05-23 04:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847270
https://bugs.launchpad.net/ubuntu/+source/zsync/+bug/2111106 (zync)
[https://ubuntu.com/security/notices/USN-4246-1]
[https://ubuntu.com/security/notices/USN-4292-1]
[https://ubuntu.com/security/notices/USN-6736-1]
[https://ubuntu.com/security/notices/USN-6736-2]
CVE-2016-9841
CVE-2016-9842 on Ubuntu 26.04 LTS (resolute) - low
The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.
Update Instructions:
Run `sudo pro fix CVE-2016-9842` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
rsync - 3.1.3-6
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-05-23 04:29:00 UTC
2017-05-23 04:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847274
https://bugs.launchpad.net/ubuntu/+source/zsync/+bug/2111106 (zync)
[https://ubuntu.com/security/notices/USN-4246-1]
[https://ubuntu.com/security/notices/USN-4292-1]
CVE-2016-9842
CVE-2016-9843 on Ubuntu 26.04 LTS (resolute) - low
The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.
Update Instructions:
Run `sudo pro fix CVE-2016-9843` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
rsync - 3.1.3-6
No subscription required
klibc-utils - 2.0.14-1ubuntu2
libklibc - 2.0.14-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-05-23 04:29:00 UTC
2017-05-23 04:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847275
https://bugs.launchpad.net/ubuntu/+source/zsync/+bug/2111106 (zync)
[https://ubuntu.com/security/notices/USN-4246-1]
[https://ubuntu.com/security/notices/USN-4292-1]
[https://ubuntu.com/security/notices/USN-7959-1]
CVE-2016-9843
CVE-2016-9917 on Ubuntu 26.04 LTS (resolute) - negligible
In BlueZ 5.42, a buffer overflow was observed in "read_n" function in "tools/hcidump.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2016 Canonical Ltd.
2016-12-08 08:59:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847837
CVE-2016-9917
CVE-2016-9918 on Ubuntu 26.04 LTS (resolute) - negligible
In BlueZ 5.42, an out-of-bounds read was identified in "packet_hexdump" function in "monitor/packet.c" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2016 Canonical Ltd.
2016-12-08 08:59:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847837
CVE-2016-9918
CVE-2017-0537 on Ubuntu 26.04 LTS (resolute) - low
An information disclosure vulnerability in the kernel USB gadget driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-31614969.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-03-08 01:59:00 UTC
Alexander Potapenko
CVE-2017-0537
CVE-2017-0899 on Ubuntu 26.04 LTS (resolute) - negligible
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2017 Canonical Ltd.
2017-08-31
2017-08-31
Yusuke Endoh
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873802
[https://ubuntu.com/security/notices/USN-3439-1]
[https://ubuntu.com/security/notices/USN-3685-1]
CVE-2017-0899
CVE-2017-0900 on Ubuntu 26.04 LTS (resolute) - negligible
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2017 Canonical Ltd.
2017-08-31
2017-08-31
Yusuke Endoh
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873802
[https://ubuntu.com/security/notices/USN-3439-1]
[https://ubuntu.com/security/notices/USN-3685-1]
CVE-2017-0900
CVE-2017-0901 on Ubuntu 26.04 LTS (resolute) - medium
RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-08-31
2017-08-31
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873802
[https://ubuntu.com/security/notices/USN-3439-1]
[https://ubuntu.com/security/notices/USN-3553-1]
[https://ubuntu.com/security/notices/USN-3685-1]
CVE-2017-0901
CVE-2017-0902 on Ubuntu 26.04 LTS (resolute) - medium
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-08-31
2017-08-31
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873802
[https://ubuntu.com/security/notices/USN-3553-1]
[https://ubuntu.com/security/notices/USN-3685-1]
CVE-2017-0902
CVE-2017-1000025 on Ubuntu 26.04 LTS (resolute) - medium
GNOME Web (Epiphany) 3.23 before 3.23.5, 3.22 before 3.22.6, 3.20 before 3.20.7, 3.18 before 3.18.11, and prior versions, is vulnerable to a password manager sweep attack resulting in the remote exfiltration of stored passwords for a selected set of websites.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-07-17 13:18:00 UTC
CVE-2017-1000025
CVE-2017-1000047 on Ubuntu 26.04 LTS (resolute) - low
rbenv (all current versions) is vulnerable to Directory Traversal in the specification of Ruby version resulting in arbitrary code execution
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-07-17 13:18:00 UTC
https://github.com/rbenv/rbenv/issues/977
CVE-2017-1000047
CVE-2017-11189 on Ubuntu 26.04 LTS (resolute) - low
unrarlib.c in unrar-free 0.0.1 might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash), which could be relevant if unrarlib is used as library code for a long-running application. NOTE: one of the several test cases in the references may be the same as what was separately reported as CVE-2017-14121.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-07-12 16:29:00 UTC
CVE-2017-11189
CVE-2017-11331 on Ubuntu 26.04 LTS (resolute) - low
The wav_open function in oggenc/audio.c in Xiph.Org vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (memory allocation error) via a crafted wav file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-07-31 13:29:00 UTC
CVE-2017-11331
CVE-2017-11548 on Ubuntu 26.04 LTS (resolute) - low
The _tokenize_matrix function in audio_out.c in Xiph.Org libao 1.2.0 allows remote attackers to cause a denial of service (memory corruption) via a crafted MP3 file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-07-31 13:29:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870608
CVE-2017-11548
CVE-2017-11549 on Ubuntu 26.04 LTS (resolute) - medium
The play_midi function in playmidi.c in TiMidity++ 2.14.0 allows remote attackers to cause a denial of service (large loop and CPU consumption) via a crafted mid file. NOTE: CPU consumption might be relevant when using the --background option.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-07-31 13:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870338
CVE-2017-11549
CVE-2017-11570 on Ubuntu 26.04 LTS (resolute) - low
FontForge 20161012 is vulnerable to a buffer over-read in umodenc (parsettf.c) resulting in DoS or code execution via a crafted otf file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-07-23 22:29:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873587
CVE-2017-11570
CVE-2017-11573 on Ubuntu 26.04 LTS (resolute) - low
FontForge 20161012 is vulnerable to a buffer over-read in ValidatePostScriptFontName (parsettf.c) resulting in DoS or code execution via a crafted otf file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-07-23 22:29:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873588
CVE-2017-11573
CVE-2017-11654 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read and write flaw was found in the way SIPcrack 0.2 processed SIP traffic, because 0x00 termination of a payload array was mishandled. A remote attacker could potentially use this flaw to crash the sipdump process by generating specially crafted SIP traffic.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-07-26 14:29:00 UTC
Dhiru Kholia
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869803
CVE-2017-11654
CVE-2017-11655 on Ubuntu 26.04 LTS (resolute) - medium
A memory leak was found in the way SIPcrack 0.2 handled processing of SIP traffic, because a lines array was mismanaged. A remote attacker could potentially use this flaw to crash long-running sipdump network sniffing sessions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-07-26 14:29:00 UTC
Dhiru Kholia
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869803
CVE-2017-11655
CVE-2017-11671 on Ubuntu 26.04 LTS (resolute) - low
Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-07-26 21:29:00 UTC
2017-07-26 21:29:00 UTC
Todd Eisenberger
[https://ubuntu.com/security/notices/USN-5770-1]
CVE-2017-11671
CVE-2017-12143 on Ubuntu 26.04 LTS (resolute) - negligible
In libquicktime 1.2.4, an allocation failure was found in the function quicktime_read_info in lqt_quicktime.c, which allows attackers to cause a denial of service via a crafted file.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2017 Canonical Ltd.
2017-08-02 05:29:00 UTC
CVE-2017-12143
CVE-2017-12145 on Ubuntu 26.04 LTS (resolute) - negligible
In libquicktime 1.2.4, an allocation failure was found in the function quicktime_read_ftyp in ftyp.c, which allows attackers to cause a denial of service via a crafted file.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2017 Canonical Ltd.
2017-08-02 05:29:00 UTC
CVE-2017-12145
CVE-2017-12165 on Ubuntu 26.04 LTS (resolute) - medium
It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-27 15:29:00 UTC
CVE-2017-12165
CVE-2017-12169 on Ubuntu 26.04 LTS (resolute) - low
It was found that FreeIPA 4.2.0 and later could disclose password hashes to users having the 'System: Read Stage Users' permission. A remote, authenticated attacker could potentially use this flaw to disclose the password hashes belonging to Stage Users. This security issue does not result in disclosure of password hashes belonging to active standard users. NOTE: some developers feel that this report is a suggestion for a design change to Stage User activation, not a statement of a vulnerability.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-01-10 15:29:00 UTC
CVE-2017-12169
CVE-2017-12194 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the way spice-client processed certain messages sent from the server. An attacker, having control of malicious spice-server, could use this flaw to crash the client or execute arbitrary code with permissions of the user running the client. spice-gtk versions through 0.34 are believed to be vulnerable.
Update Instructions:
Run `sudo pro fix CVE-2017-12194` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libspice-server1 - 0.14.0-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-03-14
2018-03-14
Frediano Ziglio
https://bugzilla.redhat.com/show_bug.cgi?id=1501200
https://bugzilla.redhat.com/show_bug.cgi?id=1240165
[https://ubuntu.com/security/notices/USN-3659-1]
CVE-2017-12194
CVE-2017-12441 on Ubuntu 26.04 LTS (resolute) - medium
The row_is_empty function in base/4bitmap.c:274 in minidjvu 0.8 can cause a denial of service (invalid memory read and application crash) via a crafted djvu file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-08-17 16:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871495
CVE-2017-12441
CVE-2017-12442 on Ubuntu 26.04 LTS (resolute) - medium
The row_is_empty function in base/4bitmap.c:272 in minidjvu 0.8 can cause a denial of service (invalid memory read and application crash) via a crafted djvu file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-08-17 16:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871495
CVE-2017-12442
CVE-2017-12443 on Ubuntu 26.04 LTS (resolute) - medium
The mdjvu_bitmap_pack_row function in base/4bitmap.c in minidjvu 0.8 can cause a denial of service (invalid memory read and application crash) via a crafted djvu file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-08-17 16:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871495
CVE-2017-12443
CVE-2017-12444 on Ubuntu 26.04 LTS (resolute) - medium
The mdjvu_bitmap_get_bounding_box function in base/4bitmap.c in minidjvu 0.8 can cause a denial of service (invalid memory read and application crash) via a crafted djvu file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-08-17 16:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871495
CVE-2017-12444
CVE-2017-12445 on Ubuntu 26.04 LTS (resolute) - medium
The JB2BitmapCoder::code_row_by_refinement function in jb2/bmpcoder.cpp in minidjvu 0.8 can cause a denial of service (invalid memory read and application crash) via a crafted djvu file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-08-17 16:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871495
CVE-2017-12445
CVE-2017-12474 on Ubuntu 26.04 LTS (resolute) - medium
The AP4_AtomSampleTable::GetSample function in Core/Ap4AtomSampleTable.cpp in Bento4 mp42ts before 1.5.0-616 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted mp4 file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-06 08:29:00 UTC
CVE-2017-12474
CVE-2017-12475 on Ubuntu 26.04 LTS (resolute) - medium
The AP4_Processor::Process function in Core/Ap4Processor.cpp in Bento4 mp4encrypt before 1.5.0-616 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted mp4 file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-06 08:29:00 UTC
CVE-2017-12475
CVE-2017-12476 on Ubuntu 26.04 LTS (resolute) - medium
The AP4_AvccAtom::InspectFields function in Core/Ap4AvccAtom.cpp in Bento4 mp4dump before 1.5.0-616 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted mp4 file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-06 08:29:00 UTC
CVE-2017-12476
CVE-2017-12481 on Ubuntu 26.04 LTS (resolute) - medium
The find_option function in option.cc in Ledger 3.1.1 allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.
Update Instructions:
Run `sudo pro fix CVE-2017-12481` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ledger - 3.1.2+dfsg1-1
python3-ledger - 3.1.2+dfsg1-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-08-04 19:29:00 UTC
Gwan Yeong Kim
CVE-2017-12481
CVE-2017-12482 on Ubuntu 26.04 LTS (resolute) - medium
The ledger::parse_date_mask_routine function in times.cc in Ledger 3.1.1 allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.
Update Instructions:
Run `sudo pro fix CVE-2017-12482` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ledger - 3.1.2+dfsg1-1
python3-ledger - 3.1.2+dfsg1-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-08-04 19:29:00 UTC
Gwan Yeong Kim
CVE-2017-12482
CVE-2017-13165 on Ubuntu 26.04 LTS (resolute) - negligible
An elevation of privilege vulnerability in the kernel file system. Product: Android. Versions: Android kernel. Android ID A-31269937.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2017 Canonical Ltd.
2017-12-06 14:29:00 UTC
CVE-2017-13165
CVE-2017-13693 on Ubuntu 26.04 LTS (resolute) - negligible
The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2017 Canonical Ltd.
2017-08-25 08:29:00 UTC
Seunghun Han
CVE-2017-13693
CVE-2017-13694 on Ubuntu 26.04 LTS (resolute) - negligible
The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2017 Canonical Ltd.
2017-08-25 08:29:00 UTC
Seunghun Han
CVE-2017-13694
CVE-2017-13716 on Ubuntu 26.04 LTS (resolute) - low
The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-08-28 21:29:00 UTC
Adhokshaj Mishra
https://sourceware.org/bugzilla/show_bug.cgi?id=22009
CVE-2017-13716
CVE-2017-13735 on Ubuntu 26.04 LTS (resolute) - medium
There is a floating point exception in the kodak_radc_load_raw function in dcraw_common.cpp in LibRaw 0.18.2. It will lead to a remote denial of service attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-08-29
2017-08-29
https://github.com/LibRaw/LibRaw/issues/96
https://bugzilla.redhat.com/show_bug.cgi?id=1483988
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874729
[https://ubuntu.com/security/notices/USN-3492-1]
CVE-2017-13735
CVE-2017-13736 on Ubuntu 26.04 LTS (resolute) - low
There are lots of memory leaks in the GMCommand function in magick/command.c in GraphicsMagick 1.3.26 that will lead to a remote denial of service attack.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-08-29 06:29:00 UTC
CVE-2017-13736
CVE-2017-14108 on Ubuntu 26.04 LTS (resolute) - negligible
libgedit.a in GNOME gedit through 3.22.1 allows remote attackers to cause a denial of service (CPU consumption) via a file that begins with many '\0' characters.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2017 Canonical Ltd.
2017-09-05 06:29:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875311
CVE-2017-14108
CVE-2017-14158 on Ubuntu 26.04 LTS (resolute) - low
Scrapy 1.4 allows remote attackers to cause a denial of service (memory consumption) via large files because arbitrarily many files are read into memory, which is especially problematic if the files are then individually written in a separate thread to a slow storage resource, as demonstrated by interaction between dataReceived (in core/downloader/handlers/http11.py) and S3FilesStore.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-09-05 17:29:00 UTC
Mikhail Korobov
CVE-2017-14158
CVE-2017-14257 on Ubuntu 26.04 LTS (resolute) - medium
In the SDK in Bento4 1.5.0-616, AP4_AtomSampleTable::GetSample in Core/Ap4AtomSampleTable.cpp contains a Read Memory Access Violation vulnerability. It is possible to exploit this vulnerability by opening a crafted .MP4 file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-11 09:29:00 UTC
CVE-2017-14257
CVE-2017-14258 on Ubuntu 26.04 LTS (resolute) - medium
In the SDK in Bento4 1.5.0-616, SetItemCount in Core/Ap4StscAtom.h file contains a Write Memory Access Violation vulnerability. It is possible to exploit this vulnerability and possibly execute arbitrary code by opening a crafted .MP4 file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-11 09:29:00 UTC
CVE-2017-14258
CVE-2017-14259 on Ubuntu 26.04 LTS (resolute) - medium
In the SDK in Bento4 1.5.0-616, the AP4_StscAtom class in Ap4StscAtom.cpp contains a Write Memory Access Violation vulnerability. It is possible to exploit this vulnerability and possibly execute arbitrary code by opening a crafted .MP4 file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-11 09:29:00 UTC
CVE-2017-14259
CVE-2017-14260 on Ubuntu 26.04 LTS (resolute) - medium
In the SDK in Bento4 1.5.0-616, the AP4_StssAtom class in Ap4StssAtom.cpp contains a Write Memory Access Violation vulnerability. It is possible to exploit this vulnerability and possibly execute arbitrary code by opening a crafted .MP4 file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-11 09:29:00 UTC
CVE-2017-14260
CVE-2017-14261 on Ubuntu 26.04 LTS (resolute) - medium
In the SDK in Bento4 1.5.0-616, the AP4_StszAtom class in Ap4StszAtom.cpp file contains a Read Memory Access Violation vulnerability. It is possible to exploit this vulnerability by opening a crafted .MP4 file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-11 09:29:00 UTC
CVE-2017-14261
CVE-2017-14265 on Ubuntu 26.04 LTS (resolute) - medium
A Stack-based Buffer Overflow was discovered in xtrans_interpolate in internal/dcraw_common.cpp in LibRaw before 0.18.3. It could allow a remote denial of service or code execution attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-11
2017-09-11
https://github.com/LibRaw/LibRaw/issues/99
[https://ubuntu.com/security/notices/USN-3492-1]
CVE-2017-14265
CVE-2017-14348 on Ubuntu 26.04 LTS (resolute) - medium
LibRaw before 0.18.4 has a heap-based Buffer Overflow in the processCanonCameraInfo function via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-12
2017-09-12
Henri Salo
https://github.com/LibRaw/LibRaw/issues/100
[https://ubuntu.com/security/notices/USN-3492-1]
CVE-2017-14348
CVE-2017-14608 on Ubuntu 26.04 LTS (resolute) - medium
In LibRaw through 0.18.4, an out of bounds read flaw related to kodak_65000_load_raw has been reported in dcraw/dcraw.c and internal/dcraw_common.cpp. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-20
2017-09-20
https://github.com/LibRaw/LibRaw/issues/101
[https://ubuntu.com/security/notices/USN-3492-1]
CVE-2017-14608
CVE-2017-14609 on Ubuntu 26.04 LTS (resolute) - low
The server daemons in Kannel 1.5.0 and earlier create a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill `cat /pathname`" command, as demonstrated by bearerbox.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-09-20 18:29:00 UTC
CVE-2017-14609
CVE-2017-14638 on Ubuntu 26.04 LTS (resolute) - medium
AP4_AtomFactory::CreateAtomFromStream in Core/Ap4AtomFactory.cpp in Bento4 version 1.5.0-617 has missing NULL checks, leading to a NULL pointer dereference, segmentation fault, and application crash in AP4_Atom::SetType in Core/Ap4Atom.h.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-21 17:29:00 UTC
CVE-2017-14638
CVE-2017-14639 on Ubuntu 26.04 LTS (resolute) - medium
AP4_VisualSampleEntry::ReadFields in Core/Ap4SampleEntry.cpp in Bento4 1.5.0-617 uses incorrect character data types, which causes a stack-based buffer underflow and out-of-bounds write, leading to denial of service (application crash) or possibly unspecified other impact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-21 17:29:00 UTC
CVE-2017-14639
CVE-2017-14640 on Ubuntu 26.04 LTS (resolute) - medium
A NULL pointer dereference was discovered in AP4_AtomSampleTable::GetSample in Core/Ap4AtomSampleTable.cpp in Bento4 version 1.5.0-617. The vulnerability causes a segmentation fault and application crash, which leads to remote denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-21 17:29:00 UTC
CVE-2017-14640
CVE-2017-14641 on Ubuntu 26.04 LTS (resolute) - medium
A NULL pointer dereference was discovered in the AP4_DataAtom class in MetaData/Ap4MetaData.cpp in Bento4 version 1.5.0-617. The vulnerability causes a segmentation fault and application crash, which leads to remote denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-21 17:29:00 UTC
CVE-2017-14641
CVE-2017-14642 on Ubuntu 26.04 LTS (resolute) - medium
A NULL pointer dereference was discovered in the AP4_HdlrAtom class in Bento4 version 1.5.0-617. The vulnerability causes a segmentation fault and application crash in AP4_StdcFileByteStream::ReadPartial in System/StdC/Ap4StdCFileByteStream.cpp, which leads to remote denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-21 17:29:00 UTC
CVE-2017-14642
CVE-2017-14643 on Ubuntu 26.04 LTS (resolute) - medium
The AP4_HdlrAtom class in Core/Ap4HdlrAtom.cpp in Bento4 version 1.5.0-617 uses an incorrect character data type, leading to a heap-based buffer over-read and application crash in AP4_BytesToUInt32BE in Core/Ap4Utils.h.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-21 17:29:00 UTC
CVE-2017-14643
CVE-2017-14644 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow was discovered in the AP4_HdlrAtom class in Bento4 1.5.0-617. The vulnerability causes an out-of-bounds write, which leads to remote denial of service or possibly code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-21 17:29:00 UTC
CVE-2017-14644
CVE-2017-14645 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer over-read was discovered in AP4_BitStream::ReadBytes in Codecs/Ap4BitStream.cpp in Bento4 version 1.5.0-617. The vulnerability causes an application crash, which leads to remote denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-21 17:29:00 UTC
CVE-2017-14645
CVE-2017-14646 on Ubuntu 26.04 LTS (resolute) - medium
The AP4_AvccAtom and AP4_HvccAtom classes in Bento4 version 1.5.0-617 do not properly validate data sizes, leading to a heap-based buffer over-read and application crash in AP4_DataBuffer::SetData in Core/Ap4DataBuffer.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-21 17:29:00 UTC
CVE-2017-14646
CVE-2017-14647 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow was discovered in AP4_VisualSampleEntry::ReadFields in Core/Ap4SampleEntry.cpp in Bento4 1.5.0-617. The vulnerability causes an out-of-bounds write, which leads to remote denial of service or possibly code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-21 17:29:00 UTC
CVE-2017-14647
CVE-2017-14735 on Ubuntu 26.04 LTS (resolute) - medium
OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of &colon; to construct a javascript: URL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-25 21:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014981
CVE-2017-14735
CVE-2017-15108 on Ubuntu 26.04 LTS (resolute) - medium
spice-vdagent up to and including 0.17.0 does not properly escape save directory before passing to shell, allowing local attacker with access to the session the agent runs in to inject arbitrary commands to be executed.
Update Instructions:
Run `sudo pro fix CVE-2017-15108` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
spice-vdagent - 0.17.0-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-01-20 00:29:00 UTC
Seth Arnold
https://bugzilla.redhat.com/show_bug.cgi?id=1510864
CVE-2017-15108
CVE-2017-15134 on Ubuntu 26.04 LTS (resolute) - medium
A stack buffer overflow flaw was found in the way 389-ds-base 1.3.6.x before 1.3.6.13, 1.3.7.x before 1.3.7.9, 1.4.x before 1.4.0.5 handled certain LDAP search filters. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-03-01 22:29:00 UTC
CVE-2017-15134
CVE-2017-15139 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants.
Update Instructions:
Run `sudo pro fix CVE-2017-15139` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
cinder-api - 2:13.0.0~rc1-0ubuntu2
cinder-backup - 2:13.0.0~rc1-0ubuntu2
cinder-common - 2:13.0.0~rc1-0ubuntu2
cinder-scheduler - 2:13.0.0~rc1-0ubuntu2
cinder-volume - 2:13.0.0~rc1-0ubuntu2
python3-cinder - 2:13.0.0~rc1-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-08-27 17:29:00 UTC
https://bugs.launchpad.net/ossn/+bug/1699573
CVE-2017-15139
CVE-2017-16909 on Ubuntu 26.04 LTS (resolute) - low
An error related to the "LibRaw::panasonic_load_raw()" function (dcraw_common.cpp) in LibRaw versions prior to 0.18.6 can be exploited to cause a heap-based buffer overflow and subsequently cause a crash via a specially crafted TIFF image.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-12-13
2017-12-13
[https://ubuntu.com/security/notices/USN-3615-1]
CVE-2017-16909
CVE-2017-16910 on Ubuntu 26.04 LTS (resolute) - low
An error within the "LibRaw::xtrans_interpolate()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.6 can be exploited to cause an invalid read memory access and subsequently a Denial of Service condition.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-12-13
2017-12-13
[https://ubuntu.com/security/notices/USN-3615-1]
CVE-2017-16910
CVE-2017-17081 on Ubuntu 26.04 LTS (resolute) - low
The gmc_mmx function in libavcodec/x86/mpegvideodsp.c in FFmpeg 2.3 and 3.4 does not properly validate widths and heights, which allows remote attackers to cause a denial of service (integer signedness error and out-of-array read) via a crafted MPEG file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-11-30 21:29:00 UTC
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3516#c1
CVE-2017-17081
CVE-2017-17513 on Ubuntu 26.04 LTS (resolute) - negligible
TeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to linked_scripts/context/stubs/unix/mtxrun, texmf-dist/scripts/context/stubs/mswin/mtxrun.lua, and texmf-dist/tex/luatex/lualibs/lualibs-os.lua.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2017 Canonical Ltd.
2017-12-14 16:29:00 UTC
CVE-2017-17513
CVE-2017-17519 on Ubuntu 26.04 LTS (resolute) - medium
batteriesConfig.mlp in OCaml Batteries Included (aka ocaml-batteries) 2.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-12-14 16:29:00 UTC
CVE-2017-17519
CVE-2017-17521 on Ubuntu 26.04 LTS (resolute) - low
uiutil.c in FontForge through 20170731 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, a different vulnerability than CVE-2017-17534.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-12-14 16:29:00 UTC
CVE-2017-17521
CVE-2017-17524 on Ubuntu 26.04 LTS (resolute) - medium
library/www_browser.pl in SWI-Prolog 7.2.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-12-14 16:29:00 UTC
CVE-2017-17524
CVE-2017-17526 on Ubuntu 26.04 LTS (resolute) - medium
Input.cc in Bernard Parisse Giac 1.2.3.57 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-12-14 16:29:00 UTC
CVE-2017-17526
CVE-2017-17528 on Ubuntu 26.04 LTS (resolute) - medium
backends/platform/sdl/posix/posix.cpp in ScummVM 1.9.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-12-14 16:29:00 UTC
CVE-2017-17528
CVE-2017-17529 on Ubuntu 26.04 LTS (resolute) - negligible
af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2017 Canonical Ltd.
2017-12-14 16:29:00 UTC
CVE-2017-17529
CVE-2017-17532 on Ubuntu 26.04 LTS (resolute) - negligible
examples/framework/news/news3.py in Kiwi 1.9.22 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2017 Canonical Ltd.
2017-12-14 16:29:00 UTC
CVE-2017-17532
CVE-2017-17535 on Ubuntu 26.04 LTS (resolute) - medium
lib/gui.py in Bob Hepple gjots2 2.4.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-12-14 16:29:00 UTC
CVE-2017-17535
CVE-2017-17742 on Ubuntu 26.04 LTS (resolute) - medium
Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-03
2018-04-03
[https://ubuntu.com/security/notices/USN-3685-1]
CVE-2017-17742
CVE-2017-18641 on Ubuntu 26.04 LTS (resolute) - medium
In LXC 2.0, many template scripts download code over cleartext HTTP, and omit a digital-signature check, before running it to bootstrap containers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-02-10 01:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1661447
CVE-2017-18641
CVE-2017-18869 on Ubuntu 26.04 LTS (resolute) - medium
A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-15 15:15:00 UTC
CVE-2017-18869
CVE-2017-18922 on Ubuntu 26.04 LTS (resolute) - medium
It was discovered that websockets.c in LibVNCServer prior to 0.9.12 did not properly decode certain WebSocket frames. A malicious attacker could exploit this by sending specially crafted WebSocket frames to a server, causing a heap-based buffer overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-30 11:15:00 UTC
2020-06-30 11:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1852356
[https://ubuntu.com/security/notices/USN-4407-1]
CVE-2017-18922
CVE-2017-20147 on Ubuntu 26.04 LTS (resolute) - medium
In the ebuild package through smokeping-2.7.3-r1 for SmokePing on Gentoo, the initscript uses a PID file that is writable by the smokeping user. By writing arbitrary PIDs to that file, the smokeping user can cause a denial of service to arbitrary PIDs when the service is stopped.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-20 18:15:00 UTC
CVE-2017-20147
CVE-2017-20148 on Ubuntu 26.04 LTS (resolute) - low
In the ebuild package through logcheck-1.3.23.ebuild for Logcheck on Gentoo, it is possible to achieve root privilege escalation from the logcheck user because of insecure recursive chown calls.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-20 18:15:00 UTC
https://bugs.gentoo.org/630752
CVE-2017-20148
CVE-2017-20151 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic was found in iText RUPS. This vulnerability affects unknown code of the file src/main/java/com/itextpdf/rups/model/XfaFile.java. The manipulation leads to xml external entity reference. The patch is identified as ac5590925874ef810018a6b60fec216eee54fb32. It is recommended to apply a patch to fix this issue. VDB-217054 is the identifier assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-30 12:15:00 UTC
CVE-2017-20151
CVE-2017-20162 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The patch is named caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-05 12:15:00 UTC
CVE-2017-20162
CVE-2017-2591 on Ubuntu 26.04 LTS (resolute) - medium
389-ds-base before version 1.3.6 is vulnerable to an improperly NULL terminated array in the uniqueness_entry_to_config() function in the "attribute uniqueness" plugin of 389 Directory Server. An authenticated, or possibly unauthenticated, attacker could use this flaw to force an out-of-bound heap memory read, possibly triggering a crash of the LDAP service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-30 12:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851769
CVE-2017-2591
CVE-2017-2622 on Ubuntu 26.04 LTS (resolute) - medium
An accessibility flaw was found in the OpenStack Workflow (mistral) service where a service log directory was improperly made world readable. A malicious system user could exploit this flaw to access sensitive information.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-27 13:29:00 UTC
CVE-2017-2622
CVE-2017-2668 on Ubuntu 26.04 LTS (resolute) - medium
389-ds-base before versions 1.3.5.17 and 1.3.6.10 is vulnerable to an invalid pointer dereference in the way LDAP bind requests are handled. A remote unauthenticated attacker could use this flaw to make ns-slapd crash via a specially crafted LDAP bind request, resulting in denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-22 13:29:00 UTC
Joachim Jabs
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860125
CVE-2017-2668
CVE-2017-2807 on Ubuntu 26.04 LTS (resolute) - medium
An exploitable buffer overflow vulnerability exists in the tag parsing functionality of Ledger-CLI 3.1.1. A specially crafted journal file can cause an integer underflow resulting in code execution. An attacker can construct a malicious journal file to trigger this vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2017-2807` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ledger - 3.1.2+dfsg1-1
python3-ledger - 3.1.2+dfsg1-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-05 18:29:00 UTC
CVE-2017-2807
CVE-2017-2808 on Ubuntu 26.04 LTS (resolute) - medium
An exploitable use-after-free vulnerability exists in the account parsing component of the Ledger-CLI 3.1.1. A specially crafted ledger file can cause a use-after-free vulnerability resulting in arbitrary code execution. An attacker can convince a user to load a journal file to trigger this vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2017-2808` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ledger - 3.1.2+dfsg1-1
python3-ledger - 3.1.2+dfsg1-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-09-05 18:29:00 UTC
Cory Duplantis
CVE-2017-2808
CVE-2017-2910 on Ubuntu 26.04 LTS (resolute) - medium
An exploitable Out-of-bounds Write vulnerability exists in the xls_addCell function of libxls 2.0. A specially crafted xls file can cause a memory corruption resulting in remote code execution. An attacker can send malicious xls file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-02 18:15:00 UTC
CVE-2017-2910
CVE-2017-3164 on Ubuntu 26.04 LTS (resolute) - low
Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-03-08 21:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922242
CVE-2017-3164
CVE-2017-3204 on Ubuntu 26.04 LTS (resolute) - low
The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-04-04 14:59:00 UTC
Phil Pennock
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859655
https://github.com/golang/go/issues/19767
CVE-2017-3204
CVE-2017-5630 on Ubuntu 26.04 LTS (resolute) - negligible
PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2017 Canonical Ltd.
2017-02-01 23:59:00 UTC
http://pear.php.net/bugs/bug.php?id=21171
CVE-2017-5630
CVE-2017-5665 on Ubuntu 26.04 LTS (resolute) - low
The splt_cue_export_to_file function in cue.c in libmp3splt 0.9.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-03-01 15:59:00 UTC
Agostino Sarubbo
CVE-2017-5665
CVE-2017-5666 on Ubuntu 26.04 LTS (resolute) - medium
The free_options function in options_manager.c in mp3splt 2.6.2 allows remote attackers to cause a denial of service (invalid free and crash) via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-03-01 15:59:00 UTC
Agostino Sarubbo
CVE-2017-5666
CVE-2017-5851 on Ubuntu 26.04 LTS (resolute) - low
The free_options function in options_manager.c in mp3splt 2.6.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file. NOTE: this typically has no risk; this crash of this command-line program has no further consequences for availability.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-03-01 15:59:00 UTC
Agostino Sarubbo
CVE-2017-5851
CVE-2017-5982 on Ubuntu 26.04 LTS (resolute) - medium
Directory traversal vulnerability in the Chorus2 2.4.2 add-on for Kodi allows remote attackers to read arbitrary files via a %2E%2E%252e (encoded dot dot slash) in the image path, as demonstrated by image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-02-28 18:59:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855225
CVE-2017-5982
CVE-2017-6514 on Ubuntu 26.04 LTS (resolute) - low
WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-05-22 18:29:00 UTC
CVE-2017-6514
CVE-2017-6886 on Ubuntu 26.04 LTS (resolute) - low
An error within the "parse_tiff_ifd()" function (internal/dcraw_common.cpp) in LibRaw versions before 0.18.2 can be exploited to corrupt memory.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-05-16
2017-05-16
Jakub Jirasek
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864183
[https://ubuntu.com/security/notices/USN-3492-1]
CVE-2017-6886
CVE-2017-6887 on Ubuntu 26.04 LTS (resolute) - low
A boundary error within the "parse_tiff_ifd()" function (internal/dcraw_common.cpp) in LibRaw versions before 0.18.2 can be exploited to cause a memory corruption via e.g. a specially crafted KDC file with model set to "DSLR-A100" and containing multiple sequences of 0x100 and 0x14A TAGs.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-05-16
2017-05-16
Jakub Jirasek
[https://ubuntu.com/security/notices/USN-3492-1]
CVE-2017-6887
CVE-2017-6888 on Ubuntu 26.04 LTS (resolute) - low
An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-04-25 21:29:00 UTC
2018-04-25 21:29:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897015
[https://ubuntu.com/security/notices/USN-5733-1]
CVE-2017-6888
CVE-2017-6961 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in apng2gif 1.7. There is improper sanitization of user input causing huge memory allocations, resulting in a crash. This is related to the read_chunk function using the pChunk->size value (within the PNG file) to determine the amount of memory to allocate.
Update Instructions:
Run `sudo pro fix CVE-2017-6961` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apng2gif - 1.8-0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-03-17 09:59:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854441
CVE-2017-6961
CVE-2017-6962 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in apng2gif 1.7. There is an integer overflow resulting in a heap-based buffer overflow. This is related to the read_chunk function making an unchecked addition of 12.
Update Instructions:
Run `sudo pro fix CVE-2017-6962` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apng2gif - 1.8-0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-03-17 09:59:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854447
CVE-2017-6962
CVE-2017-7475 on Ubuntu 26.04 LTS (resolute) - low
Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-05-19 20:29:00 UTC
Jiaqi Peng and Bingchang Liu
https://gitlab.freedesktop.org/cairo/cairo/issues/80 (main bug)
https://bugs.freedesktop.org/show_bug.cgi?id=100763
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870264
CVE-2017-7475
CVE-2017-7551 on Ubuntu 26.04 LTS (resolute) - medium
389-ds-base version before 1.3.5.19 and 1.3.6.7 are vulnerable to password brute-force attacks during account lockout due to different return codes returned on password attempts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-08-16 18:29:00 UTC
CVE-2017-7551
CVE-2017-7938 on Ubuntu 26.04 LTS (resolute) - medium
Stack-based buffer overflow in DMitry (Deepmagic Information Gathering Tool) version 1.3a (Unix) allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long argument. An example threat model is automated execution of DMitry with hostname strings found in local log files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-04-20 14:59:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070370
CVE-2017-7938
CVE-2017-9233 on Ubuntu 26.04 LTS (resolute) - medium
XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2017 Canonical Ltd.
2017-06-21
2017-06-21
[https://ubuntu.com/security/notices/USN-3356-1]
[https://ubuntu.com/security/notices/USN-3356-2]
[https://ubuntu.com/security/notices/USN-4825-1]
CVE-2017-9233
CVE-2017-9268 on Ubuntu 26.04 LTS (resolute) - medium
In the open build service before 201707022 the wipetrigger and rebuild actions checked the wrong project for permissions, allowing authenticated users to cause operations on projects where they did not have permissions leading to denial of service (resource consumption).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-03-01 20:29:00 UTC
CVE-2017-9268
CVE-2017-9271 on Ubuntu 26.04 LTS (resolute) - medium
The commandline package update tool zypper writes HTTP proxy credentials into its logfile, allowing local attackers to gain access to proxies used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-03-01 20:29:00 UTC
CVE-2017-9271
CVE-2017-9430 on Ubuntu 26.04 LTS (resolute) - low
Stack-based buffer overflow in dnstracer through 1.9 allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a command line with a long name argument that is mishandled in a strcpy call for argv[0]. An example threat model is a web application that launches dnstracer with an untrusted name string.
Ubuntu 26.04 LTS
Low
Copyright (C) 2017 Canonical Ltd.
2017-06-05 11:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/dnstracer/+bug/1734279
CVE-2017-9430
CVE-2018-0493 on Ubuntu 26.04 LTS (resolute) - medium
remctld in remctl before 3.14, when an attacker is authorized to execute a command that uses the sudo option, has a use-after-free that leads to a daemon crash, memory corruption, or arbitrary command execution.
Update Instructions:
Run `sudo pro fix CVE-2018-0493` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnet-remctl-perl - 3.13-1+deb9u1
libremctl1t64 - 3.13-1+deb9u1
php-remctl - 3.13-1+deb9u1
python3-pyremctl - 3.13-1+deb9u1
remctl-client - 3.13-1+deb9u1
remctl-server - 3.13-1+deb9u1
ruby-remctl - 3.13-1+deb9u1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-03 07:29:00 UTC
CVE-2018-0493
CVE-2018-1000050 on Ubuntu 26.04 LTS (resolute) - medium
Sean Barrett stb_vorbis version 1.12 and earlier contains a Buffer Overflow vulnerability in All vorbis decoding paths. that can result in memory corruption, denial of service, comprised execution of host program. This attack appears to be exploitable via Victim must open a specially crafted Ogg Vorbis file. This vulnerability appears to have been fixed in 1.13.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-02-09 23:29:00 UTC
CVE-2018-1000050
CVE-2018-1000101 on Ubuntu 26.04 LTS (resolute) - medium
Mingw-w64 version 5.0.3 and earlier, 5.0.4, 6.0.0 and 7.0.0 contains an Improper Null Termination (CWE-170) vulnerability in mingw-w64-crt (libc)->(v)snprintf that can result in The bug may be used to corrupt subsequent string functions. This attack appears to be exploitable via Depending on the usage, worst case: network.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-03-06 17:29:00 UTC
CVE-2018-1000101
CVE-2018-1000520 on Ubuntu 26.04 LTS (resolute) - low
ARM mbedTLS version 2.7.0 and earlier contains a Ciphersuite Allows Incorrectly Signed Certificates vulnerability in mbedtls_ssl_get_verify_result() that can result in ECDSA-signed certificates are accepted, when only RSA-signed ones should be. This attack appears to be exploitable via Peers negotiate a TLS-ECDH-RSA-* ciphersuite. Any of the peers can then provide an ECDSA-signed certificate, when only an RSA-signed one should be accepted.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-06-26 16:29:00 UTC
CVE-2018-1000520
CVE-2018-1000546 on Ubuntu 26.04 LTS (resolute) - medium
Triplea version <= 1.9.0.0.10291 contains a XML External Entity (XXE) vulnerability in Importing game data that can result in Possible information disclosure, server-side request forgery, or remote code execution. This attack appears to be exploitable via Specially crafted game data file (XML).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-26 16:29:00 UTC
CVE-2018-1000546
CVE-2018-1000548 on Ubuntu 26.04 LTS (resolute) - medium
Umlet version < 14.3 contains a XML External Entity (XXE) vulnerability in File parsing that can result in disclosure of confidential data, denial of service, server side request forgery. This attack appear to be exploitable via Specially crafted UXF file. This vulnerability appears to have been fixed in 14.3.
Update Instructions:
Run `sudo pro fix CVE-2018-1000548` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
umlet - 15.1+ds-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-26 16:29:00 UTC
CVE-2018-1000548
CVE-2018-1000556 on Ubuntu 26.04 LTS (resolute) - medium
WordPress version 4.8 + contains a Cross Site Scripting (XSS) vulnerability in plugins.php or core wordpress on delete function that can result in An attacker can perform client side attacks which could be from stealing a cookie to code injection. This attack appear to be exploitable via an attacker must craft an URL with payload and send to the user. Victim need to open the link to be affected by reflected XSS.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-26 16:29:00 UTC
CVE-2018-1000556
CVE-2018-1000632 on Ubuntu 26.04 LTS (resolute) - low
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Update Instructions:
Run `sudo pro fix CVE-2018-1000632` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libdom4j-java - 2.1.1-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-08-20 19:31:00 UTC
2018-08-20 19:31:00 UTC
[https://ubuntu.com/security/notices/USN-4619-1]
CVE-2018-1000632
CVE-2018-1000639 on Ubuntu 26.04 LTS (resolute) - medium
LatexDraw version <=4.0 contains a XML External Entity (XXE) vulnerability in SVG parsing functionality that can result in disclosure of data, server side request forgery, port scanning, possible rce. This attack appear to be exploitable via Specially crafted SVG file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-08-20 19:31:00 UTC
CVE-2018-1000639
CVE-2018-1000773 on Ubuntu 26.04 LTS (resolute) - low
WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-09-06 16:29:00 UTC
CVE-2018-1000773
CVE-2018-1000840 on Ubuntu 26.04 LTS (resolute) - medium
Processing Foundation Processing version 3.4 and earlier contains a XML External Entity (XXE) vulnerability in loadXML() function that can result in An attacker can read arbitrary files and exfiltrate their contents via HTTP requests. This attack appear to be exploitable via The victim must use Processing to parse a crafted XML document.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-20 15:29:00 UTC
CVE-2018-1000840
CVE-2018-1000872 on Ubuntu 26.04 LTS (resolute) - medium
OpenKMIP PyKMIP version All versions before 0.8.0 contains a CWE 399: Resource Management Errors (similar issue to CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the server can be made unavailable by one or more clients opening all of the available sockets. This attack appear to be exploitable via A client or clients open sockets with the server and then never close them. This vulnerability appears to have been fixed in 0.8.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-20 17:29:00 UTC
CVE-2018-1000872
CVE-2018-1000873 on Ubuntu 26.04 LTS (resolute) - low
Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-12-20 17:29:00 UTC
CVE-2018-1000873
CVE-2018-10111 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in GEGL through 0.3.32. The render_rectangle function in process/gegl-processor.c has unbounded memory allocation, leading to a denial of service (application crash) upon allocation failure.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-04-16 09:58:00 UTC
CVE-2018-10111
CVE-2018-10112 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in GEGL through 0.3.32. The gegl_tile_backend_swap_constructed function in buffer/gegl-tile-backend-swap.c allows remote attackers to cause a denial of service (write access violation) or possibly have unspecified other impact via a malformed PNG file that is mishandled during a call to the babl_format_get_bytes_per_pixel function in babl-format.c in babl 0.1.46.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-04-16 09:58:00 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=795249
CVE-2018-10112
CVE-2018-10113 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in GEGL through 0.3.32. The process function in operations/external/ppm-load.c has unbounded memory allocation, leading to a denial of service (application crash) upon allocation failure.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-04-16 09:58:00 UTC
CVE-2018-10113
CVE-2018-10114 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in GEGL through 0.3.32. The gegl_buffer_iterate_read_simple function in buffer/gegl-buffer-access.c allows remote attackers to cause a denial of service (write access violation) or possibly have unspecified other impact via a malformed PPM file, related to improper restrictions on memory allocation in the ppm_load_read_header function in operations/external/ppm-load.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-04-16 09:58:00 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=795248
CVE-2018-10114
CVE-2018-10126 on Ubuntu 26.04 LTS (resolute) - low
ijg-libjpeg before 9d, as used in tiff2pdf (from LibTIFF) and other products, does not check for a NULL pointer at a certain place in jpeg_fdct_16x16 in jfdctint.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-04-21 21:29:00 UTC
http://bugzilla.maptools.org/show_bug.cgi?id=2786 (old)
https://gitlab.com/libtiff/libtiff/issues/128
CVE-2018-10126
CVE-2018-10186 on Ubuntu 26.04 LTS (resolute) - medium
In radare2 2.5.0, there is a heap-based buffer over-read in the r_hex_bin2str function (libr/util/hex.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted DEX file. This issue is different from CVE-2017-15368.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-17 20:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-10186
CVE-2018-10187 on Ubuntu 26.04 LTS (resolute) - medium
In radare2 2.5.0, there is a heap-based buffer over-read in the dalvik_op function (libr/anal/p/anal_dalvik.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted DEX file. Note that this issue is different from CVE-2018-8809, which was patched earlier.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-17 20:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-10187
CVE-2018-10199 on Ubuntu 26.04 LTS (resolute) - medium
In versions of mruby up to and including 1.4.0, a use-after-free vulnerability exists in src/io.c::File#initilialize_copy(). An attacker that can cause Ruby code to be run can possibly use this to execute arbitrary code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-18 15:29:00 UTC
CVE-2018-10199
CVE-2018-10243 on Ubuntu 26.04 LTS (resolute) - medium
htp_parse_authorization_digest in htp_parsers.c in LibHTP 0.5.26 allows remote attackers to cause a heap-based buffer over-read via an authorization digest header.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-04-04 16:29:00 UTC
CVE-2018-10243
CVE-2018-10254 on Ubuntu 26.04 LTS (resolute) - low
Netwide Assembler (NASM) 2.13 has a stack-based buffer over-read in the disasm function of the disasm/disasm.c file. Remote attackers could leverage this vulnerability to cause a denial of service or possibly have unspecified other impact via a crafted ELF file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-04-21 16:29:00 UTC
https://sourceforge.net/p/nasm/bugs/561/
https://bugzilla.nasm.us/show_bug.cgi?id=3392475
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896523
CVE-2018-10254
CVE-2018-1047 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Wildfly 9.x. A path traversal vulnerability through the org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource method could lead to information disclosure of arbitrary local files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-01-24 23:29:00 UTC
CVE-2018-1047
CVE-2018-1048 on Ubuntu 26.04 LTS (resolute) - medium
It was found that the AJP connector in undertow, as shipped in Jboss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allow the slash / anti-slash characters encoded in the url which may lead to path traversal and result in the information disclosure of arbitrary local files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-01-24 23:29:00 UTC
CVE-2018-1048
CVE-2018-10528 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in LibRaw 0.18.9. There is a stack-based buffer overflow in the utf2char function in libraw_cxx.cpp.
Update Instructions:
Run `sudo pro fix CVE-2018-10528` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libraw-bin - 0.18.8-2ubuntu1
libraw23t64 - 0.18.8-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-28
2018-04-28
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897185
[https://ubuntu.com/security/notices/USN-3639-1]
CVE-2018-10528
CVE-2018-10529 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in LibRaw 0.18.9. There is an out-of-bounds read affecting the X3F property table list implementation in libraw_x3f.cpp and libraw_cxx.cpp.
Update Instructions:
Run `sudo pro fix CVE-2018-10529` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libraw-bin - 0.18.8-2ubuntu1
libraw23t64 - 0.18.8-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-28
2018-04-28
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897186
[https://ubuntu.com/security/notices/USN-3639-1]
CVE-2018-10529
CVE-2018-1054 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds memory read flaw was found in the way 389-ds-base handled certain LDAP search filters, affecting all versions including 1.4.x. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-03-07 13:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892124
CVE-2018-1054
CVE-2018-1059 on Ubuntu 26.04 LTS (resolute) - low
The DPDK vhost-user interface does not check to verify that all the requested guest physical range is mapped and contiguous when performing Guest Physical Addresses to Host Virtual Addresses translations. This may lead to a malicious guest exposing vhost-user backend process memory. All versions before 18.02.1 are vulnerable.
Update Instructions:
Run `sudo pro fix CVE-2018-1059` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
dpdk - 17.11.2-1
librte-acl25 - 17.11.2-1
librte-argparse25 - 17.11.2-1
librte-baseband-acc25 - 17.11.2-1
librte-baseband-fpga-5gnr-fec25 - 17.11.2-1
librte-baseband-fpga-lte-fec25 - 17.11.2-1
librte-baseband-la12xx25 - 17.11.2-1
librte-baseband-null25 - 17.11.2-1
librte-baseband-turbo-sw25 - 17.11.2-1
librte-bbdev25 - 17.11.2-1
librte-bitratestats25 - 17.11.2-1
librte-bpf25 - 17.11.2-1
librte-bus-auxiliary25 - 17.11.2-1
librte-bus-cdx25 - 17.11.2-1
librte-bus-dpaa25 - 17.11.2-1
librte-bus-fslmc25 - 17.11.2-1
librte-bus-ifpga25 - 17.11.2-1
librte-bus-pci25 - 17.11.2-1
librte-bus-platform25 - 17.11.2-1
librte-bus-uacce25 - 17.11.2-1
librte-bus-vdev25 - 17.11.2-1
librte-bus-vmbus25 - 17.11.2-1
librte-cfgfile25 - 17.11.2-1
librte-cmdline25 - 17.11.2-1
librte-common-cnxk25 - 17.11.2-1
librte-common-cpt25 - 17.11.2-1
librte-common-dpaax25 - 17.11.2-1
librte-common-iavf25 - 17.11.2-1
librte-common-idpf25 - 17.11.2-1
librte-common-ionic25 - 17.11.2-1
librte-common-mlx5-25 - 17.11.2-1
librte-common-nfp25 - 17.11.2-1
librte-common-nitrox25 - 17.11.2-1
librte-common-octeontx25 - 17.11.2-1
librte-common-qat25 - 17.11.2-1
librte-common-sfc-efx25 - 17.11.2-1
librte-compress-isal25 - 17.11.2-1
librte-compress-mlx5-25 - 17.11.2-1
librte-compress-nitrox25 - 17.11.2-1
librte-compress-octeontx25 - 17.11.2-1
librte-compress-zlib25 - 17.11.2-1
librte-compressdev25 - 17.11.2-1
librte-crypto-bcmfs25 - 17.11.2-1
librte-crypto-caam-jr25 - 17.11.2-1
librte-crypto-ccp25 - 17.11.2-1
librte-crypto-cnxk25 - 17.11.2-1
librte-crypto-dpaa-sec25 - 17.11.2-1
librte-crypto-dpaa2-sec25 - 17.11.2-1
librte-crypto-ionic25 - 17.11.2-1
librte-crypto-ipsec-mb25 - 17.11.2-1
librte-crypto-mlx5-25 - 17.11.2-1
librte-crypto-nitrox25 - 17.11.2-1
librte-crypto-null25 - 17.11.2-1
librte-crypto-octeontx25 - 17.11.2-1
librte-crypto-openssl25 - 17.11.2-1
librte-crypto-scheduler25 - 17.11.2-1
librte-crypto-virtio25 - 17.11.2-1
librte-cryptodev25 - 17.11.2-1
librte-dispatcher25 - 17.11.2-1
librte-distributor25 - 17.11.2-1
librte-dma-cnxk25 - 17.11.2-1
librte-dma-dpaa2-25 - 17.11.2-1
librte-dma-dpaa25 - 17.11.2-1
librte-dma-hisilicon25 - 17.11.2-1
librte-dma-idxd25 - 17.11.2-1
librte-dma-ioat25 - 17.11.2-1
librte-dma-odm25 - 17.11.2-1
librte-dma-skeleton25 - 17.11.2-1
librte-dmadev25 - 17.11.2-1
librte-eal25 - 17.11.2-1
librte-efd25 - 17.11.2-1
librte-ethdev25 - 17.11.2-1
librte-event-cnxk25 - 17.11.2-1
librte-event-dlb2-25 - 17.11.2-1
librte-event-dpaa2-25 - 17.11.2-1
librte-event-dpaa25 - 17.11.2-1
librte-event-dsw25 - 17.11.2-1
librte-event-octeontx25 - 17.11.2-1
librte-event-opdl25 - 17.11.2-1
librte-event-skeleton25 - 17.11.2-1
librte-event-sw25 - 17.11.2-1
librte-eventdev25 - 17.11.2-1
librte-fib25 - 17.11.2-1
librte-gpudev25 - 17.11.2-1
librte-graph25 - 17.11.2-1
librte-gro25 - 17.11.2-1
librte-gso25 - 17.11.2-1
librte-hash25 - 17.11.2-1
librte-ip-frag25 - 17.11.2-1
librte-ipsec25 - 17.11.2-1
librte-jobstats25 - 17.11.2-1
librte-kvargs25 - 17.11.2-1
librte-latencystats25 - 17.11.2-1
librte-log25 - 17.11.2-1
librte-lpm25 - 17.11.2-1
librte-mbuf25 - 17.11.2-1
librte-member25 - 17.11.2-1
librte-mempool-bucket25 - 17.11.2-1
librte-mempool-cnxk25 - 17.11.2-1
librte-mempool-dpaa2-25 - 17.11.2-1
librte-mempool-dpaa25 - 17.11.2-1
librte-mempool-octeontx25 - 17.11.2-1
librte-mempool-ring25 - 17.11.2-1
librte-mempool-stack25 - 17.11.2-1
librte-mempool25 - 17.11.2-1
librte-meta-all - 17.11.2-1
librte-meta-allpmds - 17.11.2-1
librte-meta-baseband - 17.11.2-1
librte-meta-bus - 17.11.2-1
librte-meta-common - 17.11.2-1
librte-meta-compress - 17.11.2-1
librte-meta-crypto - 17.11.2-1
librte-meta-dma - 17.11.2-1
librte-meta-event - 17.11.2-1
librte-meta-mempool - 17.11.2-1
librte-meta-net - 17.11.2-1
librte-meta-raw - 17.11.2-1
librte-meter25 - 17.11.2-1
librte-metrics25 - 17.11.2-1
librte-ml-cnxk25 - 17.11.2-1
librte-mldev25 - 17.11.2-1
librte-net-af-packet25 - 17.11.2-1
librte-net-af-xdp25 - 17.11.2-1
librte-net-ark25 - 17.11.2-1
librte-net-atlantic25 - 17.11.2-1
librte-net-avp25 - 17.11.2-1
librte-net-axgbe25 - 17.11.2-1
librte-net-bnx2x25 - 17.11.2-1
librte-net-bnxt25 - 17.11.2-1
librte-net-bond25 - 17.11.2-1
librte-net-cnxk25 - 17.11.2-1
librte-net-cpfl25 - 17.11.2-1
librte-net-cxgbe25 - 17.11.2-1
librte-net-dpaa2-25 - 17.11.2-1
librte-net-dpaa25 - 17.11.2-1
librte-net-e1000-25 - 17.11.2-1
librte-net-ena25 - 17.11.2-1
librte-net-enetc25 - 17.11.2-1
librte-net-enetfec25 - 17.11.2-1
librte-net-enic25 - 17.11.2-1
librte-net-failsafe25 - 17.11.2-1
librte-net-fm10k25 - 17.11.2-1
librte-net-gve25 - 17.11.2-1
librte-net-hinic25 - 17.11.2-1
librte-net-hns3-25 - 17.11.2-1
librte-net-i40e25 - 17.11.2-1
librte-net-iavf25 - 17.11.2-1
librte-net-ice25 - 17.11.2-1
librte-net-idpf25 - 17.11.2-1
librte-net-igc25 - 17.11.2-1
librte-net-ionic25 - 17.11.2-1
librte-net-ipn3ke25 - 17.11.2-1
librte-net-ixgbe25 - 17.11.2-1
librte-net-mana25 - 17.11.2-1
librte-net-memif25 - 17.11.2-1
librte-net-mlx4-25 - 17.11.2-1
librte-net-mlx5-25 - 17.11.2-1
librte-net-netvsc25 - 17.11.2-1
librte-net-nfp25 - 17.11.2-1
librte-net-ngbe25 - 17.11.2-1
librte-net-ntnic25 - 17.11.2-1
librte-net-null25 - 17.11.2-1
librte-net-octeon-ep25 - 17.11.2-1
librte-net-octeontx25 - 17.11.2-1
librte-net-pcap25 - 17.11.2-1
librte-net-pfe25 - 17.11.2-1
librte-net-qede25 - 17.11.2-1
librte-net-r8169-25 - 17.11.2-1
librte-net-ring25 - 17.11.2-1
librte-net-sfc25 - 17.11.2-1
librte-net-softnic25 - 17.11.2-1
librte-net-tap25 - 17.11.2-1
librte-net-thunderx25 - 17.11.2-1
librte-net-txgbe25 - 17.11.2-1
librte-net-vdev-netvsc25 - 17.11.2-1
librte-net-vhost25 - 17.11.2-1
librte-net-virtio25 - 17.11.2-1
librte-net-vmxnet3-25 - 17.11.2-1
librte-net-zxdh25 - 17.11.2-1
librte-net25 - 17.11.2-1
librte-node25 - 17.11.2-1
librte-pcapng25 - 17.11.2-1
librte-pci25 - 17.11.2-1
librte-pdcp25 - 17.11.2-1
librte-pdump25 - 17.11.2-1
librte-pipeline25 - 17.11.2-1
librte-port25 - 17.11.2-1
librte-power-acpi25 - 17.11.2-1
librte-power-amd-pstate25 - 17.11.2-1
librte-power-cppc25 - 17.11.2-1
librte-power-intel-pstate25 - 17.11.2-1
librte-power-intel-uncore25 - 17.11.2-1
librte-power-kvm-vm25 - 17.11.2-1
librte-power25 - 17.11.2-1
librte-raw-cnxk-bphy25 - 17.11.2-1
librte-raw-cnxk-gpio25 - 17.11.2-1
librte-raw-cnxk-rvu-lf25 - 17.11.2-1
librte-raw-dpaa2-cmdif25 - 17.11.2-1
librte-raw-gdtc25 - 17.11.2-1
librte-raw-ifpga25 - 17.11.2-1
librte-raw-ntb25 - 17.11.2-1
librte-raw-skeleton25 - 17.11.2-1
librte-rawdev25 - 17.11.2-1
librte-rcu25 - 17.11.2-1
librte-regex-cn9k25 - 17.11.2-1
librte-regex-mlx5-25 - 17.11.2-1
librte-regexdev25 - 17.11.2-1
librte-reorder25 - 17.11.2-1
librte-rib25 - 17.11.2-1
librte-ring25 - 17.11.2-1
librte-sched25 - 17.11.2-1
librte-security25 - 17.11.2-1
librte-stack25 - 17.11.2-1
librte-table25 - 17.11.2-1
librte-telemetry25 - 17.11.2-1
librte-timer25 - 17.11.2-1
librte-vdpa-ifc25 - 17.11.2-1
librte-vdpa-mlx5-25 - 17.11.2-1
librte-vdpa-nfp25 - 17.11.2-1
librte-vdpa-sfc25 - 17.11.2-1
librte-vhost25 - 17.11.2-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-04-24
2018-04-24
Maxime Coquelin
https://bugzilla.redhat.com/show_bug.cgi?id=1544298
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896688
[https://ubuntu.com/security/notices/USN-3642-1]
[https://ubuntu.com/security/notices/USN-3642-2]
CVE-2018-1059
CVE-2018-10733 on Ubuntu 26.04 LTS (resolute) - low
There is a heap-based buffer over-read in the function ft_font_face_hash of gxps-fonts.c in libgxps through 0.3.0. A crafted input will lead to a remote denial of service attack.
Update Instructions:
Run `sudo pro fix CVE-2018-10733` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-gxps-0.1 - 0.3.0-3
libgxps-utils - 0.3.0-3
libgxps2t64 - 0.3.0-3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-05-04 17:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897954
https://bugzilla.redhat.com/show_bug.cgi?id=1574844
https://bugs.launchpad.net/ubuntu/+source/libgxps/+bug/1797785
CVE-2018-10733
CVE-2018-10756 on Ubuntu 26.04 LTS (resolute) - low
Use-after-free in libtransmission/variant.c in Transmission before 3.00 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted torrent file.
Update Instructions:
Run `sudo pro fix CVE-2018-10756` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
transmission - 3.00-1
transmission-cli - 3.00-1
transmission-common - 3.00-1
transmission-daemon - 3.00-1
transmission-gtk - 3.00-1
transmission-qt - 3.00-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-05-15 16:15:00 UTC
CVE-2018-10756
CVE-2018-10773 on Ubuntu 26.04 LTS (resolute) - medium
NULL pointer deference in the addsn function in serialno.c in libbibcore.a in bibutils through 6.2 allows remote attackers to cause a denial of service (application crash), as demonstrated by copac2xml.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-07 07:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898135
CVE-2018-10773
CVE-2018-10774 on Ubuntu 26.04 LTS (resolute) - medium
Read access violation in the isiin_keyword function in isiin.c in libbibutils.a in bibutils through 6.2 allows remote attackers to cause a denial of service (application crash), as demonstrated by isi2xml.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-07 07:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898135
CVE-2018-10774
CVE-2018-10775 on Ubuntu 26.04 LTS (resolute) - medium
NULL pointer dereference in the _fields_add function in fields.c in libbibcore.a in bibutils through 6.2 allows remote attackers to cause a denial of service (application crash), as demonstrated by end2xml.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-07 07:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898135
CVE-2018-10775
CVE-2018-10790 on Ubuntu 26.04 LTS (resolute) - medium
The AP4_CttsAtom class in Core/Ap4CttsAtom.cpp in Bento4 1.5.1.0 allows remote attackers to cause a denial of service (application crash), related to a memory allocation failure, as demonstrated by mp2aac.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-25 14:15:00 UTC
CVE-2018-10790
CVE-2018-10850 on Ubuntu 26.04 LTS (resolute) - medium
389-ds-base before versions 1.4.0.10, 1.3.8.3 is vulnerable to a race condition in the way 389-ds-base handles persistent search, resulting in a crash if the server is under load. An anonymous attacker could use this flaw to trigger a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-13 20:29:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1588056
CVE-2018-10850
CVE-2018-10871 on Ubuntu 26.04 LTS (resolute) - medium
389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-18 13:29:00 UTC
CVE-2018-10871
CVE-2018-10873 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to its peer which would result in a crash or, potentially, other impacts.
Update Instructions:
Run `sudo pro fix CVE-2018-10873` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libspice-server1 - 0.14.0-1ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-08-17
2018-08-17
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906316
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906315
[https://ubuntu.com/security/notices/USN-3751-1]
CVE-2018-10873
CVE-2018-1089 on Ubuntu 26.04 LTS (resolute) - medium
389-ds-base before versions 1.4.0.9, 1.3.8.1, 1.3.6.15 did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-09 15:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898138
CVE-2018-1089
CVE-2018-10893 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames. A malicious server could cause the client to crash or, potentially, execute arbitrary code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-09-11 15:29:00 UTC
CVE-2018-10893
CVE-2018-10935 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the 389 Directory Server that allows users to cause a crash in the LDAP server using ldapsearch with server side sort.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-09-11 15:29:00 UTC
CVE-2018-10935
CVE-2018-1098 on Ubuntu 26.04 LTS (resolute) - low
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-04-03 16:29:00 UTC
CVE-2018-1098
CVE-2018-1099 on Ubuntu 26.04 LTS (resolute) - low
DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-04-03 16:29:00 UTC
CVE-2018-1099
CVE-2018-11033 on Ubuntu 26.04 LTS (resolute) - negligible
The DCTStream::readHuffSym function in Stream.cc in the DCT decoder in xpdf before 4.00 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JPEG data.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-05-14 00:29:00 UTC
CVE-2018-11033
CVE-2018-1121 on Ubuntu 26.04 LTS (resolute) - low
procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-05-17 17:00:00 UTC
CVE-2018-1121
CVE-2018-11212 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in libjpeg 9a and 9d. The alloc_sarray function in jmemmgr.c allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-05-16
2018-05-16
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902176
[https://ubuntu.com/security/notices/USN-3706-1]
[https://ubuntu.com/security/notices/USN-3706-2]
[https://ubuntu.com/security/notices/USN-5497-1]
[https://ubuntu.com/security/notices/USN-5497-2]
[https://ubuntu.com/security/notices/USN-5336-1]
CVE-2018-11212
CVE-2018-11213 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in libjpeg 9a. The get_text_gray_row function in rdppm.c allows remote attackers to cause a denial of service (Segmentation fault) via a crafted file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-05-16
2018-05-16
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902176
[https://ubuntu.com/security/notices/USN-3706-1]
[https://ubuntu.com/security/notices/USN-3706-2]
[https://ubuntu.com/security/notices/USN-5497-1]
[https://ubuntu.com/security/notices/USN-5497-2]
[https://ubuntu.com/security/notices/USN-5336-1]
CVE-2018-11213
CVE-2018-11214 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in libjpeg 9a. The get_text_rgb_row function in rdppm.c allows remote attackers to cause a denial of service (Segmentation fault) via a crafted file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-05-16
2018-05-16
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902176
[https://ubuntu.com/security/notices/USN-3706-1]
[https://ubuntu.com/security/notices/USN-3706-2]
[https://ubuntu.com/security/notices/USN-5497-1]
[https://ubuntu.com/security/notices/USN-5497-2]
[https://ubuntu.com/security/notices/USN-5336-1]
CVE-2018-11214
CVE-2018-11230 on Ubuntu 26.04 LTS (resolute) - medium
jbig2_add_page in jbig2enc.cc in libjbig2enc.a in jbig2enc 0.29 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-17 12:29:00 UTC
https://github.com/agl/jbig2enc/issues/61
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059282
CVE-2018-11230
CVE-2018-11243 on Ubuntu 26.04 LTS (resolute) - medium
PackLinuxElf64::unpack in p_lx_elf.cpp in UPX 3.95 allows remote attackers to cause a denial of service (double free), limit the ability of a malware scanner to operate on the entire original data, or possibly have unspecified other impact via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-18 17:29:00 UTC
CVE-2018-11243
CVE-2018-11364 on Ubuntu 26.04 LTS (resolute) - low
sav_parse_machine_integer_info_record in spss/readstat_sav_read.c in libreadstat.a in ReadStat 0.1.1 has a memory leak related to an iconv_open call.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-05-22 04:29:00 UTC
CVE-2018-11364
CVE-2018-11365 on Ubuntu 26.04 LTS (resolute) - low
sas/readstat_sas7bcat_read.c in libreadstat.a in ReadStat 0.1.1 has an infinite loop.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-05-22 04:29:00 UTC
CVE-2018-11365
CVE-2018-11375 on Ubuntu 26.04 LTS (resolute) - medium
The _inst__lds() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted binary file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-22 19:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-11375
CVE-2018-11376 on Ubuntu 26.04 LTS (resolute) - medium
The r_read_le32() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted ELF file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-22 19:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-11376
CVE-2018-11377 on Ubuntu 26.04 LTS (resolute) - medium
The avr_op_analyze() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted binary file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-22 19:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-11377
CVE-2018-11378 on Ubuntu 26.04 LTS (resolute) - medium
The wasm_dis() function in libr/asm/arch/wasm/wasm.c in or possibly have unspecified other impact via a crafted WASM file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-22 19:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-11378
CVE-2018-11379 on Ubuntu 26.04 LTS (resolute) - medium
The get_debug_info() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted PE file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-22 19:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-11379
CVE-2018-11380 on Ubuntu 26.04 LTS (resolute) - medium
The parse_import_ptr() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted Mach-O file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-22 19:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-11380
CVE-2018-11381 on Ubuntu 26.04 LTS (resolute) - medium
The string_scan_range() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted binary file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-22 19:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-11381
CVE-2018-11382 on Ubuntu 26.04 LTS (resolute) - medium
The _inst__sts() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted binary file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-22 19:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-11382
CVE-2018-11383 on Ubuntu 26.04 LTS (resolute) - medium
The r_strbuf_fini() function in radare2 2.5.0 allows remote attackers to cause a denial of service (invalid free and application crash) via a crafted ELF file because of an uninitialized variable in the CPSE handler in libr/anal/p/anal_avr.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-22 19:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-11383
CVE-2018-11384 on Ubuntu 26.04 LTS (resolute) - medium
The sh_op() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted ELF file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-22 19:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-11384
CVE-2018-11416 on Ubuntu 26.04 LTS (resolute) - low
jpegoptim.c in jpegoptim 1.4.5 (fixed in 1.4.6) has an invalid use of realloc() and free(), which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-05-24 20:29:00 UTC
CVE-2018-11416
CVE-2018-11432 on Ubuntu 26.04 LTS (resolute) - medium
The mobi_parse_mobiheader function in read.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-30 13:29:00 UTC
CVE-2018-11432
CVE-2018-11435 on Ubuntu 26.04 LTS (resolute) - medium
The mobi_decompress_huffman_internal function in compression.c in Libmobi 0.3 allows remote attackers to cause information disclosure (read access violation) via a crafted mobi file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-30 13:29:00 UTC
CVE-2018-11435
CVE-2018-11737 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) from release 4.0.2 through to 4.6.1. An out-of-bounds read of a memory region was found in the function ntfs_fix_idxrec in tsk/fs/ntfs_dent.cpp which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-05 11:29:00 UTC
CVE-2018-11737
CVE-2018-11738 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) from release 4.0.2 through to 4.6.1. An out-of-bounds read of a memory region was found in the function ntfs_make_data_run in tsk/fs/ntfs.c which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-05 11:29:00 UTC
CVE-2018-11738
CVE-2018-11739 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libtskimg.a in The Sleuth Kit (TSK) from release 4.0.2 through to 4.6.1. An out-of-bounds read of a memory region was found in the function raw_read in tsk/img/raw.c which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-05 11:29:00 UTC
CVE-2018-11739
CVE-2018-11740 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libtskbase.a in The Sleuth Kit (TSK) from release 4.0.2 through to 4.6.1. An out-of-bounds read of a memory region was found in the function tsk_UTF16toUTF8 in tsk/base/tsk_unicode.c which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-05 11:29:00 UTC
CVE-2018-11740
CVE-2018-11743 on Ubuntu 26.04 LTS (resolute) - medium
The init_copy function in kernel.c in mruby 1.4.1 makes initialize_copy calls for TT_ICLASS objects, which allows attackers to cause a denial of service (mrb_hash_keys uninitialized pointer and application crash) or possibly have unspecified other impact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-05 13:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900845
CVE-2018-11743
CVE-2018-11761 on Ubuntu 26.04 LTS (resolute) - low
In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-09-19 14:29:00 UTC
CVE-2018-11761
CVE-2018-11762 on Ubuntu 26.04 LTS (resolute) - medium
In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-09-19 14:29:00 UTC
CVE-2018-11762
CVE-2018-11771 on Ubuntu 26.04 LTS (resolute) - low
When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
Update Instructions:
Run `sudo pro fix CVE-2018-11771` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libcommons-compress-java - 1.18-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-08-16 15:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906301
https://issues.apache.org/jira/browse/COMPRESS-463
CVE-2018-11771
CVE-2018-11802 on Ubuntu 26.04 LTS (resolute) - medium
In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-01 22:15:00 UTC
CVE-2018-11802
CVE-2018-11813 on Ubuntu 26.04 LTS (resolute) - low
libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-06-06 03:29:00 UTC
2018-06-06 03:29:00 UTC
[https://ubuntu.com/security/notices/USN-5497-1]
[https://ubuntu.com/security/notices/USN-5553-1]
[https://ubuntu.com/security/notices/USN-5631-1]
[https://ubuntu.com/security/notices/USN-5497-2]
[https://ubuntu.com/security/notices/USN-5336-1]
CVE-2018-11813
CVE-2018-12020 on Ubuntu 26.04 LTS (resolute) - medium
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
Update Instructions:
Run `sudo pro fix CVE-2018-12020` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
dirmngr - 2.2.8-1ubuntu1
gnupg - 2.2.8-1ubuntu1
gnupg-agent - 2.2.8-1ubuntu1
gnupg-l10n - 2.2.8-1ubuntu1
gnupg-utils - 2.2.8-1ubuntu1
gnupg2 - 2.2.8-1ubuntu1
gpg - 2.2.8-1ubuntu1
gpg-agent - 2.2.8-1ubuntu1
gpg-wks-client - 2.2.8-1ubuntu1
gpg-wks-server - 2.2.8-1ubuntu1
gpgconf - 2.2.8-1ubuntu1
gpgsm - 2.2.8-1ubuntu1
gpgv - 2.2.8-1ubuntu1
gpgv-static - 2.2.8-1ubuntu1
scdaemon - 2.2.8-1ubuntu1
tpm2daemon - 2.2.8-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-08
2018-06-08
Marcus Brinkmann
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901088
[https://ubuntu.com/security/notices/USN-3675-1]
[https://ubuntu.com/security/notices/USN-3675-2]
[https://ubuntu.com/security/notices/USN-3675-3]
[https://ubuntu.com/security/notices/USN-3964-1]
[https://ubuntu.com/security/notices/USN-4839-1]
CVE-2018-12020
CVE-2018-12064 on Ubuntu 26.04 LTS (resolute) - medium
tinyexr 0.9.5 has a heap-based buffer over-read via tinyexr::ReadChannelInfo in tinyexr.h.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-08 12:29:00 UTC
CVE-2018-12064
CVE-2018-12247 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in mruby 1.4.1. There is a NULL pointer dereference in mrb_class, related to certain .clone usage, because mrb_obj_clone in kernel.c copies flags other than the MRB_FLAG_IS_FROZEN flag (e.g., the embedded flag).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-12 14:29:00 UTC
CVE-2018-12247
CVE-2018-12248 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in mruby 1.4.1. There is a heap-based buffer over-read associated with OP_ENTER because mrbgems/mruby-fiber/src/fiber.c does not extend the stack in cases of many arguments to fiber.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-12 14:29:00 UTC
CVE-2018-12248
CVE-2018-12249 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in mruby 1.4.1. There is a NULL pointer dereference in mrb_class_real because "class BasicObject" is not properly supported in class.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-12 14:29:00 UTC
CVE-2018-12249
CVE-2018-12320 on Ubuntu 26.04 LTS (resolute) - medium
There is a use after free in radare2 2.6.0 in r_anal_bb_free() in libr/anal/bb.c via a crafted Java binary file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-13 16:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901630
CVE-2018-12320
CVE-2018-12321 on Ubuntu 26.04 LTS (resolute) - low
There is a heap out of bounds read in radare2 2.6.0 in java_switch_op() in libr/anal/p/anal_java.c via a crafted Java binary file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-06-13 16:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901629
CVE-2018-12321
CVE-2018-12322 on Ubuntu 26.04 LTS (resolute) - low
There is a heap out of bounds read in radare2 2.6.0 in _6502_op() in libr/anal/p/anal_6502.c via a crafted iNES ROM binary file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-06-13 16:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901628
CVE-2018-12322
CVE-2018-12436 on Ubuntu 26.04 LTS (resolute) - medium
wolfcrypt/src/ecc.c in wolfSSL before 3.15.1.patch allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-15 02:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901627
CVE-2018-12436
CVE-2018-12466 on Ubuntu 26.04 LTS (resolute) - medium
openSUSE openbuildservice before 9.2.4 allowed authenticated users to delete packages on specific projects with project links.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-08-01 15:29:00 UTC
CVE-2018-12466
CVE-2018-12467 on Ubuntu 26.04 LTS (resolute) - medium
Authorized users of the openbuildservice before 2.9.4 could delete packages by using a malicious request against projects having the OBS:InitializeDevelPackage attribute, a similar issue to CVE-2018-7689.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-08-01 15:29:00 UTC
CVE-2018-12467
CVE-2018-12475 on Ubuntu 26.04 LTS (resolute) - medium
A Externally Controlled Reference to a Resource in Another Sphere vulnerability in obs-service-download_files of openSUSE Open Build Service allows authenticated users to generate HTTP request against internal networks and potentially downloading data that is exposed there. This issue affects: openSUSE Open Build Service .
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-01 12:15:00 UTC
CVE-2018-12475
CVE-2018-12479 on Ubuntu 26.04 LTS (resolute) - medium
A Improper Input Validation vulnerability in Open Build Service allows remote attackers to cause DoS by specifying crafted request IDs. Affected releases are openSUSE Open Build Service: versions prior to 01b015ca2a320afc4fae823465d1e72da8bd60df.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-10-09 13:29:00 UTC
CVE-2018-12479
CVE-2018-12556 on Ubuntu 26.04 LTS (resolute) - medium
The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn release packages with their own key.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-05-16 17:29:00 UTC
Marcus Brinkmann
CVE-2018-12556
CVE-2018-12633 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the Linux kernel through 4.17.2. vbg_misc_device_ioctl() in drivers/virt/vboxguest/vboxguest_linux.c reads the same user data twice with copy_from_user. The header part of the user data is double-fetched, and a malicious user thread can tamper with the critical variables (hdr.size_in and hdr.size_out) in the header between the two fetches because of a race condition, leading to severe kernel errors, such as buffer over-accesses. This bug can cause a local denial of service and information leakage.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-22 00:29:00 UTC
CVE-2018-12633
CVE-2018-12687 on Ubuntu 26.04 LTS (resolute) - medium
tinyexr 0.9.5 has an assertion failure in DecodePixelData in tinyexr.h.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-22 19:29:00 UTC
CVE-2018-12687
CVE-2018-12689 on Ubuntu 26.04 LTS (resolute) - medium
phpLDAPadmin 1.2.2 allows LDAP injection via a crafted server_id parameter in a cmd.php?cmd=login_form request, or a crafted username and password in the login panel.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-22 20:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902186
CVE-2018-12689
CVE-2018-12713 on Ubuntu 26.04 LTS (resolute) - negligible
GIMP through 2.10.2 makes g_get_tmp_dir calls to establish temporary filenames, which may result in a filename that already exists, as demonstrated by the gimp_write_and_read_file function in app/tests/test-xcf.c. This might be leveraged by attackers to overwrite files or read file content that was intended to be private.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-06-24 22:29:00 UTC
https://gitlab.gnome.org/GNOME/gimp/issues/1689
https://bugs.launchpad.net/ubuntu/jammy/+source/gimp/+bug/1982422
CVE-2018-12713
CVE-2018-1287 on Ubuntu 26.04 LTS (resolute) - medium
In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI based), jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-02-14 14:29:00 UTC
CVE-2018-1287
CVE-2018-12886 on Ubuntu 26.04 LTS (resolute) - low
stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-05-22 19:29:00 UTC
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85434
CVE-2018-12886
CVE-2018-12928 on Ubuntu 26.04 LTS (resolute) - negligible
In the Linux kernel 4.15.0, a NULL pointer dereference was discovered in hfs_ext_read_extent in hfs.ko. This can occur during a mount of a crafted hfs filesystem.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-06-28 14:29:00 UTC
Sergej Schumilo
https://launchpad.net/bugs/1763384
CVE-2018-12928
CVE-2018-12929 on Ubuntu 26.04 LTS (resolute) - low
ntfs_read_locked_inode in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a use-after-free read and possibly cause a denial of service (kernel oops or panic) via a crafted ntfs filesystem.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-06-28 14:29:00 UTC
Sergej Schumilo and Cornelius Aschermann
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763403
https://launchpad.net/bugs/1763403
CVE-2018-12929
CVE-2018-12930 on Ubuntu 26.04 LTS (resolute) - low
ntfs_end_buffer_async_read in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-06-28 14:29:00 UTC
Sergej Schumilo and Cornelius Aschermann
https://launchpad.net/bugs/1763403
CVE-2018-12930
CVE-2018-12931 on Ubuntu 26.04 LTS (resolute) - low
ntfs_attr_find in the ntfs.ko filesystem driver in the Linux kernel 4.15.0 allows attackers to trigger a stack-based out-of-bounds write and cause a denial of service (kernel oops or panic) or possibly have unspecified other impact via a crafted ntfs filesystem.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-06-28 14:29:00 UTC
Sergej Schumilo and Cornelius Aschermann
https://launchpad.net/bugs/1763403
CVE-2018-12931
CVE-2018-12932 on Ubuntu 26.04 LTS (resolute) - medium
PlayEnhMetaFileRecord in enhmetafile.c in Wine 3.7 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by triggering a large pAlphaBlend->cbBitsSrc value.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-28 14:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/wine/+bug/1764719
CVE-2018-12932
CVE-2018-12933 on Ubuntu 26.04 LTS (resolute) - medium
PlayEnhMetaFileRecord in enhmetafile.c in Wine 3.7 allows attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact because the attacker controls the pCreatePen->ihPen array index.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-28 14:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/wine/+bug/1764719
CVE-2018-12933
CVE-2018-1297 on Ubuntu 26.04 LTS (resolute) - medium
When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-02-13 12:29:00 UTC
CVE-2018-1297
CVE-2018-1324 on Ubuntu 26.04 LTS (resolute) - low
A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-03-16 13:29:00 UTC
CVE-2018-1324
CVE-2018-13258 on Ubuntu 26.04 LTS (resolute) - negligible
Mediawiki 1.31 before 1.31.1 misses .htaccess files in the provided tarball used to protect some directories that shouldn't be web accessible.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-10-04 20:29:00 UTC
CVE-2018-13258
CVE-2018-13300 on Ubuntu 26.04 LTS (resolute) - medium
In FFmpeg 3.2 and 4.0.1, an improper argument (AVCodecParameters) passed to the avpriv_request_sample function in the handle_eac3 function in libavformat/movenc.c may trigger an out-of-array read while converting a crafted AVI file to MPEG4, leading to a denial of service and possibly an information disclosure.
Update Instructions:
Run `sudo pro fix CVE-2018-13300` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ffmpeg - 7:4.0.2-1ubuntu6
libavcodec-extra - 7:4.0.2-1ubuntu6
libavcodec-extra61 - 7:4.0.2-1ubuntu6
libavcodec61 - 7:4.0.2-1ubuntu6
libavdevice61 - 7:4.0.2-1ubuntu6
libavfilter-extra - 7:4.0.2-1ubuntu6
libavfilter-extra10 - 7:4.0.2-1ubuntu6
libavfilter10 - 7:4.0.2-1ubuntu6
libavformat-extra - 7:4.0.2-1ubuntu6
libavformat-extra61 - 7:4.0.2-1ubuntu6
libavformat61 - 7:4.0.2-1ubuntu6
libavutil59 - 7:4.0.2-1ubuntu6
libpostproc58 - 7:4.0.2-1ubuntu6
libswresample5 - 7:4.0.2-1ubuntu6
libswscale8 - 7:4.0.2-1ubuntu6
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-05 17:29:00 UTC
CVE-2018-13300
CVE-2018-13301 on Ubuntu 26.04 LTS (resolute) - low
In FFmpeg 4.0.1, due to a missing check of a profile value before setting it, the ff_mpeg4_decode_picture_header function in libavcodec/mpeg4videodec.c may trigger a NULL pointer dereference while converting a crafted AVI file to MPEG4, leading to a denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-07-05 17:29:00 UTC
CVE-2018-13301
CVE-2018-13302 on Ubuntu 26.04 LTS (resolute) - medium
In FFmpeg 4.0.1, improper handling of frame types (other than EAC3_FRAME_TYPE_INDEPENDENT) that have multiple independent substreams in the handle_eac3 function in libavformat/movenc.c may trigger an out-of-array access while converting a crafted AVI file to MPEG4, leading to a denial of service or possibly unspecified other impact.
Update Instructions:
Run `sudo pro fix CVE-2018-13302` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ffmpeg - 7:4.0.2-1ubuntu6
libavcodec-extra - 7:4.0.2-1ubuntu6
libavcodec-extra61 - 7:4.0.2-1ubuntu6
libavcodec61 - 7:4.0.2-1ubuntu6
libavdevice61 - 7:4.0.2-1ubuntu6
libavfilter-extra - 7:4.0.2-1ubuntu6
libavfilter-extra10 - 7:4.0.2-1ubuntu6
libavfilter10 - 7:4.0.2-1ubuntu6
libavformat-extra - 7:4.0.2-1ubuntu6
libavformat-extra61 - 7:4.0.2-1ubuntu6
libavformat61 - 7:4.0.2-1ubuntu6
libavutil59 - 7:4.0.2-1ubuntu6
libpostproc58 - 7:4.0.2-1ubuntu6
libswresample5 - 7:4.0.2-1ubuntu6
libswscale8 - 7:4.0.2-1ubuntu6
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-05 17:29:00 UTC
CVE-2018-13302
CVE-2018-13303 on Ubuntu 26.04 LTS (resolute) - low
In FFmpeg 4.0.1, a missing check for failure of a call to init_get_bits8() in the avpriv_ac3_parse_header function in libavcodec/ac3_parser.c may trigger a NULL pointer dereference while converting a crafted AVI file to MPEG4, leading to a denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-07-05 17:29:00 UTC
CVE-2018-13303
CVE-2018-13304 on Ubuntu 26.04 LTS (resolute) - medium
In libavcodec in FFmpeg 4.0.1, improper maintenance of the consistency between the context profile field and studio_profile in libavcodec may trigger an assertion failure while converting a crafted AVI file to MPEG4, leading to a denial of service, related to error_resilience.c, h263dec.c, and mpeg4videodec.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-05 17:29:00 UTC
CVE-2018-13304
CVE-2018-13305 on Ubuntu 26.04 LTS (resolute) - medium
In FFmpeg 4.0.1, due to a missing check for negative values of the mquant variable, the vc1_put_blocks_clamped function in libavcodec/vc1_block.c may trigger an out-of-array access while converting a crafted AVI file to MPEG4, leading to an information disclosure or a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-05 17:29:00 UTC
CVE-2018-13305
CVE-2018-1335 on Ubuntu 26.04 LTS (resolute) - medium
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-25 21:29:00 UTC
CVE-2018-1335
CVE-2018-1338 on Ubuntu 26.04 LTS (resolute) - medium
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-25 21:29:00 UTC
CVE-2018-1338
CVE-2018-1339 on Ubuntu 26.04 LTS (resolute) - medium
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-25 21:29:00 UTC
CVE-2018-1339
CVE-2018-13846 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been found in Bento4 1.5.1-624. AP4_Mpeg2TsVideoSampleStream::WriteSample in Core/Ap4Mpeg2Ts.cpp has a heap-based buffer over-read after a call from Mp42Ts.cpp, a related issue to CVE-2018-14532.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-10 18:29:00 UTC
CVE-2018-13846
CVE-2018-13847 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been found in Bento4 1.5.1-624. It is a SEGV in AP4_StcoAtom::AdjustChunkOffsets in Core/Ap4StcoAtom.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-10 18:29:00 UTC
CVE-2018-13847
CVE-2018-13848 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been found in Bento4 1.5.1-624. It is a SEGV in AP4_StszAtom::GetSampleSize in Core/Ap4StszAtom.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-10 18:29:00 UTC
CVE-2018-13848
CVE-2018-14015 on Ubuntu 26.04 LTS (resolute) - medium
The sdb_set_internal function in sdb.c in radare2 2.7.0 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted ELF file because of missing input validation in r_bin_dwarf_parse_comp_unit in libr/bin/dwarf.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-12 20:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-14015
CVE-2018-14016 on Ubuntu 26.04 LTS (resolute) - medium
The r_bin_mdmp_init_directory_entry function in mdmp.c in radare2 2.7.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted Mini Crash Dump file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-12 20:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-14016
CVE-2018-14017 on Ubuntu 26.04 LTS (resolute) - medium
The r_bin_java_annotation_new function in shlr/java/class.c in radare2 2.7.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted .class file because of missing input validation in r_bin_java_line_number_table_attr_new.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-12 20:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-14017
CVE-2018-14028 on Ubuntu 26.04 LTS (resolute) - medium
In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-08-10 16:29:00 UTC
CVE-2018-14028
CVE-2018-14329 on Ubuntu 26.04 LTS (resolute) - negligible
In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink attack.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-07-17 02:29:00 UTC
CVE-2018-14329
CVE-2018-14332 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Clementine Music Player 1.3.1. Clementine.exe is vulnerable to a user mode write access violation due to a NULL pointer dereference in the Init call in the MoodbarPipeline::NewPadCallback function in moodbar/moodbarpipeline.cpp. The vulnerability is triggered when the user opens a malformed mp3 file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-19 15:29:00 UTC
CVE-2018-14332
CVE-2018-14371 on Ubuntu 26.04 LTS (resolute) - medium
The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-18 12:29:00 UTC
CVE-2018-14371
CVE-2018-14394 on Ubuntu 26.04 LTS (resolute) - low
libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a denial of service (application crash caused by a divide-by-zero error) with a user crafted Waveform audio file.
Update Instructions:
Run `sudo pro fix CVE-2018-14394` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ffmpeg - 7:4.0.2-1ubuntu6
libavcodec-extra - 7:4.0.2-1ubuntu6
libavcodec-extra61 - 7:4.0.2-1ubuntu6
libavcodec61 - 7:4.0.2-1ubuntu6
libavdevice61 - 7:4.0.2-1ubuntu6
libavfilter-extra - 7:4.0.2-1ubuntu6
libavfilter-extra10 - 7:4.0.2-1ubuntu6
libavfilter10 - 7:4.0.2-1ubuntu6
libavformat-extra - 7:4.0.2-1ubuntu6
libavformat-extra61 - 7:4.0.2-1ubuntu6
libavformat61 - 7:4.0.2-1ubuntu6
libavutil59 - 7:4.0.2-1ubuntu6
libpostproc58 - 7:4.0.2-1ubuntu6
libswresample5 - 7:4.0.2-1ubuntu6
libswscale8 - 7:4.0.2-1ubuntu6
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-07-19 05:29:00 UTC
CVE-2018-14394
CVE-2018-14424 on Ubuntu 26.04 LTS (resolute) - medium
The daemon in GDM through 3.29.1 does not properly unexport display objects from its D-Bus interface when they are destroyed, which allows a local attacker to trigger a use-after-free via a specially crafted sequence of D-Bus method calls, resulting in a denial of service or potential code execution.
Update Instructions:
Run `sudo pro fix CVE-2018-14424` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gdm3 - 3.29.91-1ubuntu1
gir1.2-gdm-1.0 - 3.29.91-1ubuntu1
libgdm1 - 3.29.91-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-08-13
2018-08-13
https://gitlab.gnome.org/GNOME/gdm/issues/401
[https://ubuntu.com/security/notices/USN-3737-1]
CVE-2018-14424
CVE-2018-14445 on Ubuntu 26.04 LTS (resolute) - medium
In Bento4 v1.5.1-624, AP4_File::ParseStream in Ap4File.cpp allows remote attackers to cause a denial of service (infinite loop) via a crafted MP4 file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-20 13:29:00 UTC
CVE-2018-14445
CVE-2018-14449 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig 4.1.0. There is an out of bounds read in gig::File::UpdateChunks in gig.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-20 15:29:00 UTC
CVE-2018-14449
CVE-2018-14450 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig 4.1.0. There is an out-of-bounds read in the "update dimension region's chunks" feature of the function gig::Region::UpdateChunks in gig.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-20 15:29:00 UTC
CVE-2018-14450
CVE-2018-14451 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig 4.1.0. There is a heap-based buffer overflow in the function RIFF::Chunk::Read in RIFF.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-20 15:29:00 UTC
CVE-2018-14451
CVE-2018-14452 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig 4.1.0. There is an out-of-bounds read in the "always assign the sample of the first dimension region of this region" feature of the function gig::Region::UpdateChunks in gig.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-20 15:29:00 UTC
CVE-2018-14452
CVE-2018-14453 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig 4.1.0. There is a heap-based buffer overflow in pData[1] access in the function store16 in helper.h.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-20 15:29:00 UTC
CVE-2018-14453
CVE-2018-14454 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig 4.1.0. There is an out-of-bounds read in the function RIFF::Chunk::Read in RIFF.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-20 15:29:00 UTC
CVE-2018-14454
CVE-2018-14455 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig 4.1.0. There is an out-of-bounds write in pData[0] access in the function store32 in helper.h.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-20 15:29:00 UTC
CVE-2018-14455
CVE-2018-14456 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig 4.1.0. There is an out-of-bounds write in the function DLS::Info::SaveString in DLS.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-20 15:29:00 UTC
CVE-2018-14456
CVE-2018-14457 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig 4.1.0. There is an out-of-bounds write in the function DLS::Info::UpdateChunks in DLS.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-20 15:29:00 UTC
CVE-2018-14457
CVE-2018-14458 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig 4.1.0. There is a heap-based buffer overflow in pData[1] access in the function store32 in helper.h.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-20 15:29:00 UTC
CVE-2018-14458
CVE-2018-14459 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig 4.1.0. There is an out-of-bounds write in pData[0] access in the function store16 in helper.h.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-20 15:29:00 UTC
CVE-2018-14459
CVE-2018-14505 on Ubuntu 26.04 LTS (resolute) - medium
mitmweb in mitmproxy v4.0.3 allows DNS Rebinding attacks, related to tools/web/app.py.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-22 18:29:00 UTC
CVE-2018-14505
CVE-2018-14521 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in aubio 0.4.6. A SEGV signal can occur in aubio_source_avcodec_readframe in io/source_avcodec.c, as demonstrated by aubiomfcc.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-07-23 08:29:00 UTC
CVE-2018-14521
CVE-2018-14522 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in aubio 0.4.6. A SEGV signal can occur in aubio_pitch_set_unit in pitch/pitch.c, as demonstrated by aubionotes.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-07-23 08:29:00 UTC
CVE-2018-14522
CVE-2018-14523 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in aubio 0.4.6. A buffer over-read can occur in new_aubio_pitchyinfft in pitch/pitchyinfft.c, as demonstrated by aubionotes.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-07-23 08:29:00 UTC
CVE-2018-14523
CVE-2018-14531 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1-624. There is an unspecified "heap-buffer-overflow" crash in the AP4_HvccAtom class in Core/Ap4HvccAtom.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-23 08:29:00 UTC
CVE-2018-14531
CVE-2018-14532 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1-624. There is a heap-based buffer over-read in AP4_Mpeg2TsVideoSampleStream::WriteSample in Core/Ap4Mpeg2Ts.cpp after a call from Mp42Hls.cpp, a related issue to CVE-2018-13846.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-23 08:29:00 UTC
CVE-2018-14532
CVE-2018-14543 on Ubuntu 26.04 LTS (resolute) - medium
There exists one NULL pointer dereference vulnerability in AP4_JsonInspector::AddField in Ap4Atom.cpp in Bento4 1.5.1-624, which can allow attackers to cause a denial-of-service via a crafted mp4 file. This vulnerability can be triggered by the executable mp4dump.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-23 08:29:00 UTC
CVE-2018-14543
CVE-2018-14544 on Ubuntu 26.04 LTS (resolute) - medium
There exists one invalid memory read bug in AP4_SampleDescription::GetFormat() in Ap4SampleDescription.h in Bento4 1.5.1-624, which can allow attackers to cause a denial-of-service via a crafted mp4 file. This vulnerability can be triggered by the executable mp42ts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-23 08:29:00 UTC
CVE-2018-14544
CVE-2018-14545 on Ubuntu 26.04 LTS (resolute) - medium
There exists one invalid memory read bug in AP4_SampleDescription::GetType() in Ap4SampleDescription.h in Bento4 1.5.1-624, which can allow attackers to cause a denial-of-service via a crafted mp4 file. This vulnerability can be triggered by the executable mp42ts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-23 08:29:00 UTC
CVE-2018-14545
CVE-2018-14553 on Ubuntu 26.04 LTS (resolute) - low
gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing attackers to crash an application via a specific function call sequence. Only affects PHP when linked with an external libgd (not bundled).
Update Instructions:
Run `sudo pro fix CVE-2018-14553` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libgd-tools - 2.2.5-5.2ubuntu1
libgd3 - 2.2.5-5.2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-02-11 13:15:00 UTC
2020-02-11 13:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1599032
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951287
[https://ubuntu.com/security/notices/USN-4316-2]
[https://ubuntu.com/security/notices/USN-4316-1]
CVE-2018-14553
CVE-2018-14584 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been discovered in Bento4 1.5.1-624. AP4_AvccAtom::Create in Core/Ap4AvccAtom.cpp has a heap-based buffer over-read.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-24 16:29:00 UTC
CVE-2018-14584
CVE-2018-14585 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been discovered in Bento4 1.5.1-624. AP4_BytesToUInt16BE in Core/Ap4Utils.h has a heap-based buffer over-read after a call from the AP4_Stz2Atom class.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-24 16:29:00 UTC
CVE-2018-14585
CVE-2018-14586 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been discovered in Bento4 1.5.1-624. A SEGV can occur in AP4_Mpeg2TsAudioSampleStream::WriteSample in Core/Ap4Mpeg2Ts.cpp, a different vulnerability than CVE-2018-14532.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-24 16:29:00 UTC
CVE-2018-14586
CVE-2018-14587 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been discovered in Bento4 1.5.1-624. AP4_MemoryByteStream::WritePartial in Core/Ap4ByteStream.cpp has a buffer over-read.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-24 16:29:00 UTC
CVE-2018-14587
CVE-2018-14588 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been discovered in Bento4 1.5.1-624. A NULL pointer dereference can occur in AP4_DataBuffer::SetData in Core/Ap4DataBuffer.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-24 16:29:00 UTC
CVE-2018-14588
CVE-2018-14589 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been discovered in Bento4 1.5.1-624. AP4_Mp4AudioDsiParser::ReadBits in Codecs/Ap4Mp4AudioInfo.cpp has a heap-based buffer over-read.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-24 16:29:00 UTC
CVE-2018-14589
CVE-2018-14590 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been discovered in Bento4 1.5.1-624. A SEGV can occur in AP4_Processor::ProcessFragments in Core/Ap4Processor.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-24 16:29:00 UTC
CVE-2018-14590
CVE-2018-14624 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was discovered in 389-ds-base through versions 1.3.7.10, 1.3.8.8 and 1.4.0.16. The lock controlling the error log was not correctly used when re-opening the log file in log__error_emergency(). An attacker could send a flood of modifications to a very large DN, which would cause slapd to crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-09-06 14:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907778
CVE-2018-14624
CVE-2018-14628 on Ubuntu 26.04 LTS (resolute) - low
An information leak vulnerability was discovered in Samba's LDAP server. Due to missing access control checks, an authenticated but unprivileged attacker could discover the names and preserved attributes of deleted objects in the LDAP store.
Update Instructions:
Run `sudo pro fix CVE-2018-14628` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-01-17 18:15:00 UTC
Andrew Bartlett
https://bugzilla.samba.org/show_bug.cgi?id=13595
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034803
CVE-2018-14628
CVE-2018-14638 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in 389-ds-base before version 1.3.8.4-13. The process ns-slapd crashes in delete_passwdPolicy function when persistent search connections are terminated unexpectedly leading to remote denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-09-14 19:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908859
CVE-2018-14638
CVE-2018-14642 on Ubuntu 26.04 LTS (resolute) - medium
An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-09-18 13:29:00 UTC
CVE-2018-14642
CVE-2018-14648 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in 389 Directory Server. A specially crafted search query could lead to excessive CPU consumption in the do_search() function. An unauthenticated attacker could use this flaw to provoke a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-09-28 13:29:00 UTC
CVE-2018-14648
CVE-2018-14722 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in evaluate_auto_mountpoint in btrfsmaintenance-functions in btrfsmaintenance through 0.4.1. Code execution as root can occur via a specially crafted filesystem label if btrfs-{scrub,balance,trim} are set to auto in /etc/sysconfig/btrfsmaintenance (this is not the default, though).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-08-15 18:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906131
CVE-2018-14722
CVE-2018-15587 on Ubuntu 26.04 LTS (resolute) - medium
GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted email that contains a valid signature from the entity to be impersonated as an attachment.
Update Instructions:
Run `sudo pro fix CVE-2018-15587` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
evolution - 3.31.90-1
evolution-common - 3.31.90-1
evolution-plugin-bogofilter - 3.31.90-1
evolution-plugin-pstimport - 3.31.90-1
evolution-plugin-spamassassin - 3.31.90-1
evolution-plugins - 3.31.90-1
evolution-plugins-experimental - 3.31.90-1
libevolution - 3.31.90-1
No subscription required
evolution-data-server - 3.31.90-1
evolution-data-server-common - 3.31.90-1
evolution-data-server-tests - 3.31.90-1
gir1.2-camel-1.2 - 3.31.90-1
gir1.2-ebackend-1.2 - 3.31.90-1
gir1.2-ebook-1.2 - 3.31.90-1
gir1.2-ebookcontacts-1.2 - 3.31.90-1
gir1.2-ecal-2.0 - 3.31.90-1
gir1.2-edatabook-1.2 - 3.31.90-1
gir1.2-edatacal-2.0 - 3.31.90-1
gir1.2-edataserver-1.2 - 3.31.90-1
gir1.2-edataserverui-1.2 - 3.31.90-1
gir1.2-edataserverui4-1.0 - 3.31.90-1
libcamel-1.2-64t64 - 3.31.90-1
libebackend-1.2-11t64 - 3.31.90-1
libebook-1.2-21t64 - 3.31.90-1
libebook-contacts-1.2-4t64 - 3.31.90-1
libecal-2.0-3 - 3.31.90-1
libedata-book-1.2-27t64 - 3.31.90-1
libedata-cal-2.0-2t64 - 3.31.90-1
libedataserver-1.2-27t64 - 3.31.90-1
libedataserverui-1.2-4t64 - 3.31.90-1
libedataserverui4-1.0-0t64 - 3.31.90-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-11
2019-02-11
Hanno Böck (1) and Marcus Brinkmann (2)
https://gitlab.gnome.org/GNOME/evolution/issues/120
https://bugzilla.gnome.org/show_bug.cgi?id=796424
https://gitlab.gnome.org/GNOME/evolution-data-server/issues/3
https://gitlab.gnome.org/GNOME/evolution-data-server/issues/75
https://dev.gnupg.org/T4000
[https://ubuntu.com/security/notices/USN-3998-1]
CVE-2018-15587
CVE-2018-15869 on Ubuntu 26.04 LTS (resolute) - medium
An Amazon Web Services (AWS) developer who does not specify the --owners flag when describing images via AWS CLI, and therefore not properly validating source software per AWS recommended security best practices, may unintentionally load an undesired and potentially malicious Amazon Machine Image (AMI) from the uncurated public community AMI catalog.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-08-25 00:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907298
CVE-2018-15869
CVE-2018-16368 on Ubuntu 26.04 LTS (resolute) - negligible
SplashXPath::strokeAdjust in splash/SplashXPath.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted pdf file, as demonstrated by pdftoppm.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-09-03 00:29:00 UTC
CVE-2018-16368
CVE-2018-16369 on Ubuntu 26.04 LTS (resolute) - negligible
XRef::fetch in XRef.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (stack consumption) via a crafted pdf file, related to AcroForm::scanField, as demonstrated by pdftohtml. NOTE: this might overlap CVE-2018-7453.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-09-03 00:29:00 UTC
CVE-2018-16369
CVE-2018-16382 on Ubuntu 26.04 LTS (resolute) - negligible
Netwide Assembler (NASM) 2.14rc15 has a buffer over-read in x86/regflags.c.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-09-03 02:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907866
https://bugzilla.nasm.us/show_bug.cgi?id=3392503
https://bugzilla.nasm.us/show_bug.cgi?id=3392447
CVE-2018-16382
CVE-2018-16384 on Ubuntu 26.04 LTS (resolute) - medium
A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as "if") and b is the SQL statement to be executed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-09-03 02:29:00 UTC
CVE-2018-16384
CVE-2018-16517 on Ubuntu 26.04 LTS (resolute) - negligible
asm/labels.c in Netwide Assembler (NASM) is prone to NULL Pointer Dereference, which allows the attacker to cause a denial of service via a crafted file.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-09-06 23:29:00 UTC
https://bugzilla.nasm.us/show_bug.cgi?id=3392513
https://fakhrizulkifli.github.io/CVE-2018-16517.html
CVE-2018-16517
CVE-2018-16855 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been found in PowerDNS Recursor before version 4.1.8 where a remote attacker sending a DNS query can trigger an out-of-bounds memory read while computing the hash of the query for a packet cache lookup, possibly leading to a crash.
Update Instructions:
Run `sudo pro fix CVE-2018-16855` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
pdns-recursor - 4.1.8-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-03 14:29:00 UTC
CVE-2018-16855
CVE-2018-16856 on Ubuntu 26.04 LTS (resolute) - medium
In a default Red Hat Openstack Platform Director installation, openstack-octavia before versions openstack-octavia 2.0.2-5 and openstack-octavia-3.0.1-0.20181009115732 creates log files that are readable by all users. Sensitive information such as private keys can appear in these log files allowing for information exposure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-03-26 18:29:00 UTC
CVE-2018-16856
CVE-2018-16976 on Ubuntu 26.04 LTS (resolute) - medium
Gitolite before 3.6.9 does not (in certain configurations involving @all or a regex) properly restrict access to a Git repository that is in the process of being migrated until the full set of migration steps has been completed. This can allow valid users to obtain unintended access.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-09-12 22:29:00 UTC
CVE-2018-16976
CVE-2018-16981 on Ubuntu 26.04 LTS (resolute) - medium
stb stb_image.h 2.19, as used in catimg, Emscripten, and other products, has a heap-based buffer overflow in the stbi__out_gif_code function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-09-12 23:29:00 UTC
2018-09-12 23:29:00 UTC
[https://ubuntu.com/security/notices/USN-7913-1]
CVE-2018-16981
CVE-2018-17197 on Ubuntu 26.04 LTS (resolute) - medium
A carefully crafted or corrupt sqlite file can cause an infinite loop in Apache Tika's SQLite3Parser in versions 1.8-1.19.1 of Apache Tika.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-24 14:29:00 UTC
CVE-2018-17197
CVE-2018-17432 on Ubuntu 26.04 LTS (resolute) - medium
A NULL pointer dereference in H5O_sdspace_encode() in H5Osdspace.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service via a crafted HDF5 file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-09-24 14:29:00 UTC
CVE-2018-17432
CVE-2018-17828 on Ubuntu 26.04 LTS (resolute) - negligible
Directory traversal vulnerability in ZZIPlib 0.13.69 allows attackers to overwrite arbitrary files via a .. (dot dot) in a zip file, because of the function unzzip_cat in the bins/unzzipcat-mem.c file.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-10-01 08:29:00 UTC
https://github.com/gdraheim/zziplib/issues/62
CVE-2018-17828
CVE-2018-17977 on Ubuntu 26.04 LTS (resolute) - medium
The Linux kernel 4.14.67 mishandles certain interaction among XFRM Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which allows local users to cause a denial of service (memory consumption and system hang) by leveraging root access to execute crafted applications, as demonstrated on CentOS 7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-10-08 17:29:00 UTC
CVE-2018-17977
CVE-2018-18064 on Ubuntu 26.04 LTS (resolute) - low
cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-10-08 18:29:00 UTC
https://gitlab.freedesktop.org/cairo/cairo/issues/341
CVE-2018-18064
CVE-2018-18074 on Ubuntu 26.04 LTS (resolute) - medium
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Update Instructions:
Run `sudo pro fix CVE-2018-18074` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-requests - 2.18.4-2ubuntu0.18.10.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-10-09
2018-10-09
[https://ubuntu.com/security/notices/USN-3790-1]
[https://ubuntu.com/security/notices/USN-3790-2]
CVE-2018-18074
CVE-2018-18192 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig 4.1.0. There is a NULL pointer dereference in the function DLS::File::GetFirstSample() in DLS.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-10-09 20:29:00 UTC
CVE-2018-18192
CVE-2018-18193 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig 4.1.0. There is operator new[] failure (due to a big pWavePoolTable heap request) in DLS::File::File in DLS.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-10-09 20:29:00 UTC
CVE-2018-18193
CVE-2018-18194 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig 4.1.0. There is a heap-based buffer over-read in DLS::Region::GetSample() in DLS.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-10-09 20:29:00 UTC
CVE-2018-18194
CVE-2018-18195 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig 4.1.0. There is an FPE (divide-by-zero error) in DLS::Sample::Sample in DLS.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-10-09 20:29:00 UTC
CVE-2018-18195
CVE-2018-18196 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig 4.1.0. There is a heap-based buffer over-read in RIFF::List::GetListTypeString in RIFF.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-10-09 20:29:00 UTC
CVE-2018-18196
CVE-2018-18197 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig 4.1.0. There is an operator new[] failure (due to a big pSampleLoops heap request) in DLS::Sampler::Sampler in DLS.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-10-09 20:29:00 UTC
CVE-2018-18197
CVE-2018-18246 on Ubuntu 26.04 LTS (resolute) - medium
Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-17 15:29:00 UTC
CVE-2018-18246
CVE-2018-18247 on Ubuntu 26.04 LTS (resolute) - medium
Icinga Web 2 before 2.6.2 has XSS via the /icingaweb2/navigation/add icon parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-17 15:29:00 UTC
CVE-2018-18247
CVE-2018-18248 on Ubuntu 26.04 LTS (resolute) - medium
Icinga Web 2 has XSS via the /icingaweb2/monitoring/list/services dir parameter, the /icingaweb2/user/list query string, the /icingaweb2/monitoring/timeline query string, or the /icingaweb2/setup query string.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-17 15:29:00 UTC
CVE-2018-18248
CVE-2018-18249 on Ubuntu 26.04 LTS (resolute) - medium
Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or /icingaweb2/dashboard/new-dashlet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-17 15:29:00 UTC
CVE-2018-18249
CVE-2018-18250 on Ubuntu 26.04 LTS (resolute) - medium
Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single '$' character as the Name of a Navigation item.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-17 15:29:00 UTC
CVE-2018-18250
CVE-2018-18398 on Ubuntu 26.04 LTS (resolute) - medium
Xfce Thunar 1.6.15, when Xfce 4.12 is used, mishandles the IBus-Unikey input method for file searches within File Manager, leading to an out-of-bounds read and SEGV. This could potentially be exploited by an arbitrary local user who creates files in /tmp before the victim uses this input method.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-10-19 22:29:00 UTC
CVE-2018-18398
CVE-2018-18454 on Ubuntu 26.04 LTS (resolute) - negligible
CCITTFaxStream::readRow() in Stream.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted pdf file, as demonstrated by pdftoppm.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-10-18 06:29:00 UTC
CVE-2018-18454
CVE-2018-18455 on Ubuntu 26.04 LTS (resolute) - negligible
The GfxImageColorMap class in GfxState.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted pdf file, as demonstrated by pdftoppm.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-10-18 06:29:00 UTC
CVE-2018-18455
CVE-2018-18456 on Ubuntu 26.04 LTS (resolute) - negligible
The function Object::isName() in Object.h (called from Gfx::opSetFillColorN) in Xpdf 4.00 allows remote attackers to cause a denial of service (stack-based buffer over-read) via a crafted pdf file, as demonstrated by pdftoppm.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-10-18 06:29:00 UTC
CVE-2018-18456
CVE-2018-18457 on Ubuntu 26.04 LTS (resolute) - negligible
The function DCTStream::readScan in Stream.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted pdf file, as demonstrated by pdftoppm.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-10-18 06:29:00 UTC
CVE-2018-18457
CVE-2018-18458 on Ubuntu 26.04 LTS (resolute) - negligible
The function DCTStream::decodeImage in Stream.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted pdf file, as demonstrated by pdftoppm.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-10-18 06:29:00 UTC
CVE-2018-18458
CVE-2018-18459 on Ubuntu 26.04 LTS (resolute) - negligible
The function DCTStream::getBlock in Stream.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted pdf file, as demonstrated by pdftoppm.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-10-18 06:29:00 UTC
CVE-2018-18459
CVE-2018-18650 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Xpdf 4.00. XRef::readXRefStream in XRef.cc allows attackers to launch a denial of service (Integer Overflow) via a crafted /Size value in a pdf file, as demonstrated by pdftohtml. This is mainly caused by the program attempting a malloc operation for a large amount of memory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-10-25 13:29:00 UTC
CVE-2018-18650
CVE-2018-18651 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Xpdf 4.00. catalog->getNumPages() in AcroForm.cc allows attackers to launch a denial of service (hang caused by large loop) via a specific pdf file, as demonstrated by pdftohtml. This is mainly caused by a large number after the /Count field in the file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-10-25 13:29:00 UTC
CVE-2018-18651
CVE-2018-18826 on Ubuntu 26.04 LTS (resolute) - medium
There exists a heap-based buffer overflow in vc1_decode_p_mb_intfi in vc1_block.c in Libav 12.3, which allows attackers to cause a denial-of-service via a crafted aac file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-10-30 06:29:00 UTC
CVE-2018-18826
CVE-2018-18827 on Ubuntu 26.04 LTS (resolute) - medium
There exists a heap-based buffer over-read in ff_vc1_pred_dc in vc1_block.c in Libav 12.3, which allows attackers to cause a denial-of-service via a crafted aac file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-10-30 06:29:00 UTC
CVE-2018-18827
CVE-2018-18828 on Ubuntu 26.04 LTS (resolute) - medium
There exists a heap-based buffer overflow in vc1_decode_i_block_adv in vc1_block.c in Libav 12.3, which allows attackers to cause a denial-of-service via a crafted aac file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-10-30 06:29:00 UTC
CVE-2018-18828
CVE-2018-18829 on Ubuntu 26.04 LTS (resolute) - medium
There exists a NULL pointer dereference in ff_vc1_parse_frame_header_adv in vc1.c in Libav 12.3, which allows attackers to cause a denial-of-service through a crafted aac file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-10-30 06:29:00 UTC
CVE-2018-18829
CVE-2018-19120 on Ubuntu 26.04 LTS (resolute) - medium
The HTML thumbnailer plugin in KDE Applications before 18.12.0 allows attackers to trigger outbound TCP connections to arbitrary IP addresses, leading to disclosure of the source IP address.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-11-29 21:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913596
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913595
CVE-2018-19120
CVE-2018-19212 on Ubuntu 26.04 LTS (resolute) - low
In libwebm through 2018-10-03, there is an abort caused by libwebm::Webm2Pes::InitWebmParser() that will lead to a DoS attack.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-11-12 19:29:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1644196
CVE-2018-19212
CVE-2018-19213 on Ubuntu 26.04 LTS (resolute) - negligible
Netwide Assembler (NASM) through 2.14rc16 has memory leaks that may lead to DoS, related to nasm_malloc in nasmlib/malloc.c.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-11-12 19:29:00 UTC
https://bugzilla.nasm.us/show_bug.cgi?id=3392524
CVE-2018-19213
CVE-2018-19214 on Ubuntu 26.04 LTS (resolute) - negligible
Netwide Assembler (NASM) 2.14rc15 has a heap-based buffer over-read in expand_mmac_params in asm/preproc.c for insufficient input.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-11-12 19:29:00 UTC
https://bugzilla.nasm.us/show_bug.cgi?id=3392521
CVE-2018-19214
CVE-2018-19215 on Ubuntu 26.04 LTS (resolute) - negligible
Netwide Assembler (NASM) 2.14rc16 has a heap-based buffer over-read in expand_mmac_params in asm/preproc.c for the special cases of the % and $ and ! characters.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-11-12 19:29:00 UTC
https://bugzilla.nasm.us/show_bug.cgi?id=3392525
CVE-2018-19215
CVE-2018-19216 on Ubuntu 26.04 LTS (resolute) - low
Netwide Assembler (NASM) before 2.13.02 has a use-after-free in detoken at asm/preproc.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-11-12 19:29:00 UTC
https://bugzilla.nasm.us/show_bug.cgi?id=3392425
CVE-2018-19216
CVE-2018-19360 on Ubuntu 26.04 LTS (resolute) - medium
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
Update Instructions:
Run `sudo pro fix CVE-2018-19360` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libjackson2-databind-java - 2.9.8-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-01-02 18:29:00 UTC
2019-01-02 18:29:00 UTC
[https://ubuntu.com/security/notices/USN-4813-1]
CVE-2018-19360
CVE-2018-19361 on Ubuntu 26.04 LTS (resolute) - medium
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
Update Instructions:
Run `sudo pro fix CVE-2018-19361` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libjackson2-databind-java - 2.9.8-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-01-02 18:29:00 UTC
2019-01-02 18:29:00 UTC
[https://ubuntu.com/security/notices/USN-4813-1]
CVE-2018-19361
CVE-2018-19362 on Ubuntu 26.04 LTS (resolute) - medium
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
Update Instructions:
Run `sudo pro fix CVE-2018-19362` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libjackson2-databind-java - 2.9.8-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-01-02 18:29:00 UTC
2019-01-02 18:29:00 UTC
[https://ubuntu.com/security/notices/USN-4813-1]
CVE-2018-19362
CVE-2018-19440 on Ubuntu 26.04 LTS (resolute) - medium
ARM Trusted Firmware-A allows information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-01-30 15:29:00 UTC
CVE-2018-19440
CVE-2018-19443 on Ubuntu 26.04 LTS (resolute) - medium
The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-11-22 19:29:00 UTC
CVE-2018-19443
CVE-2018-19565 on Ubuntu 26.04 LTS (resolute) - medium
A buffer over-read in crop_masked_pixels in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code or leak private information.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-11-26 20:29:00 UTC
CVE-2018-19565
CVE-2018-19566 on Ubuntu 26.04 LTS (resolute) - medium
A heap buffer over-read in parse_tiff_ifd in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code or leak private information.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-11-26 20:29:00 UTC
CVE-2018-19566
CVE-2018-19567 on Ubuntu 26.04 LTS (resolute) - medium
A floating point exception in parse_tiff_ifd in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-11-26 20:29:00 UTC
CVE-2018-19567
CVE-2018-19568 on Ubuntu 26.04 LTS (resolute) - medium
A floating point exception in kodak_radc_load_raw in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-11-26 20:29:00 UTC
CVE-2018-19568
CVE-2018-19655 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow in the find_green() function of dcraw through 9.28, as used in ufraw-batch and many other products, may allow a remote attacker to cause a control-flow hijack, denial-of-service, or unspecified other impact via a maliciously crafted raw photo file.
Update Instructions:
Run `sudo pro fix CVE-2018-19655` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
dcraw - 9.28-2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-11-29 05:29:00 UTC
CVE-2018-19655
CVE-2018-19865 on Ubuntu 26.04 LTS (resolute) - low
A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-12-05 11:29:00 UTC
CVE-2018-19865
CVE-2018-19871 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-12-26 21:29:00 UTC
CVE-2018-19871
CVE-2018-1999010 on Ubuntu 26.04 LTS (resolute) - medium
FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains multiple out of array access vulnerabilities in the mms protocol that can result in attackers accessing out of bound data. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in cced03dd667a5df6df8fd40d8de0bff477ee02e8 and later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-23 15:29:00 UTC
CVE-2018-1999010
CVE-2018-1999011 on Ubuntu 26.04 LTS (resolute) - medium
FFmpeg before commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 contains a Buffer Overflow vulnerability in asf_o format demuxer that can result in heap-buffer-overflow that may result in remote code execution. This attack appears to be exploitable via specially crafted ASF file that has to be provided as input to FFmpeg. This vulnerability appears to have been fixed in 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 and later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-23 15:29:00 UTC
CVE-2018-1999011
CVE-2018-1999012 on Ubuntu 26.04 LTS (resolute) - medium
FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a Vulnerability that allows attackers to consume excessive amount of resources like CPU and RAM. This attack appear to be exploitable via specially crafted PVA file has to be provided as input. This vulnerability appears to have been fixed in 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 and later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-23 15:29:00 UTC
CVE-2018-1999012
CVE-2018-1999013 on Ubuntu 26.04 LTS (resolute) - medium
FFmpeg before commit a7e032a277452366771951e29fd0bf2bd5c029f0 contains a use-after-free vulnerability in the realmedia demuxer that can result in vulnerability allows attacker to read heap memory. This attack appear to be exploitable via specially crafted RM file has to be provided as input. This vulnerability appears to have been fixed in a7e032a277452366771951e29fd0bf2bd5c029f0 and later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-23 15:29:00 UTC
CVE-2018-1999013
CVE-2018-1999014 on Ubuntu 26.04 LTS (resolute) - medium
FFmpeg before commit bab0716c7f4793ec42e05a5aa7e80d82a0dd4e75 contains an out of array access vulnerability in MXF format demuxer that can result in DoS. This attack appear to be exploitable via specially crafted MXF file which has to be provided as input. This vulnerability appears to have been fixed in bab0716c7f4793ec42e05a5aa7e80d82a0dd4e75 and later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-23 15:29:00 UTC
CVE-2018-1999014
CVE-2018-1999015 on Ubuntu 26.04 LTS (resolute) - medium
FFmpeg before commit 5aba5b89d0b1d73164d3b81764828bb8b20ff32a contains an out of array read vulnerability in ASF_F format demuxer that can result in heap memory reading. This attack appear to be exploitable via specially crafted ASF file that has to provided as input. This vulnerability appears to have been fixed in 5aba5b89d0b1d73164d3b81764828bb8b20ff32a and later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-23 15:29:00 UTC
CVE-2018-1999015
CVE-2018-20005 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been found in Mini-XML (aka mxml) 2.12. It is a use-after-free in mxmlWalkNext in mxml-search.c, as demonstrated by mxmldoc.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-10 06:29:00 UTC
CVE-2018-20005
CVE-2018-20020 on Ubuntu 26.04 LTS (resolute) - medium
LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-19
2018-12-19
https://github.com/LibVNC/libvncserver/issues/250
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916941
[https://ubuntu.com/security/notices/USN-3877-1]
[https://ubuntu.com/security/notices/USN-4547-1]
[https://ubuntu.com/security/notices/USN-4547-2]
[https://ubuntu.com/security/notices/USN-4587-1]
CVE-2018-20020
CVE-2018-20021 on Ubuntu 26.04 LTS (resolute) - medium
LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c contains a CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows attacker to consume excessive amount of resources like CPU and RAM
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-19
2018-12-19
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916941
https://github.com/LibVNC/libvncserver/issues/251
[https://ubuntu.com/security/notices/USN-3877-1]
[https://ubuntu.com/security/notices/USN-4547-1]
[https://ubuntu.com/security/notices/USN-4547-2]
[https://ubuntu.com/security/notices/USN-4587-1]
CVE-2018-20021
CVE-2018-20022 on Ubuntu 26.04 LTS (resolute) - medium
LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-19
2018-12-19
https://github.com/LibVNC/libvncserver/issues/252
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916941
[https://ubuntu.com/security/notices/USN-3877-1]
[https://ubuntu.com/security/notices/USN-4547-1]
[https://ubuntu.com/security/notices/USN-4547-2]
[https://ubuntu.com/security/notices/USN-4587-1]
CVE-2018-20022
CVE-2018-20095 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in EnsureCapacity in Core/Ap4Array.h in Bento4 1.5.1-627. Crafted MP4 input triggers an attempt at excessive memory allocation, as demonstrated by mp42hls.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-12 10:29:00 UTC
CVE-2018-20095
CVE-2018-20186 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1-627. AP4_Sample::ReadData in Core/Ap4Sample.cpp allows attackers to trigger an attempted excessive memory allocation, related to AP4_DataBuffer::SetDataSize and AP4_DataBuffer::ReallocateBuffer in Core/Ap4DataBuffer.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-17 19:29:00 UTC
CVE-2018-20186
CVE-2018-20337 on Ubuntu 26.04 LTS (resolute) - low
There is a stack-based buffer overflow in the parse_makernote function of dcraw_common.cpp in LibRaw 0.19.1. Crafted input will lead to a denial of service or possibly unspecified other impact.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-12-21
2018-12-21
https://github.com/LibRaw/LibRaw/issues/192
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917080
[https://ubuntu.com/security/notices/USN-3989-1]
CVE-2018-20337
CVE-2018-20363 on Ubuntu 26.04 LTS (resolute) - low
LibRaw::raw2image in libraw_cxx.cpp in LibRaw 0.19.1 has a NULL pointer dereference.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-12-22
2018-12-22
https://github.com/LibRaw/LibRaw/issues/193
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917113
[https://ubuntu.com/security/notices/USN-3989-1]
CVE-2018-20363
CVE-2018-20364 on Ubuntu 26.04 LTS (resolute) - low
LibRaw::copy_bayer in libraw_cxx.cpp in LibRaw 0.19.1 has a NULL pointer dereference.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-12-22
2018-12-22
https://github.com/LibRaw/LibRaw/issues/194
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917112
[https://ubuntu.com/security/notices/USN-3989-1]
CVE-2018-20364
CVE-2018-20365 on Ubuntu 26.04 LTS (resolute) - low
LibRaw::raw2image() in libraw_cxx.cpp has a heap-based buffer overflow.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-12-22
2018-12-22
https://github.com/LibRaw/LibRaw/issues/195
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917111
[https://ubuntu.com/security/notices/USN-3989-1]
CVE-2018-20365
CVE-2018-20374 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. Compiling a crafted source file leads to an 8 byte out of bounds write in the use_section1 function in tccasm.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-23 18:29:00 UTC
CVE-2018-20374
CVE-2018-20375 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. Compiling a crafted source file leads to an 8 byte out of bounds write in the sym_pop function in tccgen.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-23 18:29:00 UTC
CVE-2018-20375
CVE-2018-20376 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. Compiling a crafted source file leads to an 8 byte out of bounds write in the asm_parse_directive function in tccasm.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-23 18:29:00 UTC
CVE-2018-20376
CVE-2018-20407 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1-627. There is a memory leak in AP4_DescriptorFactory::CreateDescriptorFromStream in Core/Ap4DescriptorFactory.cpp, as demonstrated by mp42hls.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-23 23:29:00 UTC
CVE-2018-20407
CVE-2018-20408 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1-627. There is a memory leak in AP4_StdcFileByteStream::Create in System/StdC/Ap4StdCFileByteStream.cpp, as demonstrated by mp42hls.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-23 23:29:00 UTC
CVE-2018-20408
CVE-2018-20409 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1-627. There is a heap-based buffer over-read in AP4_AvccAtom::Create in Core/Ap4AvccAtom.cpp, as demonstrated by mp42hls.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-23 23:29:00 UTC
CVE-2018-20409
CVE-2018-20450 on Ubuntu 26.04 LTS (resolute) - low
The read_MSAT function in ole.c in libxls 1.4.0 has a double free that allows attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2017-2897.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-12-25 17:29:00 UTC
CVE-2018-20450
CVE-2018-20451 on Ubuntu 26.04 LTS (resolute) - low
The process_file function in reader.c in libdoc through 2017-10-23 has a heap-based buffer over-read that allows attackers to cause a denial of service (application crash) via a crafted file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-12-25 17:29:00 UTC
CVE-2018-20451
CVE-2018-20452 on Ubuntu 26.04 LTS (resolute) - medium
The read_MSAT_body function in ole.c in libxls 1.4.0 has an invalid free that allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, because of inconsistent memory management (new versus free) in ole2_read_header in ole.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-25 17:29:00 UTC
CVE-2018-20452
CVE-2018-20453 on Ubuntu 26.04 LTS (resolute) - low
The getlong function in numutils.c in libdoc through 2017-10-23 has a heap-based buffer over-read that allows attackers to cause a denial of service (application crash) via a crafted file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-12-25 17:29:00 UTC
CVE-2018-20453
CVE-2018-20457 on Ubuntu 26.04 LTS (resolute) - medium
In radare2 through 3.1.3, the assemble function inside libr/asm/p/asm_arm_cs.c allows attackers to cause a denial-of-service (application crash via an r_num_calc out-of-bounds read) by crafting an arm assembly input because a loop uses an incorrect index in armass.c and certain length validation is missing in armass64.c, a related issue to CVE-2018-20459.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-25 19:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917322
CVE-2018-20457
CVE-2018-20459 on Ubuntu 26.04 LTS (resolute) - medium
In radare2 through 3.1.3, the armass_assemble function in libr/asm/arch/arm/armass.c allows attackers to cause a denial-of-service (application crash by out-of-bounds read) by crafting an arm assembly input because a loop uses an incorrect index in armass.c and certain length validation is missing in armass64.c, a related issue to CVE-2018-20457.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-25 19:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917322
CVE-2018-20459
CVE-2018-20502 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1-627. There is an attempt at excessive memory allocation in the AP4_DataBuffer class when called from AP4_HvccAtom::Create in Core/Ap4HvccAtom.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-26 23:29:00 UTC
CVE-2018-20502
CVE-2018-20538 on Ubuntu 26.04 LTS (resolute) - low
There is a use-after-free at asm/preproc.c (function pp_getline) in Netwide Assembler (NASM) 2.14rc16 that will cause a denial of service during certain finishes tests.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-12-28 16:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918269
https://bugzilla.nasm.us/show_bug.cgi?id=3392531
CVE-2018-20538
CVE-2018-20592 on Ubuntu 26.04 LTS (resolute) - medium
In Mini-XML (aka mxml) v2.12, there is a use-after-free in the mxmlAdd function of the mxml-node.c file. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted xml file, as demonstrated by mxmldoc.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-30 18:29:00 UTC
CVE-2018-20592
CVE-2018-20593 on Ubuntu 26.04 LTS (resolute) - medium
In Mini-XML (aka mxml) v2.12, there is stack-based buffer overflow in the scan_file function in mxmldoc.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-30 18:29:00 UTC
CVE-2018-20593
CVE-2018-20659 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1-627. The AP4_StcoAtom class in Core/Ap4StcoAtom.cpp has an attempted excessive memory allocation when called from AP4_AtomFactory::CreateAtomFromStream in Core/Ap4AtomFactory.cpp, as demonstrated by mp42hls.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-01-02 17:29:00 UTC
CVE-2018-20659
CVE-2018-20676 on Ubuntu 26.04 LTS (resolute) - low
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-01-09 05:29:00 UTC
CVE-2018-20676
CVE-2018-20677 on Ubuntu 26.04 LTS (resolute) - low
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-01-09 05:29:00 UTC
CVE-2018-20677
CVE-2018-20748 on Ubuntu 26.04 LTS (resolute) - medium
LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-01-30
2019-01-30
https://github.com/LibVNC/libvncserver/issues/273
[https://ubuntu.com/security/notices/USN-3877-1]
[https://ubuntu.com/security/notices/USN-4547-1]
[https://ubuntu.com/security/notices/USN-4587-1]
CVE-2018-20748
CVE-2018-20786 on Ubuntu 26.04 LTS (resolute) - low
libvterm through 0+bzr726, as used in Vim and other products, mishandles certain out-of-memory conditions, leading to a denial of service (application crash), related to screen.c, state.c, and vterm.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-02-24 14:29:00 UTC
2019-02-24 14:29:00 UTC
https://github.com/vim/vim/issues/3711
[https://ubuntu.com/security/notices/USN-4309-1]
CVE-2018-20786
CVE-2018-20843 on Ubuntu 26.04 LTS (resolute) - low
In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).
Update Instructions:
Run `sudo pro fix CVE-2018-20843` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.2.6-2
libexpat1 - 2.2.6-2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-06-24
2019-06-24
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931031
https://github.com/libexpat/libexpat/issues/186
[https://ubuntu.com/security/notices/USN-4040-1]
[https://ubuntu.com/security/notices/USN-4040-2]
[https://ubuntu.com/security/notices/USN-5455-1]
[https://ubuntu.com/security/notices/USN-4852-1]
[https://ubuntu.com/security/notices/USN-7199-1]
CVE-2018-20843
CVE-2018-20845 on Ubuntu 26.04 LTS (resolute) - medium
Division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-06-26 18:15:00 UTC
2019-06-26 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-4782-1]
CVE-2018-20845
CVE-2018-20846 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-06-26 18:15:00 UTC
CVE-2018-20846
CVE-2018-20847 on Ubuntu 26.04 LTS (resolute) - medium
An improper computation of p_tx0, p_tx1, p_ty0 and p_ty1 in the function opj_get_encoding_parameters in openjp2/pi.c in OpenJPEG through 2.3.0 can lead to an integer overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-06-26 18:15:00 UTC
2019-06-26 18:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931294
[https://ubuntu.com/security/notices/USN-4497-1]
CVE-2018-20847
CVE-2018-20871 on Ubuntu 26.04 LTS (resolute) - medium
In Univa Grid Engine before 8.6.3, when configured for Docker jobs and execd spooling on root_squash, weak file permissions ("other" write access) occur in certain cases (GE-6890).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-30 19:15:00 UTC
CVE-2018-20871
CVE-2018-21010 on Ubuntu 26.04 LTS (resolute) - medium
OpenJPEG before 2.3.1 has a heap buffer overflow in color_apply_icc_profile in bin/common/color.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-05 13:15:00 UTC
2019-09-05 13:15:00 UTC
[https://ubuntu.com/security/notices/USN-4497-1]
CVE-2018-21010
CVE-2018-21232 on Ubuntu 26.04 LTS (resolute) - low
re2c before 2.0 has uncontrolled recursion that causes stack consumption in find_fixed_tags.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-04-29 14:15:00 UTC
Sergei Trofimovich
https://github.com/skvadrik/re2c/issues/219
CVE-2018-21232
CVE-2018-21247 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in LibVNCServer before 0.9.13. There is an information leak (of uninitialized memory contents) in the libvncclient/rfbproto.c ConnectToRFBRepeater function.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-06-17 16:15:00 UTC
https://github.com/LibVNC/libvncserver/issues/253
CVE-2018-21247
CVE-2018-25033 on Ubuntu 26.04 LTS (resolute) - medium
ADMesh through 0.98.4 has a heap-based buffer over-read in stl_update_connects_remove_1 (called from stl_remove_degenerate) in connect.c in libadmesh.a.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-08 06:15:00 UTC
CVE-2018-25033
CVE-2018-25047 on Ubuntu 26.04 LTS (resolute) - medium
In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. A web page that uses smarty_function_mailto, and that could be parameterized using GET or POST input parameters, could allow injection of JavaScript code by a user.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-15 00:15:00 UTC
2022-09-15 00:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019897
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019896
[https://ubuntu.com/security/notices/USN-7158-1]
CVE-2018-25047
CVE-2018-25050 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, has been found in Harvest Chosen up to 1.8.6. Affected by this issue is the function AbstractChosen of the file coffee/lib/abstract-chosen.coffee. The manipulation of the argument group_label leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.8.7 is able to address this issue. The name of the patch is 77fd031d541e77510268d1041ed37798fdd1017e. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216956.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-28 10:15:00 UTC
CVE-2018-25050
CVE-2018-25154 on Ubuntu 26.04 LTS (resolute) - medium
GNU Barcode 0.99 contains a buffer overflow vulnerability in its code 93 encoding process that allows attackers to trigger memory corruption. Attackers can exploit boundary errors during input file processing to potentially execute arbitrary code on the affected system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-24 20:15:00 UTC
CVE-2018-25154
CVE-2018-25220 on Ubuntu 26.04 LTS (resolute) - medium
Bochs 2.6-5 contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized input string to the application. Attackers can craft a malicious payload with 1200 bytes of padding followed by a return-oriented programming chain to overwrite the instruction pointer and execute shell commands with application privileges.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-28 12:16:00 UTC
CVE-2018-25220
CVE-2018-25222 on Ubuntu 26.04 LTS (resolute) - medium
SC v7.16 contains a stack-based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying oversized input that exceeds buffer boundaries. Attackers can craft malicious input strings exceeding 1052 bytes to overwrite the instruction pointer and execute shellcode in the application context.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-28 12:16:00 UTC
CVE-2018-25222
CVE-2018-25223 on Ubuntu 26.04 LTS (resolute) - high
Crashmail 1.6 contains a stack-based buffer overflow vulnerability that allows remote attackers to execute arbitrary code by sending malicious input to the application. Attackers can craft payloads with ROP chains to achieve code execution in the application context, with failed attempts potentially causing denial of service.
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-03-28 12:16:00 UTC
CVE-2018-25223
CVE-2018-25224 on Ubuntu 26.04 LTS (resolute) - medium
PMS 0.42 contains a stack-based buffer overflow vulnerability that allows local unauthenticated attackers to execute arbitrary code by supplying malicious values in the configuration file. Attackers can craft configuration files with oversized input that overflows the stack buffer and execute shell commands via return-oriented programming gadgets.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-28 12:16:00 UTC
CVE-2018-25224
CVE-2018-2830 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-19 02:29:00 UTC
CVE-2018-2830
CVE-2018-2831 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 3.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-19 02:29:00 UTC
Roman Fiedler
CVE-2018-2831
CVE-2018-2835 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-19 02:29:00 UTC
Vasily Vasiliev
CVE-2018-2835
CVE-2018-2836 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-19 02:29:00 UTC
Vasily Vasiliev
CVE-2018-2836
CVE-2018-2837 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-19 02:29:00 UTC
Vasily Vasiliev
CVE-2018-2837
CVE-2018-2842 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-19 02:29:00 UTC
Reno Robert
CVE-2018-2842
CVE-2018-2843 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-19 02:29:00 UTC
Reno Robert
CVE-2018-2843
CVE-2018-2844 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-19 02:29:00 UTC
Reno Robert
CVE-2018-2844
CVE-2018-2845 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-19 02:29:00 UTC
Reno Robert
CVE-2018-2845
CVE-2018-2860 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-19 02:29:00 UTC
Niklas Baumstark
CVE-2018-2860
CVE-2018-3005 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.16. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.0 Base Score 4.0 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-18 13:29:00 UTC
CVE-2018-3005
CVE-2018-3055 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.16. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 7.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-18 13:29:00 UTC
CVE-2018-3055
CVE-2018-3085 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.16. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-18 13:29:00 UTC
CVE-2018-3085
CVE-2018-3086 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.16. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-18 13:29:00 UTC
CVE-2018-3086
CVE-2018-3087 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.16. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-18 13:29:00 UTC
CVE-2018-3087
CVE-2018-3088 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.16. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-18 13:29:00 UTC
CVE-2018-3088
CVE-2018-3089 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.16. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-18 13:29:00 UTC
CVE-2018-3089
CVE-2018-3090 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.16. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-18 13:29:00 UTC
CVE-2018-3090
CVE-2018-3091 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.16. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-18 13:29:00 UTC
CVE-2018-3091
CVE-2018-3639 on Ubuntu 26.04 LTS (resolute) - medium
Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.
Update Instructions:
Run `sudo pro fix CVE-2018-3639` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:2.11+dfsg-1ubuntu10
qemu-block-supplemental - 1:2.11+dfsg-1ubuntu10
qemu-guest-agent - 1:2.11+dfsg-1ubuntu10
qemu-system - 1:2.11+dfsg-1ubuntu10
qemu-system-arm - 1:2.11+dfsg-1ubuntu10
qemu-system-common - 1:2.11+dfsg-1ubuntu10
qemu-system-data - 1:2.11+dfsg-1ubuntu10
qemu-system-gui - 1:2.11+dfsg-1ubuntu10
qemu-system-mips - 1:2.11+dfsg-1ubuntu10
qemu-system-misc - 1:2.11+dfsg-1ubuntu10
qemu-system-modules-opengl - 1:2.11+dfsg-1ubuntu10
qemu-system-modules-spice - 1:2.11+dfsg-1ubuntu10
qemu-system-ppc - 1:2.11+dfsg-1ubuntu10
qemu-system-riscv - 1:2.11+dfsg-1ubuntu10
qemu-system-s390x - 1:2.11+dfsg-1ubuntu10
qemu-system-sparc - 1:2.11+dfsg-1ubuntu10
qemu-system-x86 - 1:2.11+dfsg-1ubuntu10
qemu-system-x86-xen - 1:2.11+dfsg-1ubuntu10
qemu-system-xen - 1:2.11+dfsg-1ubuntu10
qemu-user - 1:2.11+dfsg-1ubuntu10
qemu-user-binfmt - 1:2.11+dfsg-1ubuntu10
qemu-utils - 1:2.11+dfsg-1ubuntu10
No subscription required
libnss-libvirt - 4.0.0-1ubuntu11
libvirt-clients - 4.0.0-1ubuntu11
libvirt-clients-qemu - 4.0.0-1ubuntu11
libvirt-common - 4.0.0-1ubuntu11
libvirt-daemon - 4.0.0-1ubuntu11
libvirt-daemon-common - 4.0.0-1ubuntu11
libvirt-daemon-config-network - 4.0.0-1ubuntu11
libvirt-daemon-config-nwfilter - 4.0.0-1ubuntu11
libvirt-daemon-driver-interface - 4.0.0-1ubuntu11
libvirt-daemon-driver-lxc - 4.0.0-1ubuntu11
libvirt-daemon-driver-network - 4.0.0-1ubuntu11
libvirt-daemon-driver-nodedev - 4.0.0-1ubuntu11
libvirt-daemon-driver-nwfilter - 4.0.0-1ubuntu11
libvirt-daemon-driver-qemu - 4.0.0-1ubuntu11
libvirt-daemon-driver-secret - 4.0.0-1ubuntu11
libvirt-daemon-driver-storage - 4.0.0-1ubuntu11
libvirt-daemon-driver-storage-disk - 4.0.0-1ubuntu11
libvirt-daemon-driver-storage-gluster - 4.0.0-1ubuntu11
libvirt-daemon-driver-storage-iscsi - 4.0.0-1ubuntu11
libvirt-daemon-driver-storage-iscsi-direct - 4.0.0-1ubuntu11
libvirt-daemon-driver-storage-logical - 4.0.0-1ubuntu11
libvirt-daemon-driver-storage-mpath - 4.0.0-1ubuntu11
libvirt-daemon-driver-storage-rbd - 4.0.0-1ubuntu11
libvirt-daemon-driver-storage-scsi - 4.0.0-1ubuntu11
libvirt-daemon-driver-storage-zfs - 4.0.0-1ubuntu11
libvirt-daemon-driver-vbox - 4.0.0-1ubuntu11
libvirt-daemon-driver-xen - 4.0.0-1ubuntu11
libvirt-daemon-lock - 4.0.0-1ubuntu11
libvirt-daemon-log - 4.0.0-1ubuntu11
libvirt-daemon-plugin-lockd - 4.0.0-1ubuntu11
libvirt-daemon-plugin-sanlock - 4.0.0-1ubuntu11
libvirt-daemon-system - 4.0.0-1ubuntu11
libvirt-daemon-system-systemd - 4.0.0-1ubuntu11
libvirt-daemon-system-sysv - 4.0.0-1ubuntu11
libvirt-l10n - 4.0.0-1ubuntu11
libvirt-login-shell - 4.0.0-1ubuntu11
libvirt-sanlock - 4.0.0-1ubuntu11
libvirt-ssh-proxy - 4.0.0-1ubuntu11
libvirt-wireshark - 4.0.0-1ubuntu11
libvirt0 - 4.0.0-1ubuntu11
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-05-21 21:00:00 UTC
2018-05-21 21:00:00 UTC
Jann Horn and Ken Johnson
[https://ubuntu.com/security/notices/USN-3652-1]
[https://ubuntu.com/security/notices/USN-3653-1]
[https://ubuntu.com/security/notices/USN-3653-2]
[https://ubuntu.com/security/notices/USN-3654-1]
[https://ubuntu.com/security/notices/USN-3654-2]
[https://ubuntu.com/security/notices/USN-3655-1]
[https://ubuntu.com/security/notices/USN-3655-2]
[https://ubuntu.com/security/notices/USN-3651-1]
[https://ubuntu.com/security/notices/USN-3680-1]
[https://ubuntu.com/security/notices/USN-3679-1]
[https://ubuntu.com/security/notices/USN-3756-1]
[https://ubuntu.com/security/notices/USN-3777-3]
CVE-2018-3639
CVE-2018-3719 on Ubuntu 26.04 LTS (resolute) - medium
mixin-deep node module before 1.3.1 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-06-07 02:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898315
CVE-2018-3719
CVE-2018-3728 on Ubuntu 26.04 LTS (resolute) - medium
hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-03-30 19:29:00 UTC
CVE-2018-3728
CVE-2018-3979 on Ubuntu 26.04 LTS (resolute) - low
A remote denial-of-service vulnerability exists in the way the Nouveau Display Driver (the default Ubuntu Nvidia display driver) handles GPU shader execution. A specially crafted pixel shader can cause remote denial-of-service issues. An attacker can provide a specially crafted website to trigger this vulnerability. This vulnerability can be triggered remotely after the user visits a malformed website. No further user interaction is required. Vulnerable versions include Ubuntu 18.04 LTS (linux 4.15.0-29-generic x86_64), Nouveau Display Driver NV117 (vermagic: 4.15.0-29-generic SMP mod_unload).
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-04-01 21:30:00 UTC
CVE-2018-3979
CVE-2018-4022 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free vulnerability exists in the way MKVToolNix MKVINFO v25.0.0 handles the MKV (matroska) file format. A specially crafted MKV file can cause arbitrary code execution in the context of the current user.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-10-26 17:29:00 UTC
CVE-2018-4022
CVE-2018-5253 on Ubuntu 26.04 LTS (resolute) - medium
The AP4_FtypAtom class in Core/Ap4FtypAtom.cpp in Bento4 1.5.1.0 has an Infinite loop via a crafted MP4 file that triggers size mishandling.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-01-05 21:29:00 UTC
CVE-2018-5253
CVE-2018-5392 on Ubuntu 26.04 LTS (resolute) - low
mingw-w64 version 5.0.4 by default produces executables that opt in to ASLR, but are not compatible with ASLR. ASLR is an exploit mitigation technique used by modern Windows platforms. For ASLR to function, Windows executables must contain a relocations table. Despite containing the "Dynamic base" PE header, which indicates ASLR compatibility, Windows executables produced by mingw-w64 have the relocations table stripped from them by default. This means that executables produced by mingw-w64 are vulnerable to return-oriented programming (ROP) attacks. Windows executables generated by mingw-w64 claim to be ASLR compatible, but are not. Vulnerabilities in such executables are more easily exploitable as a result.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-08-14 16:29:00 UTC
CVE-2018-5392
CVE-2018-5776 on Ubuntu 26.04 LTS (resolute) - medium
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-01-18 22:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887596
CVE-2018-5776
CVE-2018-5800 on Ubuntu 26.04 LTS (resolute) - medium
An off-by-one error within the "LibRaw::kodak_ycbcr_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.7 can be exploited to cause a heap-based buffer overflow and subsequently cause a crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-03-12
2018-03-12
[https://ubuntu.com/security/notices/USN-3615-1]
CVE-2018-5800
CVE-2018-5801 on Ubuntu 26.04 LTS (resolute) - medium
An error within the "LibRaw::unpack()" function (src/libraw_cxx.cpp) in LibRaw versions prior to 0.18.7 can be exploited to trigger a NULL pointer dereference.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-03-12
2018-03-12
Laurent Delosieres
[https://ubuntu.com/security/notices/USN-3615-1]
CVE-2018-5801
CVE-2018-5802 on Ubuntu 26.04 LTS (resolute) - medium
An error within the "kodak_radc_load_raw()" function (internal/dcraw_common.cpp) related to the "buf" variable in LibRaw versions prior to 0.18.7 can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-03-12
2018-03-12
Laurent Delosieres
[https://ubuntu.com/security/notices/USN-3615-1]
CVE-2018-5802
CVE-2018-5804 on Ubuntu 26.04 LTS (resolute) - low
A type confusion error within the "identify()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be exploited to trigger a division by zero.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-12-07 22:29:00 UTC
Laurent Delosieres
CVE-2018-5804
CVE-2018-5805 on Ubuntu 26.04 LTS (resolute) - low
A boundary error within the "quicktake_100_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be exploited to cause a stack-based buffer overflow and subsequently cause a crash.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-12-07 22:29:00 UTC
Laurent Delosieres
CVE-2018-5805
CVE-2018-5806 on Ubuntu 26.04 LTS (resolute) - low
An error within the "leaf_hdr_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.8 can be exploited to trigger a NULL pointer dereference.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-12-07 22:29:00 UTC
Laurent Delosieres
CVE-2018-5806
CVE-2018-5807 on Ubuntu 26.04 LTS (resolute) - low
An error within the "samsung_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-08-02
2018-08-02
[https://ubuntu.com/security/notices/USN-3838-1]
CVE-2018-5807
CVE-2018-5808 on Ubuntu 26.04 LTS (resolute) - medium
An error within the "find_green()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause a stack-based buffer overflow and subsequently execute arbitrary code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-07 22:29:00 UTC
[https://ubuntu.com/security/notices/USN-3838-1]
CVE-2018-5808
CVE-2018-5809 on Ubuntu 26.04 LTS (resolute) - medium
An error within the "LibRaw::parse_exif()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause a stack-based buffer overflow and subsequently execute arbitrary code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-12-07 22:29:00 UTC
[https://ubuntu.com/security/notices/USN-3838-1]
CVE-2018-5809
CVE-2018-5810 on Ubuntu 26.04 LTS (resolute) - medium
An error within the "rollei_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause a heap-based buffer overflow and subsequently cause a crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-08-02
2018-08-02
[https://ubuntu.com/security/notices/USN-3838-1]
CVE-2018-5810
CVE-2018-5811 on Ubuntu 26.04 LTS (resolute) - low
An error within the "nikon_coolscan_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to cause an out-of-bounds read memory access and subsequently cause a crash.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-08-02
2018-08-02
[https://ubuntu.com/security/notices/USN-3838-1]
CVE-2018-5811
CVE-2018-5812 on Ubuntu 26.04 LTS (resolute) - medium
An error within the "nikon_coolscan_load_raw()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.9 can be exploited to trigger a NULL pointer dereference.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-08-02
2018-08-02
[https://ubuntu.com/security/notices/USN-3838-1]
CVE-2018-5812
CVE-2018-5813 on Ubuntu 26.04 LTS (resolute) - medium
An error within the "parse_minolta()" function (dcraw/dcraw.c) in LibRaw versions prior to 0.18.11 can be exploited to trigger an infinite loop via a specially crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-31
2018-07-31
[https://ubuntu.com/security/notices/USN-3838-1]
CVE-2018-5813
CVE-2018-5815 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow error within the "parse_qt()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.12 can be exploited to trigger an infinite loop via a specially crafted Apple QuickTime file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-31
2018-07-31
[https://ubuntu.com/security/notices/USN-3838-1]
CVE-2018-5815
CVE-2018-5816 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow error within the "identify()" function (internal/dcraw_common.cpp) in LibRaw versions prior to 0.18.12 can be exploited to trigger a division by zero via specially crafted NOKIARAW file (Note: This vulnerability is caused due to an incomplete fix of CVE-2018-5804).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-07-31
2018-07-31
[https://ubuntu.com/security/notices/USN-3838-1]
CVE-2018-5816
CVE-2018-5817 on Ubuntu 26.04 LTS (resolute) - low
A type confusion error within the "unpacked_load_raw()" function within LibRaw versions prior to 0.19.1 (internal/dcraw_common.cpp) can be exploited to trigger an infinite loop.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-02-20
2019-02-20
Laurent Delosieres
[https://ubuntu.com/security/notices/USN-3989-1]
CVE-2018-5817
CVE-2018-5818 on Ubuntu 26.04 LTS (resolute) - low
An error within the "parse_rollei()" function (internal/dcraw_common.cpp) within LibRaw versions prior to 0.19.1 can be exploited to trigger an infinite loop.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-02-20
2019-02-20
Laurent Delosieres
[https://ubuntu.com/security/notices/USN-3989-1]
CVE-2018-5818
CVE-2018-5819 on Ubuntu 26.04 LTS (resolute) - low
An error within the "parse_sinar_ia()" function (internal/dcraw_common.cpp) within LibRaw versions prior to 0.19.1 can be exploited to exhaust available CPU resources.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-02-20
2019-02-20
Laurent Delosieres
[https://ubuntu.com/security/notices/USN-3989-1]
CVE-2018-5819
CVE-2018-6360 on Ubuntu 26.04 LTS (resolute) - medium
mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdl_hook.lua. For example, an av://lavfi:ladspa=file= URL signifies that the product should call dlopen on a shared object file located at an arbitrary local pathname. The issue exists because the product does not consider that youtube-dl can provide a potentially unsafe URL.
Update Instructions:
Run `sudo pro fix CVE-2018-6360` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmpv2 - 0.27.2-1ubuntu1
mpv - 0.27.2-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-01-28 02:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888654
CVE-2018-6360
CVE-2018-6389 on Ubuntu 26.04 LTS (resolute) - low
In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-02-06 17:29:00 UTC
CVE-2018-6389
CVE-2018-6508 on Ubuntu 26.04 LTS (resolute) - medium
Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules, if you are not using puppet tasks you are not affected by this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-02-09 20:29:00 UTC
CVE-2018-6508
CVE-2018-6536 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Icinga 2.x through 2.8.1. The daemon creates an icinga2.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for icinga2.pid modification before a root script executes a "kill `cat /pathname/icinga2.pid`" command, as demonstrated by icinga2.init.d.cmake.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-02-02 09:29:00 UTC
CVE-2018-6536
CVE-2018-6561 on Ubuntu 26.04 LTS (resolute) - medium
dijit.Editor in Dojo Toolkit 1.13 allows XSS via the onload attribute of an SVG element.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-02-02 15:29:00 UTC
CVE-2018-6561
CVE-2018-6644 on Ubuntu 26.04 LTS (resolute) - medium
SBLIM Small Footprint CIM Broker (SFCB) 1.4.9 has a null pointer (DoS) vulnerability via a crafted POST request to the /cimom URI.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-02-08 23:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754493
CVE-2018-6644
CVE-2018-6952 on Ubuntu 26.04 LTS (resolute) - negligible
A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-02-13 19:29:00 UTC
https://savannah.gnu.org/bugs/index.php?53133
https://savannah.gnu.org/bugs/index.php?56683 (regression)
CVE-2018-6952
CVE-2018-7173 on Ubuntu 26.04 LTS (resolute) - negligible
A large loop in JBIG2Stream::readSymbolDictSeg in xpdf 4.00 allows an attacker to cause denial of service via a specific file due to inappropriate decoding.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-02-15 21:29:00 UTC
CVE-2018-7173
CVE-2018-7174 on Ubuntu 26.04 LTS (resolute) - negligible
An issue was discovered in xpdf 4.00. An infinite loop in XRef::Xref allows an attacker to cause denial of service because loop detection exists only for tables, not streams.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-02-15 21:29:00 UTC
CVE-2018-7174
CVE-2018-7175 on Ubuntu 26.04 LTS (resolute) - negligible
An issue was discovered in xpdf 4.00. A NULL pointer dereference in readCodestream allows an attacker to cause denial of service via a JPX image with zero components.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-02-15 21:29:00 UTC
CVE-2018-7175
CVE-2018-7225 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets.
Update Instructions:
Run `sudo pro fix CVE-2018-7225` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libvncclient1 - 0.9.11+dfsg-1ubuntu1
libvncserver1 - 0.9.11+dfsg-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-02-19
2018-02-19
https://github.com/LibVNC/libvncserver/issues/218
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894045
[https://ubuntu.com/security/notices/USN-3618-1]
[https://ubuntu.com/security/notices/USN-4547-1]
[https://ubuntu.com/security/notices/USN-4573-1]
[https://ubuntu.com/security/notices/USN-4587-1]
CVE-2018-7225
CVE-2018-7263 on Ubuntu 26.04 LTS (resolute) - medium
The mad_decoder_run() function in decoder.c in Underbit libmad through 0.15.1b allows remote attackers to cause a denial of service (SIGABRT because of double free or corruption) or possibly have unspecified other impact via a crafted file. NOTE: this may overlap CVE-2017-11552.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-02-20 21:29:00 UTC
CVE-2018-7263
CVE-2018-7441 on Ubuntu 26.04 LTS (resolute) - low
Leptonica through 1.75.3 uses hardcoded /tmp pathnames, which might allow local users to overwrite arbitrary files or have unspecified other impact by creating files in advance or winning a race condition, as demonstrated by /tmp/junk_split_image.ps in prog/splitimage2pdf.c.
Update Instructions:
Run `sudo pro fix CVE-2018-7441` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
leptonica-progs - 1.76.0-1
libleptonica6 - 1.76.0-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-02-23 21:29:00 UTC
CVE-2018-7441
CVE-2018-7442 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutput function does not block '/' characters in the gplot rootname argument, potentially leading to path traversal and arbitrary file overwrite.
Update Instructions:
Run `sudo pro fix CVE-2018-7442` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
leptonica-progs - 1.76.0-1
libleptonica6 - 1.76.0-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-02-23 21:29:00 UTC
CVE-2018-7442
CVE-2018-7452 on Ubuntu 26.04 LTS (resolute) - negligible
A NULL pointer dereference in JPXStream::fillReadBuf in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file, as demonstrated by pdftohtml.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-02-24 06:29:00 UTC
CVE-2018-7452
CVE-2018-7453 on Ubuntu 26.04 LTS (resolute) - negligible
Infinite recursion in AcroForm::scanField in AcroForm.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file due to lack of loop checking, as demonstrated by pdftohtml.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-02-24 06:29:00 UTC
CVE-2018-7453
CVE-2018-7454 on Ubuntu 26.04 LTS (resolute) - negligible
A NULL pointer dereference in XFAForm::scanFields in XFAForm.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file, as demonstrated by pdftohtml.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-02-24 06:29:00 UTC
CVE-2018-7454
CVE-2018-7455 on Ubuntu 26.04 LTS (resolute) - negligible
An out-of-bounds read in JPXStream::readTilePart in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file, as demonstrated by pdftohtml.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-02-24 06:29:00 UTC
CVE-2018-7455
CVE-2018-7751 on Ubuntu 26.04 LTS (resolute) - medium
The svg_probe function in libavformat/img2dec.c in FFmpeg through 3.4.2 allows remote attackers to cause a denial of service (Infinite Loop) via a crafted XML file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-24 06:29:00 UTC
CVE-2018-7751
CVE-2018-7889 on Ubuntu 26.04 LTS (resolute) - medium
gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-03-08 21:29:00 UTC
https://bugs.launchpad.net/calibre/+bug/1753870
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892242
CVE-2018-7889
CVE-2018-8017 on Ubuntu 26.04 LTS (resolute) - low
In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an infinite loop in the IptcAnpaParser.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-09-19 14:29:00 UTC
CVE-2018-8017
CVE-2018-8035 on Ubuntu 26.04 LTS (resolute) - medium
This vulnerability relates to the user's browser processing of DUCC webpage input data. The javascript comprising Apache UIMA DUCC (<= 2.2.2) which runs in the user's browser does not sufficiently filter user supplied inputs, which may result in unintended execution of user supplied javascript code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-05-01 21:29:00 UTC
CVE-2018-8035
CVE-2018-8100 on Ubuntu 26.04 LTS (resolute) - negligible
The JPXStream::readTilePart function in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a specific pdf file, as demonstrated by pdftohtml.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-03-14 03:29:00 UTC
CVE-2018-8100
CVE-2018-8101 on Ubuntu 26.04 LTS (resolute) - negligible
The JPXStream::inverseTransformLevel function in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-03-14 03:29:00 UTC
CVE-2018-8101
CVE-2018-8102 on Ubuntu 26.04 LTS (resolute) - negligible
The JBIG2MMRDecoder::getBlackCode function in JBIG2Stream.cc in xpdf 4.00 allows attackers to launch denial of service (buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-03-14 03:29:00 UTC
CVE-2018-8102
CVE-2018-8103 on Ubuntu 26.04 LTS (resolute) - negligible
The JBIG2Stream::readGenericBitmap function in JBIG2Stream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-03-14 03:29:00 UTC
CVE-2018-8103
CVE-2018-8104 on Ubuntu 26.04 LTS (resolute) - negligible
The BufStream::lookChar function in Stream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-03-14 03:29:00 UTC
CVE-2018-8104
CVE-2018-8105 on Ubuntu 26.04 LTS (resolute) - negligible
The JPXStream::fillReadBuf function in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-03-14 03:29:00 UTC
CVE-2018-8105
CVE-2018-8106 on Ubuntu 26.04 LTS (resolute) - negligible
The JPXStream::readTilePartData function in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-03-14 03:29:00 UTC
CVE-2018-8106
CVE-2018-8107 on Ubuntu 26.04 LTS (resolute) - negligible
The JPXStream::close function in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2018 Canonical Ltd.
2018-03-14 03:29:00 UTC
CVE-2018-8107
CVE-2018-8416 on Ubuntu 26.04 LTS (resolute) - low
A tampering vulnerability exists when .NET Core improperly handles specially crafted files, aka ".NET Core Tampering Vulnerability." This affects .NET Core 2.1.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-11-14 01:29:00 UTC
CVE-2018-8416
CVE-2018-8808 on Ubuntu 26.04 LTS (resolute) - medium
In radare2 2.4.0, there is a heap-based buffer over-read in the r_asm_disassemble function of asm.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted dex file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-03-20 05:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-8808
CVE-2018-8809 on Ubuntu 26.04 LTS (resolute) - medium
In radare2 2.4.0, there is a heap-based buffer over-read in the dalvik_op function of anal_dalvik.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted dex file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-03-20 05:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-8809
CVE-2018-8810 on Ubuntu 26.04 LTS (resolute) - medium
In radare2 2.4.0, there is a heap-based buffer over-read in the get_ivar_list_t function of mach0_classes.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted Mach-O file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-03-20 05:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2018-8810
CVE-2018-8831 on Ubuntu 26.04 LTS (resolute) - medium
A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-04-18 17:29:00 UTC
CVE-2018-8831
CVE-2018-8883 on Ubuntu 26.04 LTS (resolute) - low
Netwide Assembler (NASM) 2.13.02rc2 has a buffer over-read in the parse_line function in asm/parser.c via uncontrolled access to nasm_reg_flags.
Ubuntu 26.04 LTS
Low
Copyright (C) 2018 Canonical Ltd.
2018-03-20 23:29:00 UTC
https://bugzilla.nasm.us/show_bug.cgi?id=3392447
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894847
CVE-2018-8883
CVE-2018-9536 on Ubuntu 26.04 LTS (resolute) - medium
In numerous functions of libFDK, there are possible out of bounds writes due to incorrect bounds checks. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-112662184
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-11-14 18:29:00 UTC
CVE-2018-9536
CVE-2018-9543 on Ubuntu 26.04 LTS (resolute) - medium
In trim_device of f2fs_format_utils.c, it is possible that the data partition is not wiped during a factory reset. This could lead to local information disclosure after factory reset with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-112868088.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2018 Canonical Ltd.
2018-11-14 18:29:00 UTC
CVE-2018-9543
CVE-2019-0187 on Ubuntu 26.04 LTS (resolute) - medium
Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode. Note that versions before 4.0 are not able to encrypt traffic between the nodes, nor authenticate the participating nodes so upgrade to JMeter 5.1 is also advised.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-03-06 17:29:00 UTC
CVE-2019-0187
CVE-2019-0192 on Ubuntu 26.04 LTS (resolute) - medium
In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-03-07 21:29:00 UTC
CVE-2019-0192
CVE-2019-0222 on Ubuntu 26.04 LTS (resolute) - medium
In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-03-28 22:29:00 UTC
2019-03-28 22:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925964
[https://ubuntu.com/security/notices/USN-6685-1]
CVE-2019-0222
CVE-2019-0227 on Ubuntu 26.04 LTS (resolute) - low
A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-05-01 21:29:00 UTC
CVE-2019-0227
CVE-2019-1000021 on Ubuntu 26.04 LTS (resolute) - medium
slixmpp version before commit 7cd73b594e8122dddf847953fcfc85ab4d316416 contains an incorrect Access Control vulnerability in XEP-0223 plugin (Persistent Storage of Private Data via PubSub) options profile, used for the configuration of default access model that can result in all of the contacts of the victim can see private data having been published to a PEP node. This attack appears to be exploitable if the user of this library publishes any private data on PEP, the node isn't configured to be private. This vulnerability appears to have been fixed in commit 7cd73b594e8122dddf847953fcfc85ab4d316416 which is included in slixmpp 1.4.2.
Update Instructions:
Run `sudo pro fix CVE-2019-1000021` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-slixmpp - 1.4.2-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 21:29:00 UTC
CVE-2019-1000021
CVE-2019-10098 on Ubuntu 26.04 LTS (resolute) - low
In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.
Update Instructions:
Run `sudo pro fix CVE-2019-10098` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.41-1ubuntu1
apache2-bin - 2.4.41-1ubuntu1
apache2-data - 2.4.41-1ubuntu1
apache2-suexec-custom - 2.4.41-1ubuntu1
apache2-suexec-pristine - 2.4.41-1ubuntu1
apache2-utils - 2.4.41-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-08-14
2019-08-14
Yukitsugu Sasaki
[https://ubuntu.com/security/notices/USN-4113-1]
CVE-2019-10098
CVE-2019-1010017 on Ubuntu 26.04 LTS (resolute) - medium
libnmap < v0.6.3 is affected by: XML Injection. The impact is: Denial of service (DoS) by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-15 03:15:00 UTC
CVE-2019-1010017
CVE-2019-1010043 on Ubuntu 26.04 LTS (resolute) - negligible
Quake3e < 5ed740d is affected by: Buffer Overflow. The impact is: Possible code execution and denial of service. The component is: Argument string creation.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2019 Canonical Ltd.
2019-07-16 14:15:00 UTC
CVE-2019-1010043
CVE-2019-1010057 on Ubuntu 26.04 LTS (resolute) - medium
nfdump 1.6.16 and earlier is affected by: Buffer Overflow. The impact is: The impact could range from a denial of service to local code execution. The component is: nfx.c:546, nffile_inline.c:83, minilzo.c (redistributed). The attack vector is: nfdump must read and process a specially crafted file. The fixed version is: after commit 9f0fe9563366f62a71d34c92229da3432ec5cf0e.
Update Instructions:
Run `sudo pro fix CVE-2019-1010057` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
nfdump - 1.6.17-1
nfdump-sflow - 1.6.17-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-16 13:15:00 UTC
CVE-2019-1010057
CVE-2019-1010189 on Ubuntu 26.04 LTS (resolute) - low
mgetty prior to version 1.2.1 is affected by: Infinite Loop. The impact is: DoS, the program does never terminates. The component is: g3/g32pbm.c. The attack vector is: Local, the user should open a specially crafted file. The fixed version is: 1.2.1.
Update Instructions:
Run `sudo pro fix CVE-2019-1010189` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
mgetty - 1.2.1-1
mgetty-fax - 1.2.1-1
mgetty-pvftools - 1.2.1-1
mgetty-viewfax - 1.2.1-1
mgetty-voice - 1.2.1-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-07-24 14:15:00 UTC
CVE-2019-1010189
CVE-2019-1010190 on Ubuntu 26.04 LTS (resolute) - low
mgetty prior to 1.2.1 is affected by: out-of-bounds read. The impact is: DoS, the program may crash if the memory is not mapped. The component is: putwhitespan() in g3/pbm2g3.c. The attack vector is: Local, the victim must open a specially crafted file. The fixed version is: 1.2.1.
Update Instructions:
Run `sudo pro fix CVE-2019-1010190` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
mgetty - 1.2.1-1
mgetty-fax - 1.2.1-1
mgetty-pvftools - 1.2.1-1
mgetty-viewfax - 1.2.1-1
mgetty-voice - 1.2.1-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-07-24 13:15:00 UTC
CVE-2019-1010190
CVE-2019-1010263 on Ubuntu 26.04 LTS (resolute) - medium
Perl Crypt::JWT prior to 0.023 is affected by: Incorrect Access Control. The impact is: allow attackers to bypass authentication by providing a token by crafting with hmac(). The component is: JWT.pm, line 614. The attack vector is: network connectivity. The fixed version is: after commit b98a59b42ded9f9e51b2560410106207c2152d6c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-17 21:15:00 UTC
CVE-2019-1010263
CVE-2019-1010275 on Ubuntu 26.04 LTS (resolute) - medium
helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were allowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). The attack vector is: A malicious client could connect to the server over the network. The fixed version is: 2.7.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-17 21:15:00 UTC
CVE-2019-1010275
CVE-2019-10103 on Ubuntu 26.04 LTS (resolute) - low
JetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/JVM Server) IDE Template were resolving Gradle artifacts using an http connection, potentially allowing an MITM attack. This issue, which was fixed in Kotlin plugin version 1.3.30, is similar to CVE-2019-10101.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-07-03 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747616
CVE-2019-10103
CVE-2019-10104 on Ubuntu 26.04 LTS (resolute) - medium
In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with the default setting allowed a remote attacker to execute code when the configuration is running, because a JMX server listened on all interfaces instead of localhost only. The issue has been fixed in the following versions: 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-03 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747616
CVE-2019-10104
CVE-2019-10143 on Ubuntu 26.04 LTS (resolute) - low
It was discovered freeradius up to and including version 3.0.19 does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a directory normally inaccessible by the radiusd user. NOTE: the upstream software maintainer has stated "there is simply no way for anyone to gain privileges through this alleged issue."
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-05-24 17:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929466
CVE-2019-10143
CVE-2019-10155 on Ubuntu 26.04 LTS (resolute) - low
The Libreswan Project has found a vulnerability in the processing of IKEv1 informational exchange packets which are encrypted and integrity protected using the established IKE SA encryption and integrity keys, but as a receiver, the integrity check value was not verified. This issue affects versions before 3.29.
Update Instructions:
Run `sudo pro fix CVE-2019-10155` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libreswan - 3.27-6
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-06-12 14:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930338
CVE-2019-10155
CVE-2019-10181 on Ubuntu 26.04 LTS (resolute) - medium
It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-31 23:15:00 UTC
CVE-2019-10181
CVE-2019-10182 on Ubuntu 26.04 LTS (resolute) - medium
It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-31 22:15:00 UTC
CVE-2019-10182
CVE-2019-10184 on Ubuntu 26.04 LTS (resolute) - low
undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-07-25 21:15:00 UTC
CVE-2019-10184
CVE-2019-10185 on Ubuntu 26.04 LTS (resolute) - medium
It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-31 23:15:00 UTC
CVE-2019-10185
CVE-2019-10212 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-02 19:15:00 UTC
CVE-2019-10212
CVE-2019-10214 on Ubuntu 26.04 LTS (resolute) - medium
The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-11-25 11:15:00 UTC
CVE-2019-10214
CVE-2019-10219 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-11-08 15:15:00 UTC
CVE-2019-10219
CVE-2019-10224 on Ubuntu 26.04 LTS (resolute) - low
A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-11-25 16:15:00 UTC
CVE-2019-10224
CVE-2019-10247 on Ubuntu 26.04 LTS (resolute) - medium
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-04-22 20:29:00 UTC
CVE-2019-10247
CVE-2019-10654 on Ubuntu 26.04 LTS (resolute) - low
The lzo1x_decompress function in liblzo2.so.2 in LZO 2.10, as used in Long Range Zip (aka lrzip) 0.631, allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted archive, a different vulnerability than CVE-2017-8845.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-03-30 15:29:00 UTC
https://github.com/ckolivas/lrzip/issues/108
CVE-2019-10654
CVE-2019-10735 on Ubuntu 26.04 LTS (resolute) - medium
In Claws Mail 3.14.1, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-04-07 15:29:00 UTC
CVE-2019-10735
CVE-2019-10753 on Ubuntu 26.04 LTS (resolute) - low
In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have performed a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were not altered with. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-09-05 20:15:00 UTC
CVE-2019-10753
CVE-2019-10784 on Ubuntu 26.04 LTS (resolute) - medium
phppgadmin through 7.12.1 allows sensitive actions to be performed without validating that the request originated from the application. One such area, "database.php" does not verify the source of an HTTP request. This can be leveraged by a remote attacker to trick a logged-in administrator to visit a malicious page with a CSRF exploit and execute arbitrary system commands on the server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-02-04 19:15:00 UTC
CVE-2019-10784
CVE-2019-10856 on Ubuntu 26.04 LTS (resolute) - medium
In Jupyter Notebook before 5.7.8, an open redirect can occur via an empty netloc. This issue exists because of an incomplete fix for CVE-2019-10255.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-04-04 16:29:00 UTC
2019-04-04 16:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/jupyter-notebook/+bug/1982670
[https://ubuntu.com/security/notices/USN-5585-1]
CVE-2019-10856
CVE-2019-10877 on Ubuntu 26.04 LTS (resolute) - medium
In Teeworlds 0.7.2, there is an integer overflow in CMap::Load() in engine/shared/map.cpp that can lead to a buffer overflow, because multiplication of width and height is mishandled.
Update Instructions:
Run `sudo pro fix CVE-2019-10877` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
teeworlds - 0.7.2-5
teeworlds-data - 0.7.2-5
teeworlds-server - 0.7.2-5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-04-05 06:29:00 UTC
CVE-2019-10877
CVE-2019-10878 on Ubuntu 26.04 LTS (resolute) - medium
In Teeworlds 0.7.2, there is a failed bounds check in CDataFileReader::GetData() and CDataFileReader::ReplaceData() and related functions in engine/shared/datafile.cpp that can lead to an arbitrary free and out-of-bounds pointer write, possibly resulting in remote code execution.
Update Instructions:
Run `sudo pro fix CVE-2019-10878` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
teeworlds - 0.7.2-5
teeworlds-data - 0.7.2-5
teeworlds-server - 0.7.2-5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-04-05 05:29:00 UTC
CVE-2019-10878
CVE-2019-10879 on Ubuntu 26.04 LTS (resolute) - medium
In Teeworlds 0.7.2, there is an integer overflow in CDataFileReader::Open() in engine/shared/datafile.cpp that can lead to a buffer overflow and possibly remote code execution, because size-related multiplications are mishandled.
Update Instructions:
Run `sudo pro fix CVE-2019-10879` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
teeworlds - 0.7.2-5
teeworlds-data - 0.7.2-5
teeworlds-server - 0.7.2-5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-04-05 05:29:00 UTC
CVE-2019-10879
CVE-2019-11135 on Ubuntu 26.04 LTS (resolute) - high
TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.
Update Instructions:
Run `sudo pro fix CVE-2019-11135` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
intel-microcode - 3.20191115.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2019 Canonical Ltd.
2019-11-12 18:00:00 UTC
2019-11-12 18:00:00 UTC
Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck
[https://ubuntu.com/security/notices/USN-4182-1]
[https://ubuntu.com/security/notices/USN-4182-2]
[https://ubuntu.com/security/notices/USN-4183-1]
[https://ubuntu.com/security/notices/USN-4184-1]
[https://ubuntu.com/security/notices/USN-4185-1]
[https://ubuntu.com/security/notices/USN-4185-2]
[https://ubuntu.com/security/notices/USN-4186-1]
[https://ubuntu.com/security/notices/USN-4186-2]
[https://ubuntu.com/security/notices/USN-4187-1]
[https://ubuntu.com/security/notices/USN-4188-1]
CVE-2019-11135
CVE-2019-11358 on Ubuntu 26.04 LTS (resolute) - low
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-04-20 00:29:00 UTC
2019-04-20 00:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927385
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927466
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927330
[https://ubuntu.com/security/notices/USN-7622-1]
CVE-2019-11358
CVE-2019-11371 on Ubuntu 26.04 LTS (resolute) - medium
BWA (aka Burrow-Wheeler Aligner) 0.7.17 r1198 has a Buffer Overflow via a long prefix that is mishandled in bns_fasta2bntseq and bns_dump at btnseq.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-04-20 18:29:00 UTC
CVE-2019-11371
CVE-2019-11459 on Ubuntu 26.04 LTS (resolute) - medium
The tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend in GNOME Evince through 3.32.0 did not handle errors from TIFFReadRGBAImageOriented(), leading to uninitialized memory use when processing certain TIFF image files.
Update Instructions:
Run `sudo pro fix CVE-2019-11459` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
evince - 3.32.0-1ubuntu1
evince-common - 3.32.0-1ubuntu1
gir1.2-evince-3.0 - 3.32.0-1ubuntu1
libevdocument3-4t64 - 3.32.0-1ubuntu1
libevview3-3t64 - 3.32.0-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-04-22
2019-04-22
[https://ubuntu.com/security/notices/USN-3959-1]
[https://ubuntu.com/security/notices/USN-7274-1]
CVE-2019-11459
CVE-2019-11484 on Ubuntu 26.04 LTS (resolute) - medium
Kevin Backhouse discovered an integer overflow in bson_ensure_space, as used in whoopsie.
Update Instructions:
Run `sudo pro fix CVE-2019-11484` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libwhoopsie0 - 0.2.68
whoopsie - 0.2.68
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-29
2019-10-29
Kevin Backhouse of Semmle Security Research Team
https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1830865
[https://ubuntu.com/security/notices/USN-4170-1]
CVE-2019-11484
CVE-2019-11840 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the supplementary Go cryptography library, golang.org/x/crypto, before v0.0.0-20190320223903-b7391e95e576. A flaw was found in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-05-09 16:29:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1691529
https://github.com/golang/go/issues/30965
CVE-2019-11840
CVE-2019-11939 on Ubuntu 26.04 LTS (resolute) - low
Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.03.16.00.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-03-18 01:15:00 UTC
CVE-2019-11939
CVE-2019-12067 on Ubuntu 26.04 LTS (resolute) - low
The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-06-02 15:15:00 UTC
CVE-2019-12067
CVE-2019-12086 on Ubuntu 26.04 LTS (resolute) - medium
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
Update Instructions:
Run `sudo pro fix CVE-2019-12086` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libjackson2-databind-java - 2.9.8-2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-05-17 17:29:00 UTC
2019-05-17 17:29:00 UTC
[https://ubuntu.com/security/notices/USN-4813-1]
CVE-2019-12086
CVE-2019-12214 on Ubuntu 26.04 LTS (resolute) - medium
In FreeImage 3.18.0, an out-of-bounds access occurs because of mishandling of the OpenJPEG j2k_read_ppm_v3 function in j2k.c. The value of l_N_ppm comes from the file read in, and the code does not consider that l_N_ppm may be greater than the size of p_header_data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-05-20 16:29:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947478
CVE-2019-12214
CVE-2019-12300 on Ubuntu 26.04 LTS (resolute) - medium
Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can login as the victim.
Update Instructions:
Run `sudo pro fix CVE-2019-12300` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
buildbot - 2.3.1-1
buildbot-worker - 2.3.1-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-05-23 15:30:00 UTC
CVE-2019-12300
CVE-2019-12360 on Ubuntu 26.04 LTS (resolute) - low
A stack-based buffer over-read exists in FoFiTrueType::dumpString in fofi/FoFiTrueType.cc in Xpdf 4.01.01. It can, for example, be triggered by sending crafted TrueType data in a PDF document to the pdftops tool. It might allow an attacker to cause Denial of Service or leak memory data into dump content.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-05-27 23:29:00 UTC
CVE-2019-12360
CVE-2019-12384 on Ubuntu 26.04 LTS (resolute) - medium
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Update Instructions:
Run `sudo pro fix CVE-2019-12384` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libjackson2-databind-java - 2.9.8-3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-06-24 16:15:00 UTC
2019-06-24 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750
[https://ubuntu.com/security/notices/USN-4813-1]
CVE-2019-12384
CVE-2019-12415 on Ubuntu 26.04 LTS (resolute) - medium
In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-23 20:15:00 UTC
CVE-2019-12415
CVE-2019-12466 on Ubuntu 26.04 LTS (resolute) - medium
Wikimedia MediaWiki through 1.32.1 allows CSRF.
Update Instructions:
Run `sudo pro fix CVE-2019-12466` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
mediawiki - 1:1.31.2-1
mediawiki-classes - 1:1.31.2-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-10 16:15:00 UTC
CVE-2019-12466
CVE-2019-12467 on Ubuntu 26.04 LTS (resolute) - low
MediaWiki through 1.32.1 has Incorrect Access Control (issue 1 of 3). A spammer can use Special:ChangeEmail to send out spam with no rate limiting or ability to block them. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
Update Instructions:
Run `sudo pro fix CVE-2019-12467` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
mediawiki - 1:1.31.2-1
mediawiki-classes - 1:1.31.2-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-07-10 15:15:00 UTC
CVE-2019-12467
CVE-2019-12468 on Ubuntu 26.04 LTS (resolute) - medium
An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover.
Update Instructions:
Run `sudo pro fix CVE-2019-12468` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
mediawiki - 1:1.31.2-1
mediawiki-classes - 1:1.31.2-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-10 15:15:00 UTC
CVE-2019-12468
CVE-2019-12469 on Ubuntu 26.04 LTS (resolute) - medium
MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed username or log in Special:EditTags are exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
Update Instructions:
Run `sudo pro fix CVE-2019-12469` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
mediawiki - 1:1.31.2-1
mediawiki-classes - 1:1.31.2-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-10 17:15:00 UTC
CVE-2019-12469
CVE-2019-12470 on Ubuntu 26.04 LTS (resolute) - medium
Wikimedia MediaWiki through 1.32.1 has Incorrect Access Control. Suppressed log in RevisionDelete page is exposed. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
Update Instructions:
Run `sudo pro fix CVE-2019-12470` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
mediawiki - 1:1.31.2-1
mediawiki-classes - 1:1.31.2-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-10 17:15:00 UTC
CVE-2019-12470
CVE-2019-12471 on Ubuntu 26.04 LTS (resolute) - medium
Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
Update Instructions:
Run `sudo pro fix CVE-2019-12471` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
mediawiki - 1:1.31.2-1
mediawiki-classes - 1:1.31.2-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-10 16:15:00 UTC
CVE-2019-12471
CVE-2019-12472 on Ubuntu 26.04 LTS (resolute) - medium
An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.18.0 through 1.32.1. It is possible to bypass the limits on IP range blocks ($wgBlockCIDRLimit) by using the API. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
Update Instructions:
Run `sudo pro fix CVE-2019-12472` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
mediawiki - 1:1.31.2-1
mediawiki-classes - 1:1.31.2-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-10 16:15:00 UTC
CVE-2019-12472
CVE-2019-12473 on Ubuntu 26.04 LTS (resolute) - medium
Wikimedia MediaWiki 1.27.0 through 1.32.1 might allow DoS. Passing invalid titles to the API could cause a DoS by querying the entire watchlist table. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
Update Instructions:
Run `sudo pro fix CVE-2019-12473` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
mediawiki - 1:1.31.2-1
mediawiki-classes - 1:1.31.2-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-10 16:15:00 UTC
CVE-2019-12473
CVE-2019-12474 on Ubuntu 26.04 LTS (resolute) - medium
Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
Update Instructions:
Run `sudo pro fix CVE-2019-12474` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
mediawiki - 1:1.31.2-1
mediawiki-classes - 1:1.31.2-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-10 16:15:00 UTC
CVE-2019-12474
CVE-2019-12493 on Ubuntu 26.04 LTS (resolute) - negligible
A stack-based buffer over-read exists in PostScriptFunction::transform in Function.cc in Xpdf 4.01.01 because GfxSeparationColorSpace and GfxDeviceNColorSpace mishandle tint transform functions. It can, for example, be triggered by sending a crafted PDF document to the pdftops tool. It might allow an attacker to cause Denial of Service or leak memory data.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2019 Canonical Ltd.
2019-05-31 02:29:00 UTC
Mike Zhang
CVE-2019-12493
CVE-2019-12522 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-04-15 19:15:00 UTC
CVE-2019-12522
CVE-2019-12589 on Ubuntu 26.04 LTS (resolute) - medium
In Firejail before 0.9.60, seccomp filters are writable inside the jail, leading to a lack of intended seccomp restrictions for a process that is joined to the jail after a filter has been modified by an attacker.
Update Instructions:
Run `sudo pro fix CVE-2019-12589` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
firejail - 0.9.58.2-2
firejail-profiles - 0.9.58.2-2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-06-03 03:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929732
CVE-2019-12589
CVE-2019-12790 on Ubuntu 26.04 LTS (resolute) - medium
In radare2 through 3.5.1, there is a heap-based buffer over-read in the r_egg_lang_parsechar function of egg_lang.c. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because of missing length validation in libr/egg/egg.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-06-10 19:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930344
CVE-2019-12790
CVE-2019-12802 on Ubuntu 26.04 LTS (resolute) - medium
In radare2 through 3.5.1, the rcc_context function of libr/egg/egg_lang.c mishandles changing context. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact (invalid memory access in r_egg_lang_parsechar; invalid free in rcc_pusharg).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-06-13 21:29:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930510
CVE-2019-12802
CVE-2019-12814 on Ubuntu 26.04 LTS (resolute) - medium
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
Update Instructions:
Run `sudo pro fix CVE-2019-12814` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libjackson2-databind-java - 2.9.8-3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-06-19 14:15:00 UTC
2019-06-19 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750
[https://ubuntu.com/security/notices/USN-4813-1]
CVE-2019-12814
CVE-2019-12865 on Ubuntu 26.04 LTS (resolute) - medium
In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a double free for the ms command.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-06-17 23:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
CVE-2019-12865
CVE-2019-12973 on Ubuntu 26.04 LTS (resolute) - low
In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616.
Update Instructions:
Run `sudo pro fix CVE-2019-12973` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenjp2-7 - 2.3.1-1ubuntu4
libopenjp2-tools - 2.3.1-1ubuntu4
libopenjpip-dec-server - 2.3.1-1ubuntu4
libopenjpip-viewer - 2.3.1-1ubuntu4
libopenjpip7 - 2.3.1-1ubuntu4
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-06-26 18:15:00 UTC
2019-06-26 18:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931292
https://github.com/uclouvain/openjpeg/issues/1059
[https://ubuntu.com/security/notices/USN-4497-1]
[https://ubuntu.com/security/notices/USN-4782-1]
CVE-2019-12973
CVE-2019-13038 on Ubuntu 26.04 LTS (resolute) - medium
mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL.
Update Instructions:
Run `sudo pro fix CVE-2019-13038` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libapache2-mod-auth-mellon - 0.14.2-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-06-29 14:15:00 UTC
2019-06-29 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931265
https://github.com/Uninett/mod_auth_mellon/issues/35
[https://ubuntu.com/security/notices/USN-4291-1]
CVE-2019-13038
CVE-2019-13072 on Ubuntu 26.04 LTS (resolute) - medium
Stored XSS in the Filters page (Name field) in ZoneMinder 1.32.3 allows a malicious user to embed and execute JavaScript code in the browser of any user who navigates to this page.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-06-30 02:15:00 UTC
CVE-2019-13072
CVE-2019-13137 on Ubuntu 26.04 LTS (resolute) - negligible
ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadPSImage in coders/ps.c.
Update Instructions:
Run `sudo pro fix CVE-2019-13137` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.10.23+dfsg-2.1ubuntu9
imagemagick-7-common - 8:6.9.10.23+dfsg-2.1ubuntu9
imagemagick-7.q16 - 8:6.9.10.23+dfsg-2.1ubuntu9
imagemagick-7.q16hdri - 8:6.9.10.23+dfsg-2.1ubuntu9
libimage-magick-perl - 8:6.9.10.23+dfsg-2.1ubuntu9
libimage-magick-q16-perl - 8:6.9.10.23+dfsg-2.1ubuntu9
libimage-magick-q16hdri-perl - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagick++-7-headers - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagick++-7.q16-5 - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagick++-7.q16hdri-5 - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7-arch-config - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7-headers - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7.q16-10 - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7.q16-10-extra - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7.q16hdri-10 - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7.q16hdri-10-extra - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickwand-7-headers - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickwand-7.q16-10 - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickwand-7.q16hdri-10 - 8:6.9.10.23+dfsg-2.1ubuntu9
perlmagick - 8:6.9.10.23+dfsg-2.1ubuntu9
No subscription required
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2019 Canonical Ltd.
2019-07-01 20:15:00 UTC
2019-07-01 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931342
https://github.com/ImageMagick/ImageMagick/issues/1601
[https://ubuntu.com/security/notices/USN-4192-1]
[https://ubuntu.com/security/notices/USN-8263-1]
CVE-2019-13137
CVE-2019-13147 on Ubuntu 26.04 LTS (resolute) - medium
In Audio File Library (aka audiofile) 0.3.6, there exists one NULL pointer dereference bug in ulaw2linear_buf in G711.cpp in libmodules.a that allows an attacker to cause a denial of service via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-02 00:15:00 UTC
2019-07-02 00:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931343
[https://ubuntu.com/security/notices/USN-6558-1]
CVE-2019-13147
CVE-2019-13207 on Ubuntu 26.04 LTS (resolute) - medium
nsd-checkzone in NLnet Labs NSD 4.2.0 has a Stack-based Buffer Overflow in the dname_concatenate() function in dname.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-03 20:15:00 UTC
CVE-2019-13207
CVE-2019-13224 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
Update Instructions:
Run `sudo pro fix CVE-2019-13224` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libonig5 - 6.9.2-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-10
2019-07-10
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931878
[https://ubuntu.com/security/notices/USN-4088-1]
CVE-2019-13224
CVE-2019-13238 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1.0. A memory allocation failure is unhandled in Core/Ap4SdpAtom.cpp and leads to crashes. When parsing input video, the program allocates a new buffer to parse an atom in the stream. The unhandled memory allocation failure causes a direct copy to a NULL pointer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-04 14:15:00 UTC
CVE-2019-13238
CVE-2019-13273 on Ubuntu 26.04 LTS (resolute) - medium
In Xymon through 4.3.28, a buffer overflow vulnerability exists in the csvinfo CGI script. The overflow may be exploited by sending a crafted GET request that triggers an sprintf of the srcdb parameter.
Update Instructions:
Run `sudo pro fix CVE-2019-13273` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xymon - 4.3.29-1
xymon-client - 4.3.29-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-27 17:15:00 UTC
CVE-2019-13273
CVE-2019-13274 on Ubuntu 26.04 LTS (resolute) - medium
In Xymon through 4.3.28, an XSS vulnerability exists in the csvinfo CGI script due to insufficient filtering of the db parameter.
Update Instructions:
Run `sudo pro fix CVE-2019-13274` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xymon - 4.3.29-1
xymon-client - 4.3.29-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-27 17:15:00 UTC
CVE-2019-13274
CVE-2019-13290 on Ubuntu 26.04 LTS (resolute) - medium
Artifex MuPDF 1.15.0 has a heap-based buffer overflow in fz_append_display_node located at fitz/list-device.c, allowing remote attackers to execute arbitrary code via a crafted PDF file. This occurs with a large BDC property name that overflows the allocated size of a display list node.
Update Instructions:
Run `sudo pro fix CVE-2019-13290` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmupdf25.1 - 1.15.0+ds1-1
mupdf - 1.15.0+ds1-1
mupdf-tools - 1.15.0+ds1-1
python3-mupdf - 1.15.0+ds1-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-04 22:15:00 UTC
CVE-2019-13290
CVE-2019-13351 on Ubuntu 26.04 LTS (resolute) - low
posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as distributed with alsa-plugins 1.1.7 and later) has a "double file descriptor close" issue during a failed connection attempt when jackd2 is not running. Exploitation success depends on multithreaded timing of that double close, which can result in unintended information disclosure, crashes, or file corruption due to having the wrong file associated with the file descriptor.
Update Instructions:
Run `sudo pro fix CVE-2019-13351` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
jackd2 - 1.9.12~dfsg-2ubuntu2
jackd2-firewire - 1.9.12~dfsg-2ubuntu2
libjack-jackd2-0 - 1.9.12~dfsg-2ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-07-05 20:15:00 UTC
2019-07-05 20:15:00 UTC
Joseph Yasi
https://github.com/xbmc/xbmc/issues/16258
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931488
https://bugs.launchpad.net/ubuntu/+source/jackd2/+bug/1833479
[https://ubuntu.com/security/notices/USN-5656-1]
CVE-2019-13351
CVE-2019-13391 on Ubuntu 26.04 LTS (resolute) - medium
In ImageMagick 7.0.8-50 Q16, ComplexImages in MagickCore/fourier.c has a heap-based buffer over-read because of incorrect calls to GetCacheViewVirtualPixels.
Update Instructions:
Run `sudo pro fix CVE-2019-13391` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.10.23+dfsg-2.1ubuntu9
imagemagick-7-common - 8:6.9.10.23+dfsg-2.1ubuntu9
imagemagick-7.q16 - 8:6.9.10.23+dfsg-2.1ubuntu9
imagemagick-7.q16hdri - 8:6.9.10.23+dfsg-2.1ubuntu9
libimage-magick-perl - 8:6.9.10.23+dfsg-2.1ubuntu9
libimage-magick-q16-perl - 8:6.9.10.23+dfsg-2.1ubuntu9
libimage-magick-q16hdri-perl - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagick++-7-headers - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagick++-7.q16-5 - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagick++-7.q16hdri-5 - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7-arch-config - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7-headers - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7.q16-10 - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7.q16-10-extra - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7.q16hdri-10 - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7.q16hdri-10-extra - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickwand-7-headers - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickwand-7.q16-10 - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickwand-7.q16hdri-10 - 8:6.9.10.23+dfsg-2.1ubuntu9
perlmagick - 8:6.9.10.23+dfsg-2.1ubuntu9
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-07 22:15:00 UTC
2019-07-07 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931633
https://github.com/ImageMagick/ImageMagick/issues/1588
https://github.com/ImageMagick/ImageMagick/issues/1595
[https://ubuntu.com/security/notices/USN-4192-1]
[https://ubuntu.com/security/notices/USN-8263-1]
CVE-2019-13391
CVE-2019-13451 on Ubuntu 26.04 LTS (resolute) - medium
In Xymon through 4.3.28, a buffer overflow vulnerability exists in history.c.
Update Instructions:
Run `sudo pro fix CVE-2019-13451` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xymon - 4.3.29-1
xymon-client - 4.3.29-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-27 17:15:00 UTC
CVE-2019-13451
CVE-2019-13452 on Ubuntu 26.04 LTS (resolute) - medium
In Xymon through 4.3.28, a buffer overflow vulnerability exists in reportlog.c.
Update Instructions:
Run `sudo pro fix CVE-2019-13452` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xymon - 4.3.29-1
xymon-client - 4.3.29-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-27 17:15:00 UTC
CVE-2019-13452
CVE-2019-13455 on Ubuntu 26.04 LTS (resolute) - medium
In Xymon through 4.3.28, a stack-based buffer overflow vulnerability exists in the alert acknowledgment CGI tool because of expansion in acknowledge.c.
Update Instructions:
Run `sudo pro fix CVE-2019-13455` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xymon - 4.3.29-1
xymon-client - 4.3.29-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-27 17:15:00 UTC
CVE-2019-13455
CVE-2019-13464 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2. Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-09 19:15:00 UTC
CVE-2019-13464
CVE-2019-13484 on Ubuntu 26.04 LTS (resolute) - medium
In Xymon through 4.3.28, a buffer overflow exists in the status-log viewer CGI because of expansion in appfeed.c.
Update Instructions:
Run `sudo pro fix CVE-2019-13484` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xymon - 4.3.29-1
xymon-client - 4.3.29-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-27 17:15:00 UTC
CVE-2019-13484
CVE-2019-13485 on Ubuntu 26.04 LTS (resolute) - medium
In Xymon through 4.3.28, a stack-based buffer overflow vulnerability exists in the history viewer component via a long hostname or service parameter to history.c.
Update Instructions:
Run `sudo pro fix CVE-2019-13485` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xymon - 4.3.29-1
xymon-client - 4.3.29-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-27 17:15:00 UTC
CVE-2019-13485
CVE-2019-13486 on Ubuntu 26.04 LTS (resolute) - medium
In Xymon through 4.3.28, a stack-based buffer overflow exists in the status-log viewer component because of expansion in svcstatus.c.
Update Instructions:
Run `sudo pro fix CVE-2019-13486` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xymon - 4.3.29-1
xymon-client - 4.3.29-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-27 17:15:00 UTC
CVE-2019-13486
CVE-2019-13734 on Ubuntu 26.04 LTS (resolute) - medium
Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Update Instructions:
Run `sudo pro fix CVE-2019-13734` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
chromium-browser - 79.0.3945.79-0ubuntu1
chromium-browser-l10n - 79.0.3945.79-0ubuntu1
chromium-chromedriver - 79.0.3945.79-0ubuntu1
chromium-codecs-ffmpeg - 79.0.3945.79-0ubuntu1
chromium-codecs-ffmpeg-extra - 79.0.3945.79-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-12-10 22:15:00 UTC
2019-12-10 22:15:00 UTC
Wenxiang Qian
[https://ubuntu.com/security/notices/USN-4298-1]
[https://ubuntu.com/security/notices/USN-4298-2]
CVE-2019-13734
CVE-2019-13750 on Ubuntu 26.04 LTS (resolute) - medium
Insufficient data validation in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass defense-in-depth measures via a crafted HTML page.
Update Instructions:
Run `sudo pro fix CVE-2019-13750` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
chromium-browser - 79.0.3945.79-0ubuntu1
chromium-browser-l10n - 79.0.3945.79-0ubuntu1
chromium-chromedriver - 79.0.3945.79-0ubuntu1
chromium-codecs-ffmpeg - 79.0.3945.79-0ubuntu1
chromium-codecs-ffmpeg-extra - 79.0.3945.79-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-12-10 22:15:00 UTC
2019-12-10 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-4298-1]
[https://ubuntu.com/security/notices/USN-4298-2]
CVE-2019-13750
CVE-2019-13751 on Ubuntu 26.04 LTS (resolute) - medium
Uninitialized data in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
Update Instructions:
Run `sudo pro fix CVE-2019-13751` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
chromium-browser - 79.0.3945.79-0ubuntu1
chromium-browser-l10n - 79.0.3945.79-0ubuntu1
chromium-chromedriver - 79.0.3945.79-0ubuntu1
chromium-codecs-ffmpeg - 79.0.3945.79-0ubuntu1
chromium-codecs-ffmpeg-extra - 79.0.3945.79-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-12-10 22:15:00 UTC
2019-12-10 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-4298-1]
[https://ubuntu.com/security/notices/USN-4298-2]
CVE-2019-13751
CVE-2019-13752 on Ubuntu 26.04 LTS (resolute) - medium
Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
Update Instructions:
Run `sudo pro fix CVE-2019-13752` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
chromium-browser - 79.0.3945.79-0ubuntu1
chromium-browser-l10n - 79.0.3945.79-0ubuntu1
chromium-chromedriver - 79.0.3945.79-0ubuntu1
chromium-codecs-ffmpeg - 79.0.3945.79-0ubuntu1
chromium-codecs-ffmpeg-extra - 79.0.3945.79-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-12-10 22:15:00 UTC
2019-12-10 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-4298-1]
[https://ubuntu.com/security/notices/USN-4298-2]
CVE-2019-13752
CVE-2019-13753 on Ubuntu 26.04 LTS (resolute) - medium
Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
Update Instructions:
Run `sudo pro fix CVE-2019-13753` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
chromium-browser - 79.0.3945.79-0ubuntu1
chromium-browser-l10n - 79.0.3945.79-0ubuntu1
chromium-chromedriver - 79.0.3945.79-0ubuntu1
chromium-codecs-ffmpeg - 79.0.3945.79-0ubuntu1
chromium-codecs-ffmpeg-extra - 79.0.3945.79-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-12-10 22:15:00 UTC
2019-12-10 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-4298-1]
[https://ubuntu.com/security/notices/USN-4298-2]
CVE-2019-13753
CVE-2019-13959 on Ubuntu 26.04 LTS (resolute) - medium
In Bento4 1.5.1-627, AP4_DataBuffer::SetDataSize does not handle reallocation failures, leading to a memory copy into a NULL pointer. This is different from CVE-2018-20186.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-18 19:15:00 UTC
CVE-2019-13959
CVE-2019-13989 on Ubuntu 26.04 LTS (resolute) - medium
dpic 2019.06.20 has a Stack-based Buffer Overflow in the wfloat() function in main.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-19 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597334
CVE-2019-13989
CVE-2019-13990 on Ubuntu 26.04 LTS (resolute) - medium
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-26 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933169
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933170
CVE-2019-13990
CVE-2019-14232 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.
Update Instructions:
Run `sudo pro fix CVE-2019-14232` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 1:1.11.22-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-01 10:00:00 UTC
2019-08-01 10:00:00 UTC
[https://ubuntu.com/security/notices/USN-4084-1]
CVE-2019-14232
CVE-2019-14233 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.
Update Instructions:
Run `sudo pro fix CVE-2019-14233` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 1:1.11.22-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-01 10:00:00 UTC
2019-08-01 10:00:00 UTC
[https://ubuntu.com/security/notices/USN-4084-1]
CVE-2019-14233
CVE-2019-14234 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.
Update Instructions:
Run `sudo pro fix CVE-2019-14234` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 1:1.11.22-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-01 10:00:00 UTC
2019-08-01 10:00:00 UTC
[https://ubuntu.com/security/notices/USN-4084-1]
CVE-2019-14234
CVE-2019-14235 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.
Update Instructions:
Run `sudo pro fix CVE-2019-14235` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 1:1.11.22-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-01 10:00:00 UTC
2019-08-01 10:00:00 UTC
[https://ubuntu.com/security/notices/USN-4084-1]
CVE-2019-14235
CVE-2019-14248 on Ubuntu 26.04 LTS (resolute) - low
In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when "%pragma limit" is mishandled.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-07-24 04:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932907
CVE-2019-14248
CVE-2019-14274 on Ubuntu 26.04 LTS (resolute) - medium
MCPP 2.7.2 has a heap-based buffer overflow in the do_msg() function in support.c.
Update Instructions:
Run `sudo pro fix CVE-2019-14274` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmcpp0 - 2.7.2-5
mcpp - 2.7.2-5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-26 04:15:00 UTC
CVE-2019-14274
CVE-2019-14288 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Xpdf 4.01.01. There is an Integer overflow in the function JBIG2Bitmap::combine at JBIG2Stream.cc for the "one byte per line" case.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-27 19:15:00 UTC
CVE-2019-14288
CVE-2019-14289 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Xpdf 4.01.01. There is an integer overflow in the function JBIG2Bitmap::combine at JBIG2Stream.cc for the "multiple bytes per line" case.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-27 19:15:00 UTC
CVE-2019-14289
CVE-2019-14290 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Xpdf 4.01.01. There is an out of bounds read in the function GfxPatchMeshShading::parse at GfxState.cc for typeA==6 case 2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-27 19:15:00 UTC
CVE-2019-14290
CVE-2019-14291 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Xpdf 4.01.01. There is an out of bounds read in the function GfxPatchMeshShading::parse at GfxState.cc for typeA==6 case 3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-27 19:15:00 UTC
CVE-2019-14291
CVE-2019-14292 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Xpdf 4.01.01. There is an out of bounds read in the function GfxPatchMeshShading::parse at GfxState.cc for typeA!=6 case 1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-27 19:15:00 UTC
CVE-2019-14292
CVE-2019-14293 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Xpdf 4.01.01. There is an out of bounds read in the function GfxPatchMeshShading::parse at GfxState.cc for typeA!=6 case 2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-27 19:15:00 UTC
CVE-2019-14293
CVE-2019-14294 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Xpdf 4.01.01. There is a use-after-free in the function JPXStream::fillReadBuf at JPXStream.cc, due to an out of bounds read.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-27 19:15:00 UTC
CVE-2019-14294
CVE-2019-14378 on Ubuntu 26.04 LTS (resolute) - low
ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.
Update Instructions:
Run `sudo pro fix CVE-2019-14378` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:4.2-1ubuntu1
qemu-block-supplemental - 1:4.2-1ubuntu1
qemu-guest-agent - 1:4.2-1ubuntu1
qemu-system - 1:4.2-1ubuntu1
qemu-system-arm - 1:4.2-1ubuntu1
qemu-system-common - 1:4.2-1ubuntu1
qemu-system-data - 1:4.2-1ubuntu1
qemu-system-gui - 1:4.2-1ubuntu1
qemu-system-mips - 1:4.2-1ubuntu1
qemu-system-misc - 1:4.2-1ubuntu1
qemu-system-modules-opengl - 1:4.2-1ubuntu1
qemu-system-modules-spice - 1:4.2-1ubuntu1
qemu-system-ppc - 1:4.2-1ubuntu1
qemu-system-riscv - 1:4.2-1ubuntu1
qemu-system-s390x - 1:4.2-1ubuntu1
qemu-system-sparc - 1:4.2-1ubuntu1
qemu-system-x86 - 1:4.2-1ubuntu1
qemu-system-x86-xen - 1:4.2-1ubuntu1
qemu-system-xen - 1:4.2-1ubuntu1
qemu-user - 1:4.2-1ubuntu1
qemu-user-binfmt - 1:4.2-1ubuntu1
qemu-utils - 1:4.2-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-07-29 11:15:00 UTC
2019-07-29 11:15:00 UTC
https://gitlab.freedesktop.org/slirp/libslirp/issues/10
[https://ubuntu.com/security/notices/USN-4191-1]
[https://ubuntu.com/security/notices/USN-4191-2]
CVE-2019-14378
CVE-2019-14465 on Ubuntu 26.04 LTS (resolute) - medium
fmt_mtm_load_song in fmt/mtm.c in Schism Tracker 20190722 has a heap-based buffer overflow.
Update Instructions:
Run `sudo pro fix CVE-2019-14465` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
schism - 2:20190805-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-31 23:15:00 UTC
CVE-2019-14465
CVE-2019-14511 on Ubuntu 26.04 LTS (resolute) - medium
Sphinx Technologies Sphinx 3.1.1 by default has no authentication and listens on 0.0.0.0, making it exposed to the internet (unless filtered by a firewall or reconfigured to listen to 127.0.0.1 only).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-22 13:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939762
CVE-2019-14511
CVE-2019-14523 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Schism Tracker through 20190722. There is an integer underflow via a large plen in fmt_okt_load_song in the Amiga Oktalyzer parser in fmt/okt.c.
Update Instructions:
Run `sudo pro fix CVE-2019-14523` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
schism - 2:20190805-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-08-02 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933809
CVE-2019-14523
CVE-2019-14524 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Schism Tracker through 20190722. There is a heap-based buffer overflow via a large number of song patterns in fmt_mtm_load_song in fmt/mtm.c, a different vulnerability than CVE-2019-14465.
Update Instructions:
Run `sudo pro fix CVE-2019-14524` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
schism - 2:20190805-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-02 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933808
CVE-2019-14524
CVE-2019-14531 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There is an out of bounds read on iso9660 while parsing System Use Sharing Protocol data in fs/iso9660.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-08-02 15:15:00 UTC
CVE-2019-14531
CVE-2019-14532 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There is an off-by-one overwrite due to an underflow on tools/hashtools/hfind.cpp while using a bogus hash table.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-08-02 15:15:00 UTC
CVE-2019-14532
CVE-2019-14662 on Ubuntu 26.04 LTS (resolute) - low
Brandy 1.20.1 has a stack-based buffer overflow in fileio_openout in fileio.c via crafted BASIC source code.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-08-05 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933996
CVE-2019-14662
CVE-2019-14663 on Ubuntu 26.04 LTS (resolute) - low
Brandy 1.20.1 has a stack-based buffer overflow in fileio_openin in fileio.c via crafted BASIC source code.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-08-05 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933996
CVE-2019-14663
CVE-2019-14665 on Ubuntu 26.04 LTS (resolute) - low
Brandy 1.20.1 has a heap-based buffer overflow in define_array in variables.c via crafted BASIC source code.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-08-05 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933996
CVE-2019-14665
CVE-2019-14745 on Ubuntu 26.04 LTS (resolute) - medium
In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-07 15:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/radare2/+bug/1882889
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934204
CVE-2019-14745
CVE-2019-14824 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-11-08 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944150
CVE-2019-14824
CVE-2019-14826 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-17 16:15:00 UTC
CVE-2019-14826
CVE-2019-14855 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-03-20 16:15:00 UTC
2020-03-20 16:15:00 UTC
https://dev.gnupg.org/T4755
[https://ubuntu.com/security/notices/USN-4516-1]
CVE-2019-14855
CVE-2019-14888 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-23 17:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1772464
CVE-2019-14888
CVE-2019-14899 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-12-11 15:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14899
CVE-2019-14899
CVE-2019-14902 on Ubuntu 26.04 LTS (resolute) - low
There is an issue in all samba 4.11.x versions before 4.11.5, all samba 4.10.x versions before 4.10.12 and all samba 4.9.x versions before 4.9.18, where the removal of the right to create or modify a subtree would not automatically be taken away on all domain controllers.
Update Instructions:
Run `sudo pro fix CVE-2019-14902` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-01-21
2020-01-21
https://bugzilla.samba.org/show_bug.cgi?id=12497
[https://ubuntu.com/security/notices/USN-4244-1]
CVE-2019-14902
CVE-2019-14907 on Ubuntu 26.04 LTS (resolute) - low
All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with "log level = 3" (or above) then the string obtained from the client, after a failed character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process (such as the RPC server) to terminate. (In the file server case, the most likely target, smbd, operates as process-per-client and so a crash there is harmless).
Update Instructions:
Run `sudo pro fix CVE-2019-14907` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-01-21
2020-01-21
Robert Święcki
https://bugzilla.samba.org/show_bug.cgi?id=14208
[https://ubuntu.com/security/notices/USN-4244-1]
CVE-2019-14907
CVE-2019-14954 on Ubuntu 26.04 LTS (resolute) - medium
JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plantuml artifact download link via a cleartext http connection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-01 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747616
CVE-2019-14954
CVE-2019-14981 on Ubuntu 26.04 LTS (resolute) - low
In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file.
Update Instructions:
Run `sudo pro fix CVE-2019-14981` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.10.23+dfsg-2.1ubuntu9
imagemagick-7-common - 8:6.9.10.23+dfsg-2.1ubuntu9
imagemagick-7.q16 - 8:6.9.10.23+dfsg-2.1ubuntu9
imagemagick-7.q16hdri - 8:6.9.10.23+dfsg-2.1ubuntu9
libimage-magick-perl - 8:6.9.10.23+dfsg-2.1ubuntu9
libimage-magick-q16-perl - 8:6.9.10.23+dfsg-2.1ubuntu9
libimage-magick-q16hdri-perl - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagick++-7-headers - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagick++-7.q16-5 - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagick++-7.q16hdri-5 - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7-arch-config - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7-headers - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7.q16-10 - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7.q16-10-extra - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7.q16hdri-10 - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickcore-7.q16hdri-10-extra - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickwand-7-headers - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickwand-7.q16-10 - 8:6.9.10.23+dfsg-2.1ubuntu9
libmagickwand-7.q16hdri-10 - 8:6.9.10.23+dfsg-2.1ubuntu9
perlmagick - 8:6.9.10.23+dfsg-2.1ubuntu9
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-08-12 23:15:00 UTC
2019-08-12 23:15:00 UTC
https://github.com/ImageMagick/ImageMagick/issues/1552
[https://ubuntu.com/security/notices/USN-4192-1]
[https://ubuntu.com/security/notices/USN-8263-1]
CVE-2019-14981
CVE-2019-15047 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffer over-read in the function AP4_BitReader::SkipBits at Core/Ap4Utils.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-14 16:15:00 UTC
CVE-2019-15047
CVE-2019-15048 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffer overflow in the AP4_RtpAtom class at Core/Ap4RtpAtom.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-14 16:15:00 UTC
CVE-2019-15048
CVE-2019-15049 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffer over-read in the AP4_Dec3Atom class at Core/Ap4Dec3Atom.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-14 16:15:00 UTC
CVE-2019-15049
CVE-2019-15050 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffer over-read in the AP4_AvccAtom class at Core/Ap4AvccAtom.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-14 16:15:00 UTC
CVE-2019-15050
CVE-2019-15052 on Ubuntu 26.04 LTS (resolute) - medium
The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-14 20:15:00 UTC
CVE-2019-15052
CVE-2019-15058 on Ubuntu 26.04 LTS (resolute) - medium
stb_image.h (aka the stb image loader) 2.23 has a heap-based buffer over-read in stbi__tga_load, leading to Information Disclosure or Denial of Service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-14 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934973
CVE-2019-15058
CVE-2019-15141 on Ubuntu 26.04 LTS (resolute) - low
WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF. NOTE: this occurs because of an incomplete fix for CVE-2019-11597.
Update Instructions:
Run `sudo pro fix CVE-2019-15141` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.10.23+dfsg-2.1ubuntu2
imagemagick-7-common - 8:6.9.10.23+dfsg-2.1ubuntu2
imagemagick-7.q16 - 8:6.9.10.23+dfsg-2.1ubuntu2
imagemagick-7.q16hdri - 8:6.9.10.23+dfsg-2.1ubuntu2
libimage-magick-perl - 8:6.9.10.23+dfsg-2.1ubuntu2
libimage-magick-q16-perl - 8:6.9.10.23+dfsg-2.1ubuntu2
libimage-magick-q16hdri-perl - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagick++-7-headers - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagick++-7.q16-5 - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagick++-7.q16hdri-5 - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickcore-7-arch-config - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickcore-7-headers - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickcore-7.q16-10 - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickcore-7.q16-10-extra - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickcore-7.q16hdri-10 - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickcore-7.q16hdri-10-extra - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickwand-7-headers - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickwand-7.q16-10 - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickwand-7.q16hdri-10 - 8:6.9.10.23+dfsg-2.1ubuntu2
perlmagick - 8:6.9.10.23+dfsg-2.1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-08-18 19:15:00 UTC
2019-08-18 19:15:00 UTC
https://github.com/ImageMagick/ImageMagick/issues/1560
[https://ubuntu.com/security/notices/USN-7053-1]
CVE-2019-15141
CVE-2019-15213 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in the Linux kernel before 5.2.3. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-08-19 22:15:00 UTC
https://bugzilla.kernel.org/show_bug.cgi?id=204597
https://bugzilla.suse.com/show_bug.cgi?id=1146544
CVE-2019-15213
CVE-2019-15237 on Ubuntu 26.04 LTS (resolute) - low
Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
Update Instructions:
Run `sudo pro fix CVE-2019-15237` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
roundcube - 1.5.0+dfsg.1-2
roundcube-core - 1.5.0+dfsg.1-2
roundcube-mysql - 1.5.0+dfsg.1-2
roundcube-pgsql - 1.5.0+dfsg.1-2
roundcube-plugins - 1.5.0+dfsg.1-2
roundcube-sqlite3 - 1.5.0+dfsg.1-2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-08-20 01:15:00 UTC
2019-08-20 01:15:00 UTC
[https://ubuntu.com/security/notices/USN-8223-1]
CVE-2019-15237
CVE-2019-15486 on Ubuntu 26.04 LTS (resolute) - medium
django-js-reverse (aka Django JS Reverse) before 0.9.1 has XSS via js_reverse_inline.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-23 13:15:00 UTC
CVE-2019-15486
CVE-2019-1563 on Ubuntu 26.04 LTS (resolute) - low
In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
Update Instructions:
Run `sudo pro fix CVE-2019-1563` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 1.1.1d-2ubuntu1
openssl - 1.1.1d-2ubuntu1
openssl-provider-legacy - 1.1.1d-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-09-10 17:15:00 UTC
2019-09-10 17:15:00 UTC
Bernd Edlinger
[https://ubuntu.com/security/notices/USN-4376-1]
[https://ubuntu.com/security/notices/USN-4376-2]
[https://ubuntu.com/security/notices/USN-4504-1]
CVE-2019-1563
CVE-2019-15678 on Ubuntu 26.04 LTS (resolute) - medium
TightVNC code version 1.3.10 contains a heap buffer overflow in the rfbServerCutText handler, which can potentially result in code execution. This attack appears to be exploitable via network connectivity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-29 19:15:00 UTC
Pavel Cheremushkin
CVE-2019-15678
CVE-2019-15679 on Ubuntu 26.04 LTS (resolute) - medium
TightVNC code version 1.3.10 contains a heap buffer overflow in the InitialiseRFBConnection function, which can potentially result in code execution. This attack appears to be exploitable via network connectivity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-29 19:15:00 UTC
Pavel Cheremushkin
CVE-2019-15679
CVE-2019-15680 on Ubuntu 26.04 LTS (resolute) - low
TightVNC code version 1.3.10 contains a null pointer dereference in the HandleZlibBPP function, which results in Denial of System (DoS). This attack appears to be exploitable via network connectivity.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-10-29 19:15:00 UTC
2019-10-29 19:15:00 UTC
Pavel Cheremushkin
https://github.com/LibVNC/libvncserver/issues/359
[https://ubuntu.com/security/notices/USN-4407-1]
CVE-2019-15680
CVE-2019-15681 on Ubuntu 26.04 LTS (resolute) - low
LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains a memory leak (CWE-655) in VNC server code, which allows an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in commit d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-10-29 19:15:00 UTC
2019-10-29 19:15:00 UTC
Pavel Cheremushkin
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943793
[https://ubuntu.com/security/notices/USN-4407-1]
[https://ubuntu.com/security/notices/USN-4547-1]
[https://ubuntu.com/security/notices/USN-4573-1]
[https://ubuntu.com/security/notices/USN-4587-1]
CVE-2019-15681
CVE-2019-15794 on Ubuntu 26.04 LTS (resolute) - medium
Overlayfs in the Linux kernel and shiftfs, a non-upstream patch to the Linux kernel included in the Ubuntu 5.0 and 5.3 kernel series, both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file following after call_mmap() returns an error. However, the aufs patches change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-11-08
2019-11-08
Jann Horn
https://bugs.launchpad.net/bugs/1850994
[https://ubuntu.com/security/notices/USN-4208-1]
[https://ubuntu.com/security/notices/USN-4209-1]
CVE-2019-15794
CVE-2019-15847 on Ubuntu 26.04 LTS (resolute) - negligible
The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2019 Canonical Ltd.
2019-09-02 23:15:00 UTC
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481
CVE-2019-15847
CVE-2019-15860 on Ubuntu 26.04 LTS (resolute) - medium
Xpdf 2.00 allows a SIGSEGV in XRef::constructXRef in XRef.cc. NOTE: 2.00 is a version from November 2002.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-03 07:15:00 UTC
CVE-2019-15860
CVE-2019-15890 on Ubuntu 26.04 LTS (resolute) - low
libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c.
Update Instructions:
Run `sudo pro fix CVE-2019-15890` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:4.2-1ubuntu1
qemu-block-supplemental - 1:4.2-1ubuntu1
qemu-guest-agent - 1:4.2-1ubuntu1
qemu-system - 1:4.2-1ubuntu1
qemu-system-arm - 1:4.2-1ubuntu1
qemu-system-common - 1:4.2-1ubuntu1
qemu-system-data - 1:4.2-1ubuntu1
qemu-system-gui - 1:4.2-1ubuntu1
qemu-system-mips - 1:4.2-1ubuntu1
qemu-system-misc - 1:4.2-1ubuntu1
qemu-system-modules-opengl - 1:4.2-1ubuntu1
qemu-system-modules-spice - 1:4.2-1ubuntu1
qemu-system-ppc - 1:4.2-1ubuntu1
qemu-system-riscv - 1:4.2-1ubuntu1
qemu-system-s390x - 1:4.2-1ubuntu1
qemu-system-sparc - 1:4.2-1ubuntu1
qemu-system-x86 - 1:4.2-1ubuntu1
qemu-system-x86-xen - 1:4.2-1ubuntu1
qemu-system-xen - 1:4.2-1ubuntu1
qemu-user - 1:4.2-1ubuntu1
qemu-user-binfmt - 1:4.2-1ubuntu1
qemu-utils - 1:4.2-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-09-06 17:15:00 UTC
2019-09-06 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-4191-1]
[https://ubuntu.com/security/notices/USN-4191-2]
CVE-2019-15890
CVE-2019-15903 on Ubuntu 26.04 LTS (resolute) - medium
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
Update Instructions:
Run `sudo pro fix CVE-2019-15903` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
firefox - 70.0+build2-0ubuntu1
No subscription required
thunderbird - 1:68.2.0+build1.1-0ubuntu1
No subscription required
chromium-browser - 78.0.3904.70-0ubuntu1
chromium-browser-l10n - 78.0.3904.70-0ubuntu1
chromium-chromedriver - 78.0.3904.70-0ubuntu1
chromium-codecs-ffmpeg - 78.0.3904.70-0ubuntu1
chromium-codecs-ffmpeg-extra - 78.0.3904.70-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-04
2019-09-04
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939394
[https://ubuntu.com/security/notices/USN-4132-1]
[https://ubuntu.com/security/notices/USN-4132-2]
[https://ubuntu.com/security/notices/USN-4165-1]
[https://ubuntu.com/security/notices/USN-4202-1]
[https://ubuntu.com/security/notices/USN-4335-1]
[https://ubuntu.com/security/notices/USN-5455-1]
[https://ubuntu.com/security/notices/USN-4852-1]
[https://ubuntu.com/security/notices/USN-7199-1]
CVE-2019-15903
CVE-2019-16088 on Ubuntu 26.04 LTS (resolute) - medium
Xpdf 3.04 has a SIGSEGV in XRef::fetch in XRef.cc after many recursive calls to Catalog::countPageTree in Catalog.cc.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-06 22:15:00 UTC
CVE-2019-16088
CVE-2019-16115 on Ubuntu 26.04 LTS (resolute) - medium
In Xpdf 4.01.01, a stack-based buffer under-read could be triggered in IdentityFunction::transform in Function.cc, used by GfxAxialShading::getColor. It can, for example, be triggered by sending a crafted PDF document to the pdftoppm tool. It allows an attacker to use a crafted PDF file to cause Denial of Service or possibly unspecified other impact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-08 22:15:00 UTC
CVE-2019-16115
CVE-2019-16166 on Ubuntu 26.04 LTS (resolute) - medium
GNU cflow through 1.6 has a heap-based buffer over-read in the nexttoken function in parser.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-09 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939916
CVE-2019-16166
CVE-2019-16201 on Ubuntu 26.04 LTS (resolute) - medium
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-11-20 00:00:00 UTC
2019-11-20 00:00:00 UTC
[https://ubuntu.com/security/notices/USN-4201-1]
CVE-2019-16201
CVE-2019-16217 on Ubuntu 26.04 LTS (resolute) - medium
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-11 14:15:00 UTC
CVE-2019-16217
CVE-2019-16218 on Ubuntu 26.04 LTS (resolute) - medium
WordPress before 5.2.3 allows XSS in stored comments.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-11 14:15:00 UTC
CVE-2019-16218
CVE-2019-16219 on Ubuntu 26.04 LTS (resolute) - medium
WordPress before 5.2.3 allows XSS in shortcode previews.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-11 14:15:00 UTC
CVE-2019-16219
CVE-2019-16220 on Ubuntu 26.04 LTS (resolute) - medium
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-11 14:15:00 UTC
CVE-2019-16220
CVE-2019-16221 on Ubuntu 26.04 LTS (resolute) - medium
WordPress before 5.2.3 allows reflected XSS in the dashboard.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-11 14:15:00 UTC
CVE-2019-16221
CVE-2019-16222 on Ubuntu 26.04 LTS (resolute) - medium
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-11 14:15:00 UTC
CVE-2019-16222
CVE-2019-16223 on Ubuntu 26.04 LTS (resolute) - medium
WordPress before 5.2.3 allows XSS in post previews by authenticated users.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-11 14:15:00 UTC
CVE-2019-16223
CVE-2019-16224 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in py-lmdb 0.97. For certain values of md_flags, mdb_node_add does not properly set up a memcpy destination, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-11 15:15:00 UTC
CVE-2019-16224
CVE-2019-16225 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in py-lmdb 0.97. For certain values of mp_flags, mdb_page_touch does not properly set up mc->mc_pg[mc->top], leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-11 15:15:00 UTC
CVE-2019-16225
CVE-2019-16226 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in py-lmdb 0.97. mdb_node_del does not validate a memmove in the case of an unexpected node->mn_hi, leading to an invalid write operation. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-11 15:15:00 UTC
CVE-2019-16226
CVE-2019-16227 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in py-lmdb 0.97. For certain values of mn_flags, mdb_cursor_set triggers a memcpy with an invalid write operation within mdb_xcursor_init1. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-11 15:15:00 UTC
CVE-2019-16227
CVE-2019-16228 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in py-lmdb 0.97. There is a divide-by-zero error in the function mdb_env_open2 if mdb_env_read_header obtains a zero value for a certain size field. NOTE: this outcome occurs when accessing a data.mdb file supplied by an attacker.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-11 15:15:00 UTC
CVE-2019-16228
CVE-2019-16255 on Ubuntu 26.04 LTS (resolute) - medium
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-11-20 00:00:00 UTC
2019-11-20 00:00:00 UTC
[https://ubuntu.com/security/notices/USN-4201-1]
CVE-2019-16255
CVE-2019-16349 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 1.5.1-628 has a NULL pointer dereference in AP4_ByteStream::ReadUI32 in Core/Ap4ByteStream.cpp when called from the AP4_TrunAtom class.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-16 13:15:00 UTC
CVE-2019-16349
CVE-2019-16370 on Ubuntu 26.04 LTS (resolute) - medium
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-16 18:15:00 UTC
2019-09-16 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-4858-1]
CVE-2019-16370
CVE-2019-16707 on Ubuntu 26.04 LTS (resolute) - low
Hunspell 1.7.0 has an invalid read operation in SuggestMgr::leftcommonsubstring in suggestmgr.cxx.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-09-23 12:15:00 UTC
CVE-2019-16707
CVE-2019-16712 on Ubuntu 26.04 LTS (resolute) - low
ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by WritePS3Image.
Update Instructions:
Run `sudo pro fix CVE-2019-16712` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.10.23+dfsg-2.1ubuntu2
imagemagick-7-common - 8:6.9.10.23+dfsg-2.1ubuntu2
imagemagick-7.q16 - 8:6.9.10.23+dfsg-2.1ubuntu2
imagemagick-7.q16hdri - 8:6.9.10.23+dfsg-2.1ubuntu2
libimage-magick-perl - 8:6.9.10.23+dfsg-2.1ubuntu2
libimage-magick-q16-perl - 8:6.9.10.23+dfsg-2.1ubuntu2
libimage-magick-q16hdri-perl - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagick++-7-headers - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagick++-7.q16-5 - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagick++-7.q16hdri-5 - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickcore-7-arch-config - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickcore-7-headers - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickcore-7.q16-10 - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickcore-7.q16-10-extra - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickcore-7.q16hdri-10 - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickcore-7.q16hdri-10-extra - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickwand-7-headers - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickwand-7.q16-10 - 8:6.9.10.23+dfsg-2.1ubuntu2
libmagickwand-7.q16hdri-10 - 8:6.9.10.23+dfsg-2.1ubuntu2
perlmagick - 8:6.9.10.23+dfsg-2.1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-09-23 12:15:00 UTC
2019-09-23 12:15:00 UTC
https://github.com/ImageMagick/ImageMagick/issues/1557
[https://ubuntu.com/security/notices/USN-7053-1]
CVE-2019-16712
CVE-2019-16738 on Ubuntu 26.04 LTS (resolute) - medium
In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-26 02:15:00 UTC
CVE-2019-16738
CVE-2019-16775 on Ubuntu 26.04 LTS (resolute) - medium
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-12-13 01:15:00 UTC
CVE-2019-16775
CVE-2019-16776 on Ubuntu 26.04 LTS (resolute) - medium
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-12-13 01:15:00 UTC
CVE-2019-16776
CVE-2019-16777 on Ubuntu 26.04 LTS (resolute) - medium
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-12-13 01:15:00 UTC
CVE-2019-16777
CVE-2019-16791 on Ubuntu 26.04 LTS (resolute) - medium
In postfix-mta-sts-resolver before 0.5.1, All users can receive incorrect response from daemon under rare conditions, rendering downgrade of effective STS policy.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-22 02:15:00 UTC
CVE-2019-16791
CVE-2019-16927 on Ubuntu 26.04 LTS (resolute) - medium
Xpdf 4.01.01 has an out-of-bounds write in the vertProfile part of the TextPage::findGaps function in TextOutputDev.cc, a different vulnerability than CVE-2019-9877.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-27 20:15:00 UTC
CVE-2019-16927
CVE-2019-17064 on Ubuntu 26.04 LTS (resolute) - medium
Catalog.cc in Xpdf 4.02 has a NULL pointer dereference because Catalog.pageLabels is initialized too late in the Catalog constructor.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-01 16:15:00 UTC
CVE-2019-17064
CVE-2019-17067 on Ubuntu 26.04 LTS (resolute) - medium
PuTTY before 0.73 on Windows improperly opens port-forwarding listening sockets, which allows attackers to listen on the same port to steal an incoming connection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-01 17:15:00 UTC
CVE-2019-17067
CVE-2019-17383 on Ubuntu 26.04 LTS (resolute) - medium
The netaddr gem before 2.0.4 for Ruby has misconfigured file permissions, such that a gem install may result in 0777 permissions in the target filesystem.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-09 16:15:00 UTC
CVE-2019-17383
CVE-2019-17452 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 1.5.1.0 has a NULL pointer dereference in AP4_DescriptorListInspector::Action in Core/Ap4Descriptor.h, related to AP4_IodsAtom::InspectFields in Core/Ap4IodsAtom.cpp, as demonstrated by mp4dump.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-10 17:15:00 UTC
CVE-2019-17452
CVE-2019-17453 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 1.5.1.0 has a NULL pointer dereference in AP4_DescriptorListWriter::Action in Core/Ap4Descriptor.h, related to AP4_IodsAtom::WriteFields in Core/Ap4IodsAtom.cpp, as demonstrated by mp4encrypt or mp4compact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-10 17:15:00 UTC
CVE-2019-17453
CVE-2019-17454 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 1.5.1.0 has a NULL pointer dereference in AP4_Descriptor::GetTag in Core/Ap4Descriptor.h, related to AP4_StsdAtom::GetSampleDescription in Core/Ap4StsdAtom.cpp, as demonstrated by mp4info.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-10 17:15:00 UTC
CVE-2019-17454
CVE-2019-17528 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1.0. There is a SEGV in the function AP4_TfhdAtom::SetDefaultSampleSize at Core/Ap4TfhdAtom.h when called from AP4_Processor::ProcessFragments in Core/Ap4Processor.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-12 20:15:00 UTC
CVE-2019-17528
CVE-2019-17529 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffer over-read in AP4_CencSampleEncryption::DoInspectFields in Core/Ap4CommonEncryption.cpp when called from AP4_Atom::Inspect in Core/Ap4Atom.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-12 20:15:00 UTC
CVE-2019-17529
CVE-2019-17530 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffer over-read in AP4_PrintInspector::AddField in Core/Ap4Atom.cpp when called from AP4_CencSampleEncryption::DoInspectFields in Core/Ap4CommonEncryption.cpp, when called from AP4_Atom::Inspect in Core/Ap4Atom.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-12 20:15:00 UTC
CVE-2019-17530
CVE-2019-17533 on Ubuntu 26.04 LTS (resolute) - medium
Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-13 02:15:00 UTC
2019-10-13 02:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942255
[https://ubuntu.com/security/notices/USN-5185-1]
CVE-2019-17533
CVE-2019-17546 on Ubuntu 26.04 LTS (resolute) - medium
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-14 02:15:00 UTC
2019-10-14 02:15:00 UTC
[https://ubuntu.com/security/notices/USN-4158-1]
[https://ubuntu.com/security/notices/USN-5841-1]
CVE-2019-17546
CVE-2019-17560 on Ubuntu 26.04 LTS (resolute) - low
The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. "Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-03-30 19:15:00 UTC
CVE-2019-17560
CVE-2019-17561 on Ubuntu 26.04 LTS (resolute) - low
The "Apache NetBeans" autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. "Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-03-30 19:15:00 UTC
CVE-2019-17561
CVE-2019-18217 on Ubuntu 26.04 LTS (resolute) - medium
ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauthenticated denial-of-service due to incorrect handling of overly long commands because main.c in a child process enters an infinite loop.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-21 04:15:00 UTC
CVE-2019-18217
CVE-2019-18361 on Ubuntu 26.04 LTS (resolute) - medium
JetBrains IntelliJ IDEA before 2019.2 allows local user privilege escalation, potentially leading to arbitrary code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-31 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747616
CVE-2019-18361
CVE-2019-18823 on Ubuntu 26.04 LTS (resolute) - low
HTCondor up to and including stable series 8.8.6 and development series 8.9.4 has Incorrect Access Control. It is possible to use a different authentication method to submit a job than the administrator has specified. If the administrator has configured the READ or WRITE methods to include CLAIMTOBE, then it is possible to impersonate another user to the condor_schedd. (For example to submit or remove jobs)
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-04-27 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963777
CVE-2019-18823
CVE-2019-18862 on Ubuntu 26.04 LTS (resolute) - low
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-11-11 16:15:00 UTC
CVE-2019-18862
CVE-2019-18900 on Ubuntu 26.04 LTS (resolute) - low
Incorrect Default Permissions vulnerability in libzypp of SUSE CaaS Platform 3.0, SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allowed local attackers to read a cookie store used by libzypp, exposing private cookies. This issue affects: SUSE CaaS Platform 3.0 libzypp versions prior to 16.21.2-27.68.1. SUSE Linux Enterprise Server 12 libzypp versions prior to 16.21.2-2.45.1. SUSE Linux Enterprise Server 15 17.19.0-3.34.1.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-01-24 16:15:00 UTC
CVE-2019-18900
CVE-2019-18936 on Ubuntu 26.04 LTS (resolute) - low
UniValue::read() in UniValue before 1.0.5 allows attackers to cause a denial of service (the class internal data reaches an inconsistent state) via input data that triggers an error.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-03-21 01:15:00 UTC
CVE-2019-18936
CVE-2019-19269 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. The dereference occurs when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-11-30 23:15:00 UTC
CVE-2019-19269
CVE-2019-19270 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. Failure to check for the appropriate field of a CRL entry (checking twice for subject, rather than once for subject and once for issuer) prevents some valid CRLs from being taken into account, and can allow clients whose certificates have been revoked to proceed with a connection to the server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-11-26 04:15:00 UTC
CVE-2019-19270
CVE-2019-19308 on Ubuntu 26.04 LTS (resolute) - low
In text_to_glyphs in sushi-font-widget.c in gnome-font-viewer 3.34.0, there is a NULL pointer dereference while parsing a TTF font file that lacks a name section (due to a g_strconcat call that returns NULL).
Update Instructions:
Run `sudo pro fix CVE-2019-19308` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnome-font-viewer - 3.34.0-2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-11-27 15:15:00 UTC
https://gitlab.gnome.org/GNOME/gnome-font-viewer/issues/17
CVE-2019-19308
CVE-2019-19343 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. Versions before undertow 2.0.25.SP1 and jboss-remoting 5.0.14.SP1 are believed to be vulnerable.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-03-23 21:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1780445
CVE-2019-19343
CVE-2019-19378 on Ubuntu 26.04 LTS (resolute) - low
In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image can lead to slab-out-of-bounds write access in index_rbio_pages in fs/btrfs/raid56.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-11-29 17:15:00 UTC
https://bugzilla.suse.com/show_bug.cgi?id=1158270
https://bugzilla.redhat.com/show_bug.cgi?id=1781899
CVE-2019-19378
CVE-2019-19451 on Ubuntu 26.04 LTS (resolute) - low
When GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop, thus endlessly writing text to stdout. If this launch is from a thumbnailer service, this output will usually be written to disk via the system's logging facility (potentially with elevated privileges), thus filling up the disk and eventually rendering the system unusable. (The filename can be for a nonexistent file.) NOTE: this does not affect an upstream release, but affects certain Linux distribution packages with version numbers such as 0.97.3.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-11-29 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945876
CVE-2019-19451
CVE-2019-19489 on Ubuntu 26.04 LTS (resolute) - medium
SMPlayer 19.5.0 has a buffer overflow via a long .m3u file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-12-02 02:15:00 UTC
CVE-2019-19489
CVE-2019-19720 on Ubuntu 26.04 LTS (resolute) - medium
Yabasic 2.86.1 has a heap-based buffer overflow in the yylex() function in flex.c via a crafted BASIC source file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-12-11 04:15:00 UTC
CVE-2019-19720
CVE-2019-19814 on Ubuntu 26.04 LTS (resolute) - low
In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause __remove_dirty_segment slab-out-of-bounds write access because an array is bounded by the number of dirty types (8) but the array index can exceed this.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-12-17 06:15:00 UTC
https://bugzilla.suse.com/show_bug.cgi?id=1159437
CVE-2019-19814
CVE-2019-20005 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_decode, while parsing a crafted XML file, performs incorrect memory handling, leading to a heap-based buffer over-read while running strchr() starting with a pointer after a '\0' character (where the processing of a string was finished).
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-12-26 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989363
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989364
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989361
CVE-2019-20005
CVE-2019-20006 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_char_content puts a pointer to the internal address of a larger block as xml->txt. This is later deallocated (using free), leading to a segmentation fault.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-12-26 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989363
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989364
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989361
CVE-2019-20006
CVE-2019-20007 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in ezXML 0.8.2 through 0.8.6. The function ezxml_str2utf8, while parsing a crafted XML file, performs zero-length reallocation in ezxml.c, leading to returning a NULL pointer (in some compilers). After this, the function ezxml_parse_str does not check whether the s variable is not NULL in ezxml.c, leading to a NULL pointer dereference and crash (segmentation fault).
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-12-26 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989363
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989364
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989361
CVE-2019-20007
CVE-2019-20019 on Ubuntu 26.04 LTS (resolute) - low
An attempted excessive memory allocation was discovered in Mat_VarRead5 in mat5.c in matio 1.5.17.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-12-27 02:15:00 UTC
CVE-2019-20019
CVE-2019-20090 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1.0. There is a use-after-free in AP4_Sample::GetOffset in Core/Ap4Sample.h when called from Ap4LinearReader.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-12-30 04:15:00 UTC
CVE-2019-20090
CVE-2019-20091 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1.0. There is a NULL pointer dereference in AP4_Descriptor::GetTag in mp42ts when called from AP4_DecoderConfigDescriptor::GetDecoderSpecificInfoDescriptor in Ap4DecoderConfigDescriptor.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-12-30 04:15:00 UTC
CVE-2019-20091
CVE-2019-20092 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1.0. There is a NULL pointer dereference in AP4_Descriptor::GetTag in mp42ts when called from AP4_EsDescriptor::GetDecoderConfigDescriptor in Ap4EsDescriptor.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-12-30 04:15:00 UTC
CVE-2019-20092
CVE-2019-20184 on Ubuntu 26.04 LTS (resolute) - medium
KeePass 2.4.1 allows CSV injection in the title field of a CSV export.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-09 22:15:00 UTC
CVE-2019-20184
CVE-2019-20198 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_ent_ok() mishandles recursion, leading to stack consumption for a crafted XML file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-12-31 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989363
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989364
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989361
CVE-2019-20198
CVE-2019-20199 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_decode, while parsing a crafted XML file, performs incorrect memory handling, leading to NULL pointer dereference while running strlen() on a NULL pointer.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-12-31 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989363
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989364
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989361
CVE-2019-20199
CVE-2019-20200 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_decode, while parsing a crafted XML file, performs incorrect memory handling, leading to a heap-based buffer over-read in the "normalize line endings" feature.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-12-31 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989363
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989364
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989361
CVE-2019-20200
CVE-2019-20201 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in ezXML 0.8.3 through 0.8.6. The ezxml_parse_* functions mishandle XML entities, leading to an infinite loop in which memory allocations occur.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-12-31 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989363
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989364
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989361
CVE-2019-20201
CVE-2019-20202 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_char_content() tries to use realloc on a block that was not allocated, leading to an invalid free and segmentation fault.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-12-31 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989363
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989364
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989361
CVE-2019-20202
CVE-2019-20378 on Ubuntu 26.04 LTS (resolute) - low
ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php ce parameter.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-01-11 03:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948664
CVE-2019-20378
CVE-2019-20379 on Ubuntu 26.04 LTS (resolute) - low
ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php cs parameter.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-01-11 03:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948664
CVE-2019-20379
CVE-2019-20426 on Ubuntu 26.04 LTS (resolute) - low
In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds access and panic due to the lack of validation for specific fields of packets sent by a client. In the function ldlm_cancel_hpreq_check, there is no lock_count bounds check.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-01-27 05:15:00 UTC
CVE-2019-20426
CVE-2019-20478 on Ubuntu 26.04 LTS (resolute) - medium
In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-02-19 04:15:00 UTC
CVE-2019-20478
CVE-2019-20503 on Ubuntu 26.04 LTS (resolute) - medium
usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_addresses_from_init.
Update Instructions:
Run `sudo pro fix CVE-2019-20503` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
firefox - 74.0+build3-0ubuntu1
No subscription required
thunderbird - 1:68.6.0+build2-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-03-06 20:15:00 UTC
2020-03-06 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953270
[https://ubuntu.com/security/notices/USN-4299-1]
[https://ubuntu.com/security/notices/USN-4328-1]
[https://ubuntu.com/security/notices/USN-4335-1]
CVE-2019-20503
CVE-2019-20633 on Ubuntu 26.04 LTS (resolute) - negligible
GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2020 Canonical Ltd.
2020-03-25 17:15:00 UTC
CVE-2019-20633
CVE-2019-20787 on Ubuntu 26.04 LTS (resolute) - medium
Teeworlds before 0.7.4 has an integer overflow when computing a tilemap size.
Update Instructions:
Run `sudo pro fix CVE-2019-20787` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
teeworlds - 0.7.2-5
teeworlds-data - 0.7.2-5
teeworlds-server - 0.7.2-5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-22 17:15:00 UTC
CVE-2019-20787
CVE-2019-20790 on Ubuntu 26.04 LTS (resolute) - medium
OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-27 14:15:00 UTC
https://bugs.launchpad.net/pypolicyd-spf/+bug/1838816
CVE-2019-20790
CVE-2019-20794 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID namespace's pid 1, it will result in a hung task, and resources being permanently locked up until system reboot. This can result in resource exhaustion.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-05-09 18:15:00 UTC
CVE-2019-20794
CVE-2019-20839 on Ubuntu 26.04 LTS (resolute) - medium
libvncclient/sockets.c in LibVNCServer before 0.9.13 has a buffer overflow via a long socket filename.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-17 16:15:00 UTC
2020-06-17 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-4434-1]
CVE-2019-20839
CVE-2019-20840 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in LibVNCServer before 0.9.13. libvncserver/ws_decode.c can lead to a crash because of unaligned accesses in hybiReadAndDecode.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-17 16:15:00 UTC
2020-06-17 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-4434-1]
CVE-2019-20840
CVE-2019-2126 on Ubuntu 26.04 LTS (resolute) - low
In ParseContentEncodingEntry of mkvparser.cc, there is a possible double free due to a missing reset of a freed pointer. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-127702368.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-08-20 20:15:00 UTC
2019-08-20 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-4199-1]
[https://ubuntu.com/security/notices/USN-7579-1]
CVE-2019-2126
CVE-2019-2128 on Ubuntu 26.04 LTS (resolute) - medium
In ACELP_4t64_fx of c4t64fx.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-132647222.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-20 20:15:00 UTC
CVE-2019-2128
CVE-2019-2435 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/Python). Supported versions that are affected are 8.0.13 and prior and 2.1.8 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Connectors accessible data as well as unauthorized access to critical data or complete access to all MySQL Connectors accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-01-16 19:30:00 UTC
CVE-2019-2435
CVE-2019-25043 on Ubuntu 26.04 LTS (resolute) - medium
ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-06 17:15:00 UTC
CVE-2019-25043
CVE-2019-25058 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in USBGuard before 1.1.0. On systems with the usbguard-dbus daemon running, an unprivileged user could make USBGuard allow all USB devices to be connected in the future.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-24 15:15:00 UTC
CVE-2019-25058
CVE-2019-25076 on Ubuntu 26.04 LTS (resolute) - medium
The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.17.2 and 3.0.0 allows remote attackers to cause a denial of service (delays of legitimate traffic) via crafted packet data that requires excessive evaluation time within the packet classification algorithm for the MegaFlow cache, aka a Tuple Space Explosion (TSE) attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-08 23:15:00 UTC
CVE-2019-25076
CVE-2019-25104 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in rtcwcoop 1.0.2 and classified as problematic. Affected by this vulnerability is the function AICast_ScriptLoad of the file code/game/ai_cast_script.c of the component Team Command Handler. The manipulation leads to denial of service. The identifier of the patch is f2cd18bc2e1cbca8c4b78bee9c392272bd5f42ac. It is recommended to apply a patch to fix this issue. The identifier VDB-221485 was assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-20 18:15:00 UTC
CVE-2019-25104
CVE-2019-25225 on Ubuntu 26.04 LTS (resolute) - medium
`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-08 10:15:00 UTC
CVE-2019-25225
CVE-2019-25338 on Ubuntu 26.04 LTS (resolute) - medium
DokuWiki 2018-04-22b contains a username enumeration vulnerability in its password reset functionality that allows attackers to identify valid user accounts. Attackers can submit different usernames to the password reset endpoint and distinguish between existing and non-existing accounts by analyzing the server's error response messages.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-12 23:16:00 UTC
CVE-2019-25338
CVE-2019-25355 on Ubuntu 26.04 LTS (resolute) - medium
gSOAP 2.8 contains a directory traversal vulnerability that allows unauthenticated attackers to access system files by manipulating HTTP path traversal techniques. Attackers can retrieve sensitive files like /etc/passwd by sending crafted GET requests with multiple '../' directory traversal sequences.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-18 22:16:00 UTC
CVE-2019-25355
CVE-2019-25544 on Ubuntu 26.04 LTS (resolute) - medium
Pidgin 2.13.0 contains a denial of service vulnerability that allows local attackers to crash the application by providing an excessively long username string during account creation. Attackers can input a buffer of 1000 characters in the username field and trigger a crash when joining a chat, causing the application to become unavailable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-21 13:16:00 UTC
CVE-2019-25544
CVE-2019-25585 on Ubuntu 26.04 LTS (resolute) - medium
Deluge 1.3.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Webseeds field. Attackers can paste a buffer of 5000 bytes into the Webseeds field during torrent creation to trigger an application crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-22 01:16:00 UTC
CVE-2019-25585
CVE-2019-25586 on Ubuntu 26.04 LTS (resolute) - medium
Deluge 1.3.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the URL field. Attackers can paste a buffer of 5000 characters into the 'From URL' field during torrent addition to trigger an application crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-22 01:16:00 UTC
CVE-2019-25586
CVE-2019-25591 on Ubuntu 26.04 LTS (resolute) - medium
DNSS Domain Name Search Software 2.1.8 contains a buffer overflow vulnerability in the registration code input field that allows local attackers to crash the application by submitting an excessively long string. Attackers can trigger a denial of service by pasting a malicious registration code containing 300 repeated characters into the Name/Key field via the Register menu option.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-22 14:16:00 UTC
CVE-2019-25591
CVE-2019-25656 on Ubuntu 26.04 LTS (resolute) - medium
R i386 3.5.0 contains a local buffer overflow vulnerability in the GUI Preferences dialog that allows local attackers to trigger a structured exception handler (SEH) overwrite by supplying malicious input. Attackers can craft a payload string in the 'Language for menus and messages' field to overwrite SEH records and achieve code execution with calculator or arbitrary shellcode.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-05 21:16:00 UTC
CVE-2019-25656
CVE-2019-25683 on Ubuntu 26.04 LTS (resolute) - medium
FileZilla 3.40.0 contains a denial of service vulnerability in the local search functionality that allows local attackers to crash the application by supplying a malformed path string. Attackers can trigger the crash by entering a crafted path containing 384 'A' characters followed by 'BBBB' and 'CCCC' sequences in the search directory field and initiating a local search operation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-05 21:16:00 UTC
CVE-2019-25683
CVE-2019-25695 on Ubuntu 26.04 LTS (resolute) - medium
R 3.4.4 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by injecting malicious input into the GUI Preferences language field. Attackers can craft a payload with a 292-byte offset and JMP ESP instruction to execute commands like calc.exe when the payload is pasted into the Language for menus and messages field.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-12 13:16:00 UTC
CVE-2019-25695
CVE-2019-3681 on Ubuntu 26.04 LTS (resolute) - low
An External Control of File Name or Path vulnerability in osc of SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Software Development Kit 12-SP5, SUSE Linux Enterprise Software Development Kit 12-SP4; openSUSE Leap 15.1, openSUSE Factory allowed remote attackers that can change downloaded packages to overwrite arbitrary files. This issue affects: SUSE Linux Enterprise Module for Development Tools 15 osc versions prior to 0.169.1-3.20.1. SUSE Linux Enterprise Software Development Kit 12-SP5 osc versions prior to 0.162.1-15.9.1. SUSE Linux Enterprise Software Development Kit 12-SP4 osc versions prior to 0.162.1-15.9.1. openSUSE Leap 15.1 osc versions prior to 0.169.1-lp151.2.15.1. openSUSE Factory osc versions prior to 0.169.0.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-06-29 12:15:00 UTC
CVE-2019-3681
CVE-2019-3685 on Ubuntu 26.04 LTS (resolute) - medium
Open Build Service before version 0.165.4 didn't validate TLS certificates for HTTPS connections with the osc client binary.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-11-05 10:15:00 UTC
CVE-2019-3685
CVE-2019-3689 on Ubuntu 26.04 LTS (resolute) - low
The nfs-utils package in SUSE Linux Enterprise Server 12 before and including version 1.3.0-34.18.1 and in SUSE Linux Enterprise Server 15 before and including version 2.1.1-6.10.2 the directory /var/lib/nfs is owned by statd:nogroup. This directory contains files owned and managed by root. If statd is compromised, it can therefore trick processes running with root privileges into creating/overwriting files anywhere on the system.
Update Instructions:
Run `sudo pro fix CVE-2019-3689` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnfsidmap-regex - 1:1.3.4-2.5ubuntu5
libnfsidmap1 - 1:1.3.4-2.5ubuntu5
nfs-common - 1:1.3.4-2.5ubuntu5
nfs-kernel-server - 1:1.3.4-2.5ubuntu5
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-09-19 14:15:00 UTC
2019-09-19 14:15:00 UTC
https://bugzilla.suse.com/show_bug.cgi?id=1150733
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940848
[https://ubuntu.com/security/notices/USN-4400-1]
CVE-2019-3689
CVE-2019-3816 on Ubuntu 26.04 LTS (resolute) - medium
Openwsman, versions up to and including 2.6.9, are vulnerable to arbitrary file disclosure because the working directory of openwsmand daemon was set to root directory. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to openwsman server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-03-14 22:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754501
CVE-2019-3816
CVE-2019-3825 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was discovered in gdm before 3.31.4. When timed login is enabled in configuration, an attacker could bypass the lock screen by selecting the timed login user and waiting for the timer to expire, at which time they would gain access to the logged-in user's session.
Update Instructions:
Run `sudo pro fix CVE-2019-3825` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gdm3 - 3.31.4+git20190225-1ubuntu1
gir1.2-gdm-1.0 - 3.31.4+git20190225-1ubuntu1
libgdm1 - 3.31.4+git20190225-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-06
2019-02-06
Burghard Britzke
https://gitlab.gnome.org/GNOME/gdm/issues/460
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3825
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921764
[https://ubuntu.com/security/notices/USN-3892-1]
CVE-2019-3825
CVE-2019-3833 on Ubuntu 26.04 LTS (resolute) - medium
Openwsman, versions up to and including 2.6.9, are vulnerable to infinite loop in process_connection() when parsing specially crafted HTTP requests. A remote, unauthenticated attacker can exploit this vulnerability by sending malicious HTTP request to cause denial of service to openwsman server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-03-14 22:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754501
CVE-2019-3833
CVE-2019-3883 on Ubuntu 26.04 LTS (resolute) - medium
In 389-ds-base up to version 1.4.1.2, requests are handled by workers threads. Each sockets will be waited by the worker for at most 'ioblocktimeout' seconds. However this timeout applies only for un-encrypted requests. Connections using SSL/TLS are not taking this timeout into account during reads, and may hang longer. An unauthenticated attacker could repeatedly create hanging LDAP requests to hang all the workers, resulting in a Denial of Service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-04-17 14:29:00 UTC
CVE-2019-3883
CVE-2019-3888 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-06-12 14:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930349
CVE-2019-3888
CVE-2019-3890 on Ubuntu 26.04 LTS (resolute) - medium
It was discovered evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker could abuse this flaw to get confidential information by tricking the user into connecting to a fake server without the user noticing the difference.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-01 14:15:00 UTC
CVE-2019-3890
CVE-2019-3895 on Ubuntu 26.04 LTS (resolute) - medium
An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-06-03 19:29:00 UTC
https://bugs.launchpad.net/octavia/+bug/1620629
CVE-2019-3895
CVE-2019-5057 on Ubuntu 26.04 LTS (resolute) - medium
An exploitable code execution vulnerability exists in the PCX image-rendering functionality of SDL2_image 2.0.4. A specially crafted PCX image can cause a heap overflow, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2019-5057` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libsdl2-image-2.0-0 - 2.0.5+dfsg1-1
libsdl2-image-tests - 2.0.5+dfsg1-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-31 17:15:00 UTC
CVE-2019-5057
CVE-2019-5058 on Ubuntu 26.04 LTS (resolute) - medium
An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image 2.0.4. A specially crafted XCF image can cause a heap overflow, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2019-5058` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libsdl2-image-2.0-0 - 2.0.5+dfsg1-1
libsdl2-image-tests - 2.0.5+dfsg1-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-31 17:15:00 UTC
CVE-2019-5058
CVE-2019-5059 on Ubuntu 26.04 LTS (resolute) - medium
An exploitable code execution vulnerability exists in the XPM image rendering functionality of SDL2_image 2.0.4. A specially crafted XPM image can cause an integer overflow, allocating too small of a buffer. This buffer can then be written out of bounds resulting in a heap overflow, ultimately ending in code execution. An attacker can display a specially crafted image to trigger this vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2019-5059` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libsdl2-image-2.0-0 - 2.0.5+dfsg1-1
libsdl2-image-tests - 2.0.5+dfsg1-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-31 17:15:00 UTC
CVE-2019-5059
CVE-2019-5060 on Ubuntu 26.04 LTS (resolute) - medium
An exploitable code execution vulnerability exists in the XPM image rendering function of SDL2_image 2.0.4. A specially crafted XPM image can cause an integer overflow in the colorhash function, allocating too small of a buffer. This buffer can then be written out of bounds, resulting in a heap overflow, ultimately ending in code execution. An attacker can display a specially crafted image to trigger this vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2019-5060` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libsdl2-image-2.0-0 - 2.0.5+dfsg1-1
libsdl2-image-tests - 2.0.5+dfsg1-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-31 17:15:00 UTC
CVE-2019-5060
CVE-2019-5061 on Ubuntu 26.04 LTS (resolute) - low
An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby Aps of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2019-5061` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
eapoltest - 2:2.9.0-20build1
hostapd - 2:2.9.0-20build1
wpagui - 2:2.9.0-20build1
wpasupplicant - 2:2.9.0-20build1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-12-12 22:15:00 UTC
CVE-2019-5061
CVE-2019-5062 on Ubuntu 26.04 LTS (resolute) - negligible
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of service.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2019 Canonical Ltd.
2019-12-12 22:15:00 UTC
CVE-2019-5062
CVE-2019-5152 on Ubuntu 26.04 LTS (resolute) - medium
An exploitable information disclosure vulnerability exists in the network packet handling functionality of Shadowsocks-libev 3.3.2. When utilizing a Stream Cipher, a specially crafted set of network packets can cause an outbound connection from the server, resulting in information disclosure. An attacker can send arbitrary packets to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-12-18 15:15:00 UTC
CVE-2019-5152
CVE-2019-5459 on Ubuntu 26.04 LTS (resolute) - medium
An Integer underflow in VLC Media Player versions < 3.0.7 leads to an out-of-band read.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-30 21:15:00 UTC
CVE-2019-5459
CVE-2019-6132 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 v1.5.1-627. There is a memory leak in AP4_DescriptorFactory::CreateDescriptorFromStream in Core/Ap4DescriptorFactory.cpp when called from the AP4_EsdsAtom class in Core/Ap4EsdsAtom.cpp, as demonstrated by mp42aac.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-01-11 05:29:00 UTC
CVE-2019-6132
CVE-2019-6290 on Ubuntu 26.04 LTS (resolute) - negligible
An infinite recursion issue was discovered in eval.c in Netwide Assembler (NASM) through 2.14.02. There is a stack exhaustion problem resulting from infinite recursion in the functions expr, rexp, bexpr and cexpr in certain scenarios involving lots of '{' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted asm file.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2019 Canonical Ltd.
2019-01-15 00:29:00 UTC
https://bugzilla.nasm.us/show_bug.cgi?id=3392548
CVE-2019-6290
CVE-2019-6291 on Ubuntu 26.04 LTS (resolute) - negligible
An issue was discovered in the function expr6 in eval.c in Netwide Assembler (NASM) through 2.14.02. There is a stack exhaustion problem caused by the expr6 function making recursive calls to itself in certain scenarios involving lots of '!' or '+' or '-' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted asm file.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2019 Canonical Ltd.
2019-01-15 00:29:00 UTC
https://bugzilla.nasm.us/show_bug.cgi?id=3392549
CVE-2019-6291
CVE-2019-6293 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-01-15 00:29:00 UTC
https://github.com/westes/flex/issues/414
CVE-2019-6293
CVE-2019-6439 on Ubuntu 26.04 LTS (resolute) - negligible
examples/benchmark/tls_bench.c in a benchmark tool in wolfSSL through 3.15.7 has a heap-based buffer overflow.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2019 Canonical Ltd.
2019-01-16 03:29:00 UTC
CVE-2019-6439
CVE-2019-6966 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1-628. The AP4_ElstAtom class in Core/Ap4ElstAtom.cpp has an attempted excessive memory allocation related to AP4_Array<AP4_ElstEntry>::EnsureCapacity in Core/Ap4Array.h, as demonstrated by mp42hls.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-01-25 23:29:00 UTC
CVE-2019-6966
CVE-2019-6988 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in OpenJPEG 2.3.0. It allows remote attackers to cause a denial of service (attempted excessive memory allocation) in opj_calloc in openjp2/opj_malloc.c, when called from opj_tcd_init_tile in openjp2/tcd.c, as demonstrated by the 64-bit opj_decompress.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-01-28 16:29:00 UTC
sayun (ghostscript)
https://github.com/uclouvain/openjpeg/issues/1178
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922648
CVE-2019-6988
CVE-2019-7147 on Ubuntu 26.04 LTS (resolute) - low
A buffer over-read exists in the function crc64ib in crc64.c in nasmlib in Netwide Assembler (NASM) 2.14rc16. A crafted asm input can cause segmentation faults, leading to denial-of-service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-01-29 00:29:00 UTC
https://bugzilla.nasm.us/show_bug.cgi?id=3392544
CVE-2019-7147
CVE-2019-7151 on Ubuntu 26.04 LTS (resolute) - medium
A NULL pointer dereference was discovered in wasm::Module::getFunctionOrNull in wasm/wasm.cpp in Binaryen 1.38.22. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by wasm-opt.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-01-29 00:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920853
CVE-2019-7151
CVE-2019-7152 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer over-read was discovered in wasm::WasmBinaryBuilder::processFunctions() in wasm/wasm-binary.cpp (when calling wasm::WasmBinaryBuilder::getFunctionIndexName) in Binaryen 1.38.22. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by wasm-opt.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-01-29 00:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920853
CVE-2019-7152
CVE-2019-7153 on Ubuntu 26.04 LTS (resolute) - medium
A NULL pointer dereference was discovered in wasm::WasmBinaryBuilder::processFunctions() in wasm/wasm-binary.cpp (when calling wasm::WasmBinaryBuilder::getFunctionIndexName) in Binaryen 1.38.22. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by wasm-opt.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-01-29 00:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920853
CVE-2019-7153
CVE-2019-7154 on Ubuntu 26.04 LTS (resolute) - medium
The main function in tools/wasm2js.cpp in Binaryen 1.38.22 has a heap-based buffer overflow because Emscripten is misused, triggering an error in cashew::JSPrinter::printAst() in emscripten-optimizer/simple_ast.h. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by wasm2js.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-01-29 00:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920853
CVE-2019-7154
CVE-2019-7156 on Ubuntu 26.04 LTS (resolute) - low
In libdoc through 2019-01-28, calcFileBlockOffset in ole.c allows division by zero.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-01-29 08:29:00 UTC
CVE-2019-7156
CVE-2019-7233 on Ubuntu 26.04 LTS (resolute) - low
In libdoc through 2019-01-28, doc2text in catdoc.c has a NULL pointer dereference.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-01-30 21:29:00 UTC
CVE-2019-7233
CVE-2019-7313 on Ubuntu 26.04 LTS (resolute) - medium
www/resource.py in Buildbot before 1.8.1 allows CRLF injection in the Location header of /auth/login and /auth/logout via the redirect parameter. This affects other web sites in the same domain.
Update Instructions:
Run `sudo pro fix CVE-2019-7313` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
buildbot - 2.0.0-1
buildbot-worker - 2.0.0-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-03 08:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921271
CVE-2019-7313
CVE-2019-7317 on Ubuntu 26.04 LTS (resolute) - medium
png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
Update Instructions:
Run `sudo pro fix CVE-2019-7317` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
firefox - 67.0+build2-0ubuntu1
No subscription required
thunderbird - 1:60.7.0+build1-0ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04
2019-02-04
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921355
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803
https://github.com/glennrp/libpng/issues/275
[https://ubuntu.com/security/notices/USN-3962-1]
[https://ubuntu.com/security/notices/USN-3991-1]
[https://ubuntu.com/security/notices/USN-3997-1]
[https://ubuntu.com/security/notices/USN-4080-1]
[https://ubuntu.com/security/notices/USN-4083-1]
CVE-2019-7317
CVE-2019-7333 on Ubuntu 26.04 LTS (resolute) - medium
Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'Exportfile' parameter value in the view download (download.php) because proper filtration is omitted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7333
CVE-2019-7334 on Ubuntu 26.04 LTS (resolute) - medium
Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'Exportfile' parameter value in the view export (export.php) because proper filtration is omitted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7334
CVE-2019-7335 on Ubuntu 26.04 LTS (resolute) - medium
Self - Stored XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in the view 'log' as it insecurely prints the 'Log Message' value on the web page without applying any proper filtration. This relates to the view=logs value.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7335
CVE-2019-7336 on Ubuntu 26.04 LTS (resolute) - medium
Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view _monitor_filters.php takes in input from the user and saves it into the session, and retrieves it later (insecurely). The values of the MonitorName and Source parameters are being displayed without any output filtration being applied. This relates to the view=cycle value.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7336
CVE-2019-7337 on Ubuntu 26.04 LTS (resolute) - medium
Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3 as the view 'events' (events.php) insecurely displays the limit parameter value, without applying any proper output filtration. This issue exists because of the function sortHeader() in functions.php, which insecurely returns the value of the limit query string parameter without applying any filtration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7337
CVE-2019-7338 on Ubuntu 26.04 LTS (resolute) - medium
Self - Stored XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in the view 'group' as it insecurely prints the 'Group Name' value on the web page without applying any proper filtration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7338
CVE-2019-7339 on Ubuntu 26.04 LTS (resolute) - medium
POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'level' parameter value in the view log (log.php) because proper filtration is omitted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7339
CVE-2019-7340 on Ubuntu 26.04 LTS (resolute) - medium
POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'filter[Query][terms][0][val]' parameter value in the view filter (filter.php) because proper filtration is omitted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7340
CVE-2019-7341 on Ubuntu 26.04 LTS (resolute) - medium
Reflected - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'newMonitor[LinkedMonitors]' parameter value in the view monitor (monitor.php) because proper filtration is omitted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7341
CVE-2019-7342 on Ubuntu 26.04 LTS (resolute) - medium
POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'filter[AutoExecuteCmd]' parameter value in the view filter (filter.php) because proper filtration is omitted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7342
CVE-2019-7343 on Ubuntu 26.04 LTS (resolute) - medium
Reflected - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'newMonitor[Method]' parameter value in the view monitor (monitor.php) because proper filtration is omitted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7343
CVE-2019-7344 on Ubuntu 26.04 LTS (resolute) - medium
Reflected XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in the view 'filter' as it insecurely prints the 'filter[Name]' (aka Filter name) value on the web page without applying any proper filtration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7344
CVE-2019-7345 on Ubuntu 26.04 LTS (resolute) - low
Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view 'options' (options.php) does no input validation for the WEB_TITLE, HOME_URL, HOME_CONTENT, or WEB_CONSOLE_BANNER value, allowing an attacker to execute HTML or JavaScript code. This relates to functions.php.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7345
CVE-2019-7346 on Ubuntu 26.04 LTS (resolute) - medium
A CSRF check issue exists in ZoneMinder through 1.32.3 as whenever a CSRF check fails, a callback function is called displaying a "Try again" button, which allows resending the failed request, making the CSRF attack successful.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7346
CVE-2019-7347 on Ubuntu 26.04 LTS (resolute) - low
A Time-of-check Time-of-use (TOCTOU) Race Condition exists in ZoneMinder through 1.32.3 as a session remains active for an authenticated user even after deletion from the users table. This allows a nonexistent user to access and modify records (add/delete Monitors, Users, etc.).
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7347
CVE-2019-7348 on Ubuntu 26.04 LTS (resolute) - medium
Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'username' parameter value in the view user (user.php) because proper filtration is omitted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7348
CVE-2019-7349 on Ubuntu 26.04 LTS (resolute) - medium
Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'newMonitor[V4LCapturesPerFrame]' parameter value in the view monitor (monitor.php) because proper filtration is omitted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7349
CVE-2019-7350 on Ubuntu 26.04 LTS (resolute) - medium
Session fixation exists in ZoneMinder through 1.32.3, as an attacker can fixate his own session cookies to the next logged-in user, thereby hijacking the victim's account. This occurs because a set of multiple cookies (between 3 and 5) is being generated when a user successfully logs in, and these sets overlap for successive logins.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7350
CVE-2019-7351 on Ubuntu 26.04 LTS (resolute) - medium
Log Injection exists in ZoneMinder through 1.32.3, as an attacker can entice the victim to visit a specially crafted link, which in turn will inject a custom Log message provided by the attacker in the 'log' view page, as demonstrated by the message=User%20'admin'%20Logged%20in value.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7351
CVE-2019-7352 on Ubuntu 26.04 LTS (resolute) - medium
Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view 'state' (aka Run State) (state.php) does no input validation to the value supplied to the 'New State' (aka newState) field, allowing an attacker to execute HTML or JavaScript code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-04 19:29:00 UTC
CVE-2019-7352
CVE-2019-7629 on Ubuntu 26.04 LTS (resolute) - medium
Stack-based buffer overflow in the strip_vt102_codes function in TinTin++ 2.01.6 and WinTin++ 2.01.6 allows remote attackers to execute arbitrary code by sending a long message to the client.
Update Instructions:
Run `sudo pro fix CVE-2019-7629` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
tintin++ - 2.01.5-2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-18 20:29:00 UTC
CVE-2019-7629
CVE-2019-7663 on Ubuntu 26.04 LTS (resolute) - medium
An Invalid Address dereference was discovered in TIFFWriteDirectoryTagTransferfunction in libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the cpSeparateBufToContigBuf function in tiffcp.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. This is different from CVE-2018-12900.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-09
2019-02-09
http://bugzilla.maptools.org/show_bug.cgi?id=2833
[https://ubuntu.com/security/notices/USN-3906-1]
[https://ubuntu.com/security/notices/USN-3906-2]
CVE-2019-7663
CVE-2019-7697 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 v1.5.1-627. There is an assertion failure in AP4_AtomListWriter::Action in Core/Ap4Atom.cpp, leading to a denial of service (program crash), as demonstrated by mp42hls.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-10 22:29:00 UTC
CVE-2019-7697
CVE-2019-7698 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in AP4_Array<AP4_CttsTableEntry>::EnsureCapacity in Core/Ap4Array.h in Bento4 1.5.1-627. Crafted MP4 input triggers an attempt at excessive memory allocation, as demonstrated by mp42hls, a related issue to CVE-2018-20095.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-10 22:29:00 UTC
CVE-2019-7698
CVE-2019-7699 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer over-read occurs in AP4_BitStream::WriteBytes in Codecs/Ap4BitStream.cpp in Bento4 v1.5.1-627. Remote attackers could leverage this vulnerability to cause an exception via crafted mp4 input, which leads to a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-10 22:29:00 UTC
CVE-2019-7699
CVE-2019-7700 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer over-read was discovered in wasm::WasmBinaryBuilder::visitCall in wasm-binary.cpp in Binaryen 1.38.22. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm-merge.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-10 22:29:00 UTC
CVE-2019-7700
CVE-2019-8287 on Ubuntu 26.04 LTS (resolute) - medium
TightVNC code version 1.3.10 contains a global buffer overflow in the HandleCoRREBBP macro function, which can potentially result in code execution. This attack appears to be exploitable via network connectivity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-10-29 19:15:00 UTC
CVE-2019-8287
CVE-2019-8337 on Ubuntu 26.04 LTS (resolute) - medium
In msmtp 1.8.2 and mpop 1.4.3, when tls_trust_file has its default configuration, certificate-verification results are not properly checked.
Update Instructions:
Run `sudo pro fix CVE-2019-8337` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
mpop - 1.4.3-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-13 20:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922345
CVE-2019-8337
CVE-2019-8343 on Ubuntu 26.04 LTS (resolute) - low
In Netwide Assembler (NASM) 2.14.02, there is a use-after-free in paste_tokens in asm/preproc.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-02-15 07:29:00 UTC
https://bugzilla.nasm.us/show_bug.cgi?id=3392556
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922433
CVE-2019-8343
CVE-2019-8378 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1-628. A heap-based buffer over-read exists in AP4_BitStream::ReadBytes() in Codecs/Ap4BitStream.cpp, a similar issue to CVE-2017-14645. It can be triggered by sending a crafted file to the aac2mp4 binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-17 02:29:00 UTC
CVE-2019-8378
CVE-2019-8380 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1-628. A NULL pointer dereference occurs in AP4_Track::GetSampleIndexForTimeStampMs() located in Core/Ap4Track.cpp. It can be triggered by sending a crafted file to the mp4audioclip binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-17 02:29:00 UTC
CVE-2019-8380
CVE-2019-8382 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1-628. A NULL pointer dereference occurs in the function AP4_List:Find located in Core/Ap4List.h when called from Core/Ap4Movie.cpp. It can be triggered by sending a crafted file to the mp4dump binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-17 02:29:00 UTC
CVE-2019-8382
CVE-2019-8397 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5T_close_real in H5T.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-17 06:29:00 UTC
CVE-2019-8397
CVE-2019-8398 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5T_get_size in H5T.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-17 06:29:00 UTC
CVE-2019-8398
CVE-2019-8423 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-18 00:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922724
CVE-2019-8423
CVE-2019-8424 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-18 00:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922724
CVE-2019-8424
CVE-2019-8426 on Ubuntu 26.04 LTS (resolute) - medium
skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-18 00:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922724
CVE-2019-8426
CVE-2019-8428 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroup[MonitorIds][] value.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-18 00:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922724
CVE-2019-8428
CVE-2019-8429 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-18 00:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922724
CVE-2019-8429
CVE-2019-8457 on Ubuntu 26.04 LTS (resolute) - medium
SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.
Update Instructions:
Run `sudo pro fix CVE-2019-8457` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
lemon - 3.27.2-3
libsqlite3-0 - 3.27.2-3
libsqlite3-ext-csv - 3.27.2-3
libsqlite3-ext-icu - 3.27.2-3
libsqlite3-tcl - 3.27.2-3
sqlite3 - 3.27.2-3
sqlite3-tools - 3.27.2-3
No subscription required
db5.3-util - 5.3.28+dfsg1-0.6ubuntu1
libdb5.3++t64 - 5.3.28+dfsg1-0.6ubuntu1
libdb5.3t64 - 5.3.28+dfsg1-0.6ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-05-31
2019-05-31
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929775
[https://ubuntu.com/security/notices/USN-4004-1]
[https://ubuntu.com/security/notices/USN-4004-2]
[https://ubuntu.com/security/notices/USN-4019-1]
[https://ubuntu.com/security/notices/USN-4019-2]
CVE-2019-8457
CVE-2019-8943 on Ubuntu 26.04 LTS (resolute) - medium
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-20 03:29:00 UTC
CVE-2019-8943
CVE-2019-9151 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5VM_memcpyvv in H5VM.c when called from H5D__compact_readvv in H5Dcompact.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-25 19:29:00 UTC
CVE-2019-9151
CVE-2019-9152 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5MM_xstrdup in H5MM.c when called from H5O_dtype_decode_helper in H5Odtype.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-02-25 19:29:00 UTC
CVE-2019-9152
CVE-2019-9186 on Ubuntu 26.04 LTS (resolute) - medium
In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server listens on all interfaces (instead of listening on only the localhost interface). This issue has been fixed in the following versions: 2019.1, 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-03 19:15:00 UTC
CVE-2019-9186
CVE-2019-9423 on Ubuntu 26.04 LTS (resolute) - medium
In opencv calls that use libpng, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges required. User interaction is not required for exploitation. Product: Android Versions: Android-10 Android ID: A-110986616
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-27 19:15:00 UTC
CVE-2019-9423
CVE-2019-9512 on Ubuntu 26.04 LTS (resolute) - medium
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Update Instructions:
Run `sudo pro fix CVE-2019-9512` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-twisted - 18.9.0-6ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-13
2019-08-13
Jonathan Looney of Netflix
https://github.com/golang/go/issues/33606
[https://ubuntu.com/security/notices/USN-4308-1]
[https://ubuntu.com/security/notices/USN-4866-1]
CVE-2019-9512
CVE-2019-9514 on Ubuntu 26.04 LTS (resolute) - medium
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
Update Instructions:
Run `sudo pro fix CVE-2019-9514` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-twisted - 18.9.0-6ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-13
2019-08-13
Jonathan Looney of Netflix
https://github.com/golang/go/issues/33606
[https://ubuntu.com/security/notices/USN-4308-1]
[https://ubuntu.com/security/notices/USN-4866-1]
CVE-2019-9514
CVE-2019-9515 on Ubuntu 26.04 LTS (resolute) - medium
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Update Instructions:
Run `sudo pro fix CVE-2019-9515` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-twisted - 18.9.0-6ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-08-13
2019-08-13
Jonathan Looney of Netflix
[https://ubuntu.com/security/notices/USN-4308-1]
[https://ubuntu.com/security/notices/USN-4866-1]
CVE-2019-9515
CVE-2019-9543 on Ubuntu 26.04 LTS (resolute) - negligible
An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readGenericBitmap() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfseparate binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JArithmeticDecoder::decodeBit.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2019 Canonical Ltd.
2019-03-01 19:29:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923553
https://gitlab.freedesktop.org/poppler/poppler/issues/730
CVE-2019-9543
CVE-2019-9544 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.5.1-628. An out of bounds write occurs in AP4_CttsTableEntry::AP4_CttsTableEntry() located in Core/Ap4Array.h. It can be triggered by sending a crafted file to (for example) the mp42hls binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-03-01 19:29:00 UTC
CVE-2019-9544
CVE-2019-9545 on Ubuntu 26.04 LTS (resolute) - negligible
An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readTextRegion() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JBIG2Bitmap::clearToZero.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2019 Canonical Ltd.
2019-03-01 19:29:00 UTC
https://gitlab.freedesktop.org/poppler/poppler/issues/731
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923552
CVE-2019-9545
CVE-2019-9587 on Ubuntu 26.04 LTS (resolute) - negligible
There is a stack consumption issue in md5Round1() located in Decrypt.cc in Xpdf 4.01. It can be triggered by sending a crafted pdf file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to Catalog::countPageTree.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2019 Canonical Ltd.
2019-03-06 08:29:00 UTC
CVE-2019-9587
CVE-2019-9588 on Ubuntu 26.04 LTS (resolute) - low
There is an Invalid memory access in gAtomicIncrement() located at GMutex.h in Xpdf 4.01. It can be triggered by sending a crafted pdf file to (for example) the pdftops binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-03-06 08:29:00 UTC
CVE-2019-9588
CVE-2019-9717 on Ubuntu 26.04 LTS (resolute) - medium
In Libav 12.3, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c has a complex format argument to sscanf.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-19 21:15:00 UTC
CVE-2019-9717
CVE-2019-9720 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow in the subtitle decoder in Libav 12.3 allows attackers to corrupt the stack via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c misuses snprintf.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-09-19 21:15:00 UTC
CVE-2019-9720
CVE-2019-9746 on Ubuntu 26.04 LTS (resolute) - low
In libwebm before 2019-03-08, a NULL pointer dereference caused by the functions OutputCluster and OutputTracks in webm_info.cc will trigger an abort, which allows a DoS attack, a similar issue to CVE-2018-19212.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-03-13 16:29:00 UTC
CVE-2019-9746
CVE-2019-9823 on Ubuntu 26.04 LTS (resolute) - medium
In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to saving a cleartext record of the server credentials in the IDE configuration files. The issue has been fixed in the following versions: 2018.3.5, 2018.2.8, 2018.1.8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-03 19:15:00 UTC
CVE-2019-9823
CVE-2019-9873 on Ubuntu 26.04 LTS (resolute) - medium
In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2019 Canonical Ltd.
2019-07-03 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747616
CVE-2019-9873
CVE-2019-9904 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\cgraph\graph.c in libcgraph.a, related to agfstsubg in lib\cgraph\subg.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2019 Canonical Ltd.
2019-03-21 18:29:00 UTC
https://gitlab.com/graphviz/graphviz/issues/1512
CVE-2019-9904
CVE-2020-0093 on Ubuntu 26.04 LTS (resolute) - low
In exif_data_save_data_entry of exif-data.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-8.0 Android-8.1 Android-9 Android-10 Android ID: A-148705132
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-05-14 21:15:00 UTC
2020-05-14 21:15:00 UTC
https://github.com/libexif/libexif/issues/42
[https://ubuntu.com/security/notices/USN-4396-1]
CVE-2020-0093
CVE-2020-10134 on Ubuntu 26.04 LTS (resolute) - medium
Pairing in Bluetooth® Core v5.2 and earlier may permit an unauthenticated attacker to acquire credentials with two pairing devices via adjacent access when the unauthenticated user initiates different pairing methods in each peer device and an end-user erroneously completes both pairing procedures with the MITM using the confirmation number of one peer as the passkey of the other. An adjacent, unauthenticated attacker could be able to initiate any Bluetooth operation on either attacked device exposed by the enabled Bluetooth profiles. This exposure may be limited when the user must authorize certain access explicitly, but so long as a user assumes that it is the intended remote device requesting permissions, device-local protections may be weakened.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-05-19 16:15:00 UTC
CVE-2020-10134
CVE-2020-10188 on Ubuntu 26.04 LTS (resolute) - medium
utility.c in telnetd in netkit telnet through 0.17 allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-03-06 15:15:00 UTC
2020-03-06 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953477
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953478
[https://ubuntu.com/security/notices/USN-5048-1]
[https://ubuntu.com/security/notices/USN-5048-2]
[https://ubuntu.com/security/notices/USN-7781-1]
CVE-2020-10188
CVE-2020-10233 on Ubuntu 26.04 LTS (resolute) - medium
In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a heap-based buffer over-read in ntfs_dinode_lookup in fs/ntfs.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-03-09 00:15:00 UTC
CVE-2020-10233
CVE-2020-10650 on Ubuntu 26.04 LTS (resolute) - medium
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-26 20:15:00 UTC
CVE-2020-10650
CVE-2020-10687 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-23 13:15:00 UTC
CVE-2020-10687
CVE-2020-10688 on Ubuntu 26.04 LTS (resolute) - medium
A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-27 19:15:00 UTC
2021-05-27 19:15:00 UTC
Nikos Papadopoulos
[https://ubuntu.com/security/notices/USN-7351-1]
[https://ubuntu.com/security/notices/USN-7630-1]
CVE-2020-10688
CVE-2020-10693 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-05-06 14:15:00 UTC
CVE-2020-10693
CVE-2020-10705 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-10 20:15:00 UTC
CVE-2020-10705
CVE-2020-10719 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-05-26 16:15:00 UTC
CVE-2020-10719
CVE-2020-10814 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow vulnerability in Code::Blocks 17.12 allows an attacker to execute arbitrary code via a crafted project file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-08 19:15:00 UTC
CVE-2020-10814
CVE-2020-11013 on Ubuntu 26.04 LTS (resolute) - low
There is an information disclosure vulnerability in Helm from version 3.1.0 and before version 3.2.0. `lookup` is a Helm template function introduced in Helm v3. It is able to lookup resources in the cluster to check for the existence of specific resources and get details about them. This can be used as part of the process to render templates. The documented behavior of `helm template` states that it does not attach to a remote cluster. However, the recently added `lookup` template function circumvents this restriction and connects to the cluster even during `helm template` and `helm install|update|delete|rollback --dry-run`. The user is not notified of this behavior. Running `helm template` should not make calls to a cluster. This is different from `install`, which is presumed to have access to a cluster in order to load resources into Kubernetes. Helm 2 is unaffected by this vulnerability. A malicious chart author could inject a `lookup` into a chart that, when rendered through `helm template`, performs unannounced lookups against the cluster a user's `KUBECONFIG` file points to. This information can then be disclosed via the output of `helm template`. This issue has been fixed in Helm 3.2.0
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-04-24 20:15:00 UTC
CVE-2020-11013
CVE-2020-11025 on Ubuntu 26.04 LTS (resolute) - medium
In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-30 22:15:00 UTC
CVE-2020-11025
CVE-2020-11026 on Ubuntu 26.04 LTS (resolute) - medium
In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-30 23:15:00 UTC
CVE-2020-11026
CVE-2020-11027 on Ubuntu 26.04 LTS (resolute) - medium
In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-30 23:15:00 UTC
CVE-2020-11027
CVE-2020-11028 on Ubuntu 26.04 LTS (resolute) - medium
In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-30 23:15:00 UTC
CVE-2020-11028
CVE-2020-11029 on Ubuntu 26.04 LTS (resolute) - medium
In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-30 23:15:00 UTC
CVE-2020-11029
CVE-2020-11030 on Ubuntu 26.04 LTS (resolute) - medium
In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-30 23:15:00 UTC
CVE-2020-11030
CVE-2020-11690 on Ubuntu 26.04 LTS (resolute) - medium
In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-22 14:15:00 UTC
CVE-2020-11690
CVE-2020-11709 on Ubuntu 26.04 LTS (resolute) - low
cpp-httplib through 0.5.8 does not filter \r\n in parameters passed into the set_redirect and set_header functions, which creates possibilities for CRLF injection and HTTP response splitting in some specific contexts.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-04-12 14:15:00 UTC
https://github.com/yhirose/cpp-httplib/issues/425
CVE-2020-11709
CVE-2020-11721 on Ubuntu 26.04 LTS (resolute) - medium
load_png in loader.c in libsixel.a in libsixel 1.8.6 has an uninitialized pointer leading to an invalid call to free, which can cause a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-12 19:15:00 UTC
CVE-2020-11721
CVE-2020-11935 on Ubuntu 26.04 LTS (resolute) - medium
It was discovered that aufs improperly managed inode reference counts in the vfsub_dentry_open() method. A local attacker could use this vulnerability to cause a denial of service attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-29
2020-06-29
Mauricio Faria de Oliveira
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1873074
[https://ubuntu.com/security/notices/USN-4425-1]
[https://ubuntu.com/security/notices/USN-4426-1]
[https://ubuntu.com/security/notices/USN-4427-1]
[https://ubuntu.com/security/notices/USN-4439-1]
[https://ubuntu.com/security/notices/USN-4440-1]
CVE-2020-11935
CVE-2020-11986 on Ubuntu 26.04 LTS (resolute) - medium
To be able to analyze gradle projects, the build scripts need to be executed. Apache NetBeans follows this pattern. This causes the code of the build script to be invoked at load time of the project. Apache NetBeans up to and including 12.0 did not request consent from the user for the analysis of the project at load time. This in turn will run potentially malicious code, from an external source, without the consent of the user.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-09 16:15:00 UTC
CVE-2020-11986
CVE-2020-11987 on Ubuntu 26.04 LTS (resolute) - medium
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-24 18:15:00 UTC
2021-02-24 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-6117-1]
CVE-2020-11987
CVE-2020-11988 on Ubuntu 26.04 LTS (resolute) - medium
Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-24 18:15:00 UTC
CVE-2020-11988
CVE-2020-11998 on Ubuntu 26.04 LTS (resolute) - medium
A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html "A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code." Mitigation: Upgrade to Apache ActiveMQ 5.15.13
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-10 19:15:00 UTC
CVE-2020-11998
CVE-2020-12050 on Ubuntu 26.04 LTS (resolute) - low
SQLiteODBC 0.9996, as packaged for certain Linux distributions as 0.9996-4, has a race condition leading to root privilege escalation because any user can replace a /tmp/sqliteodbc$$ file with new contents that cause loading of an arbitrary library.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-04-30 17:15:00 UTC
CVE-2020-12050
CVE-2020-12135 on Ubuntu 26.04 LTS (resolute) - medium
bson before 0.8 incorrectly uses int rather than size_t for many variables, parameters, and return values. In particular, the bson_ensure_space() parameter bytesNeeded could have an integer overflow via properly constructed bson input.
Update Instructions:
Run `sudo pro fix CVE-2020-12135` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libwhoopsie0 - 0.2.71
whoopsie - 0.2.71
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-24 01:15:00 UTC
2020-04-24 01:15:00 UTC
Seong-Joong Kim
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958998
https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1872560
[https://ubuntu.com/security/notices/USN-4450-1]
CVE-2020-12135
CVE-2020-12695 on Ubuntu 26.04 LTS (resolute) - medium
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
Update Instructions:
Run `sudo pro fix CVE-2020-12695` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
eapoltest - 2:2.9-1ubuntu10
hostapd - 2:2.9-1ubuntu10
wpagui - 2:2.9-1ubuntu10
wpasupplicant - 2:2.9-1ubuntu10
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-08 17:15:00 UTC
2020-06-08 17:15:00 UTC
https://github.com/pupnp/pupnp/pull/181
https://github.com/pupnp/pupnp/pull/185
https://github.com/pupnp/pupnp/pull/188
[https://ubuntu.com/security/notices/USN-4494-1]
[https://ubuntu.com/security/notices/USN-4722-1]
[https://ubuntu.com/security/notices/USN-4734-1]
[https://ubuntu.com/security/notices/USN-4734-2]
CVE-2020-12695
CVE-2020-12872 on Ubuntu 26.04 LTS (resolute) - low
yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks, if running on an Erlang/OTP virtual machine with a version less than 21.0.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-05-15 19:15:00 UTC
CVE-2020-12872
CVE-2020-13124 on Ubuntu 26.04 LTS (resolute) - medium
SABnzbd 2.3.9 and 3.0.0Alpha2 has a command injection vulnerability in the web configuration interface that permits an authenticated user to execute arbitrary Python commands on the underlying operating system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-11 16:15:00 UTC
CVE-2020-13124
CVE-2020-13152 on Ubuntu 26.04 LTS (resolute) - low
A remote user can create a specially crafted M3U file, media playlist file that when loaded by the target user, will trigger a memory leak, whereby Amarok 2.8.0 continue to waste resources over time, eventually allows attackers to cause a denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-05-20 13:15:00 UTC
CVE-2020-13152
CVE-2020-13529 on Ubuntu 26.04 LTS (resolute) - low
An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DHCP ACK packets to reconfigure the server.
Update Instructions:
Run `sudo pro fix CVE-2020-13529` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnss-myhostname - 248.3-1ubuntu3
libnss-mymachines - 248.3-1ubuntu3
libnss-resolve - 248.3-1ubuntu3
libnss-systemd - 248.3-1ubuntu3
libpam-systemd - 248.3-1ubuntu3
libsystemd-shared - 248.3-1ubuntu3
libsystemd0 - 248.3-1ubuntu3
libudev1 - 248.3-1ubuntu3
systemd - 248.3-1ubuntu3
systemd-boot - 248.3-1ubuntu3
systemd-boot-efi - 248.3-1ubuntu3
systemd-boot-tools - 248.3-1ubuntu3
systemd-container - 248.3-1ubuntu3
systemd-coredump - 248.3-1ubuntu3
systemd-cryptsetup - 248.3-1ubuntu3
systemd-homed - 248.3-1ubuntu3
systemd-journal-remote - 248.3-1ubuntu3
systemd-oomd - 248.3-1ubuntu3
systemd-repart - 248.3-1ubuntu3
systemd-resolved - 248.3-1ubuntu3
systemd-standalone-shutdown - 248.3-1ubuntu3
systemd-standalone-sysusers - 248.3-1ubuntu3
systemd-standalone-tmpfiles - 248.3-1ubuntu3
systemd-sysv - 248.3-1ubuntu3
systemd-tests - 248.3-1ubuntu3
systemd-timesyncd - 248.3-1ubuntu3
systemd-ukify - 248.3-1ubuntu3
systemd-userdbd - 248.3-1ubuntu3
udev - 248.3-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-10 16:15:00 UTC
2021-05-10 16:15:00 UTC
Mitchell Frank
https://github.com/systemd/systemd/issues/16774
https://bugzilla.redhat.com/show_bug.cgi?id=1959398
[https://ubuntu.com/security/notices/USN-5013-1]
[https://ubuntu.com/security/notices/USN-5013-2]
CVE-2020-13529
CVE-2020-13578 on Ubuntu 26.04 LTS (resolute) - medium
A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-10 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983596
CVE-2020-13578
CVE-2020-13791 on Ubuntu 26.04 LTS (resolute) - low
hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-06-04 16:15:00 UTC
Ren Ding, Hanqing Zhao, Yi Ren
CVE-2020-13791
CVE-2020-13802 on Ubuntu 26.04 LTS (resolute) - medium
Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-02 17:15:00 UTC
CVE-2020-13802
CVE-2020-13844 on Ubuntu 26.04 LTS (resolute) - medium
Arm Armv8-A core implementations utilizing speculative execution past unconditional changes in control flow may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka "straight-line speculation."
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-08 23:15:00 UTC
CVE-2020-13844
CVE-2020-13845 on Ubuntu 26.04 LTS (resolute) - medium
Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-07-14 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965040
CVE-2020-13845
CVE-2020-13846 on Ubuntu 26.04 LTS (resolute) - low
Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a Status Code.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-07-14 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965040
CVE-2020-13846
CVE-2020-13847 on Ubuntu 26.04 LTS (resolute) - medium
Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Check. Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-07-14 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965040
CVE-2020-13847
CVE-2020-13941 on Ubuntu 26.04 LTS (resolute) - medium
Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows commands backup, restore and deleteBackup. Each of these take a location parameter, which was not validated, i.e you could read/write to any location the solr user can access.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-17 13:15:00 UTC
CVE-2020-13941
CVE-2020-13947 on Ubuntu 26.04 LTS (resolute) - medium
An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ versions 5.15.12 through 5.16.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-08 22:15:00 UTC
CVE-2020-13947
CVE-2020-13949 on Ubuntu 26.04 LTS (resolute) - low
In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-02-12 20:15:00 UTC
CVE-2020-13949
CVE-2020-14001 on Ubuntu 26.04 LTS (resolute) - medium
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
Update Instructions:
Run `sudo pro fix CVE-2020-14001` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
kramdown - 2.3.0-4
ruby-kramdown - 2.3.0-4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-07-17 16:15:00 UTC
2020-07-17 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965305
[https://ubuntu.com/security/notices/USN-4562-1]
[https://ubuntu.com/security/notices/USN-4562-2]
CVE-2020-14001
CVE-2020-14004 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dirs script (run as part of the icinga2 systemd service) executes chmod 2750 /run/icinga2/cmd. /run/icinga2 is under control of an unprivileged user by default. If /run/icinga2/cmd is a symlink, then it will be followed and arbitrary files can be changed to mode 2750 by the unprivileged icinga2 user.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-12 16:15:00 UTC
CVE-2020-14004
CVE-2020-14019 on Ubuntu 26.04 LTS (resolute) - medium
Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/target/saveconfig.json because shutil.copyfile (instead of shutil.copy) is used, and thus permissions are not preserved.
Update Instructions:
Run `sudo pro fix CVE-2020-14019` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-rtslib-fb - 2.1.73-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-19 11:15:00 UTC
CVE-2020-14019
CVE-2020-14152 on Ubuntu 26.04 LTS (resolute) - low
In IJG JPEG (aka libjpeg) before 9d, jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-06-15 17:15:00 UTC
2020-06-15 17:15:00 UTC
https://bugs.gentoo.org/727908
[https://ubuntu.com/security/notices/USN-5497-1]
[https://ubuntu.com/security/notices/USN-5553-1]
[https://ubuntu.com/security/notices/USN-5497-2]
[https://ubuntu.com/security/notices/USN-5336-1]
CVE-2020-14152
CVE-2020-14304 on Ubuntu 26.04 LTS (resolute) - low
A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-09-15 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960702
https://bugzilla.redhat.com/show_bug.cgi?id=1847539
https://bugzilla.suse.com/show_bug.cgi?id=1173327
CVE-2020-14304
CVE-2020-14315 on Ubuntu 26.04 LTS (resolute) - medium
A memory corruption vulnerability is present in bspatch as shipped in Colin Percival’s bsdiff tools version 4.3. Insufficient checks when handling external inputs allows an attacker to bypass the sanity checks in place and write out of a dynamically allocated buffer boundaries.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-16 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964796
CVE-2020-14315
CVE-2020-14326 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-02 12:15:00 UTC
CVE-2020-14326
CVE-2020-14332 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-09-11 18:15:00 UTC
CVE-2020-14332
CVE-2020-14355 on Ubuntu 26.04 LTS (resolute) - medium
Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution.
Update Instructions:
Run `sudo pro fix CVE-2020-14355` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libspice-server1 - 0.14.3-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-06 12:00:00 UTC
2020-10-06 12:00:00 UTC
Frediano Ziglio
[https://ubuntu.com/security/notices/USN-4572-1]
[https://ubuntu.com/security/notices/USN-4572-2]
CVE-2020-14355
CVE-2020-14356 on Ubuntu 26.04 LTS (resolute) - medium
A NULL pointer dereference flaw was found in the Linux kernel cgroupv2 subsystem in versions before 5.7.10, in the way the system is rebooted. A local user could use this flaw to crash the system or escalate their privileges on the system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-19 15:15:00 UTC
2020-08-19 15:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1868453
[https://ubuntu.com/security/notices/USN-4483-1]
[https://ubuntu.com/security/notices/USN-4484-1]
[https://ubuntu.com/security/notices/USN-4526-1]
CVE-2020-14356
CVE-2020-14365 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-23 13:15:00 UTC
CVE-2020-14365
CVE-2020-14367 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in chrony versions before 3.5.1 when creating the PID file under the /var/run/chrony folder. The file is created during chronyd startup while still running as the root user, and when it's opened for writing, chronyd does not check for an existing symbolic link with the same file name. This flaw allows an attacker with privileged access to create a symlink with the default PID file name pointing to any destination file in the system, resulting in data loss and a denial of service due to the path traversal.
Update Instructions:
Run `sudo pro fix CVE-2020-14367` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
chrony - 3.5.1-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-24 15:15:00 UTC
2020-08-24 15:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1870298
[https://ubuntu.com/security/notices/USN-4475-1]
CVE-2020-14367
CVE-2020-14396 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in LibVNCServer before 0.9.13. libvncclient/tls_openssl.c has a NULL pointer dereference.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-17 16:15:00 UTC
2020-06-17 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-4434-1]
CVE-2020-14396
CVE-2020-14397 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in LibVNCServer before 0.9.13. libvncserver/rfbregion.c has a NULL pointer dereference.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-17 16:15:00 UTC
2020-06-17 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-4434-1]
[https://ubuntu.com/security/notices/USN-4573-1]
CVE-2020-14397
CVE-2020-14398 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in LibVNCServer before 0.9.13. An improperly closed TCP connection causes an infinite loop in libvncclient/sockets.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-17 16:15:00 UTC
2020-06-17 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-4434-1]
CVE-2020-14398
CVE-2020-14401 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in LibVNCServer before 0.9.13. libvncserver/scale.c has a pixel_value integer overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-17 16:15:00 UTC
2020-06-17 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-4434-1]
CVE-2020-14401
CVE-2020-14402 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in LibVNCServer before 0.9.13. libvncserver/corre.c allows out-of-bounds access via encodings.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-17 16:15:00 UTC
2020-06-17 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-4434-1]
[https://ubuntu.com/security/notices/USN-4573-1]
CVE-2020-14402
CVE-2020-14403 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in LibVNCServer before 0.9.13. libvncserver/hextile.c allows out-of-bounds access via encodings.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-17 16:15:00 UTC
2020-06-17 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-4434-1]
[https://ubuntu.com/security/notices/USN-4573-1]
CVE-2020-14403
CVE-2020-14404 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in LibVNCServer before 0.9.13. libvncserver/rre.c allows out-of-bounds access via encodings.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-17 16:15:00 UTC
2020-06-17 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-4434-1]
[https://ubuntu.com/security/notices/USN-4573-1]
CVE-2020-14404
CVE-2020-14405 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in LibVNCServer before 0.9.13. libvncclient/rfbproto.c does not limit TextChat size.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-17 16:15:00 UTC
2020-06-17 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-4434-1]
CVE-2020-14405
CVE-2020-14711 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.44, prior to 6.0.24 and prior to 6.1.12. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: The CVE-2020-14711 is applicable to macOS host only. CVSS 3.1 Base Score 6.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-07-15 18:15:00 UTC
CVE-2020-14711
CVE-2020-14779 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Update Instructions:
Run `sudo pro fix CVE-2020-14779` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.9+11-0ubuntu2
openjdk-11-jdk - 11.0.9+11-0ubuntu2
openjdk-11-jdk-headless - 11.0.9+11-0ubuntu2
openjdk-11-jre - 11.0.9+11-0ubuntu2
openjdk-11-jre-headless - 11.0.9+11-0ubuntu2
openjdk-11-jre-zero - 11.0.9+11-0ubuntu2
openjdk-11-source - 11.0.9+11-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-21 15:15:00 UTC
2020-10-21 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-4607-1]
[https://ubuntu.com/security/notices/USN-4607-2]
CVE-2020-14779
CVE-2020-14781 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
Update Instructions:
Run `sudo pro fix CVE-2020-14781` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.9+11-0ubuntu2
openjdk-11-jdk - 11.0.9+11-0ubuntu2
openjdk-11-jdk-headless - 11.0.9+11-0ubuntu2
openjdk-11-jre - 11.0.9+11-0ubuntu2
openjdk-11-jre-headless - 11.0.9+11-0ubuntu2
openjdk-11-jre-zero - 11.0.9+11-0ubuntu2
openjdk-11-source - 11.0.9+11-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-21 15:15:00 UTC
2020-10-21 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-4607-1]
[https://ubuntu.com/security/notices/USN-4607-2]
CVE-2020-14781
CVE-2020-14782 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2020-14782` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.9+11-0ubuntu2
openjdk-11-jdk - 11.0.9+11-0ubuntu2
openjdk-11-jdk-headless - 11.0.9+11-0ubuntu2
openjdk-11-jre - 11.0.9+11-0ubuntu2
openjdk-11-jre-headless - 11.0.9+11-0ubuntu2
openjdk-11-jre-zero - 11.0.9+11-0ubuntu2
openjdk-11-source - 11.0.9+11-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-21 15:15:00 UTC
2020-10-21 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-4607-1]
[https://ubuntu.com/security/notices/USN-4607-2]
CVE-2020-14782
CVE-2020-14792 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2020-14792` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.9+11-0ubuntu2
openjdk-11-jdk - 11.0.9+11-0ubuntu2
openjdk-11-jdk-headless - 11.0.9+11-0ubuntu2
openjdk-11-jre - 11.0.9+11-0ubuntu2
openjdk-11-jre-headless - 11.0.9+11-0ubuntu2
openjdk-11-jre-zero - 11.0.9+11-0ubuntu2
openjdk-11-source - 11.0.9+11-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-21 15:15:00 UTC
2020-10-21 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-4607-1]
[https://ubuntu.com/security/notices/USN-4607-2]
CVE-2020-14792
CVE-2020-14796 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
Update Instructions:
Run `sudo pro fix CVE-2020-14796` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.9+11-0ubuntu2
openjdk-11-jdk - 11.0.9+11-0ubuntu2
openjdk-11-jdk-headless - 11.0.9+11-0ubuntu2
openjdk-11-jre - 11.0.9+11-0ubuntu2
openjdk-11-jre-headless - 11.0.9+11-0ubuntu2
openjdk-11-jre-zero - 11.0.9+11-0ubuntu2
openjdk-11-source - 11.0.9+11-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-21 15:15:00 UTC
2020-10-21 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-4607-1]
[https://ubuntu.com/security/notices/USN-4607-2]
CVE-2020-14796
CVE-2020-14797 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2020-14797` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.9+11-0ubuntu2
openjdk-11-jdk - 11.0.9+11-0ubuntu2
openjdk-11-jdk-headless - 11.0.9+11-0ubuntu2
openjdk-11-jre - 11.0.9+11-0ubuntu2
openjdk-11-jre-headless - 11.0.9+11-0ubuntu2
openjdk-11-jre-zero - 11.0.9+11-0ubuntu2
openjdk-11-source - 11.0.9+11-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-21 15:15:00 UTC
2020-10-21 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-4607-1]
[https://ubuntu.com/security/notices/USN-4607-2]
CVE-2020-14797
CVE-2020-14798 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2020-14798` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.9+11-0ubuntu2
openjdk-11-jdk - 11.0.9+11-0ubuntu2
openjdk-11-jdk-headless - 11.0.9+11-0ubuntu2
openjdk-11-jre - 11.0.9+11-0ubuntu2
openjdk-11-jre-headless - 11.0.9+11-0ubuntu2
openjdk-11-jre-zero - 11.0.9+11-0ubuntu2
openjdk-11-source - 11.0.9+11-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-21 15:15:00 UTC
2020-10-21 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-4607-1]
[https://ubuntu.com/security/notices/USN-4607-2]
CVE-2020-14798
CVE-2020-14803 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Update Instructions:
Run `sudo pro fix CVE-2020-14803` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.9+11-0ubuntu2
openjdk-11-jdk - 11.0.9+11-0ubuntu2
openjdk-11-jdk-headless - 11.0.9+11-0ubuntu2
openjdk-11-jre - 11.0.9+11-0ubuntu2
openjdk-11-jre-headless - 11.0.9+11-0ubuntu2
openjdk-11-jre-zero - 11.0.9+11-0ubuntu2
openjdk-11-source - 11.0.9+11-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-21 15:15:00 UTC
2020-10-21 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-4607-1]
[https://ubuntu.com/security/notices/USN-4607-2]
CVE-2020-14803
CVE-2020-14938 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in map.c in FreedroidRPG 1.0rc2. It assumes lengths of data sets read from saved game files. It copies data from a file into a fixed-size heap-allocated buffer without size verification, leading to a heap-based buffer overflow.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-06-23 10:15:00 UTC
CVE-2020-14938
CVE-2020-14939 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in savestruct_internal.c in FreedroidRPG 1.0rc2. Saved game files are composed of Lua scripts that recover a game's state. A file can be modified to put any Lua code inside, leading to arbitrary code execution while loading.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-23 10:15:00 UTC
CVE-2020-14939
CVE-2020-14940 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in io/gpx/GPXDocumentReader.java in TuxGuitar 1.5.4. It uses misconfigured XML parsers, leading to XXE while loading GP6 (.gpx) and GP7 (.gp) tablature files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-23 10:15:00 UTC
CVE-2020-14940
CVE-2020-15005 on Ubuntu 26.04 LTS (resolute) - medium
In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the img_auth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs because Cache-Control and Vary headers were mishandled.
Update Instructions:
Run `sudo pro fix CVE-2020-15005` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
mediawiki - 1:1.31.8-1
mediawiki-classes - 1:1.31.8-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-24 23:15:00 UTC
CVE-2020-15005
CVE-2020-15106 on Ubuntu 26.04 LTS (resolute) - medium
In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-05 19:15:00 UTC
2020-08-05 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-5628-1]
[https://ubuntu.com/security/notices/USN-5628-2]
CVE-2020-15106
CVE-2020-15112 on Ubuntu 26.04 LTS (resolute) - medium
In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater than the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-05 20:15:00 UTC
2020-08-05 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-5628-1]
[https://ubuntu.com/security/notices/USN-5628-2]
CVE-2020-15112
CVE-2020-15113 on Ubuntu 26.04 LTS (resolute) - medium
In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-05 20:15:00 UTC
2020-08-05 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-5628-1]
[https://ubuntu.com/security/notices/USN-5628-2]
CVE-2020-15113
CVE-2020-15115 on Ubuntu 26.04 LTS (resolute) - low
etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-08-06 22:15:00 UTC
CVE-2020-15115
CVE-2020-15121 on Ubuntu 26.04 LTS (resolute) - medium
In radare2 before version 4.5.0, malformed PDB file names in the PDB server path cause shell injection. To trigger the problem it's required to open the executable in radare2 and run idpd to trigger the download. The shell code will execute, and will create a file called pwned in the current directory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-07-20 18:15:00 UTC
https://bugs.launchpad.net/bugs/1888338
CVE-2020-15121
CVE-2020-15133 on Ubuntu 26.04 LTS (resolute) - medium
In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is recommended.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-07-31 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967061
CVE-2020-15133
CVE-2020-15136 on Ubuntu 26.04 LTS (resolute) - medium
In etcd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. This has been fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-06 23:15:00 UTC
CVE-2020-15136
CVE-2020-15169 on Ubuntu 26.04 LTS (resolute) - medium
In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-11 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970040
CVE-2020-15169
CVE-2020-15225 on Ubuntu 26.04 LTS (resolute) - medium
django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter before version 2.4.0, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from malicious input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a `MaxValueValidator` with a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()` which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-29 21:15:00 UTC
CVE-2020-15225
CVE-2020-15254 on Ubuntu 26.04 LTS (resolute) - medium
Crossbeam is a set of tools for concurrent programming. In crossbeam-channel before version 0.4.4, the bounded channel incorrectly assumes that `Vec::from_iter` has allocated capacity that is the same as the number of iterator elements. `Vec::from_iter` does not actually guarantee that and may allocate extra memory. The destructor of the `bounded` channel reconstructs `Vec` from the raw pointer based on the incorrect assumption described above. This is unsound and causes deallocation with the incorrect capacity when `Vec::from_iter` has allocated a size different from the number of iterator elements. This has been fixed in crossbeam-channel 0.4.4.
Update Instructions:
Run `sudo pro fix CVE-2020-15254` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
firefox - 82.0.2+build1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-22
2020-10-22
[https://ubuntu.com/security/notices/USN-4599-1]
[https://ubuntu.com/security/notices/USN-4599-2]
CVE-2020-15254
CVE-2020-15365 on Ubuntu 26.04 LTS (resolute) - medium
LibRaw before 0.20-Beta3 has an out-of-bounds write in parse_exif() in metadata\exif_gps.cpp via an unrecognized AtomName and a zero value of tiff_nifds.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-28 13:15:00 UTC
CVE-2020-15365
CVE-2020-15396 on Ubuntu 26.04 LTS (resolute) - low
In HylaFAX+ through 7.0.2 and HylaFAX Enterprise, the faxsetup utility calls chown on files in user-owned directories. By winning a race, a local attacker could use this to escalate his privileges to root.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-06-30 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964198
CVE-2020-15396
CVE-2020-15397 on Ubuntu 26.04 LTS (resolute) - low
HylaFAX+ through 7.0.2 and HylaFAX Enterprise have scripts that execute binaries from directories writable by unprivileged users (e.g., locations under /var/spool/hylafax that are writable by the uucp account). This allows these users to execute code in the context of the user calling these binaries (often root).
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-06-30 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964198
CVE-2020-15397
CVE-2020-15469 on Ubuntu 26.04 LTS (resolute) - low
In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
Update Instructions:
Run `sudo pro fix CVE-2020-15469` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:6.0+dfsg-1~ubuntu3
qemu-block-supplemental - 1:6.0+dfsg-1~ubuntu3
qemu-guest-agent - 1:6.0+dfsg-1~ubuntu3
qemu-system - 1:6.0+dfsg-1~ubuntu3
qemu-system-arm - 1:6.0+dfsg-1~ubuntu3
qemu-system-common - 1:6.0+dfsg-1~ubuntu3
qemu-system-data - 1:6.0+dfsg-1~ubuntu3
qemu-system-gui - 1:6.0+dfsg-1~ubuntu3
qemu-system-mips - 1:6.0+dfsg-1~ubuntu3
qemu-system-misc - 1:6.0+dfsg-1~ubuntu3
qemu-system-modules-opengl - 1:6.0+dfsg-1~ubuntu3
qemu-system-modules-spice - 1:6.0+dfsg-1~ubuntu3
qemu-system-ppc - 1:6.0+dfsg-1~ubuntu3
qemu-system-riscv - 1:6.0+dfsg-1~ubuntu3
qemu-system-s390x - 1:6.0+dfsg-1~ubuntu3
qemu-system-sparc - 1:6.0+dfsg-1~ubuntu3
qemu-system-x86 - 1:6.0+dfsg-1~ubuntu3
qemu-system-x86-xen - 1:6.0+dfsg-1~ubuntu3
qemu-system-xen - 1:6.0+dfsg-1~ubuntu3
qemu-user - 1:6.0+dfsg-1~ubuntu3
qemu-user-binfmt - 1:6.0+dfsg-1~ubuntu3
qemu-utils - 1:6.0+dfsg-1~ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-07-02 20:15:00 UTC
2020-07-02 20:15:00 UTC
Lei Sun
[https://ubuntu.com/security/notices/USN-5010-1]
CVE-2020-15469
CVE-2020-15503 on Ubuntu 26.04 LTS (resolute) - low
LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affects decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example, malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without validating T.tlength.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-07-02 14:15:00 UTC
2020-07-02 14:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1853477
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964747
[https://ubuntu.com/security/notices/USN-5715-1]
CVE-2020-15503
CVE-2020-15690 on Ubuntu 26.04 LTS (resolute) - medium
In Nim before 1.2.6, the standard library asyncftpclient lacks a check for whether a message contains a newline character.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-01-30 06:15:00 UTC
CVE-2020-15690
CVE-2020-15692 on Ubuntu 26.04 LTS (resolute) - medium
In Nim 1.2.4, the standard library browsers mishandles the URL argument to browsers.openDefaultBrowser. This argument can be a local file path that will be opened in the default explorer. An attacker can pass one argument to the underlying open command to execute arbitrary registered system commands.
Update Instructions:
Run `sudo pro fix CVE-2020-15692` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
nim - 1.2.6-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-14 19:15:00 UTC
CVE-2020-15692
CVE-2020-15693 on Ubuntu 26.04 LTS (resolute) - medium
In Nim 1.2.4, the standard library httpClient is vulnerable to a CR-LF injection in the target URL. An injection is possible if the attacker controls any part of the URL provided in a call (such as httpClient.get or httpClient.post), the User-Agent header value, or custom HTTP header names or values.
Update Instructions:
Run `sudo pro fix CVE-2020-15693` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
nim - 1.2.6-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-14 19:15:00 UTC
CVE-2020-15693
CVE-2020-15694 on Ubuntu 26.04 LTS (resolute) - medium
In Nim 1.2.4, the standard library httpClient fails to properly validate the server response. For example, httpClient.get().contentLength() does not raise any error if a malicious server provides a negative Content-Length.
Update Instructions:
Run `sudo pro fix CVE-2020-15694` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
nim - 1.2.6-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-14 19:15:00 UTC
CVE-2020-15694
CVE-2020-15824 on Ubuntu 26.04 LTS (resolute) - medium
In JetBrains Kotlin from 1.4-M1 to 1.4-RC (as Kotlin 1.3.7x is not affected by the issue. Fixed version is 1.4.0) there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-08 21:15:00 UTC
CVE-2020-15824
CVE-2020-15866 on Ubuntu 26.04 LTS (resolute) - low
mruby through 2.1.2-rc has a heap-based buffer overflow in the mrb_yield_with_class function in vm.c because of incorrect VM stack handling. It can be triggered via the stack_copy function.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-07-21 15:15:00 UTC
CVE-2020-15866
CVE-2020-15953 on Ubuntu 26.04 LTS (resolute) - medium
LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-07-27 07:15:00 UTC
2020-07-27 07:15:00 UTC
https://github.com/dinhvh/libetpan/issues/386
[https://ubuntu.com/security/notices/USN-4598-1]
CVE-2020-15953
CVE-2020-15954 on Ubuntu 26.04 LTS (resolute) - medium
KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 communication during times when the UI indicates that encryption is in use.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-07-27 07:15:00 UTC
CVE-2020-15954
CVE-2020-16125 on Ubuntu 26.04 LTS (resolute) - medium
gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be chained with an additional issue that could allow a local user to create a new privileged account.
Update Instructions:
Run `sudo pro fix CVE-2020-16125` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gdm3 - 3.38.1-2ubuntu1.1
gir1.2-gdm-1.0 - 3.38.1-2ubuntu1.1
libgdm1 - 3.38.1-2ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-11-03
2020-11-03
Kevin Backhouse
https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1900314
https://gitlab.gnome.org/GNOME/gdm/-/issues/642
[https://ubuntu.com/security/notices/USN-4614-1]
CVE-2020-16125
CVE-2020-16155 on Ubuntu 26.04 LTS (resolute) - medium
The CPAN::Checksums package 2.12 for Perl does not uniquely define signed data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-13 18:15:00 UTC
CVE-2020-16155
CVE-2020-16269 on Ubuntu 26.04 LTS (resolute) - low
radare2 4.5.0 misparses DWARF information in executable files, causing a segmentation fault in parse_typedef in type_dwarf.c via a malformed DW_AT_name in the .debug_info section.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-08-03 16:15:00 UTC
CVE-2020-16269
CVE-2020-1695 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-05-19 15:15:00 UTC
2020-05-19 15:15:00 UTC
Mirko Selber
[https://ubuntu.com/security/notices/USN-7351-1]
[https://ubuntu.com/security/notices/USN-7630-1]
CVE-2020-1695
CVE-2020-1711 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host.
Update Instructions:
Run `sudo pro fix CVE-2020-1711` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:4.2-3ubuntu1
qemu-block-supplemental - 1:4.2-3ubuntu1
qemu-guest-agent - 1:4.2-3ubuntu1
qemu-system - 1:4.2-3ubuntu1
qemu-system-arm - 1:4.2-3ubuntu1
qemu-system-common - 1:4.2-3ubuntu1
qemu-system-data - 1:4.2-3ubuntu1
qemu-system-gui - 1:4.2-3ubuntu1
qemu-system-mips - 1:4.2-3ubuntu1
qemu-system-misc - 1:4.2-3ubuntu1
qemu-system-modules-opengl - 1:4.2-3ubuntu1
qemu-system-modules-spice - 1:4.2-3ubuntu1
qemu-system-ppc - 1:4.2-3ubuntu1
qemu-system-riscv - 1:4.2-3ubuntu1
qemu-system-s390x - 1:4.2-3ubuntu1
qemu-system-sparc - 1:4.2-3ubuntu1
qemu-system-x86 - 1:4.2-3ubuntu1
qemu-system-x86-xen - 1:4.2-3ubuntu1
qemu-system-xen - 1:4.2-3ubuntu1
qemu-user - 1:4.2-3ubuntu1
qemu-user-binfmt - 1:4.2-3ubuntu1
qemu-utils - 1:4.2-3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-02-11 20:15:00 UTC
2020-02-11 20:15:00 UTC
Felipe Franciosi, Raphael Norwitz, Peter Turschmid
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949731
[https://ubuntu.com/security/notices/USN-4283-1]
CVE-2020-1711
CVE-2020-1712 on Ubuntu 26.04 LTS (resolute) - medium
A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.
Update Instructions:
Run `sudo pro fix CVE-2020-1712` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnss-myhostname - 244.1-0ubuntu3
libnss-mymachines - 244.1-0ubuntu3
libnss-resolve - 244.1-0ubuntu3
libnss-systemd - 244.1-0ubuntu3
libpam-systemd - 244.1-0ubuntu3
libsystemd-shared - 244.1-0ubuntu3
libsystemd0 - 244.1-0ubuntu3
libudev1 - 244.1-0ubuntu3
systemd - 244.1-0ubuntu3
systemd-boot - 244.1-0ubuntu3
systemd-boot-efi - 244.1-0ubuntu3
systemd-boot-tools - 244.1-0ubuntu3
systemd-container - 244.1-0ubuntu3
systemd-coredump - 244.1-0ubuntu3
systemd-cryptsetup - 244.1-0ubuntu3
systemd-homed - 244.1-0ubuntu3
systemd-journal-remote - 244.1-0ubuntu3
systemd-oomd - 244.1-0ubuntu3
systemd-repart - 244.1-0ubuntu3
systemd-resolved - 244.1-0ubuntu3
systemd-standalone-shutdown - 244.1-0ubuntu3
systemd-standalone-sysusers - 244.1-0ubuntu3
systemd-standalone-tmpfiles - 244.1-0ubuntu3
systemd-sysv - 244.1-0ubuntu3
systemd-tests - 244.1-0ubuntu3
systemd-timesyncd - 244.1-0ubuntu3
systemd-ukify - 244.1-0ubuntu3
systemd-userdbd - 244.1-0ubuntu3
udev - 244.1-0ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-02-05 09:00:00 UTC
2020-02-05 09:00:00 UTC
Tavis Ormandy
[https://ubuntu.com/security/notices/USN-4269-1]
CVE-2020-1712
CVE-2020-1722 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in all ipa versions 4.x.x through 4.8.0. When sending a very long password (>= 1,000,000 characters) to the server, the password hashing process could exhaust memory and CPU leading to a denial of service and the website becoming unresponsive. The highest threat from this vulnerability is to system availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-27 21:15:00 UTC
CVE-2020-1722
CVE-2020-1734 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitrary commands by overwriting the ansible facts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-03-03 22:15:00 UTC
CVE-2020-1734
CVE-2020-1736 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-03-16 16:15:00 UTC
CVE-2020-1736
CVE-2020-1738 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-03-16 16:15:00 UTC
CVE-2020-1738
CVE-2020-17380 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.
Update Instructions:
Run `sudo pro fix CVE-2020-17380` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:5.2+dfsg-2ubuntu1
qemu-block-supplemental - 1:5.2+dfsg-2ubuntu1
qemu-guest-agent - 1:5.2+dfsg-2ubuntu1
qemu-system - 1:5.2+dfsg-2ubuntu1
qemu-system-arm - 1:5.2+dfsg-2ubuntu1
qemu-system-common - 1:5.2+dfsg-2ubuntu1
qemu-system-data - 1:5.2+dfsg-2ubuntu1
qemu-system-gui - 1:5.2+dfsg-2ubuntu1
qemu-system-mips - 1:5.2+dfsg-2ubuntu1
qemu-system-misc - 1:5.2+dfsg-2ubuntu1
qemu-system-modules-opengl - 1:5.2+dfsg-2ubuntu1
qemu-system-modules-spice - 1:5.2+dfsg-2ubuntu1
qemu-system-ppc - 1:5.2+dfsg-2ubuntu1
qemu-system-riscv - 1:5.2+dfsg-2ubuntu1
qemu-system-s390x - 1:5.2+dfsg-2ubuntu1
qemu-system-sparc - 1:5.2+dfsg-2ubuntu1
qemu-system-x86 - 1:5.2+dfsg-2ubuntu1
qemu-system-x86-xen - 1:5.2+dfsg-2ubuntu1
qemu-system-xen - 1:5.2+dfsg-2ubuntu1
qemu-user - 1:5.2+dfsg-2ubuntu1
qemu-user-binfmt - 1:5.2+dfsg-2ubuntu1
qemu-utils - 1:5.2+dfsg-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-14 00:00:00 UTC
2020-08-14 00:00:00 UTC
Alexander Bulekov
https://bugzilla.redhat.com/show_bug.cgi?id=1862167
https://bugs.launchpad.net/qemu/+bug/1892960
[https://ubuntu.com/security/notices/USN-4650-1]
CVE-2020-17380
CVE-2020-1745 on Ubuntu 26.04 LTS (resolute) - medium
A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-28 15:15:00 UTC
CVE-2020-1745
CVE-2020-17487 on Ubuntu 26.04 LTS (resolute) - medium
radare2 4.5.0 misparses signature information in PE files, causing a segmentation fault in r_x509_parse_algorithmidentifier in libr/util/x509.c. This is due to a malformed object identifier in IMAGE_DIRECTORY_ENTRY_SECURITY.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-11 20:15:00 UTC
CVE-2020-17487
CVE-2020-17495 on Ubuntu 26.04 LTS (resolute) - medium
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-11 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968305
CVE-2020-17495
CVE-2020-17521 on Ubuntu 26.04 LTS (resolute) - low
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-12-07 20:15:00 UTC
CVE-2020-17521
CVE-2020-1753 on Ubuntu 26.04 LTS (resolute) - medium
A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-03-16 15:15:00 UTC
CVE-2020-1753
CVE-2020-17534 on Ubuntu 26.04 LTS (resolute) - medium
There exists a race condition between the deletion of the temporary file and the creation of the temporary directory in `webkit` subproject of HTML/Java API version 1.7. A similar vulnerability has recently been disclosed in other Java projects and the fix in HTML/Java API version 1.7.1 follows theirs: To avoid local privilege escalation version 1.7.1 creates the temporary directory atomically without dealing with the temporary file: https://github.com/apache/netbeans-html4j/commit/fa70e507e5555e1adb4f6518479fc408a7abd0e6
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-01-11 16:15:00 UTC
CVE-2020-17534
CVE-2020-1757 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-21 17:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1752770
CVE-2020-1757
CVE-2020-18378 on Ubuntu 26.04 LTS (resolute) - medium
A NULL pointer dereference was discovered in SExpressionWasmBuilder::makeBlock in wasm/wasm-s-parser.c in Binaryen 1.38.26. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm-as.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:15:00 UTC
CVE-2020-18378
CVE-2020-18382 on Ubuntu 26.04 LTS (resolute) - medium
Heap-buffer-overflow in /src/wasm/wasm-binary.cpp in wasm::WasmBinaryBuilder::visitBlock(wasm::Block*) in Binaryen 1.38.26. A crafted wasm input can cause a segmentation fault, leading to denial-of-service, as demonstrated by wasm-opt.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:15:00 UTC
CVE-2020-18382
CVE-2020-18428 on Ubuntu 26.04 LTS (resolute) - low
tinyexr commit 0.9.5 was discovered to contain an array index error in the tinyexr::SaveEXR component, which can lead to a denial of service (DOS).
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-07-26 22:15:00 UTC
CVE-2020-18428
CVE-2020-18430 on Ubuntu 26.04 LTS (resolute) - low
tinyexr 0.9.5 was discovered to contain an array index error in the tinyexr::DecodeEXRImage component, which can lead to a denial of service (DOS).
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-07-26 22:15:00 UTC
CVE-2020-18430
CVE-2020-18734 on Ubuntu 26.04 LTS (resolute) - medium
A stack buffer overflow in /ddsi/q_bitset.h of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-23 21:15:00 UTC
CVE-2020-18734
CVE-2020-18735 on Ubuntu 26.04 LTS (resolute) - medium
A heap buffer overflow in /src/dds_stream.c of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-23 21:15:00 UTC
CVE-2020-18735
CVE-2020-18770 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in function zzip_disk_entry_to_file_header in mmapped.c in zziplib 0.13.69, which will lead to a denial-of-service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:15:00 UTC
CVE-2020-18770
CVE-2020-18773 on Ubuntu 26.04 LTS (resolute) - low
An invalid memory access in the decode function in iptc.cpp of Exiv2 0.27.99.0 allows attackers to cause a denial of service (DOS) via a crafted tif file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-08-23 22:15:00 UTC
https://github.com/Exiv2/exiv2/issues/760
CVE-2020-18773
CVE-2020-18774 on Ubuntu 26.04 LTS (resolute) - low
A float point exception in the printLong function in tags_int.cpp of Exiv2 0.27.99.0 allows attackers to cause a denial of service (DOS) via a crafted tif file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-08-23 22:15:00 UTC
https://github.com/Exiv2/exiv2/issues/759
CVE-2020-18774
CVE-2020-18974 on Ubuntu 26.04 LTS (resolute) - negligible
Buffer Overflow in Netwide Assembler (NASM) v2.15.xx allows attackers to cause a denial of service via 'crc64i' in the component 'nasmlib/crc64'. This issue is different than CVE-2019-7147.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2021 Canonical Ltd.
2021-08-25 16:15:00 UTC
CVE-2020-18974
CVE-2020-1941 on Ubuntu 26.04 LTS (resolute) - medium
In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-05-14 17:15:00 UTC
CVE-2020-1941
CVE-2020-19490 on Ubuntu 26.04 LTS (resolute) - medium
tinyexr 0.9.5 has an integer overflow over-write in tinyexr::DecodePixelData in tinyexr.h, related to OpenEXR code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-21 18:15:00 UTC
CVE-2020-19490
CVE-2020-19668 on Ubuntu 26.04 LTS (resolute) - medium
Unverified indexes into the array lead to out of bound access in the gif_out_code function in fromgif.c in libsixel 1.8.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-11-20 16:15:00 UTC
CVE-2020-19668
CVE-2020-19725 on Ubuntu 26.04 LTS (resolute) - medium
There is a use-after-free vulnerability in file pdd_simplifier.cpp in Z3 before 4.8.8. It occurs when the solver attempts to simplify the constraints and causes unexpected memory access. It can cause segmentation faults or arbitrary code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2020-19725
CVE-2020-19752 on Ubuntu 26.04 LTS (resolute) - low
The find_color_or_error function in gifsicle 1.92 contains a NULL pointer dereference.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-09-07 20:15:00 UTC
CVE-2020-19752
CVE-2020-19824 on Ubuntu 26.04 LTS (resolute) - medium
An issue in MPV v.0.29.1 fixed in v0.30 allows attackers to execute arbitrary code and crash program via the ao_c parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-17 18:15:00 UTC
CVE-2020-19824
CVE-2020-1983 on Ubuntu 26.04 LTS (resolute) - medium
A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets to cause a denial of service.
Update Instructions:
Run `sudo pro fix CVE-2020-1983` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libslirp0 - 4.1.0-2ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-22 20:15:00 UTC
2020-04-22 20:15:00 UTC
Aviv Sasson
[https://ubuntu.com/security/notices/USN-4372-1]
[https://ubuntu.com/security/notices/USN-7094-1]
CVE-2020-1983
CVE-2020-19858 on Ubuntu 26.04 LTS (resolute) - medium
Platinum Upnp SDK through 1.2.0 has a directory traversal vulnerability. The attack could remote attack victim by sending http://ip:port/../privacy.avi URL to compromise a victim's privacy.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-21 13:15:00 UTC
2022-01-21 13:15:00 UTC
[https://ubuntu.com/security/notices/USN-7266-1]
CVE-2020-19858
CVE-2020-21066 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 v1.5.1.0. There is a heap-buffer-overflow in AP4_Dec3Atom::AP4_Dec3Atom at Ap4Dec3Atom.cpp, leading to a denial of service (program crash), as demonstrated by mp42aac.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-13 21:15:00 UTC
CVE-2020-21066
CVE-2020-21426 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in function C_IStream::read in PluginEXR.cpp in FreeImage 3.18.0 allows remote attackers to run arbitrary code and cause other impacts via crafted image file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051736
CVE-2020-21426
CVE-2020-21427 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in function LoadPixelDataRLE8 in PluginBMP.cpp in FreeImage 3.18.0 allows remote attackers to run arbitrary code and cause other impacts via crafted image file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
2023-08-22 19:16:00 UTC
[https://ubuntu.com/security/notices/USN-6586-1]
CVE-2020-21427
CVE-2020-21677 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow in the sixel_encoder_output_without_macro function in encoder.c of Libsixel 1.8.4 allows attackers to cause a denial of service (DOS) via converting a crafted PNG file into Sixel format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-10 21:15:00 UTC
CVE-2020-21677
CVE-2020-21688 on Ubuntu 26.04 LTS (resolute) - medium
A heap-use-after-free in the av_freep function in libavutil/mem.c of FFmpeg 4.2 allows attackers to execute arbitrary code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-10 21:15:00 UTC
2021-08-10 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-5472-1]
[https://ubuntu.com/security/notices/USN-5167-1]
CVE-2020-21688
CVE-2020-21697 on Ubuntu 26.04 LTS (resolute) - medium
A heap-use-after-free in the mpeg_mux_write_packet function in libavformat/mpegenc.c of FFmpeg 4.2 allows to cause a denial of service (DOS) via a crafted avi file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-10 21:15:00 UTC
2021-08-10 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-5472-1]
[https://ubuntu.com/security/notices/USN-5167-1]
CVE-2020-21697
CVE-2020-21722 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in oggvideotools 0.9.1 allows remote attackers to run arbitrary code via opening of crafted ogg file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2020-21722
CVE-2020-21723 on Ubuntu 26.04 LTS (resolute) - medium
A Segmentation Fault issue discovered StreamSerializer::extractStreams function in streamSerializer.cpp in oggvideotools 0.9.1 allows remote attackers to cause a denial of service (crash) via opening of crafted ogg file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2020-21723
CVE-2020-21724 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in ExtractorInformation function in streamExtractor.cpp in oggvideotools 0.9.1 allows remote attackers to run arbitrary code via opening of crafted ogg file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2020-21724
CVE-2020-22022 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 in filter_frame at libavfilter/vf_fieldorder.c, which might lead to memory corruption and other potential consequences.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-27 19:15:00 UTC
2021-05-27 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-5472-1]
[https://ubuntu.com/security/notices/USN-5167-1]
CVE-2020-22022
CVE-2020-22025 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based Buffer Overflow vulnerability exists in gaussian_blur at libavfilter/vf_edgedetect.c, which might lead to memory corruption and other potential consequences.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-27 19:15:00 UTC
2021-05-27 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-5472-1]
[https://ubuntu.com/security/notices/USN-5167-1]
CVE-2020-22025
CVE-2020-22028 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability exists in FFmpeg 4.2 in filter_vertically_8 at libavfilter/vf_avgblur.c, which could cause a remote Denial of Service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-26 21:15:00 UTC
2021-05-26 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-5472-1]
CVE-2020-22028
CVE-2020-22030 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at libavfilter/af_afade.c in crossfade_samples_fltp, which might lead to memory corruption and other potential consequences.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-27 18:15:00 UTC
2021-05-27 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-5472-1]
CVE-2020-22030
CVE-2020-22032 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at libavfilter/vf_edgedetect.c in gaussian_blur, which might lead to memory corruption and other potential consequences.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-27 19:15:00 UTC
2021-05-27 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-5472-1]
[https://ubuntu.com/security/notices/USN-5167-1]
CVE-2020-22032
CVE-2020-22035 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 in get_block_row at libavfilter/vf_bm3d.c, which might lead to memory corruption and other potential consequences.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-01 19:15:00 UTC
2021-06-01 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-5472-1]
CVE-2020-22035
CVE-2020-22036 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 in filter_intra at libavfilter/vf_bwdif.c, which might lead to memory corruption and other potential consequences.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-01 19:15:00 UTC
2021-06-01 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-5472-1]
CVE-2020-22036
CVE-2020-22283 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow vulnerability in the icmp6_send_response_with_addrs_and_netif() function of Free Software Foundation lwIP version git head allows attackers to access sensitive information via a crafted ICMPv6 packet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-22 20:15:00 UTC
CVE-2020-22283
CVE-2020-22284 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow vulnerability in the zepif_linkoutput() function of Free Software Foundation lwIP git head version and version 2.1.2 allows attackers to access sensitive information via a crafted 6LoWPAN packet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-22 20:15:00 UTC
CVE-2020-22284
CVE-2020-22336 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in pdfcrack 0.17 thru 0.18, allows attackers to execute arbitrary code via a stack overflow in the MD5 function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-06 14:15:00 UTC
https://sourceforge.net/p/pdfcrack/bugs/12/
CVE-2020-22336
CVE-2020-22452 on Ubuntu 26.04 LTS (resolute) - medium
SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.2.0 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-26 21:15:00 UTC
CVE-2020-22452
CVE-2020-22628 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in LibRaw::stretch() function in libraw\src\postprocessing\aspect_ratio.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
2023-08-22 19:16:00 UTC
https://github.com/LibRaw/LibRaw/issues/269
[https://ubuntu.com/security/notices/USN-6377-1]
[https://ubuntu.com/security/notices/USN-7266-1]
CVE-2020-22628
CVE-2020-22669 on Ubuntu 26.04 LTS (resolute) - medium
Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-02 18:15:00 UTC
CVE-2020-22669
CVE-2020-23171 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in all versions of Nim-lang allows unauthenticated attackers to write files to arbitrary directories via a crafted zip file with dot-slash characters included in the name of the crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-10 17:15:00 UTC
CVE-2020-23171
CVE-2020-23330 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 version 06c39d9. A NULL pointer dereference exists in the AP4_Stz2Atom::GetSampleSize component located in /Core/Ap4Stz2Atom.cpp. It allows an attacker to cause a denial of service (DOS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-17 22:15:00 UTC
CVE-2020-23330
CVE-2020-23331 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 version 06c39d9. A NULL pointer dereference exists in the AP4_DescriptorListWriter::Action component located in /Core/Ap4Descriptor.h. It allows an attacker to cause a denial of service (DOS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-17 22:15:00 UTC
CVE-2020-23331
CVE-2020-23332 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow exists in the AP4_StdcFileByteStream::ReadPartial component located in /StdC/Ap4StdCFileByteStream.cpp of Bento4 version 06c39d9. This issue can lead to a denial of service (DOS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-17 22:15:00 UTC
CVE-2020-23332
CVE-2020-23333 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow exists in the AP4_CttsAtom::AP4_CttsAtom component located in /Core/Ap4Utils.h of Bento4 version 06c39d9. This can lead to a denial of service (DOS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-17 22:15:00 UTC
CVE-2020-23333
CVE-2020-23334 on Ubuntu 26.04 LTS (resolute) - medium
A WRITE memory access in the AP4_NullTerminatedStringAtom::AP4_NullTerminatedStringAtom component of Bento4 version 06c39d9 can lead to a segmentation fault.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-17 22:15:00 UTC
CVE-2020-23334
CVE-2020-23452 on Ubuntu 26.04 LTS (resolute) - medium
A cross-site scripting (XSS) vulnerability in Selenium Grid v3.141.59 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the hub parameter under the /grid/console page.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-05 18:15:00 UTC
CVE-2020-23452
CVE-2020-23856 on Ubuntu 26.04 LTS (resolute) - medium
Use-after-Free vulnerability in cflow 1.6 in the void call(char *name, int line) function at src/parser.c, which could cause a denial of service via the pointer variable caller->callee.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-18 15:15:00 UTC
CVE-2020-23856
CVE-2020-23884 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow in Nomacs v3.15.0 allows attackers to cause a denial of service (DoS) via a crafted MNG file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-10 22:15:00 UTC
CVE-2020-23884
CVE-2020-23906 on Ubuntu 26.04 LTS (resolute) - medium
FFmpeg N-98388-g76a3ee996b allows attackers to cause a denial of service (DoS) via a crafted audio file due to insufficient verification of data authenticity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-10 22:15:00 UTC
CVE-2020-23906
CVE-2020-23909 on Ubuntu 26.04 LTS (resolute) - medium
Heap-based buffer over-read in function png_convert_4 in file pngex.cc in AdvanceMAME through 2.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-18 14:15:00 UTC
https://sourceforge.net/p/advancemame/bugs/285/
https://bugzilla.redhat.com/show_bug.cgi?id=2161641 (private)
CVE-2020-23909
CVE-2020-23910 on Ubuntu 26.04 LTS (resolute) - medium
Stack-based buffer overflow vulnerability in asn1c through v0.9.28 via function genhash_get in genhash.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-18 14:15:00 UTC
CVE-2020-23910
CVE-2020-23911 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in asn1c through v0.9.28. A NULL pointer dereference exists in the function _default_error_logger() located in asn1fix.c. It allows an attacker to cause Denial of Service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-07-18 14:15:00 UTC
CVE-2020-23911
CVE-2020-23912 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 through v1.6.0-637. A NULL pointer dereference exists in the function AP4_StszAtom::GetSampleSize() located in Ap4StszAtom.cpp. It allows an attacker to cause Denial of Service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-21 18:15:00 UTC
CVE-2020-23912
CVE-2020-23914 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in cpp-peglib through v0.1.12. A NULL pointer dereference exists in the peg::AstOptimizer::optimize() located in peglib.h. It allows an attacker to cause Denial of Service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-21 18:15:00 UTC
CVE-2020-23914
CVE-2020-23915 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in cpp-peglib through v0.1.12. peg::resolve_escape_sequence() in peglib.h has a heap-based buffer over-read.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-21 18:15:00 UTC
CVE-2020-23915
CVE-2020-24025 on Ubuntu 26.04 LTS (resolute) - medium
Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-01-11 19:15:00 UTC
CVE-2020-24025
CVE-2020-24119 on Ubuntu 26.04 LTS (resolute) - low
A heap buffer overflow read was discovered in upx 4.0.0, because the check in p_lx_elf.cpp is not perfect.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-14 21:15:00 UTC
CVE-2020-24119
CVE-2020-24292 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in load function in PluginICO.cpp in FreeImage 3.19.0 [r1859] allows remote attackers to run arbitrary code via opening of crafted ico file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059152
CVE-2020-24292
CVE-2020-24293 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in psdThumbnail::Read in PSDParser.cpp in FreeImage 3.19.0 [r1859] allows remote attackers to run arbitrary code via opening of crafted psd file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059152
CVE-2020-24293
CVE-2020-24294 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in psdParser::UnpackRLE function in PSDParser.cpp in FreeImage 3.19.0 [r1859] allows remote attackers to cause a denial of service via opening of crafted psd file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059152
CVE-2020-24294
CVE-2020-24295 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in PSDParser.cpp::ReadImageLine() in FreeImage 3.19.0 [r1859] allows remote attackers to run arbitrary code via use of crafted psd file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059152
CVE-2020-24295
CVE-2020-24352 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in QEMU through 5.1.0. An out-of-bounds memory access was found in the ATI VGA device implementation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati_2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-10-16 06:15:00 UTC
Yi Ren
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968820
https://bugzilla.redhat.com/show_bug.cgi?id=1847584
CVE-2020-24352
CVE-2020-24372 on Ubuntu 26.04 LTS (resolute) - medium
LuaJIT through 2.1.0-beta3 has an out-of-bounds read in lj_err_run in lj_err.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-17 17:15:00 UTC
CVE-2020-24372
CVE-2020-24612 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in the selinux-policy (aka Reference Policy) package 3.14 through 2020-08-24 because the .config/Yubico directory is mishandled. Consequently, when SELinux is in enforced mode, pam-u2f is not allowed to read the user's U2F configuration file. If configured with the nouserok option (the default when configured by the authselect tool), and that file cannot be read, the second factor is disabled. An attacker with only the knowledge of the password can then log in, bypassing 2FA.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-08-24 21:15:00 UTC
CVE-2020-24612
CVE-2020-24616 on Ubuntu 26.04 LTS (resolute) - low
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-08-25 18:15:00 UTC
CVE-2020-24616
CVE-2020-24619 on Ubuntu 26.04 LTS (resolute) - medium
In mainwindow.cpp in Shotcut before 20.09.13, the upgrade check misuses TLS because of setPeerVerifyMode(QSslSocket::VerifyNone). A man-in-the-middle attacker could offer a spoofed download resource.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-22 12:15:00 UTC
CVE-2020-24619
CVE-2020-24750 on Ubuntu 26.04 LTS (resolute) - medium
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-17 19:15:00 UTC
CVE-2020-24750
CVE-2020-24870 on Ubuntu 26.04 LTS (resolute) - medium
Libraw before 0.20.1 has a stack buffer overflow via LibRaw::identify_process_dng_fields in identify.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-02 16:15:00 UTC
https://github.com/LibRaw/LibRaw/commit/4feaed4dea636cee4fee010f615881ccf76a096d
CVE-2020-24870
CVE-2020-24972 on Ubuntu 26.04 LTS (resolute) - medium
The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platformpluginpath command-line option can be used to load an arbitrary DLL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-29 21:15:00 UTC
CVE-2020-24972
CVE-2020-24996 on Ubuntu 26.04 LTS (resolute) - medium
There is an invalid memory access in the function TextString::~TextString() located in Catalog.cc in Xpdf 4.0.2. It can be triggered by (for example) sending a crafted pdf file to the pdftohtml binary, which allows a remote attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-03 23:15:00 UTC
CVE-2020-24996
CVE-2020-24999 on Ubuntu 26.04 LTS (resolute) - medium
There is an invalid memory access in the function fprintf located in Error.cc in Xpdf 4.0.2. It can be triggered by sending a crafted PDF file to the pdftohtml binary, which allows a remote attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-03 23:15:00 UTC
CVE-2020-24999
CVE-2020-25031 on Ubuntu 26.04 LTS (resolute) - medium
checkinstall 1.6.2, when used to create a package that contains a symlink, may trigger the creation of a mode 0777 executable file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-31 04:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/checkinstall/+bug/1861281
CVE-2020-25031
CVE-2020-25039 on Ubuntu 26.04 LTS (resolute) - medium
Sylabs Singularity 3.2.0 through 3.6.2 has Insecure Permissions on temporary directories used in fakeroot or user namespace container execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-16 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970465
CVE-2020-25039
CVE-2020-25040 on Ubuntu 26.04 LTS (resolute) - medium
Sylabs Singularity through 3.6.2 has Insecure Permissions on temporary directories used in explicit and implicit container build operations, a different vulnerability than CVE-2020-25039.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-16 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970465
CVE-2020-25040
CVE-2020-25084 on Ubuntu 26.04 LTS (resolute) - low
QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.
Update Instructions:
Run `sudo pro fix CVE-2020-25084` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:5.2+dfsg-2ubuntu1
qemu-block-supplemental - 1:5.2+dfsg-2ubuntu1
qemu-guest-agent - 1:5.2+dfsg-2ubuntu1
qemu-system - 1:5.2+dfsg-2ubuntu1
qemu-system-arm - 1:5.2+dfsg-2ubuntu1
qemu-system-common - 1:5.2+dfsg-2ubuntu1
qemu-system-data - 1:5.2+dfsg-2ubuntu1
qemu-system-gui - 1:5.2+dfsg-2ubuntu1
qemu-system-mips - 1:5.2+dfsg-2ubuntu1
qemu-system-misc - 1:5.2+dfsg-2ubuntu1
qemu-system-modules-opengl - 1:5.2+dfsg-2ubuntu1
qemu-system-modules-spice - 1:5.2+dfsg-2ubuntu1
qemu-system-ppc - 1:5.2+dfsg-2ubuntu1
qemu-system-riscv - 1:5.2+dfsg-2ubuntu1
qemu-system-s390x - 1:5.2+dfsg-2ubuntu1
qemu-system-sparc - 1:5.2+dfsg-2ubuntu1
qemu-system-x86 - 1:5.2+dfsg-2ubuntu1
qemu-system-x86-xen - 1:5.2+dfsg-2ubuntu1
qemu-system-xen - 1:5.2+dfsg-2ubuntu1
qemu-user - 1:5.2+dfsg-2ubuntu1
qemu-user-binfmt - 1:5.2+dfsg-2ubuntu1
qemu-utils - 1:5.2+dfsg-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-09-25 05:15:00 UTC
2020-09-25 05:15:00 UTC
Sergej Schumilo, Cornelius Aschermann, Simon Wörner
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970539
https://bugs.launchpad.net/qemu/+bug/1891341
[https://ubuntu.com/security/notices/USN-4650-1]
CVE-2020-25084
CVE-2020-25085 on Ubuntu 26.04 LTS (resolute) - medium
QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case.
Update Instructions:
Run `sudo pro fix CVE-2020-25085` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:5.2+dfsg-2ubuntu1
qemu-block-supplemental - 1:5.2+dfsg-2ubuntu1
qemu-guest-agent - 1:5.2+dfsg-2ubuntu1
qemu-system - 1:5.2+dfsg-2ubuntu1
qemu-system-arm - 1:5.2+dfsg-2ubuntu1
qemu-system-common - 1:5.2+dfsg-2ubuntu1
qemu-system-data - 1:5.2+dfsg-2ubuntu1
qemu-system-gui - 1:5.2+dfsg-2ubuntu1
qemu-system-mips - 1:5.2+dfsg-2ubuntu1
qemu-system-misc - 1:5.2+dfsg-2ubuntu1
qemu-system-modules-opengl - 1:5.2+dfsg-2ubuntu1
qemu-system-modules-spice - 1:5.2+dfsg-2ubuntu1
qemu-system-ppc - 1:5.2+dfsg-2ubuntu1
qemu-system-riscv - 1:5.2+dfsg-2ubuntu1
qemu-system-s390x - 1:5.2+dfsg-2ubuntu1
qemu-system-sparc - 1:5.2+dfsg-2ubuntu1
qemu-system-x86 - 1:5.2+dfsg-2ubuntu1
qemu-system-x86-xen - 1:5.2+dfsg-2ubuntu1
qemu-system-xen - 1:5.2+dfsg-2ubuntu1
qemu-user - 1:5.2+dfsg-2ubuntu1
qemu-user-binfmt - 1:5.2+dfsg-2ubuntu1
qemu-utils - 1:5.2+dfsg-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-25 05:15:00 UTC
2020-09-25 05:15:00 UTC
Sergej Schumilo, Cornelius Aschermann, Simon Wörner
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970540
https://bugs.launchpad.net/qemu/+bug/1892960
[https://ubuntu.com/security/notices/USN-4650-1]
CVE-2020-25085
CVE-2020-25265 on Ubuntu 26.04 LTS (resolute) - medium
AppImage libappimage before 1.0.3 allows attackers to trigger an overwrite of a system-installed .desktop file by providing a .desktop file that contains Name= with path components.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-02 17:15:00 UTC
CVE-2020-25265
CVE-2020-25266 on Ubuntu 26.04 LTS (resolute) - medium
AppImage appimaged before 1.0.3 does not properly check whether a downloaded file is a valid appimage. For example, it will accept a crafted mp3 file that contains an appimage, and install it.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-02 17:15:00 UTC
CVE-2020-25266
CVE-2020-25467 on Ubuntu 26.04 LTS (resolute) - low
A null pointer dereference was discovered in lzo_decompress_buf in stream.c in lrzip 0.621 which allows an attacker to cause a denial of service (DOS) via a crafted compressed file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-06-10 16:15:00 UTC
2021-06-10 16:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/lrzip/+bug/1893641
[https://ubuntu.com/security/notices/USN-5840-1]
CVE-2020-25467
CVE-2020-25624 on Ubuntu 26.04 LTS (resolute) - low
hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver.
Update Instructions:
Run `sudo pro fix CVE-2020-25624` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:5.2+dfsg-2ubuntu1
qemu-block-supplemental - 1:5.2+dfsg-2ubuntu1
qemu-guest-agent - 1:5.2+dfsg-2ubuntu1
qemu-system - 1:5.2+dfsg-2ubuntu1
qemu-system-arm - 1:5.2+dfsg-2ubuntu1
qemu-system-common - 1:5.2+dfsg-2ubuntu1
qemu-system-data - 1:5.2+dfsg-2ubuntu1
qemu-system-gui - 1:5.2+dfsg-2ubuntu1
qemu-system-mips - 1:5.2+dfsg-2ubuntu1
qemu-system-misc - 1:5.2+dfsg-2ubuntu1
qemu-system-modules-opengl - 1:5.2+dfsg-2ubuntu1
qemu-system-modules-spice - 1:5.2+dfsg-2ubuntu1
qemu-system-ppc - 1:5.2+dfsg-2ubuntu1
qemu-system-riscv - 1:5.2+dfsg-2ubuntu1
qemu-system-s390x - 1:5.2+dfsg-2ubuntu1
qemu-system-sparc - 1:5.2+dfsg-2ubuntu1
qemu-system-x86 - 1:5.2+dfsg-2ubuntu1
qemu-system-x86-xen - 1:5.2+dfsg-2ubuntu1
qemu-system-xen - 1:5.2+dfsg-2ubuntu1
qemu-user - 1:5.2+dfsg-2ubuntu1
qemu-user-binfmt - 1:5.2+dfsg-2ubuntu1
qemu-utils - 1:5.2+dfsg-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-09-25 00:00:00 UTC
2020-09-25 00:00:00 UTC
Gaoning Pan, Yongkang Jia, Yi Ren
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970541
[https://ubuntu.com/security/notices/USN-4650-1]
CVE-2020-25624
CVE-2020-25625 on Ubuntu 26.04 LTS (resolute) - low
hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop.
Update Instructions:
Run `sudo pro fix CVE-2020-25625` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:5.2+dfsg-2ubuntu1
qemu-block-supplemental - 1:5.2+dfsg-2ubuntu1
qemu-guest-agent - 1:5.2+dfsg-2ubuntu1
qemu-system - 1:5.2+dfsg-2ubuntu1
qemu-system-arm - 1:5.2+dfsg-2ubuntu1
qemu-system-common - 1:5.2+dfsg-2ubuntu1
qemu-system-data - 1:5.2+dfsg-2ubuntu1
qemu-system-gui - 1:5.2+dfsg-2ubuntu1
qemu-system-mips - 1:5.2+dfsg-2ubuntu1
qemu-system-misc - 1:5.2+dfsg-2ubuntu1
qemu-system-modules-opengl - 1:5.2+dfsg-2ubuntu1
qemu-system-modules-spice - 1:5.2+dfsg-2ubuntu1
qemu-system-ppc - 1:5.2+dfsg-2ubuntu1
qemu-system-riscv - 1:5.2+dfsg-2ubuntu1
qemu-system-s390x - 1:5.2+dfsg-2ubuntu1
qemu-system-sparc - 1:5.2+dfsg-2ubuntu1
qemu-system-x86 - 1:5.2+dfsg-2ubuntu1
qemu-system-x86-xen - 1:5.2+dfsg-2ubuntu1
qemu-system-xen - 1:5.2+dfsg-2ubuntu1
qemu-user - 1:5.2+dfsg-2ubuntu1
qemu-user-binfmt - 1:5.2+dfsg-2ubuntu1
qemu-utils - 1:5.2+dfsg-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-09-25 05:15:00 UTC
2020-09-25 05:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970542
[https://ubuntu.com/security/notices/USN-4650-1]
CVE-2020-25625
CVE-2020-25626 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-30 20:15:00 UTC
CVE-2020-25626
CVE-2020-25633 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-18 19:15:00 UTC
2020-09-18 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970585
[https://ubuntu.com/security/notices/USN-7351-1]
[https://ubuntu.com/security/notices/USN-7630-1]
CVE-2020-25633
CVE-2020-25635 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in Ansible Base when using the aws_ssm connection plugin, as garbage collection does not happen after a playbook run is completed. Files would remain in the bucket, exposing the data. This issue directly affects data confidentiality.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-10-05 14:15:00 UTC
CVE-2020-25635
CVE-2020-25636 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in Ansible Base when using the aws_ssm connection plugin, as there is no namespace separation for file transfers. Files are written directly to the root bucket, making it possible to have collisions when running multiple ansible processes. This issue mainly affects service availability.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-10-05 13:15:00 UTC
CVE-2020-25636
CVE-2020-25646 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Ansible Collection community.crypto.openssl_privatekey_info, which exposes the private key in logs. This directly impacts confidentiality.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-29 20:15:00 UTC
CVE-2020-25646
CVE-2020-25650 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in the way the spice-vdagentd daemon handled file transfers from the host system to the virtual machine. Any unprivileged local guest user with access to the UNIX domain socket path `/run/spice-vdagentd/spice-vdagent-sock` could use this flaw to perform a memory denial of service for spice-vdagentd or even other processes in the VM system. The highest threat from this vulnerability is to system availability. This flaw affects spice-vdagent versions 0.20 and previous versions.
Update Instructions:
Run `sudo pro fix CVE-2020-25650` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
spice-vdagent - 0.20.0-1ubuntu0.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-11-03
2020-11-03
Matthias Gerstner
[https://ubuntu.com/security/notices/USN-4617-1]
CVE-2020-25650
CVE-2020-25651 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in the SPICE file transfer protocol. File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Active file transfers from other users could also be interrupted, resulting in a denial of service. The highest threat from this vulnerability is to data confidentiality as well as system availability. This flaw affects spice-vdagent versions 0.20 and prior.
Update Instructions:
Run `sudo pro fix CVE-2020-25651` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
spice-vdagent - 0.20.0-1ubuntu0.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-11-03
2020-11-03
Matthias Gerstner
[https://ubuntu.com/security/notices/USN-4617-1]
CVE-2020-25651
CVE-2020-25652 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in the spice-vdagentd daemon, where it did not properly handle client connections that can be established via the UNIX domain socket in `/run/spice-vdagentd/spice-vdagent-sock`. Any unprivileged local guest user could use this flaw to prevent legitimate agents from connecting to the spice-vdagentd daemon, resulting in a denial of service. The highest threat from this vulnerability is to system availability. This flaw affects spice-vdagent versions 0.20 and prior.
Update Instructions:
Run `sudo pro fix CVE-2020-25652` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
spice-vdagent - 0.20.0-1ubuntu0.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-11-03
2020-11-03
Matthias Gerstner
[https://ubuntu.com/security/notices/USN-4617-1]
CVE-2020-25652
CVE-2020-25653 on Ubuntu 26.04 LTS (resolute) - low
A race condition vulnerability was found in the way the spice-vdagentd daemon handled new client connections. This flaw may allow an unprivileged local guest user to become the active agent for spice-vdagentd, possibly resulting in a denial of service or information leakage from the host. The highest threat from this vulnerability is to data confidentiality as well as system availability. This flaw affects spice-vdagent versions 0.20 and prior.
Update Instructions:
Run `sudo pro fix CVE-2020-25653` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
spice-vdagent - 0.20.0-1ubuntu0.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-11-03
2020-11-03
Matthias Gerstner
[https://ubuntu.com/security/notices/USN-4617-1]
CVE-2020-25653
CVE-2020-25657 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext. The highest threat from this vulnerability is to confidentiality.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-01-12 15:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1889823
CVE-2020-25657
CVE-2020-25664 on Ubuntu 26.04 LTS (resolute) - medium
In WriteOnePNGImage() of the PNG coder at coders/png.c, an improper call to AcquireVirtualMemory() and memset() allows for an out-of-bounds write later when PopShortPixel() from MagickCore/quantum-private.h is called. The patch fixes the calls by adding 256 to rowbytes. An attacker who is able to supply a specially crafted image could affect availability with a low impact to data integrity. This flaw affects ImageMagick versions prior to 6.9.10-68 and 7.0.8-68.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-08 21:15:00 UTC
2020-12-08 21:15:00 UTC
Suhwan Song
https://github.com/ImageMagick/ImageMagick/issues/1716
[https://ubuntu.com/security/notices/USN-5335-1]
[https://ubuntu.com/security/notices/USN-7068-1]
CVE-2020-25664
CVE-2020-25690 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write flaw was found in FontForge in versions before 20200314 while parsing SFD files containing certain LayerCount tokens. This flaw allows an attacker to manipulate the memory allocated on the heap, causing the application to crash or execute arbitrary code. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-23 04:15:00 UTC
CVE-2020-25690
CVE-2020-25708 on Ubuntu 26.04 LTS (resolute) - medium
A divide by zero issue was found to occur in libvncserver-0.9.12. A malicious client could use this flaw to send a specially crafted message that, when processed by the VNC server, would lead to a floating point exception, resulting in a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-11-13 00:00:00 UTC
2020-11-13 00:00:00 UTC
[https://ubuntu.com/security/notices/USN-4636-1]
CVE-2020-25708
CVE-2020-25717 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to cause possible privilege escalation.
Update Instructions:
Run `sudo pro fix CVE-2020-25717` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-09
2021-11-09
Andrew Bartlett
https://bugzilla.samba.org/show_bug.cgi?id=14834
https://bugzilla.samba.org/show_bug.cgi?id=14725
https://bugzilla.samba.org/show_bug.cgi?id=14556
[https://ubuntu.com/security/notices/USN-5142-1]
[https://ubuntu.com/security/notices/USN-5174-1]
CVE-2020-25717
CVE-2020-25722 on Ubuntu 26.04 LTS (resolute) - medium
Multiple flaws were found in the way samba AD DC implemented access and conformance checking of stored data. An attacker could use this flaw to cause total domain compromise.
Update Instructions:
Run `sudo pro fix CVE-2020-25722` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-09
2021-11-09
Andrew Bartlett
https://bugzilla.samba.org/show_bug.cgi?id=14834
https://bugzilla.samba.org/show_bug.cgi?id=14725
https://bugzilla.samba.org/show_bug.cgi?id=14564
[https://ubuntu.com/security/notices/USN-5142-1]
[https://ubuntu.com/security/notices/USN-5174-1]
CVE-2020-25722
CVE-2020-25723 on Ubuntu 26.04 LTS (resolute) - medium
A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service.
Update Instructions:
Run `sudo pro fix CVE-2020-25723` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:5.2+dfsg-2ubuntu1
qemu-block-supplemental - 1:5.2+dfsg-2ubuntu1
qemu-guest-agent - 1:5.2+dfsg-2ubuntu1
qemu-system - 1:5.2+dfsg-2ubuntu1
qemu-system-arm - 1:5.2+dfsg-2ubuntu1
qemu-system-common - 1:5.2+dfsg-2ubuntu1
qemu-system-data - 1:5.2+dfsg-2ubuntu1
qemu-system-gui - 1:5.2+dfsg-2ubuntu1
qemu-system-mips - 1:5.2+dfsg-2ubuntu1
qemu-system-misc - 1:5.2+dfsg-2ubuntu1
qemu-system-modules-opengl - 1:5.2+dfsg-2ubuntu1
qemu-system-modules-spice - 1:5.2+dfsg-2ubuntu1
qemu-system-ppc - 1:5.2+dfsg-2ubuntu1
qemu-system-riscv - 1:5.2+dfsg-2ubuntu1
qemu-system-s390x - 1:5.2+dfsg-2ubuntu1
qemu-system-sparc - 1:5.2+dfsg-2ubuntu1
qemu-system-x86 - 1:5.2+dfsg-2ubuntu1
qemu-system-x86-xen - 1:5.2+dfsg-2ubuntu1
qemu-system-xen - 1:5.2+dfsg-2ubuntu1
qemu-user - 1:5.2+dfsg-2ubuntu1
qemu-user-binfmt - 1:5.2+dfsg-2ubuntu1
qemu-utils - 1:5.2+dfsg-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-11-18 08:28:00 UTC
2020-11-18 08:28:00 UTC
Cheolwoo Myung
https://bugzilla.redhat.com/show_bug.cgi?id=1898579
[https://ubuntu.com/security/notices/USN-4650-1]
CVE-2020-25723
CVE-2020-25725 on Ubuntu 26.04 LTS (resolute) - medium
In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) SplashOutputDev.cc:3079 is trying to use the freed `t3GlyphStack->cache`, which causes an `heap-use-after-free` problem. The codes of a previous fix for nested Type 3 characters wasn't correctly handling the case where a Type 3 char referred to another char in the same Type 3 font.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-11-21 06:15:00 UTC
Mike Zhang
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25725
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41915
CVE-2020-25725
CVE-2020-25730 on Ubuntu 26.04 LTS (resolute) - medium
Cross Site Scripting (XSS) vulnerability in ZoneMinder before version 1.34.21, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via PHP_SELF component in classic/views/download.php.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-04 08:15:00 UTC
CVE-2020-25730
CVE-2020-25741 on Ubuntu 26.04 LTS (resolute) - low
fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-10-02 09:15:00 UTC
Sergej Schumilo, Cornelius Aschermann, Simon Wörner
CVE-2020-25741
CVE-2020-25742 on Ubuntu 26.04 LTS (resolute) - low
pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-10-06 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971390
CVE-2020-25742
CVE-2020-25743 on Ubuntu 26.04 LTS (resolute) - low
hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-10-06 15:15:00 UTC
Sergej Schumilo, Cornelius Aschermann, Simon Wörner
CVE-2020-25743
CVE-2020-2583 on Ubuntu 26.04 LTS (resolute) - low
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Update Instructions:
Run `sudo pro fix CVE-2020-2583` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.6+10-1ubuntu1
openjdk-11-jdk - 11.0.6+10-1ubuntu1
openjdk-11-jdk-headless - 11.0.6+10-1ubuntu1
openjdk-11-jre - 11.0.6+10-1ubuntu1
openjdk-11-jre-headless - 11.0.6+10-1ubuntu1
openjdk-11-jre-zero - 11.0.6+10-1ubuntu1
openjdk-11-source - 11.0.6+10-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-01-15 17:15:00 UTC
2020-01-15 17:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-2583
[https://ubuntu.com/security/notices/USN-4257-1]
CVE-2020-2583
CVE-2020-2590 on Ubuntu 26.04 LTS (resolute) - low
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2020-2590` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.6+10-1ubuntu1
openjdk-11-jdk - 11.0.6+10-1ubuntu1
openjdk-11-jdk-headless - 11.0.6+10-1ubuntu1
openjdk-11-jre - 11.0.6+10-1ubuntu1
openjdk-11-jre-headless - 11.0.6+10-1ubuntu1
openjdk-11-jre-zero - 11.0.6+10-1ubuntu1
openjdk-11-source - 11.0.6+10-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-01-15 17:15:00 UTC
2020-01-15 17:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-2590
[https://ubuntu.com/security/notices/USN-4257-1]
CVE-2020-2590
CVE-2020-2593 on Ubuntu 26.04 LTS (resolute) - low
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2020-2593` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.6+10-1ubuntu1
openjdk-11-jdk - 11.0.6+10-1ubuntu1
openjdk-11-jdk-headless - 11.0.6+10-1ubuntu1
openjdk-11-jre - 11.0.6+10-1ubuntu1
openjdk-11-jre-headless - 11.0.6+10-1ubuntu1
openjdk-11-jre-zero - 11.0.6+10-1ubuntu1
openjdk-11-source - 11.0.6+10-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-01-15 17:15:00 UTC
2020-01-15 17:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-2593
[https://ubuntu.com/security/notices/USN-4257-1]
CVE-2020-2593
CVE-2020-2601 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).
Update Instructions:
Run `sudo pro fix CVE-2020-2601` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.6+10-1ubuntu1
openjdk-11-jdk - 11.0.6+10-1ubuntu1
openjdk-11-jdk-headless - 11.0.6+10-1ubuntu1
openjdk-11-jre - 11.0.6+10-1ubuntu1
openjdk-11-jre-headless - 11.0.6+10-1ubuntu1
openjdk-11-jre-zero - 11.0.6+10-1ubuntu1
openjdk-11-source - 11.0.6+10-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-15 17:15:00 UTC
2020-01-15 17:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-2601
[https://ubuntu.com/security/notices/USN-4257-1]
CVE-2020-2601
CVE-2020-26140 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-11 18:00:00 UTC
Mathy Vanhoef
CVE-2020-26140
CVE-2020-26142 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-11 18:00:00 UTC
Mathy Vanhoef
CVE-2020-26142
CVE-2020-26143 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-11 18:00:00 UTC
Mathy Vanhoef
CVE-2020-26143
CVE-2020-26146 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-11 18:00:00 UTC
Mathy Vanhoef
CVE-2020-26146
CVE-2020-26160 on Ubuntu 26.04 LTS (resolute) - medium
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-30 18:15:00 UTC
https://github.com/dgrijalva/jwt-go/issues/422
https://github.com/dgrijalva/jwt-go/issues/428
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971556
CVE-2020-26160
CVE-2020-26164 on Ubuntu 26.04 LTS (resolute) - medium
In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots, aka a Denial of Service attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-07 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971736
CVE-2020-26164
CVE-2020-26422 on Ubuntu 26.04 LTS (resolute) - medium
Buffer overflow in QUIC dissector in Wireshark 3.4.0 to 3.4.1 allows denial of service via packet injection or crafted capture file
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-21 18:15:00 UTC
CVE-2020-26422
CVE-2020-2654 on Ubuntu 26.04 LTS (resolute) - low
Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Update Instructions:
Run `sudo pro fix CVE-2020-2654` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.6+10-1ubuntu1
openjdk-11-jdk - 11.0.6+10-1ubuntu1
openjdk-11-jdk-headless - 11.0.6+10-1ubuntu1
openjdk-11-jre - 11.0.6+10-1ubuntu1
openjdk-11-jre-headless - 11.0.6+10-1ubuntu1
openjdk-11-jre-zero - 11.0.6+10-1ubuntu1
openjdk-11-source - 11.0.6+10-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-01-15 17:15:00 UTC
2020-01-15 17:15:00 UTC
Bo Zhang and Long Kuan
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-2654
[https://ubuntu.com/security/notices/USN-4257-1]
CVE-2020-2654
CVE-2020-26560 on Ubuntu 26.04 LTS (resolute) - medium
Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, reflecting the authentication evidence from a Provisioner, to complete authentication without possessing the AuthValue, and potentially acquire a NetKey and AppKey.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-24 18:15:00 UTC
CVE-2020-26560
CVE-2020-26566 on Ubuntu 26.04 LTS (resolute) - medium
A Denial of Service condition in Motion-Project Motion 3.2 through 4.3.1 allows remote unauthenticated users to cause a webu.c segmentation fault and kill the main process via a crafted HTTP request.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-26 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972986
CVE-2020-26566
CVE-2020-27304 on Ubuntu 26.04 LTS (resolute) - medium
The CivetWeb web library does not validate uploaded filepaths when running on an OS other than Windows, when using the built-in HTTP form-based file upload mechanism, via the mg_handle_form_request API. Web applications that use the file upload form handler, and use parts of the user-controlled filename in the output path, are susceptible to directory traversal
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-21 16:15:00 UTC
CVE-2020-27304
CVE-2020-27372 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow vulnerability exists in Brandy Basic V Interpreter 1.21 in the run_interpreter function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-11 19:15:00 UTC
CVE-2020-27372
CVE-2020-27511 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the stripTags and unescapeHTML components in Prototype 1.7.3 where an attacker can cause a Regular Expression Denial of Service (ReDOS) through stripping crafted HTML tags.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-21 20:15:00 UTC
CVE-2020-27511
CVE-2020-27617 on Ubuntu 26.04 LTS (resolute) - low
eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol.
Update Instructions:
Run `sudo pro fix CVE-2020-27617` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:5.2+dfsg-2ubuntu1
qemu-block-supplemental - 1:5.2+dfsg-2ubuntu1
qemu-guest-agent - 1:5.2+dfsg-2ubuntu1
qemu-system - 1:5.2+dfsg-2ubuntu1
qemu-system-arm - 1:5.2+dfsg-2ubuntu1
qemu-system-common - 1:5.2+dfsg-2ubuntu1
qemu-system-data - 1:5.2+dfsg-2ubuntu1
qemu-system-gui - 1:5.2+dfsg-2ubuntu1
qemu-system-mips - 1:5.2+dfsg-2ubuntu1
qemu-system-misc - 1:5.2+dfsg-2ubuntu1
qemu-system-modules-opengl - 1:5.2+dfsg-2ubuntu1
qemu-system-modules-spice - 1:5.2+dfsg-2ubuntu1
qemu-system-ppc - 1:5.2+dfsg-2ubuntu1
qemu-system-riscv - 1:5.2+dfsg-2ubuntu1
qemu-system-s390x - 1:5.2+dfsg-2ubuntu1
qemu-system-sparc - 1:5.2+dfsg-2ubuntu1
qemu-system-x86 - 1:5.2+dfsg-2ubuntu1
qemu-system-x86-xen - 1:5.2+dfsg-2ubuntu1
qemu-system-xen - 1:5.2+dfsg-2ubuntu1
qemu-user - 1:5.2+dfsg-2ubuntu1
qemu-user-binfmt - 1:5.2+dfsg-2ubuntu1
qemu-utils - 1:5.2+dfsg-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-11-06 08:15:00 UTC
2020-11-06 08:15:00 UTC
Gaoning Pan
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973324
https://bugs.launchpad.net/qemu/+bug/1878067
[https://ubuntu.com/security/notices/USN-4650-1]
CVE-2020-27617
CVE-2020-27782 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affects Undertow 2.1.5.SP1, 2.0.33.SP2, and 2.2.3.SP1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-23 19:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1901304
CVE-2020-27782
CVE-2020-27796 on Ubuntu 26.04 LTS (resolute) - low
A heap-based buffer over-read was discovered in the invert_pt_dynamic function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-25 20:15:00 UTC
CVE-2020-27796
CVE-2020-27797 on Ubuntu 26.04 LTS (resolute) - medium
An invalid memory address reference was discovered in the elf_lookup function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-25 20:15:00 UTC
CVE-2020-27797
CVE-2020-27798 on Ubuntu 26.04 LTS (resolute) - medium
An invalid memory address reference was discovered in the adjABS function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-25 20:15:00 UTC
CVE-2020-27798
CVE-2020-27799 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer over-read was discovered in the acc_ua_get_be32 function in miniacc.h in UPX 4.0.0 via a crafted Mach-O file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-25 20:15:00 UTC
CVE-2020-27799
CVE-2020-27800 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer over-read was discovered in the get_le32 function in bele.h in UPX 4.0.0 via a crafted Mach-O file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-25 20:15:00 UTC
CVE-2020-27800
CVE-2020-27801 on Ubuntu 26.04 LTS (resolute) - low
A heap-based buffer over-read was discovered in the get_le64 function in bele.h in UPX 4.0.0 via a crafted Mach-O file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-25 20:15:00 UTC
CVE-2020-27801
CVE-2020-27802 on Ubuntu 26.04 LTS (resolute) - medium
A floating point exception was discovered in the elf_lookup function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-25 20:15:00 UTC
CVE-2020-27802
CVE-2020-27814 on Ubuntu 26.04 LTS (resolute) - medium
A heap-buffer overflow was found in the way openjpeg2 handled certain PNG format files. An attacker could use this flaw to cause an application crash or in some cases execute arbitrary code with the permission of the user running such an application.
Update Instructions:
Run `sudo pro fix CVE-2020-27814` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenjp2-7 - 2.3.1-1ubuntu5
libopenjp2-tools - 2.3.1-1ubuntu5
libopenjpip-dec-server - 2.3.1-1ubuntu5
libopenjpip-viewer - 2.3.1-1ubuntu5
libopenjpip7 - 2.3.1-1ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-11-30 00:00:00 UTC
2020-11-30 00:00:00 UTC
https://github.com/uclouvain/openjpeg/issues/1283
[https://ubuntu.com/security/notices/USN-4685-1]
[https://ubuntu.com/security/notices/USN-4686-1]
[https://ubuntu.com/security/notices/USN-4880-1]
[https://ubuntu.com/security/notices/USN-5952-1]
CVE-2020-27814
CVE-2020-27818 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the check_chunk_name() function of pngcheck-2.4.0. An attacker able to pass a malicious file to be processed by pngcheck could cause a temporary denial of service, posing a low risk to application availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-08 01:15:00 UTC
2020-12-08 01:15:00 UTC
[https://ubuntu.com/security/notices/USN-6182-1]
CVE-2020-27818
CVE-2020-27819 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libxls before and including 1.6.1 when reading Microsoft Excel files. A NULL pointer dereference vulnerability exists when parsing XLS cells in libxls/xls2csv.c:199. It could allow a remote attacker to cause a denial of service via crafted XLS file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-23 04:15:00 UTC
CVE-2020-27819
CVE-2020-27823 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Update Instructions:
Run `sudo pro fix CVE-2020-27823` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenjp2-7 - 2.3.1-1ubuntu5
libopenjp2-tools - 2.3.1-1ubuntu5
libopenjpip-dec-server - 2.3.1-1ubuntu5
libopenjpip-viewer - 2.3.1-1ubuntu5
libopenjpip7 - 2.3.1-1ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-09 00:00:00 UTC
2020-12-09 00:00:00 UTC
https://github.com/uclouvain/openjpeg/issues/1284
[https://ubuntu.com/security/notices/USN-4685-1]
[https://ubuntu.com/security/notices/USN-4880-1]
[https://ubuntu.com/security/notices/USN-5952-1]
CVE-2020-27823
CVE-2020-27824 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in OpenJPEG’s encoder in the opj_dwt_calc_explicit_stepsizes() function. This flaw allows an attacker who can supply crafted input to decomposition levels to cause a buffer overflow. The highest threat from this vulnerability is to system availability.
Update Instructions:
Run `sudo pro fix CVE-2020-27824` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenjp2-7 - 2.3.1-1ubuntu5
libopenjp2-tools - 2.3.1-1ubuntu5
libopenjpip-dec-server - 2.3.1-1ubuntu5
libopenjpip-viewer - 2.3.1-1ubuntu5
libopenjpip7 - 2.3.1-1ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-10
2020-12-10
https://github.com/uclouvain/openjpeg/issues/1286
[https://ubuntu.com/security/notices/USN-4685-1]
[https://ubuntu.com/security/notices/USN-4686-1]
[https://ubuntu.com/security/notices/USN-4880-1]
[https://ubuntu.com/security/notices/USN-5664-1]
[https://ubuntu.com/security/notices/USN-5952-1]
CVE-2020-27824
CVE-2020-27827 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in multiple versions of OpenvSwitch. Specially crafted LLDP packets can cause memory to be lost when allocating data to handle specific optional TLVs, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.
Update Instructions:
Run `sudo pro fix CVE-2020-27827` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openvswitch-common - 2.15.0-0ubuntu1
openvswitch-ipsec - 2.15.0-0ubuntu1
openvswitch-pki - 2.15.0-0ubuntu1
openvswitch-source - 2.15.0-0ubuntu1
openvswitch-switch - 2.15.0-0ubuntu1
openvswitch-switch-dpdk - 2.15.0-0ubuntu1
openvswitch-test - 2.15.0-0ubuntu1
openvswitch-testcontroller - 2.15.0-0ubuntu1
openvswitch-vtep - 2.15.0-0ubuntu1
python3-openvswitch - 2.15.0-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-01-13
2021-01-13
Jonas Rudloff
https://bugs.launchpad.net/ubuntu/+source/lldpd/+bug/1937121
[https://ubuntu.com/security/notices/USN-4691-1]
CVE-2020-27827
CVE-2020-27841 on Ubuntu 26.04 LTS (resolute) - low
There's a flaw in openjpeg in versions prior to 2.4.0 in src/lib/openjp2/pi.c. When an attacker is able to provide crafted input to be processed by the openjpeg encoder, this could cause an out-of-bounds read. The greatest impact from this flaw is to application availability.
Update Instructions:
Run `sudo pro fix CVE-2020-27841` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenjp2-7 - 2.3.1-1ubuntu5
libopenjp2-tools - 2.3.1-1ubuntu5
libopenjpip-dec-server - 2.3.1-1ubuntu5
libopenjpip-viewer - 2.3.1-1ubuntu5
libopenjpip7 - 2.3.1-1ubuntu5
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-01-05 18:15:00 UTC
2021-01-05 18:15:00 UTC
https://github.com/uclouvain/openjpeg/issues/1293
[https://ubuntu.com/security/notices/USN-4685-1]
[https://ubuntu.com/security/notices/USN-4686-1]
[https://ubuntu.com/security/notices/USN-4880-1]
[https://ubuntu.com/security/notices/USN-5952-1]
CVE-2020-27841
CVE-2020-27842 on Ubuntu 26.04 LTS (resolute) - medium
There's a flaw in openjpeg's t2 encoder in versions prior to 2.4.0. An attacker who is able to provide crafted input to be processed by openjpeg could cause a null pointer dereference. The highest impact of this flaw is to application availability.
Update Instructions:
Run `sudo pro fix CVE-2020-27842` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenjp2-7 - 2.3.1-1ubuntu5
libopenjp2-tools - 2.3.1-1ubuntu5
libopenjpip-dec-server - 2.3.1-1ubuntu5
libopenjpip-viewer - 2.3.1-1ubuntu5
libopenjpip7 - 2.3.1-1ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-01-05 18:15:00 UTC
2021-01-05 18:15:00 UTC
https://github.com/uclouvain/openjpeg/issues/1294
[https://ubuntu.com/security/notices/USN-4685-1]
[https://ubuntu.com/security/notices/USN-4686-1]
[https://ubuntu.com/security/notices/USN-5952-1]
CVE-2020-27842
CVE-2020-27843 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw allows an attacker to provide specially crafted input to the conversion or encoding functionality, causing an out-of-bounds read. The highest threat from this vulnerability is system availability.
Update Instructions:
Run `sudo pro fix CVE-2020-27843` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenjp2-7 - 2.3.1-1ubuntu5
libopenjp2-tools - 2.3.1-1ubuntu5
libopenjpip-dec-server - 2.3.1-1ubuntu5
libopenjpip-viewer - 2.3.1-1ubuntu5
libopenjpip7 - 2.3.1-1ubuntu5
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-01-05 18:15:00 UTC
2021-01-05 18:15:00 UTC
https://github.com/uclouvain/openjpeg/issues/1297
[https://ubuntu.com/security/notices/USN-4685-1]
[https://ubuntu.com/security/notices/USN-4686-1]
[https://ubuntu.com/security/notices/USN-5952-1]
CVE-2020-27843
CVE-2020-27845 on Ubuntu 26.04 LTS (resolute) - medium
There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions prior to 2.4.0. If an attacker is able to provide untrusted input to openjpeg's conversion/encoding functionality, they could cause an out-of-bounds read. The highest impact of this flaw is to application availability.
Update Instructions:
Run `sudo pro fix CVE-2020-27845` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenjp2-7 - 2.3.1-1ubuntu5
libopenjp2-tools - 2.3.1-1ubuntu5
libopenjpip-dec-server - 2.3.1-1ubuntu5
libopenjpip-viewer - 2.3.1-1ubuntu5
libopenjpip7 - 2.3.1-1ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-01-05 18:15:00 UTC
2021-01-05 18:15:00 UTC
https://github.com/uclouvain/openjpeg/issues/1302
[https://ubuntu.com/security/notices/USN-4685-1]
[https://ubuntu.com/security/notices/USN-4686-1]
[https://ubuntu.com/security/notices/USN-4880-1]
[https://ubuntu.com/security/notices/USN-5952-1]
CVE-2020-27845
CVE-2020-28032 on Ubuntu 26.04 LTS (resolute) - medium
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-11-02 21:15:00 UTC
CVE-2020-28032
CVE-2020-28033 on Ubuntu 26.04 LTS (resolute) - low
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-11-02 21:15:00 UTC
CVE-2020-28033
CVE-2020-28034 on Ubuntu 26.04 LTS (resolute) - medium
WordPress before 5.5.2 allows XSS associated with global variables.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-11-02 21:15:00 UTC
CVE-2020-28034
CVE-2020-28035 on Ubuntu 26.04 LTS (resolute) - medium
WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-11-02 21:15:00 UTC
CVE-2020-28035
CVE-2020-28036 on Ubuntu 26.04 LTS (resolute) - low
wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-11-02 21:15:00 UTC
CVE-2020-28036
CVE-2020-28037 on Ubuntu 26.04 LTS (resolute) - medium
is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-11-02 21:15:00 UTC
CVE-2020-28037
CVE-2020-28038 on Ubuntu 26.04 LTS (resolute) - medium
WordPress before 5.5.2 allows stored XSS via post slugs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-11-02 21:15:00 UTC
CVE-2020-28038
CVE-2020-28039 on Ubuntu 26.04 LTS (resolute) - medium
is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-11-02 21:15:00 UTC
CVE-2020-28039
CVE-2020-28040 on Ubuntu 26.04 LTS (resolute) - low
WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-11-02 21:15:00 UTC
CVE-2020-28040
CVE-2020-28086 on Ubuntu 26.04 LTS (resolute) - low
pass through 1.7.3 has a possibility of using a password for an unintended resource. For exploitation to occur, the user must do a git pull, decrypt a password, and log into a remote service with the password. If an attacker controls the central Git server or one of the other members' machines, and also controls one of the services already in the password store, they can rename one of the password files in the Git repository to something else: pass doesn't correctly verify that the content of a file matches the filename, so a user might be tricked into decrypting the wrong password and sending that to a service that the attacker controls. NOTE: for environments in which this threat model is of concern, signing commits can be a solution.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-12-09 19:15:00 UTC
CVE-2020-28086
CVE-2020-28168 on Ubuntu 26.04 LTS (resolute) - medium
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-11-06 20:15:00 UTC
Dima Ryskin
CVE-2020-28168
CVE-2020-28241 on Ubuntu 26.04 LTS (resolute) - medium
libmaxminddb before 1.4.3 has a heap-based buffer over-read in dump_entry_data_list in maxminddb.c.
Update Instructions:
Run `sudo pro fix CVE-2020-28241` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmaxminddb0 - 1.4.2-0ubuntu2
mmdb-bin - 1.4.2-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-11-06 05:15:00 UTC
2020-11-06 05:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973878
https://github.com/maxmind/libmaxminddb/issues/236
[https://ubuntu.com/security/notices/USN-4631-1]
[https://ubuntu.com/security/notices/USN-5751-1]
CVE-2020-28241
CVE-2020-28491 on Ubuntu 26.04 LTS (resolute) - medium
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-18 16:15:00 UTC
CVE-2020-28491
CVE-2020-28496 on Ubuntu 26.04 LTS (resolute) - medium
This affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC: var three = require('three') function build_blank (n) { var ret = "rgb(" for (var i = 0; i < n; i++) { ret += " " } return ret + ""; } var Color = three.Color var time = Date.now(); new Color(build_blank(50000)) var time_cost = Date.now() - time; console.log(time_cost+" ms")
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-18 15:15:00 UTC
CVE-2020-28496
CVE-2020-28498 on Ubuntu 26.04 LTS (resolute) - medium
The package elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-02 19:15:00 UTC
CVE-2020-28498
CVE-2020-28500 on Ubuntu 26.04 LTS (resolute) - medium
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-15 11:15:00 UTC
CVE-2020-28500
CVE-2020-28589 on Ubuntu 26.04 LTS (resolute) - medium
An improper array index validation vulnerability exists in the LoadObj functionality of tinyobjloader v2.0-rc1 and tinyobjloader development commit 79d4421. A specially crafted file could lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-11 13:15:00 UTC
CVE-2020-28589
CVE-2020-28594 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free vulnerability exists in the _3MF_Importer::_handle_end_model() functionality of Prusa Research PrusaSlicer 2.2.0 and Master (commit 4b040b856). A specially crafted 3MF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-17 20:15:00 UTC
CVE-2020-28594
CVE-2020-28595 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write vulnerability exists in the Obj.cpp load_obj() functionality of Prusa Research PrusaSlicer 2.2.0 and Master (commit 4b040b856). A specially crafted obj file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-10 22:15:00 UTC
CVE-2020-28595
CVE-2020-28596 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the Objparser::objparse() functionality of Prusa Research PrusaSlicer 2.2.0 and Master (commit 4b040b856). A specially crafted obj file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-10 22:15:00 UTC
CVE-2020-28596
CVE-2020-28598 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write vulnerability exists in the Admesh stl_fix_normal_directions() functionality of Prusa Research PrusaSlicer 2.2.0 and Master (commit 4b040b856). A specially crafted AMF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-08 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074415
CVE-2020-28598
CVE-2020-28600 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write vulnerability exists in the import_stl.cc:import_stl() functionality of Openscad openscad-2020.12-RC2. A specially crafted STL file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-10 20:15:00 UTC
CVE-2020-28600
CVE-2020-28713 on Ubuntu 26.04 LTS (resolute) - low
Incorrect access control in push notification service in Night Owl Smart Doorbell FW version 20190505 allows remote users to send push notification events via an exposed PNS server. A remote attacker can passively record push notification events which are sent over an insecure web request. The web service does not authenticate requests, and allows attackers to send an indefinite amount of motion or doorbell events to a user's mobile application by either replaying or deliberately crafting false events.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-06-08 19:15:00 UTC
CVE-2020-28713
CVE-2020-29002 on Ubuntu 26.04 LTS (resolute) - medium
includes/CologneBlueTemplate.php in the CologneBlue skin for MediaWiki through 1.35 allows XSS via a qbfind message supplied by an administrator.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-11-24 06:15:00 UTC
CVE-2020-29002
CVE-2020-29003 on Ubuntu 26.04 LTS (resolute) - medium
The PollNY extension for MediaWiki through 1.35 allows XSS via an answer option for a poll question, entered during Special:CreatePoll or Special:UpdatePoll.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-11-24 06:15:00 UTC
CVE-2020-29003
CVE-2020-29260 on Ubuntu 26.04 LTS (resolute) - low
libvncclient v0.9.13 was discovered to contain a memory leak via the function rfbClientCleanup().
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-02 23:15:00 UTC
CVE-2020-29260
CVE-2020-29396 on Ubuntu 26.04 LTS (resolute) - medium
A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-22 17:15:00 UTC
CVE-2020-29396
CVE-2020-29443 on Ubuntu 26.04 LTS (resolute) - low
ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated.
Update Instructions:
Run `sudo pro fix CVE-2020-29443` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:6.0+dfsg-1~ubuntu3
qemu-block-supplemental - 1:6.0+dfsg-1~ubuntu3
qemu-guest-agent - 1:6.0+dfsg-1~ubuntu3
qemu-system - 1:6.0+dfsg-1~ubuntu3
qemu-system-arm - 1:6.0+dfsg-1~ubuntu3
qemu-system-common - 1:6.0+dfsg-1~ubuntu3
qemu-system-data - 1:6.0+dfsg-1~ubuntu3
qemu-system-gui - 1:6.0+dfsg-1~ubuntu3
qemu-system-mips - 1:6.0+dfsg-1~ubuntu3
qemu-system-misc - 1:6.0+dfsg-1~ubuntu3
qemu-system-modules-opengl - 1:6.0+dfsg-1~ubuntu3
qemu-system-modules-spice - 1:6.0+dfsg-1~ubuntu3
qemu-system-ppc - 1:6.0+dfsg-1~ubuntu3
qemu-system-riscv - 1:6.0+dfsg-1~ubuntu3
qemu-system-s390x - 1:6.0+dfsg-1~ubuntu3
qemu-system-sparc - 1:6.0+dfsg-1~ubuntu3
qemu-system-x86 - 1:6.0+dfsg-1~ubuntu3
qemu-system-x86-xen - 1:6.0+dfsg-1~ubuntu3
qemu-system-xen - 1:6.0+dfsg-1~ubuntu3
qemu-user - 1:6.0+dfsg-1~ubuntu3
qemu-user-binfmt - 1:6.0+dfsg-1~ubuntu3
qemu-utils - 1:6.0+dfsg-1~ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-01-26 18:15:00 UTC
2021-01-26 18:15:00 UTC
Wenxiang Qian
[https://ubuntu.com/security/notices/USN-4725-1]
[https://ubuntu.com/security/notices/USN-5010-1]
CVE-2020-29443
CVE-2020-29582 on Ubuntu 26.04 LTS (resolute) - medium
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-03 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001037
CVE-2020-29582
CVE-2020-29652 on Ubuntu 26.04 LTS (resolute) - medium
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
Update Instructions:
Run `sudo pro fix CVE-2020-29652` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
golang-golang-x-crypto-dev - 1:0.0~git20201221.eec23a3-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-17 05:15:00 UTC
CVE-2020-29652
CVE-2020-35132 on Ubuntu 26.04 LTS (resolute) - medium
An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-11 05:15:00 UTC
Andy Gu
https://bugs.launchpad.net/ubuntu/+source/phpldapadmin/+bug/1906474
CVE-2020-35132
CVE-2020-35269 on Ubuntu 26.04 LTS (resolute) - medium
Nagios Core application version 4.2.4 is vulnerable to Site-Wide Cross-Site Request Forgery (CSRF) in many functions, like adding – deleting for hosts or servers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-23 19:15:00 UTC
CVE-2020-35269
CVE-2020-35359 on Ubuntu 26.04 LTS (resolute) - medium
Pure-FTPd 1.0.48 allows remote attackers to prevent legitimate server use by making enough connections to exceed the connection limit.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-26 05:15:00 UTC
CVE-2020-35359
CVE-2020-35376 on Ubuntu 26.04 LTS (resolute) - medium
Xpdf 4.02 allows stack consumption because of an incorrect subroutine reference in a Type 1C font charstring, related to the FoFiType1C::getOp() function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-26 04:15:00 UTC
CVE-2020-35376
CVE-2020-35459 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges.
Update Instructions:
Run `sudo pro fix CVE-2020-35459` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
crmsh - 4.2.1-2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-01-12 12:00:00 UTC
2021-01-12 12:00:00 UTC
Vincent Berg
[https://ubuntu.com/security/notices/USN-6711-1]
CVE-2020-35459
CVE-2020-35474 on Ubuntu 26.04 LTS (resolute) - medium
In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki so that the output is raw HTML.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-18 08:15:00 UTC
CVE-2020-35474
CVE-2020-35475 on Ubuntu 26.04 LTS (resolute) - medium
In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side has unchangeable groups in it. (The right column with the changeable groups is not affected and is escaped correctly.)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-18 08:15:00 UTC
CVE-2020-35475
CVE-2020-35477 on Ubuntu 26.04 LTS (resolute) - medium
MediaWiki before 1.35.1 blocks legitimate attempts to hide log entries in some situations. If one sets MediaWiki:Mainpage to Special:MyLanguage/Main Page, visits a log entry on Special:Log, and toggles the "Change visibility of selected log entries" checkbox (or a tags checkbox) next to it, there is a redirection to the main page's action=historysubmit (instead of the desired behavior in which a revision-deletion form appears).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-18 08:15:00 UTC
CVE-2020-35477
CVE-2020-35478 on Ubuntu 26.04 LTS (resolute) - medium
MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-18 08:15:00 UTC
CVE-2020-35478
CVE-2020-35479 on Ubuntu 26.04 LTS (resolute) - medium
MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-18 08:15:00 UTC
CVE-2020-35479
CVE-2020-35480 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don't exist) and hidden users (accounts that have been explicitly hidden due to being abusive, or similar) that the viewer cannot see are handled differently, exposing sensitive information about the hidden status to unprivileged viewers. This exists on various code paths.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-18 08:15:00 UTC
CVE-2020-35480
CVE-2020-35490 on Ubuntu 26.04 LTS (resolute) - medium
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-17 19:15:00 UTC
CVE-2020-35490
CVE-2020-35491 on Ubuntu 26.04 LTS (resolute) - medium
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-17 19:15:00 UTC
CVE-2020-35491
CVE-2020-35501 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in the Linux kernel's implementation of audit rules, where a syscall can unexpectedly not be correctly logged by the audit subsystem.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-03-30 16:15:00 UTC
Felix Kosterhon
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-35501
https://github.com/linux-audit/audit-kernel/issues/9
CVE-2020-35501
CVE-2020-35503 on Ubuntu 26.04 LTS (resolute) - low
A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-06-02 14:15:00 UTC
Cheolwoo Myung
https://bugzilla.redhat.com/show_bug.cgi?id=1910346
CVE-2020-35503
CVE-2020-35504 on Ubuntu 26.04 LTS (resolute) - low
A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Update Instructions:
Run `sudo pro fix CVE-2020-35504` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:6.0+dfsg-1~ubuntu3
qemu-block-supplemental - 1:6.0+dfsg-1~ubuntu3
qemu-guest-agent - 1:6.0+dfsg-1~ubuntu3
qemu-system - 1:6.0+dfsg-1~ubuntu3
qemu-system-arm - 1:6.0+dfsg-1~ubuntu3
qemu-system-common - 1:6.0+dfsg-1~ubuntu3
qemu-system-data - 1:6.0+dfsg-1~ubuntu3
qemu-system-gui - 1:6.0+dfsg-1~ubuntu3
qemu-system-mips - 1:6.0+dfsg-1~ubuntu3
qemu-system-misc - 1:6.0+dfsg-1~ubuntu3
qemu-system-modules-opengl - 1:6.0+dfsg-1~ubuntu3
qemu-system-modules-spice - 1:6.0+dfsg-1~ubuntu3
qemu-system-ppc - 1:6.0+dfsg-1~ubuntu3
qemu-system-riscv - 1:6.0+dfsg-1~ubuntu3
qemu-system-s390x - 1:6.0+dfsg-1~ubuntu3
qemu-system-sparc - 1:6.0+dfsg-1~ubuntu3
qemu-system-x86 - 1:6.0+dfsg-1~ubuntu3
qemu-system-x86-xen - 1:6.0+dfsg-1~ubuntu3
qemu-system-xen - 1:6.0+dfsg-1~ubuntu3
qemu-user - 1:6.0+dfsg-1~ubuntu3
qemu-user-binfmt - 1:6.0+dfsg-1~ubuntu3
qemu-utils - 1:6.0+dfsg-1~ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-28 11:15:00 UTC
2021-05-28 11:15:00 UTC
Cheolwoo Myung
https://bugzilla.redhat.com/show_bug.cgi?id=1909766
https://bugs.launchpad.net/qemu/+bug/1910723
[https://ubuntu.com/security/notices/USN-5010-1]
CVE-2020-35504
CVE-2020-35505 on Ubuntu 26.04 LTS (resolute) - low
A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Update Instructions:
Run `sudo pro fix CVE-2020-35505` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:6.0+dfsg-1~ubuntu3
qemu-block-supplemental - 1:6.0+dfsg-1~ubuntu3
qemu-guest-agent - 1:6.0+dfsg-1~ubuntu3
qemu-system - 1:6.0+dfsg-1~ubuntu3
qemu-system-arm - 1:6.0+dfsg-1~ubuntu3
qemu-system-common - 1:6.0+dfsg-1~ubuntu3
qemu-system-data - 1:6.0+dfsg-1~ubuntu3
qemu-system-gui - 1:6.0+dfsg-1~ubuntu3
qemu-system-mips - 1:6.0+dfsg-1~ubuntu3
qemu-system-misc - 1:6.0+dfsg-1~ubuntu3
qemu-system-modules-opengl - 1:6.0+dfsg-1~ubuntu3
qemu-system-modules-spice - 1:6.0+dfsg-1~ubuntu3
qemu-system-ppc - 1:6.0+dfsg-1~ubuntu3
qemu-system-riscv - 1:6.0+dfsg-1~ubuntu3
qemu-system-s390x - 1:6.0+dfsg-1~ubuntu3
qemu-system-sparc - 1:6.0+dfsg-1~ubuntu3
qemu-system-x86 - 1:6.0+dfsg-1~ubuntu3
qemu-system-x86-xen - 1:6.0+dfsg-1~ubuntu3
qemu-system-xen - 1:6.0+dfsg-1~ubuntu3
qemu-user - 1:6.0+dfsg-1~ubuntu3
qemu-user-binfmt - 1:6.0+dfsg-1~ubuntu3
qemu-utils - 1:6.0+dfsg-1~ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-28 11:15:00 UTC
2021-05-28 11:15:00 UTC
Cheolwoo Myung
https://bugzilla.redhat.com/show_bug.cgi?id=1909769
https://bugs.launchpad.net/qemu/+bug/1910723
[https://ubuntu.com/security/notices/USN-5010-1]
CVE-2020-35505
CVE-2020-35511 on Ubuntu 26.04 LTS (resolute) - medium
A global buffer overflow was discovered in pngcheck function in pngcheck-2.4.0(5 patches applied) via a crafted png file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-23 20:15:00 UTC
2022-08-23 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6182-1]
CVE-2020-35511
CVE-2020-35530 on Ubuntu 26.04 LTS (resolute) - medium
In LibRaw, there is an out-of-bounds write vulnerability within the "new_node()" function (libraw\src\x3f\x3f_utils_patched.cpp) that can be triggered via a crafted X3F file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-01 18:15:00 UTC
2022-09-01 18:15:00 UTC
https://github.com/LibRaw/LibRaw/issues/272
[https://ubuntu.com/security/notices/USN-5715-1]
[https://ubuntu.com/security/notices/USN-7266-1]
CVE-2020-35530
CVE-2020-35531 on Ubuntu 26.04 LTS (resolute) - medium
In LibRaw, an out-of-bounds read vulnerability exists within the get_huffman_diff() function (libraw\src\x3f\x3f_utils_patched.cpp) when reading data from an image file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-01 18:15:00 UTC
2022-09-01 18:15:00 UTC
https://github.com/LibRaw/LibRaw/issues/270
[https://ubuntu.com/security/notices/USN-5715-1]
[https://ubuntu.com/security/notices/USN-7266-1]
CVE-2020-35531
CVE-2020-35532 on Ubuntu 26.04 LTS (resolute) - medium
In LibRaw, an out-of-bounds read vulnerability exists within the "simple_decode_row()" function (libraw\src\x3f\x3f_utils_patched.cpp) which can be triggered via an image with a large row_stride field.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-01 18:15:00 UTC
2022-09-01 18:15:00 UTC
https://github.com/LibRaw/LibRaw/issues/271
[https://ubuntu.com/security/notices/USN-5715-1]
[https://ubuntu.com/security/notices/USN-7266-1]
CVE-2020-35532
CVE-2020-35533 on Ubuntu 26.04 LTS (resolute) - medium
In LibRaw, an out-of-bounds read vulnerability exists within the "LibRaw::adobe_copy_pixel()" function (libraw\src\decoders\dng.cpp) when reading data from the image file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-01 18:15:00 UTC
2022-09-01 18:15:00 UTC
https://github.com/LibRaw/LibRaw/issues/273
[https://ubuntu.com/security/notices/USN-5715-1]
[https://ubuntu.com/security/notices/USN-7266-1]
CVE-2020-35533
CVE-2020-35534 on Ubuntu 26.04 LTS (resolute) - medium
In LibRaw, there is a memory corruption vulnerability within the "crxFreeSubbandData()" function (libraw\src\decoders\crx.cpp) when processing cr3 files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-01 18:15:00 UTC
https://github.com/LibRaw/LibRaw/issues/279
CVE-2020-35534
CVE-2020-35535 on Ubuntu 26.04 LTS (resolute) - medium
In LibRaw, there is an out-of-bounds read vulnerability within the "LibRaw::parseSonySRF()" function (libraw\src\metadata\sony.cpp) when processing srf files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-01 18:15:00 UTC
https://github.com/LibRaw/LibRaw/issues/283
CVE-2020-35535
CVE-2020-35652 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in res_pjsip_diversion.c in Sangoma Asterisk before 13.38.0, 14.x through 16.x before 16.15.0, 17.x before 17.9.0, and 18.x before 18.1.0. A crash can occur when a SIP message is received with a History-Info header that contains a tel-uri, or when a SIP 181 response is received that contains a tel-uri in the Diversion header.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-01-29 08:15:00 UTC
CVE-2020-35652
CVE-2020-35678 on Ubuntu 26.04 LTS (resolute) - medium
Autobahn|Python before 20.12.3 allows redirect header injection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-27 00:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978416
CVE-2020-35678
CVE-2020-35679 on Ubuntu 26.04 LTS (resolute) - medium
smtpd/table.c in OpenSMTPD before 6.8.0p1 lacks a certain regfree, which might allow attackers to trigger a "very significant" memory leak via messages to an instance that performs many regex lookups.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-24 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978038
CVE-2020-35679
CVE-2020-35680 on Ubuntu 26.04 LTS (resolute) - medium
smtpd/lka_filter.c in OpenSMTPD before 6.8.0p1, in certain configurations, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted pattern of client activity, because the filter state machine does not properly maintain the I/O channel between the SMTP engine and the filters layer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-24 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978039
CVE-2020-35680
CVE-2020-35728 on Ubuntu 26.04 LTS (resolute) - medium
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-27 05:15:00 UTC
CVE-2020-35728
CVE-2020-35766 on Ubuntu 26.04 LTS (resolute) - medium
The test suite in libopendkim in OpenDKIM through 2.10.3 allows local users to gain privileges via a symlink attack against the /tmp/testkeys file (related to t-testdata.h, t-setup.c, and t-cleanup.c). NOTE: this is applicable to persons who choose to engage in the "A number of self-test programs are included here for unit-testing the library" situation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-28 20:15:00 UTC
CVE-2020-35766
CVE-2020-35776 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow in res_pjsip_diversion.c in Sangoma Asterisk versions 13.38.1, 16.15.1, 17.9.1, and 18.1.1 allows a remote attacker to crash Asterisk by deliberately misusing SIP 181 responses.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-18 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983158
CVE-2020-35776
CVE-2020-36049 on Ubuntu 26.04 LTS (resolute) - medium
socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-01-08 00:15:00 UTC
CVE-2020-36049
CVE-2020-36120 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow in the "sixel_encoder_encode_bytes" function of Libsixel v1.8.6 allows attackers to cause a Denial of Service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-14 14:15:00 UTC
CVE-2020-36120
CVE-2020-36177 on Ubuntu 26.04 LTS (resolute) - medium
RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-01-06 16:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/wolfssl/+bug/1914474
CVE-2020-36177
CVE-2020-36179 on Ubuntu 26.04 LTS (resolute) - low
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-01-07 00:15:00 UTC
CVE-2020-36179
CVE-2020-36180 on Ubuntu 26.04 LTS (resolute) - low
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-01-07 00:15:00 UTC
CVE-2020-36180
CVE-2020-36181 on Ubuntu 26.04 LTS (resolute) - low
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-01-06 23:15:00 UTC
CVE-2020-36181
CVE-2020-36182 on Ubuntu 26.04 LTS (resolute) - low
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-01-07 00:15:00 UTC
CVE-2020-36182
CVE-2020-36183 on Ubuntu 26.04 LTS (resolute) - low
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-01-07 00:15:00 UTC
CVE-2020-36183
CVE-2020-36184 on Ubuntu 26.04 LTS (resolute) - low
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-01-06 23:15:00 UTC
CVE-2020-36184
CVE-2020-36185 on Ubuntu 26.04 LTS (resolute) - low
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-01-06 23:15:00 UTC
CVE-2020-36185
CVE-2020-36186 on Ubuntu 26.04 LTS (resolute) - low
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-01-06 23:15:00 UTC
CVE-2020-36186
CVE-2020-36187 on Ubuntu 26.04 LTS (resolute) - low
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-01-06 23:15:00 UTC
CVE-2020-36187
CVE-2020-36188 on Ubuntu 26.04 LTS (resolute) - low
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-01-06 23:15:00 UTC
CVE-2020-36188
CVE-2020-36189 on Ubuntu 26.04 LTS (resolute) - low
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-01-06 23:15:00 UTC
CVE-2020-36189
CVE-2020-36191 on Ubuntu 26.04 LTS (resolute) - medium
JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-01-13 04:15:00 UTC
CVE-2020-36191
CVE-2020-36332 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in libwebp in versions before 1.0.1. When reading a file libwebp allocates an excessive amount of memory. The highest threat from this vulnerability is to the service availability.
Update Instructions:
Run `sudo pro fix CVE-2020-36332` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libsharpyuv0 - 0.6.1-2ubuntu1
libwebp7 - 0.6.1-2ubuntu1
libwebpdecoder3 - 0.6.1-2ubuntu1
libwebpdemux2 - 0.6.1-2ubuntu1
libwebpmux3 - 0.6.1-2ubuntu1
webp - 0.6.1-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-12-31 00:00:00 UTC
2020-12-31 00:00:00 UTC
https://bugs.chromium.org/p/webp/issues/detail?id=391
[https://ubuntu.com/security/notices/USN-4971-1]
CVE-2020-36332
CVE-2020-36518 on Ubuntu 26.04 LTS (resolute) - medium
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-11 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007109
CVE-2020-36518
CVE-2020-36599 on Ubuntu 26.04 LTS (resolute) - medium
lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-18 23:15:00 UTC
CVE-2020-36599
CVE-2020-36632 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 is able to address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-25 20:15:00 UTC
CVE-2020-36632
CVE-2020-36641 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic was found in gturri aXMLRPC up to 1.12.0. This vulnerability affects the function ResponseParser of the file src/main/java/de/timroes/axmlrpc/ResponseParser.java. The manipulation leads to xml external entity reference. Upgrading to version 1.14.0 is able to address this issue. The patch is identified as 456752ebc1ef4c0db980cb5b01a0b3cd0a9e0bae. It is recommended to upgrade the affected component. VDB-217450 is the identifier assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-05 12:15:00 UTC
CVE-2020-36641
CVE-2020-36649 on Ubuntu 26.04 LTS (resolute) - negligible
A vulnerability was found in mholt PapaParse up to 5.1.x. It has been classified as problematic. Affected is an unknown function of the file papaparse.js. The manipulation leads to inefficient regular expression complexity. Upgrading to version 5.2.0 is able to address this issue. The name of the patch is 235a12758cd77266d2e98fd715f53536b34ad621. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218004.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2023 Canonical Ltd.
2023-01-11 15:15:00 UTC
CVE-2020-36649
CVE-2020-36657 on Ubuntu 26.04 LTS (resolute) - medium
uptimed before 0.4.6-r1 on Gentoo allows local users (with access to the uptimed user account) to gain root privileges by creating a hard link within the /var/spool/uptimed directory, because there is an unsafe chown -R call.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-26 21:15:00 UTC
CVE-2020-36657
CVE-2020-36843 on Ubuntu 26.04 LTS (resolute) - medium
The implementation of EdDSA in EdDSA-Java (aka ed25519-java) through 0.3.0 exhibits signature malleability and does not satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message Attacks) property. This allows attackers to create new valid signatures different from previous signatures for a known message.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-13 06:15:00 UTC
CVE-2020-36843
CVE-2020-36846 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library. Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your IO::Compress::Brotli module to 0.007 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-30 01:15:00 UTC
CVE-2020-36846
CVE-2020-36968 on Ubuntu 26.04 LTS (resolute) - medium
M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for all users.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-28 18:16:00 UTC
CVE-2020-36968
CVE-2020-36969 on Ubuntu 26.04 LTS (resolute) - medium
M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. Attackers can send a POST request to the /api/1/admin/users/update endpoint with a crafted payload to grant administrative access to a standard user account.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-28 18:16:00 UTC
CVE-2020-36969
CVE-2020-37011 on Ubuntu 26.04 LTS (resolute) - medium
Gnome Fonts Viewer 3.34.0 contains a heap corruption vulnerability that allows attackers to trigger an out-of-bounds write by crafting a malicious TTF font file. Attackers can generate a specially crafted TTF file with an oversized pattern to cause an infinite malloc() loop and potentially crash the gnome-font-viewer process.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-29 15:16:00 UTC
CVE-2020-37011
CVE-2020-37038 on Ubuntu 26.04 LTS (resolute) - medium
Code Blocks 20.03 contains a denial of service vulnerability that allows attackers to crash the application by manipulating input in the FSymbols search field. Attackers can paste a large payload of 5000 repeated characters into the search field to trigger an application crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-30 23:16:00 UTC
CVE-2020-37038
CVE-2020-37040 on Ubuntu 26.04 LTS (resolute) - medium
Code Blocks 17.12 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting a malicious file name with Unicode characters. Attackers can trigger the vulnerability by pasting a specially crafted payload into the file name field during project creation, potentially executing system commands like calc.exe.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-30 23:16:00 UTC
CVE-2020-37040
CVE-2020-37121 on Ubuntu 26.04 LTS (resolute) - medium
CODE::BLOCKS 16.01 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting Structured Exception Handler with crafted Unicode characters. Attackers can create a malicious M3U playlist file with 536 bytes of buffer and shellcode to trigger remote code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-05 17:16:00 UTC
CVE-2020-37121
CVE-2020-37182 on Ubuntu 26.04 LTS (resolute) - high
Redir 3.3 contains a stack overflow vulnerability in the doproxyconnect() function that allows attackers to crash the application by sending oversized input. Attackers can exploit the sprintf() buffer without proper length checking to overwrite memory and cause a segmentation fault, resulting in program termination.
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-02-11 21:16:00 UTC
CVE-2020-37182
CVE-2020-37239 on Ubuntu 26.04 LTS (resolute) - medium
libbabl 0.1.62 contains a broken double free detection vulnerability that allows attackers to bypass memory safety checks by exploiting signature overwriting in freed chunks. Attackers can call babl_free() twice on the same pointer without triggering detection, as libc's malloc metadata overwrites babl's signature field upon freeing, enabling potential memory corruption and code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-16 16:16:00 UTC
CVE-2020-37239
CVE-2020-5208 on Ubuntu 26.04 LTS (resolute) - medium
It's been found that multiple functions in ipmitool before 1.8.19 neglect proper checking of the data received from a remote LAN party, which may lead to buffer overflows and potentially to remote code execution on the ipmitool side. This is especially dangerous if ipmitool is run as a privileged user. This problem is fixed in version 1.8.19.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-02-05 14:15:00 UTC
2020-02-05 14:15:00 UTC
[https://ubuntu.com/security/notices/USN-5997-1]
CVE-2020-5208
CVE-2020-5238 on Ubuntu 26.04 LTS (resolute) - low
The table extension in GitHub Flavored Markdown before version 0.29.0.gfm.1 takes O(n * n) time to parse certain inputs. An attacker could craft a markdown table which would take an unreasonably long time to process, causing a denial of service. This issue does not affect the upstream cmark project. The issue has been fixed in version 0.29.0.gfm.1.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-07-01 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965984
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965983
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965981
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965982
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965980
CVE-2020-5238
CVE-2020-5243 on Ubuntu 26.04 LTS (resolute) - medium
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This has been patched in uap-core 0.7.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-02-21 00:15:00 UTC
CVE-2020-5243
CVE-2020-5397 on Ubuntu 26.04 LTS (resolute) - medium
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-17 19:15:00 UTC
CVE-2020-5397
CVE-2020-5398 on Ubuntu 26.04 LTS (resolute) - medium
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-17 00:15:00 UTC
CVE-2020-5398
CVE-2020-5421 on Ubuntu 26.04 LTS (resolute) - medium
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-09-19 04:15:00 UTC
CVE-2020-5421
CVE-2020-5504 on Ubuntu 26.04 LTS (resolute) - medium
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-09 22:15:00 UTC
2020-01-09 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-4639-1]
[https://ubuntu.com/security/notices/USN-4843-1]
CVE-2020-5504
CVE-2020-5991 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit, all versions prior to 11.1.1, contains a vulnerability in the NVJPEG library in which an out-of-bounds read or write operation may lead to code execution, denial of service, or information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-30 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973543
CVE-2020-5991
CVE-2020-6070 on Ubuntu 26.04 LTS (resolute) - medium
An exploitable code execution vulnerability exists in the file system checking functionality of fsck.f2fs 1.12.0. A specially crafted f2fs file can cause a logic flaw and out-of-bounds heap operations, resulting in code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-08-10 14:15:00 UTC
CVE-2020-6070
CVE-2020-6096 on Ubuntu 26.04 LTS (resolute) - low
An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.
Update Instructions:
Run `sudo pro fix CVE-2020-6096` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
glibc-source - 2.32-0ubuntu3
libc-bin - 2.32-0ubuntu3
libc6 - 2.32-0ubuntu3
libc6-amd64 - 2.32-0ubuntu3
libc6-i386 - 2.32-0ubuntu3
libc6-x32 - 2.32-0ubuntu3
locales - 2.32-0ubuntu3
locales-all - 2.32-0ubuntu3
nscd - 2.32-0ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-04-01 22:15:00 UTC
2020-04-01 22:15:00 UTC
Jason Royes and Samuel Dytrych
https://sourceware.org/bugzilla/show_bug.cgi?id=25620
[https://ubuntu.com/security/notices/USN-4954-1]
[https://ubuntu.com/security/notices/USN-5310-1]
CVE-2020-6096
CVE-2020-6098 on Ubuntu 26.04 LTS (resolute) - medium
An exploitable denial of service vulnerability exists in the freeDiameter functionality of freeDiameter 1.3.2. A specially crafted Diameter request can trigger a memory corruption resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-07-28 22:15:00 UTC
CVE-2020-6098
CVE-2020-6104 on Ubuntu 26.04 LTS (resolute) - medium
An exploitable information disclosure vulnerability exists in the get_dnode_of_data functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause information disclosure resulting in an information disclosure. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-15 15:15:00 UTC
CVE-2020-6104
CVE-2020-6105 on Ubuntu 26.04 LTS (resolute) - medium
An exploitable code execution vulnerability exists in the multiple devices functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause Information overwrite resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-15 15:15:00 UTC
CVE-2020-6105
CVE-2020-6106 on Ubuntu 26.04 LTS (resolute) - medium
An exploitable information disclosure vulnerability exists in the init_node_manager functionality of F2fs-Tools F2fs.Fsck 1.12 and 1.13. A specially crafted filesystem can be used to disclose information. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-15 15:15:00 UTC
CVE-2020-6106
CVE-2020-6107 on Ubuntu 26.04 LTS (resolute) - medium
An exploitable information disclosure vulnerability exists in the dev_read functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause an uninitialized read resulting in an information disclosure. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-15 15:15:00 UTC
CVE-2020-6107
CVE-2020-6108 on Ubuntu 26.04 LTS (resolute) - medium
An exploitable code execution vulnerability exists in the fsck_chk_orphan_node functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause a heap buffer overflow resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-10-15 15:15:00 UTC
CVE-2020-6108
CVE-2020-6617 on Ubuntu 26.04 LTS (resolute) - medium
stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff_int.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-08 23:15:00 UTC
CVE-2020-6617
CVE-2020-6618 on Ubuntu 26.04 LTS (resolute) - medium
stb stb_truetype.h through 1.22 has a heap-based buffer over-read in stbtt__find_table.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-08 23:15:00 UTC
CVE-2020-6618
CVE-2020-6619 on Ubuntu 26.04 LTS (resolute) - medium
stb stb_truetype.h through 1.22 has an assertion failure in stbtt__buf_seek.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-08 23:15:00 UTC
CVE-2020-6619
CVE-2020-6620 on Ubuntu 26.04 LTS (resolute) - medium
stb stb_truetype.h through 1.22 has a heap-based buffer over-read in stbtt__buf_get8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-08 23:15:00 UTC
CVE-2020-6620
CVE-2020-6621 on Ubuntu 26.04 LTS (resolute) - medium
stb stb_truetype.h through 1.22 has a heap-based buffer over-read in ttUSHORT.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-08 23:15:00 UTC
CVE-2020-6621
CVE-2020-6622 on Ubuntu 26.04 LTS (resolute) - medium
stb stb_truetype.h through 1.22 has a heap-based buffer over-read in stbtt__buf_peek8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-08 23:15:00 UTC
CVE-2020-6622
CVE-2020-6623 on Ubuntu 26.04 LTS (resolute) - medium
stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff_get_index.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-08 23:15:00 UTC
CVE-2020-6623
CVE-2020-6838 on Ubuntu 26.04 LTS (resolute) - medium
In mruby 2.1.0, there is a use-after-free in hash_values_at in mrbgems/mruby-hash-ext/src/hash-ext.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-11 03:15:00 UTC
CVE-2020-6838
CVE-2020-6839 on Ubuntu 26.04 LTS (resolute) - medium
In mruby 2.1.0, there is a stack-based buffer overflow in mrb_str_len_to_dbl in string.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-11 03:15:00 UTC
CVE-2020-6839
CVE-2020-6840 on Ubuntu 26.04 LTS (resolute) - medium
In mruby 2.1.0, there is a use-after-free in hash_slice in mrbgems/mruby-hash-ext/src/hash-ext.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-11 03:15:00 UTC
CVE-2020-6840
CVE-2020-6851 on Ubuntu 26.04 LTS (resolute) - medium
OpenJPEG through 2.3.1 has a heap-based buffer overflow in opj_t1_clbl_decode_processor in openjp2/t1.c because of lack of opj_j2k_update_image_dimensions validation.
Update Instructions:
Run `sudo pro fix CVE-2020-6851` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenjp2-7 - 2.3.1-1ubuntu4
libopenjp2-tools - 2.3.1-1ubuntu4
libopenjpip-dec-server - 2.3.1-1ubuntu4
libopenjpip-viewer - 2.3.1-1ubuntu4
libopenjpip7 - 2.3.1-1ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-13 06:15:00 UTC
2020-01-13 06:15:00 UTC
https://github.com/uclouvain/openjpeg/issues/1228
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950000
[https://ubuntu.com/security/notices/USN-4686-1]
[https://ubuntu.com/security/notices/USN-4497-1]
[https://ubuntu.com/security/notices/USN-5952-1]
CVE-2020-6851
CVE-2020-7692 on Ubuntu 26.04 LTS (resolute) - medium
PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-07-09 14:15:00 UTC
CVE-2020-7692
CVE-2020-7694 on Ubuntu 26.04 LTS (resolute) - medium
This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ANSI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths, attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either in real time or from a file).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-07-27 12:15:00 UTC
CVE-2020-7694
CVE-2020-7695 on Ubuntu 26.04 LTS (resolute) - medium
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-07-27 12:15:00 UTC
CVE-2020-7695
CVE-2020-7733 on Ubuntu 26.04 LTS (resolute) - low
The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-09-16 14:15:00 UTC
CVE-2020-7733
CVE-2020-7788 on Ubuntu 26.04 LTS (resolute) - medium
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-12-11 11:15:00 UTC
CVE-2020-7788
CVE-2020-7904 on Ubuntu 26.04 LTS (resolute) - medium
In JetBrains IntelliJ IDEA before 2019.3, some Maven repositories were accessed via HTTP instead of HTTPS.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-30 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747616
CVE-2020-7904
CVE-2020-7905 on Ubuntu 26.04 LTS (resolute) - medium
Ports listened to by JetBrains IntelliJ IDEA before 2019.3 were exposed to the network.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-30 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747616
CVE-2020-7905
CVE-2020-7914 on Ubuntu 26.04 LTS (resolute) - medium
In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfiguration allows arbitrary file read operations over the network. This issue was fixed in 2019.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-31 13:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747616
CVE-2020-7914
CVE-2020-7943 on Ubuntu 26.04 LTS (resolute) - medium
Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints. For PuppetDB this may contain things like hostnames. Puppet Server reports resource names and titles for defined types (which may contain sensitive information) as well as function names and class names. Previously, these endpoints were open to the local network. PE 2018.1.13 & 2019.5.0, Puppet Server 6.9.2 & 5.3.12, and PuppetDB 6.9.1 & 5.2.13 disable trapperkeeper-metrics /v1 metrics API and only allows /v2 access on localhost by default. This affects software versions: Puppet Enterprise 2018.1.x stream prior to 2018.1.13 Puppet Enterprise prior to 2019.5.0 Puppet Server prior to 6.9.2 Puppet Server prior to 5.3.12 PuppetDB prior to 6.9.1 PuppetDB prior to 5.2.13 Resolved in: Puppet Enterprise 2018.1.13 Puppet Enterprise 2019.5.0 Puppet Server 6.9.2 Puppet Server 5.3.12 PuppetDB 6.9.1 PuppetDB 5.2.13
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-03-11 23:15:00 UTC
CVE-2020-7943
CVE-2020-7993 on Ubuntu 26.04 LTS (resolute) - medium
Prototype 1.6.0.1 allows remote authenticated users to forge ticket creation (on behalf of other user accounts) via a modified email ID field.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-02-03 15:15:00 UTC
CVE-2020-7993
CVE-2020-8020 on Ubuntu 26.04 LTS (resolute) - medium
An Improper Neutralization of Input During Web Page Generation vulnerability in open-build-service allows remote attackers to store arbitrary JS code to cause XSS. This issue affects: openSUSE open-build-service versions prior to 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-05-13 15:15:00 UTC
CVE-2020-8020
CVE-2020-8021 on Ubuntu 26.04 LTS (resolute) - medium
An Improper Access Control vulnerability in Open Build Service allows remote attackers to read files of an OBS package where the sourceaccess/access is disabled. This issue affects: Open Build Service versions prior to 2.10.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-05-19 15:15:00 UTC
CVE-2020-8021
CVE-2020-8024 on Ubuntu 26.04 LTS (resolute) - low
An Incorrect Default Permissions vulnerability in the packaging of hylafax+ of openSUSE Leap 15.2, openSUSE Leap 15.1, openSUSE Factory allows local attackers to escalate from user uucp to users calling hylafax binaries. This issue affects: openSUSE Leap 15.2 hylafax+ versions prior to 7.0.2-lp152.2.1. openSUSE Leap 15.1 hylafax+ version 5.6.1-lp151.3.7 and prior versions. openSUSE Factory hylafax+ versions prior to 7.0.2-2.1.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-06-29 08:15:00 UTC
CVE-2020-8024
CVE-2020-8031 on Ubuntu 26.04 LTS (resolute) - medium
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Open Build Service allows remote attackers to store JS code in markdown that is not properly escaped, impacting confidentiality and integrity. This issue affects: Open Build Service versions prior to 2.10.8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-11 15:15:00 UTC
CVE-2020-8031
CVE-2020-8112 on Ubuntu 26.04 LTS (resolute) - medium
opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through 2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a different issue than CVE-2020-6851.
Update Instructions:
Run `sudo pro fix CVE-2020-8112` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenjp2-7 - 2.3.1-1ubuntu4
libopenjp2-tools - 2.3.1-1ubuntu4
libopenjpip-dec-server - 2.3.1-1ubuntu4
libopenjpip-viewer - 2.3.1-1ubuntu4
libopenjpip7 - 2.3.1-1ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-01-28 18:15:00 UTC
2020-01-28 18:15:00 UTC
https://github.com/uclouvain/openjpeg/issues/1231
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950184
[https://ubuntu.com/security/notices/USN-4686-1]
[https://ubuntu.com/security/notices/USN-4497-1]
[https://ubuntu.com/security/notices/USN-5952-1]
CVE-2020-8112
CVE-2020-8151 on Ubuntu 26.04 LTS (resolute) - medium
There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-05-12 13:15:00 UTC
CVE-2020-8151
CVE-2020-8163 on Ubuntu 26.04 LTS (resolute) - medium
There is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the `locals` argument of a `render` call to perform an RCE.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-07-02 19:15:00 UTC
CVE-2020-8163
CVE-2020-8178 on Ubuntu 26.04 LTS (resolute) - medium
Insufficient input validation in npm package `jison` <= 0.4.18 may lead to OS command injection attacks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-07-15 17:15:00 UTC
CVE-2020-8178
CVE-2020-8185 on Ubuntu 26.04 LTS (resolute) - medium
A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-07-02 19:15:00 UTC
CVE-2020-8185
CVE-2020-8203 on Ubuntu 26.04 LTS (resolute) - medium
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-07-15 17:15:00 UTC
CVE-2020-8203
CVE-2020-8597 on Ubuntu 26.04 LTS (resolute) - medium
eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.
Update Instructions:
Run `sudo pro fix CVE-2020-8597` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ppp - 2.4.7-2+4.1ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-02-03 23:15:00 UTC
2020-02-03 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950618
[https://ubuntu.com/security/notices/USN-4288-1]
[https://ubuntu.com/security/notices/USN-4288-2]
CVE-2020-8597
CVE-2020-8608 on Ubuntu 26.04 LTS (resolute) - medium
In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code.
Update Instructions:
Run `sudo pro fix CVE-2020-8608` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libslirp0 - 4.1.0-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-02-06 17:15:00 UTC
2020-02-06 17:15:00 UTC
Laszlo Ersek
[https://ubuntu.com/security/notices/USN-4283-1]
[https://ubuntu.com/security/notices/USN-4632-1]
[https://ubuntu.com/security/notices/USN-7094-1]
CVE-2020-8608
CVE-2020-8793 on Ubuntu 26.04 LTS (resolute) - low
OpenSMTPD before 6.6.4 allows local users to read arbitrary files (e.g., on some Linux distributions) because of a combination of an untrusted search path in makemap.c and race conditions in the offline functionality in smtpd.c.
Update Instructions:
Run `sudo pro fix CVE-2020-8793` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
opensmtpd - 6.6.4p1-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-02-25 17:15:00 UTC
2020-02-25 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-4294-1]
[https://ubuntu.com/security/notices/USN-4875-1]
CVE-2020-8793
CVE-2020-8794 on Ubuntu 26.04 LTS (resolute) - high
OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this vulnerability affects the client side of OpenSMTPD, it is possible to attack a server because the server code launches the client code during bounce handling.
Update Instructions:
Run `sudo pro fix CVE-2020-8794` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
opensmtpd - 6.6.4p1-1
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2020 Canonical Ltd.
2020-02-25 17:15:00 UTC
2020-02-25 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-4294-1]
[https://ubuntu.com/security/notices/USN-4875-1]
CVE-2020-8794
CVE-2020-8903 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership to the "adm" group, users with this role are able to read the DHCP XID from the systemd journal. Using the DHCP XID, it is then possible to set the IP address and hostname of the instance to any value, which is then stored in /etc/hosts. An attacker can then point metadata.google.internal to an arbitrary IP address and impersonate the GCE metadata server, which makes it possible to instruct the OS Login PAM module to grant administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "adm" user from the OS Login entry.
Update Instructions:
Run `sudo pro fix CVE-2020-8903` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gce-compute-image-packages - 20190801-0ubuntu5
google-compute-engine - 20190801-0ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-22 14:15:00 UTC
CVE-2020-8903
CVE-2020-8907 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using their membership to the "docker" group, an attacker with this role is able to run docker and mount the host OS. Within docker, it is possible to modify the host OS filesystem and modify /etc/groups to gain administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "docker" user from the OS Login entry.
Update Instructions:
Run `sudo pro fix CVE-2020-8907` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gce-compute-image-packages - 20190801-0ubuntu5
google-compute-engine - 20190801-0ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-22 14:15:00 UTC
CVE-2020-8907
CVE-2020-8910 on Ubuntu 26.04 LTS (resolute) - low
A URL parsing issue in goog.uri of the Google Closure Library versions up to and including v20200224 allows an attacker to send malicious URLs to be parsed by the library and return the wrong authority. Mitigation: update your library to version v20200315.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-03-26 12:15:00 UTC
CVE-2020-8910
CVE-2020-8933 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in Google Cloud Platform's guest-oslogin versions between 20190304 and 20200507 allows a user that is only granted the role "roles/compute.osLogin" to escalate privileges to root. Using the membership to the "lxd" group, an attacker can attach host devices and filesystems. Within an lxc container, it is possible to attach the host OS filesystem and modify /etc/sudoers to then gain administrative privileges. All images created after 2020-May-07 (20200507) are fixed, and if you cannot update, we recommend you edit /etc/group/security.conf and remove the "lxd" user from the OS Login entry.
Update Instructions:
Run `sudo pro fix CVE-2020-8933` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gce-compute-image-packages - 20190801-0ubuntu5
google-compute-engine - 20190801-0ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-06-22 14:15:00 UTC
CVE-2020-8933
CVE-2020-8945 on Ubuntu 26.04 LTS (resolute) - medium
The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-02-12 18:15:00 UTC
CVE-2020-8945
CVE-2020-9489 on Ubuntu 26.04 LTS (resolute) - medium
A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2020 Canonical Ltd.
2020-04-27 14:15:00 UTC
CVE-2020-9489
CVE-2020-9770 on Ubuntu 26.04 LTS (resolute) - low
A logic issue was addressed with improved state management. This issue is fixed in iOS 13.4 and iPadOS 13.4. An attacker in a privileged network position may be able to intercept Bluetooth traffic.
Ubuntu 26.04 LTS
Low
Copyright (C) 2020 Canonical Ltd.
2020-04-01 18:15:00 UTC
CVE-2020-9770
CVE-2021-0089 on Ubuntu 26.04 LTS (resolute) - medium
Observable response discrepancy in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-09 20:15:00 UTC
CVE-2021-0089
CVE-2021-20066 on Ubuntu 26.04 LTS (resolute) - medium
JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-16 20:15:00 UTC
CVE-2021-20066
CVE-2021-20109 on Ubuntu 26.04 LTS (resolute) - medium
Due to the Asset Explorer agent not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as well as receive the agent's HTTP request verifying its authtoken. In AEAgent.cpp, the agent responding back over HTTP is vulnerable to a Heap Overflow if the POST payload response is too large. The POST payload response is converted to Unicode using vswprintf. This is written to a buffer only 0x2000 bytes big. If POST payload is larger, then heap overflow will occur.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-19 15:15:00 UTC
CVE-2021-20109
CVE-2021-20110 on Ubuntu 26.04 LTS (resolute) - medium
Due to Manage Engine Asset Explorer Agent 1.0.34 not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as well as receive the agent's HTTP request verifying its authtoken. In httphandler.cpp, the agent reaching out over HTTP is vulnerable to an Integer Overflow, which can be turned into a Heap Overflow allowing for remote code execution as NT AUTHORITY/SYSTEM on the agent machine. The Integer Overflow occurs when receiving POST response from the Manage Engine server, and the agent calling "HttpQueryInfoW" in order to get the "Content-Length" size from the incoming POST request. This size is taken, but multiplied to a larger amount. If an attacker specifies a Content-Length size of 1073741823 or larger, this integer arithmetic will wrap the value back around to smaller integer, then calls "calloc" with this size to allocate memory. The following API "InternetReadFile" will copy the POST data into this buffer, which will be too small for the contents, and cause heap overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-19 15:15:00 UTC
CVE-2021-20110
CVE-2021-20178 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-26 12:15:00 UTC
CVE-2021-20178
CVE-2021-20180 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-16 15:15:00 UTC
CVE-2021-20180
CVE-2021-20181 on Ubuntu 26.04 LTS (resolute) - medium
A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.
Update Instructions:
Run `sudo pro fix CVE-2021-20181` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:5.2+dfsg-6ubuntu2
qemu-block-supplemental - 1:5.2+dfsg-6ubuntu2
qemu-guest-agent - 1:5.2+dfsg-6ubuntu2
qemu-system - 1:5.2+dfsg-6ubuntu2
qemu-system-arm - 1:5.2+dfsg-6ubuntu2
qemu-system-common - 1:5.2+dfsg-6ubuntu2
qemu-system-data - 1:5.2+dfsg-6ubuntu2
qemu-system-gui - 1:5.2+dfsg-6ubuntu2
qemu-system-mips - 1:5.2+dfsg-6ubuntu2
qemu-system-misc - 1:5.2+dfsg-6ubuntu2
qemu-system-modules-opengl - 1:5.2+dfsg-6ubuntu2
qemu-system-modules-spice - 1:5.2+dfsg-6ubuntu2
qemu-system-ppc - 1:5.2+dfsg-6ubuntu2
qemu-system-riscv - 1:5.2+dfsg-6ubuntu2
qemu-system-s390x - 1:5.2+dfsg-6ubuntu2
qemu-system-sparc - 1:5.2+dfsg-6ubuntu2
qemu-system-x86 - 1:5.2+dfsg-6ubuntu2
qemu-system-x86-xen - 1:5.2+dfsg-6ubuntu2
qemu-system-xen - 1:5.2+dfsg-6ubuntu2
qemu-user - 1:5.2+dfsg-6ubuntu2
qemu-user-binfmt - 1:5.2+dfsg-6ubuntu2
qemu-utils - 1:5.2+dfsg-6ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-01 00:00:00 UTC
2021-02-01 00:00:00 UTC
[https://ubuntu.com/security/notices/USN-4725-1]
CVE-2021-20181
CVE-2021-20191 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-26 21:15:00 UTC
CVE-2021-20191
CVE-2021-20196 on Ubuntu 26.04 LTS (resolute) - low
A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Update Instructions:
Run `sudo pro fix CVE-2021-20196` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:6.2+dfsg-2ubuntu5
qemu-block-supplemental - 1:6.2+dfsg-2ubuntu5
qemu-guest-agent - 1:6.2+dfsg-2ubuntu5
qemu-system - 1:6.2+dfsg-2ubuntu5
qemu-system-arm - 1:6.2+dfsg-2ubuntu5
qemu-system-common - 1:6.2+dfsg-2ubuntu5
qemu-system-data - 1:6.2+dfsg-2ubuntu5
qemu-system-gui - 1:6.2+dfsg-2ubuntu5
qemu-system-mips - 1:6.2+dfsg-2ubuntu5
qemu-system-misc - 1:6.2+dfsg-2ubuntu5
qemu-system-modules-opengl - 1:6.2+dfsg-2ubuntu5
qemu-system-modules-spice - 1:6.2+dfsg-2ubuntu5
qemu-system-ppc - 1:6.2+dfsg-2ubuntu5
qemu-system-riscv - 1:6.2+dfsg-2ubuntu5
qemu-system-s390x - 1:6.2+dfsg-2ubuntu5
qemu-system-sparc - 1:6.2+dfsg-2ubuntu5
qemu-system-x86 - 1:6.2+dfsg-2ubuntu5
qemu-system-x86-xen - 1:6.2+dfsg-2ubuntu5
qemu-system-xen - 1:6.2+dfsg-2ubuntu5
qemu-user - 1:6.2+dfsg-2ubuntu5
qemu-user-binfmt - 1:6.2+dfsg-2ubuntu5
qemu-utils - 1:6.2+dfsg-2ubuntu5
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-26 22:15:00 UTC
2021-05-26 22:15:00 UTC
Gaoning Pan
https://bugzilla.redhat.com/show_bug.cgi?id=1919210
https://bugs.launchpad.net/qemu/+bug/1912780
[https://ubuntu.com/security/notices/USN-5307-1]
CVE-2021-20196
CVE-2021-20203 on Ubuntu 26.04 LTS (resolute) - low
An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
Update Instructions:
Run `sudo pro fix CVE-2021-20203` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:6.2+dfsg-2ubuntu5
qemu-block-supplemental - 1:6.2+dfsg-2ubuntu5
qemu-guest-agent - 1:6.2+dfsg-2ubuntu5
qemu-system - 1:6.2+dfsg-2ubuntu5
qemu-system-arm - 1:6.2+dfsg-2ubuntu5
qemu-system-common - 1:6.2+dfsg-2ubuntu5
qemu-system-data - 1:6.2+dfsg-2ubuntu5
qemu-system-gui - 1:6.2+dfsg-2ubuntu5
qemu-system-mips - 1:6.2+dfsg-2ubuntu5
qemu-system-misc - 1:6.2+dfsg-2ubuntu5
qemu-system-modules-opengl - 1:6.2+dfsg-2ubuntu5
qemu-system-modules-spice - 1:6.2+dfsg-2ubuntu5
qemu-system-ppc - 1:6.2+dfsg-2ubuntu5
qemu-system-riscv - 1:6.2+dfsg-2ubuntu5
qemu-system-s390x - 1:6.2+dfsg-2ubuntu5
qemu-system-sparc - 1:6.2+dfsg-2ubuntu5
qemu-system-x86 - 1:6.2+dfsg-2ubuntu5
qemu-system-x86-xen - 1:6.2+dfsg-2ubuntu5
qemu-system-xen - 1:6.2+dfsg-2ubuntu5
qemu-user - 1:6.2+dfsg-2ubuntu5
qemu-user-binfmt - 1:6.2+dfsg-2ubuntu5
qemu-utils - 1:6.2+dfsg-2ubuntu5
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-02-25 20:15:00 UTC
2021-02-25 20:15:00 UTC
Gaoning Pan
https://bugs.launchpad.net/qemu/+bug/1913873
https://bugs.launchpad.net/qemu/+bug/1890152
https://gitlab.com/qemu-project/qemu/-/issues/308
[https://ubuntu.com/security/notices/USN-5307-1]
CVE-2021-20203
CVE-2021-20204 on Ubuntu 26.04 LTS (resolute) - medium
A heap memory corruption problem (use after free) can be triggered in libgetdata v0.10.0 when processing maliciously crafted dirfile databases. This degrades the confidentiality, integrity and availability of third-party software that uses libgetdata as a library. This vulnerability may lead to arbitrary code execution or privilege escalation depending on input/skills of attacker.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-06 15:15:00 UTC
Carlos Andres Ramirez
https://bugs.launchpad.net/ubuntu/+source/libgetdata/+bug/1912050
CVE-2021-20204
CVE-2021-20220 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. The highest threat from this vulnerability is to data confidentiality and integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-23 18:15:00 UTC
CVE-2021-20220
CVE-2021-20221 on Ubuntu 26.04 LTS (resolute) - low
An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0 on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
Update Instructions:
Run `sudo pro fix CVE-2021-20221` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:5.2+dfsg-6ubuntu2
qemu-block-supplemental - 1:5.2+dfsg-6ubuntu2
qemu-guest-agent - 1:5.2+dfsg-6ubuntu2
qemu-system - 1:5.2+dfsg-6ubuntu2
qemu-system-arm - 1:5.2+dfsg-6ubuntu2
qemu-system-common - 1:5.2+dfsg-6ubuntu2
qemu-system-data - 1:5.2+dfsg-6ubuntu2
qemu-system-gui - 1:5.2+dfsg-6ubuntu2
qemu-system-mips - 1:5.2+dfsg-6ubuntu2
qemu-system-misc - 1:5.2+dfsg-6ubuntu2
qemu-system-modules-opengl - 1:5.2+dfsg-6ubuntu2
qemu-system-modules-spice - 1:5.2+dfsg-6ubuntu2
qemu-system-ppc - 1:5.2+dfsg-6ubuntu2
qemu-system-riscv - 1:5.2+dfsg-6ubuntu2
qemu-system-s390x - 1:5.2+dfsg-6ubuntu2
qemu-system-sparc - 1:5.2+dfsg-6ubuntu2
qemu-system-x86 - 1:5.2+dfsg-6ubuntu2
qemu-system-x86-xen - 1:5.2+dfsg-6ubuntu2
qemu-system-xen - 1:5.2+dfsg-6ubuntu2
qemu-user - 1:5.2+dfsg-6ubuntu2
qemu-user-binfmt - 1:5.2+dfsg-6ubuntu2
qemu-utils - 1:5.2+dfsg-6ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-13 16:15:00 UTC
2021-05-13 16:15:00 UTC
https://bugs.launchpad.net/qemu/+bug/1914353
[https://ubuntu.com/security/notices/USN-5010-1]
CVE-2021-20221
CVE-2021-20228 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability is to confidentiality.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-29 16:15:00 UTC
CVE-2021-20228
CVE-2021-20241 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in ImageMagick in coders/jp2.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.
Update Instructions:
Run `sudo pro fix CVE-2021-20241` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-03-09 18:15:00 UTC
2021-03-09 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-5335-1]
[https://ubuntu.com/security/notices/USN-5736-1]
[https://ubuntu.com/security/notices/USN-5736-2]
[https://ubuntu.com/security/notices/USN-6200-1]
[https://ubuntu.com/security/notices/USN-7164-1]
CVE-2021-20241
CVE-2021-20243 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in ImageMagick in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.
Update Instructions:
Run `sudo pro fix CVE-2021-20243` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-03-09 18:15:00 UTC
2021-03-09 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-5335-1]
[https://ubuntu.com/security/notices/USN-5736-1]
[https://ubuntu.com/security/notices/USN-5736-2]
[https://ubuntu.com/security/notices/USN-6200-1]
[https://ubuntu.com/security/notices/USN-7164-1]
CVE-2021-20243
CVE-2021-20244 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in ImageMagick in MagickCore/visual-effects.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.
Update Instructions:
Run `sudo pro fix CVE-2021-20244` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-03-09 19:15:00 UTC
2021-03-09 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-5158-1]
[https://ubuntu.com/security/notices/USN-5736-1]
[https://ubuntu.com/security/notices/USN-5736-2]
[https://ubuntu.com/security/notices/USN-6200-1]
CVE-2021-20244
CVE-2021-20245 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in ImageMagick in coders/webp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.
Update Instructions:
Run `sudo pro fix CVE-2021-20245` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-03-09 19:15:00 UTC
2021-03-09 19:15:00 UTC
https://github.com/ImageMagick/ImageMagick/issues/3176
[https://ubuntu.com/security/notices/USN-5736-1]
[https://ubuntu.com/security/notices/USN-5736-2]
CVE-2021-20245
CVE-2021-20246 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in ImageMagick in MagickCore/resample.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.
Update Instructions:
Run `sudo pro fix CVE-2021-20246` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-03-09 19:15:00 UTC
2021-03-09 19:15:00 UTC
https://github.com/ImageMagick/ImageMagick/issues/3195
[https://ubuntu.com/security/notices/USN-5158-1]
[https://ubuntu.com/security/notices/USN-5736-1]
[https://ubuntu.com/security/notices/USN-5736-2]
[https://ubuntu.com/security/notices/USN-6200-1]
CVE-2021-20246
CVE-2021-20247 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in mbsync before v1.3.5 and v1.4.1. Validations of the mailbox names returned by IMAP LIST/LSUB do not occur allowing a malicious or compromised server to use specially crafted mailbox names containing '..' path components to access data outside the designated mailbox on the opposite end of the synchronization channel. The highest threat from this vulnerability is to data confidentiality and integrity.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-02-23 19:15:00 UTC
CVE-2021-20247
CVE-2021-20255 on Ubuntu 26.04 LTS (resolute) - medium
A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-03-09 20:15:00 UTC
Sergej Schumilo, Cornelius Aschermann, Simon Werner
CVE-2021-20255
CVE-2021-20285 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in upx canPack in p_lx_elf.cpp in UPX 3.96. This flaw allows attackers to cause a denial of service (SEGV or buffer overflow and application crash) or possibly have unspecified other impacts via a crafted ELF. The highest threat from this vulnerability is to system availability.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-03-26 17:15:00 UTC
Hao Wang
https://github.com/upx/upx/commit/3781df9da23840e596d5e9e8493f22666802fe6c
CVE-2021-20285
CVE-2021-20289 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-03-26 17:15:00 UTC
2021-03-26 17:15:00 UTC
Dirk Papenberg
https://bugzilla.redhat.com/show_bug.cgi?id=1935927
[https://ubuntu.com/security/notices/USN-7351-1]
[https://ubuntu.com/security/notices/USN-7630-1]
CVE-2021-20289
CVE-2021-20305 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalars, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.
Update Instructions:
Run `sudo pro fix CVE-2021-20305` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libhogweed6t64 - 3.7-2.1ubuntu1
libnettle8t64 - 3.7-2.1ubuntu1
nettle-bin - 3.7-2.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-05 22:15:00 UTC
2021-04-05 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985652
[https://ubuntu.com/security/notices/USN-4906-1]
CVE-2021-20305
CVE-2021-20309 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to system availability.
Update Instructions:
Run `sudo pro fix CVE-2021-20309` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-11 23:15:00 UTC
2021-05-11 23:15:00 UTC
[https://ubuntu.com/security/notices/USN-5158-1]
[https://ubuntu.com/security/notices/USN-5736-1]
[https://ubuntu.com/security/notices/USN-5736-2]
[https://ubuntu.com/security/notices/USN-6200-1]
CVE-2021-20309
CVE-2021-20312 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in ImageMagick in versions 7.0.11, where an integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this vulnerability is to system availability.
Update Instructions:
Run `sudo pro fix CVE-2021-20312` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-11 23:15:00 UTC
2021-05-11 23:15:00 UTC
[https://ubuntu.com/security/notices/USN-5158-1]
[https://ubuntu.com/security/notices/USN-5736-1]
[https://ubuntu.com/security/notices/USN-5736-2]
[https://ubuntu.com/security/notices/USN-6200-1]
CVE-2021-20312
CVE-2021-20313 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in ImageMagick in versions before 7.0.11. A potential cipher leak when the calculate signatures in TransformSignature is possible. The highest threat from this vulnerability is to data confidentiality.
Update Instructions:
Run `sudo pro fix CVE-2021-20313` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-11 23:15:00 UTC
2021-05-11 23:15:00 UTC
[https://ubuntu.com/security/notices/USN-5158-1]
[https://ubuntu.com/security/notices/USN-5736-1]
[https://ubuntu.com/security/notices/USN-5736-2]
[https://ubuntu.com/security/notices/USN-6200-1]
CVE-2021-20313
CVE-2021-20328 on Ubuntu 26.04 LTS (resolute) - low
Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-02-25 17:15:00 UTC
CVE-2021-20328
CVE-2021-21236 on Ubuntu 26.04 LTS (resolute) - medium
CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See Referenced GitHub advisory for more information.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-01-06 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979597
CVE-2021-21236
CVE-2021-21290 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
Update Instructions:
Run `sudo pro fix CVE-2021-21290` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnetty-java - 4.1.48-2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-08 20:15:00 UTC
2021-02-08 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6049-1]
CVE-2021-21290
CVE-2021-21295 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
Update Instructions:
Run `sudo pro fix CVE-2021-21295` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnetty-java - 4.1.48-3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-03-09 19:15:00 UTC
2021-03-09 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-6049-1]
CVE-2021-21295
CVE-2021-21303 on Ubuntu 26.04 LTS (resolute) - medium
Helm is open-source software which is essentially "The Kubernetes Package Manager". Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. In Helm from version 3.0 and before version 3.5.2, there are a few cases where data loaded from potentially untrusted sources was not properly sanitized. When a SemVer in the `version` field of a chart is invalid, in some cases Helm allows the string to be used "as is" without sanitizing. Helm fails to properly sanitize some fields present on Helm repository `index.yaml` files. Helm does not properly sanitize some fields in the `plugin.yaml` file for plugins. In some cases, Helm does not properly sanitize the fields in the `Chart.yaml` file. By exploiting these attack vectors, core maintainers were able to send deceptive information to a terminal screen running the `helm` command, as well as obscure or alter information on the screen. In some cases, we could send codes that terminals used to execute higher-order logic, like clearing a terminal screen. Further, during evaluation, the Helm maintainers discovered a few other fields that were not properly sanitized when read out of repository index files. This fix remedies all such cases, and once again enforces SemVer2 policies on version fields. All users of the Helm 3 should upgrade to the fixed version 3.5.2 or later. Those who use Helm as a library should verify that they either sanitize this data on their own, or use the proper Helm API calls to sanitize the data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-05 22:15:00 UTC
CVE-2021-21303
CVE-2021-21317 on Ubuntu 26.04 LTS (resolute) - medium
uap-core is an open-source npm package which contains the core of BrowserScope's original user agent string parser. In uap-core before version 0.11.0, some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This is fixed in version 0.11.0. Downstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-16 18:15:00 UTC
CVE-2021-21317
CVE-2021-21372 on Ubuntu 26.04 LTS (resolute) - medium
Nimble is a package manager for the Nim programming language. In Nim release version before versions 1.2.10 and 1.4.4, Nimble doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-03-26 22:15:00 UTC
CVE-2021-21372
CVE-2021-21373 on Ubuntu 26.04 LTS (resolute) - medium
Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL http://irclogs.nim-lang.org/packages.json. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-03-26 22:15:00 UTC
CVE-2021-21373
CVE-2021-21374 on Ubuntu 26.04 LTS (resolute) - medium
Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-03-26 22:15:00 UTC
CVE-2021-21374
CVE-2021-21404 on Ubuntu 26.04 LTS (resolute) - medium
Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it's likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-06 20:15:00 UTC
CVE-2021-21404
CVE-2021-21409 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.
Update Instructions:
Run `sudo pro fix CVE-2021-21409` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnetty-java - 4.1.48-4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-03-30 15:15:00 UTC
2021-03-30 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6049-1]
CVE-2021-21409
CVE-2021-21416 on Ubuntu 26.04 LTS (resolute) - medium
django-registration is a user registration package for Django. The django-registration package provides tools for implementing user-account registration flows in the Django web framework. In django-registration prior to 3.1.2, the base user-account registration view did not properly apply filters to sensitive data, with the result that sensitive data could be included in error reports rather than removed automatically by Django. Triggering this requires: A site is using django-registration < 3.1.2, The site has detailed error reports (such as Django's emailed error reports to site staff/developers) enabled and a server-side error (HTTP 5xx) occurs during an attempt by a user to register an account. Under these conditions, recipients of the detailed error report will see all submitted data from the account-registration attempt, which may include the user's proposed credentials (such as a password).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-01 22:15:00 UTC
CVE-2021-21416
CVE-2021-2161 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-22 22:15:00 UTC
CVE-2021-2161
CVE-2021-2163 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N).
Update Instructions:
Run `sudo pro fix CVE-2021-2163` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-8-demo - 8u292-b10-0ubuntu1
openjdk-8-jdk - 8u292-b10-0ubuntu1
openjdk-8-jdk-headless - 8u292-b10-0ubuntu1
openjdk-8-jre - 8u292-b10-0ubuntu1
openjdk-8-jre-headless - 8u292-b10-0ubuntu1
openjdk-8-jre-zero - 8u292-b10-0ubuntu1
openjdk-8-source - 8u292-b10-0ubuntu1
No subscription required
openjdk-11-demo - 11.0.11+9-0ubuntu2
openjdk-11-jdk - 11.0.11+9-0ubuntu2
openjdk-11-jdk-headless - 11.0.11+9-0ubuntu2
openjdk-11-jre - 11.0.11+9-0ubuntu2
openjdk-11-jre-headless - 11.0.11+9-0ubuntu2
openjdk-11-jre-zero - 11.0.11+9-0ubuntu2
openjdk-11-source - 11.0.11+9-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-20 17:34:00 UTC
2021-04-20 17:34:00 UTC
[https://ubuntu.com/security/notices/USN-4892-1]
CVE-2021-2163
CVE-2021-21783 on Ubuntu 26.04 LTS (resolute) - medium
A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-03-25 17:15:00 UTC
CVE-2021-21783
CVE-2021-21897 on Ubuntu 26.04 LTS (resolute) - medium
A code execution vulnerability exists in the DL_Dxf::handleLWPolylineData functionality of Ribbonsoft dxflib 3.17.0. A specially-crafted .dxf file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-08 16:15:00 UTC
CVE-2021-21897
CVE-2021-21900 on Ubuntu 26.04 LTS (resolute) - medium
A code execution vulnerability exists in the dxfRW::processLType() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .dxf file can lead to a use-after-free vulnerability. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-19 19:15:00 UTC
2021-11-19 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-5957-1]
CVE-2021-21900
CVE-2021-22060 on Ubuntu 26.04 LTS (resolute) - low
In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-10 14:10:00 UTC
CVE-2021-22060
CVE-2021-22095 on Ubuntu 26.04 LTS (resolute) - medium
In Spring AMQP versions 2.2.0 - 2.2.19 and 2.3.0 - 2.3.11, the Spring AMQP Message object, in its toString() method, will create a new String object from the message body, regardless of its size. This can cause an OOM Error with a large message
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-30 19:15:00 UTC
CVE-2021-22095
CVE-2021-22096 on Ubuntu 26.04 LTS (resolute) - medium
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-28 16:15:00 UTC
CVE-2021-22096
CVE-2021-22173 on Ubuntu 26.04 LTS (resolute) - low
Memory leak in USB HID dissector in Wireshark 3.4.0 to 3.4.2 allows denial of service via packet injection or crafted capture file
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-02-17 15:15:00 UTC
CVE-2021-22173
CVE-2021-22174 on Ubuntu 26.04 LTS (resolute) - low
Crash in USB HID dissector in Wireshark 3.4.0 to 3.4.2 allows denial of service via packet injection or crafted capture file
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-02-17 15:15:00 UTC
CVE-2021-22174
CVE-2021-22207 on Ubuntu 26.04 LTS (resolute) - low
Excessive memory consumption in MS-WSP dissector in Wireshark 3.4.0 to 3.4.4 and 3.2.0 to 3.2.12 allows denial of service via packet injection or crafted capture file
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-04-23 18:15:00 UTC
CVE-2021-22207
CVE-2021-22222 on Ubuntu 26.04 LTS (resolute) - low
Infinite loop in DVB-S2-BB dissector in Wireshark 3.4.0 to 3.4.5 allows denial of service via packet injection or crafted capture file
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-06-07 13:15:00 UTC
CVE-2021-22222
CVE-2021-22234 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.11 before 13.11.7, all versions starting from 13.12 before 13.12.8, and all versions starting from 14.0 before 14.0.4. A specially crafted design image allowed attackers to read arbitrary files on the server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-05 21:15:00 UTC
CVE-2021-22234
CVE-2021-22235 on Ubuntu 26.04 LTS (resolute) - medium
Crash in DNP dissector in Wireshark 3.4.0 to 3.4.6 and 3.2.0 to 3.2.14 allows denial of service via packet injection or crafted capture file
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-20 12:15:00 UTC
CVE-2021-22235
CVE-2021-22573 on Ubuntu 26.04 LTS (resolute) - medium
The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-03 16:15:00 UTC
CVE-2021-22573
CVE-2021-22879 on Ubuntu 26.04 LTS (resolute) - medium
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-14 13:15:00 UTC
CVE-2021-22879
CVE-2021-22880 on Ubuntu 26.04 LTS (resolute) - low
The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-02-11 18:15:00 UTC
CVE-2021-22880
CVE-2021-22881 on Ubuntu 26.04 LTS (resolute) - medium
The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted `Host` header can be used to redirect to a malicious website.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-11 18:15:00 UTC
CVE-2021-22881
CVE-2021-22885 on Ubuntu 26.04 LTS (resolute) - medium
A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url` helper with untrusted user input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-27 12:15:00 UTC
CVE-2021-22885
CVE-2021-22895 on Ubuntu 26.04 LTS (resolute) - medium
Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-11 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989846
CVE-2021-22895
CVE-2021-22902 on Ubuntu 26.04 LTS (resolute) - medium
The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-11 16:15:00 UTC
CVE-2021-22902
CVE-2021-22903 on Ubuntu 26.04 LTS (resolute) - medium
The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. This is similar to CVE-2021-22881. Strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, `config.hosts << "sub.example.com"` to permit a request with a Host header value of `sub-example.com`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-11 16:15:00 UTC
CVE-2021-22903
CVE-2021-22904 on Ubuntu 26.04 LTS (resolute) - medium
The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-11 16:15:00 UTC
CVE-2021-22904
CVE-2021-22942 on Ubuntu 26.04 LTS (resolute) - medium
A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-18 13:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586
CVE-2021-22942
CVE-2021-23166 on Ubuntu 26.04 LTS (resolute) - medium
A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-25 19:15:00 UTC
CVE-2021-23166
CVE-2021-23176 on Ubuntu 26.04 LTS (resolute) - medium
Improper access control in reporting engine of l10n_fr_fec module in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to extract accounting information via crafted RPC packets.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-25 19:15:00 UTC
CVE-2021-23176
CVE-2021-23178 on Ubuntu 26.04 LTS (resolute) - medium
Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows attackers to validate online payments with a tokenized payment method that belongs to another user, causing the victim's payment method to be charged instead.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-25 19:15:00 UTC
CVE-2021-23178
CVE-2021-23186 on Ubuntu 26.04 LTS (resolute) - medium
A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-25 19:15:00 UTC
CVE-2021-23186
CVE-2021-23203 on Ubuntu 26.04 LTS (resolute) - medium
Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-25 19:15:00 UTC
CVE-2021-23203
CVE-2021-23225 on Ubuntu 26.04 LTS (resolute) - medium
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 21:15:00 UTC
CVE-2021-23225
CVE-2021-23239 on Ubuntu 26.04 LTS (resolute) - low
The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.
Update Instructions:
Run `sudo pro fix CVE-2021-23239` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnss-sudo - 1.9.4p2-2ubuntu2
sudo - 1.9.4p2-2ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-01-12 09:15:00 UTC
2021-01-12 09:15:00 UTC
[https://ubuntu.com/security/notices/USN-4705-1]
CVE-2021-23239
CVE-2021-23337 on Ubuntu 26.04 LTS (resolute) - medium
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-15 13:15:00 UTC
Marc Hassan
CVE-2021-23337
CVE-2021-23341 on Ubuntu 26.04 LTS (resolute) - medium
The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-18 16:15:00 UTC
CVE-2021-23341
CVE-2021-23383 on Ubuntu 26.04 LTS (resolute) - medium
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-04 09:15:00 UTC
CVE-2021-23383
CVE-2021-23413 on Ubuntu 26.04 LTS (resolute) - low
This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototype instance.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-07-25 13:15:00 UTC
CVE-2021-23413
CVE-2021-23422 on Ubuntu 26.04 LTS (resolute) - medium
This affects the package bikeshed before 3.0.0. This can occur when an untrusted source file containing Inline Tag Command metadata is processed. When an arbitrary OS command is executed, the command output would be included in the HTML output.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-16 08:15:00 UTC
CVE-2021-23422
CVE-2021-23423 on Ubuntu 26.04 LTS (resolute) - low
This affects the package bikeshed before 3.0.0. This can occur when an untrusted source file containing include, include-code or include-raw block is processed. The contents of arbitrary files could be disclosed in the HTML output.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-08-16 08:15:00 UTC
CVE-2021-23423
CVE-2021-23432 on Ubuntu 26.04 LTS (resolute) - medium
This affects all versions of package mootools. This is due to the ability to pass untrusted input to Object.merge()
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-24 09:15:00 UTC
CVE-2021-23432
CVE-2021-23434 on Ubuntu 26.04 LTS (resolute) - medium
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-27 17:15:00 UTC
2021-08-27 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-5967-1]
CVE-2021-23434
CVE-2021-23437 on Ubuntu 26.04 LTS (resolute) - low
The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.
Update Instructions:
Run `sudo pro fix CVE-2021-23437` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-pil - 9.0.0-1
python3-pil.imagetk - 9.0.0-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-09-03 16:15:00 UTC
2021-09-03 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-5227-1]
[https://ubuntu.com/security/notices/USN-5227-2]
CVE-2021-23437
CVE-2021-23440 on Ubuntu 26.04 LTS (resolute) - medium
This affects the package set-value before <2.0.1, >=3.0.0 <4.0.1. A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-12 13:15:00 UTC
CVE-2021-23440
CVE-2021-23445 on Ubuntu 26.04 LTS (resolute) - medium
This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-27 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995229
CVE-2021-23445
CVE-2021-23472 on Ubuntu 26.04 LTS (resolute) - medium
This affects versions before 1.19.1 of package bootstrap-table. A type confusion vulnerability can lead to a bypass of input sanitization when the input provided to the escapeHTML function is an array (instead of a string) even if the escape attribute is set.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-03 18:15:00 UTC
https://github.com/wenzhixin/bootstrap-table/pull/5941
CVE-2021-23472
CVE-2021-23518 on Ubuntu 26.04 LTS (resolute) - low
The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative path. When using the origin path as __proto__, the attribute of the object is accessed instead of a path. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-21 20:15:00 UTC
CVE-2021-23518
CVE-2021-23520 on Ubuntu 26.04 LTS (resolute) - medium
The package juce-framework/juce before 6.1.5 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via the ZipFile::uncompressEntry function in juce_ZipFile.cpp. This vulnerability is triggered when the archive is extracted upon calling uncompressTo() on a ZipFile object.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-31 11:15:00 UTC
CVE-2021-23520
CVE-2021-23521 on Ubuntu 26.04 LTS (resolute) - medium
This affects the package juce-framework/JUCE before 6.1.5. This vulnerability is triggered when a malicious archive is crafted with an entry containing a symbolic link. When extracted, the symbolic link is followed outside of the target dir allowing writing arbitrary files on the target host. In some cases, this can allow an attacker to execute arbitrary code. The vulnerable code is in the ZipFile::uncompressEntry function in juce_ZipFile.cpp and is executed when the archive is extracted upon calling uncompressTo() on a ZipFile object.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-31 11:15:00 UTC
CVE-2021-23521
CVE-2021-23556 on Ubuntu 26.04 LTS (resolute) - medium
The package guake before 3.8.5 are vulnerable to Exposed Dangerous Method or Function due to the exposure of execute_command and execute_command_by_uuid methods via the d-bus interface, which makes it possible for a malicious user to run an arbitrary command via the d-bus method. **Note:** Exploitation requires the user to have installed another malicious program that will be able to send dbus signals or run terminal commands.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-17 12:15:00 UTC
CVE-2021-23556
CVE-2021-23566 on Ubuntu 26.04 LTS (resolute) - medium
The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-14 20:15:00 UTC
CVE-2021-23566
CVE-2021-23792 on Ubuntu 26.04 LTS (resolute) - medium
The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 are vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-06 20:15:00 UTC
CVE-2021-23792
CVE-2021-23797 on Ubuntu 26.04 LTS (resolute) - medium
All versions of package http-server-node are vulnerable to Directory Traversal via use of --path-as-is.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-17 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031301
CVE-2021-23797
CVE-2021-23840 on Ubuntu 26.04 LTS (resolute) - low
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
Update Instructions:
Run `sudo pro fix CVE-2021-23840` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 1.1.1j-1ubuntu1
openssl - 1.1.1j-1ubuntu1
openssl-provider-legacy - 1.1.1j-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-02-16 17:15:00 UTC
2021-02-16 17:15:00 UTC
Paul Kehrer
https://bugzilla.tianocore.org/show_bug.cgi?id=3266 (edk2)
[https://ubuntu.com/security/notices/USN-4738-1]
[https://ubuntu.com/security/notices/USN-5088-1]
[https://ubuntu.com/security/notices/USN-7018-1]
CVE-2021-23840
CVE-2021-2409 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.24. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-21 15:15:00 UTC
CVE-2021-2409
CVE-2021-24116 on Ubuntu 26.04 LTS (resolute) - low
In wolfSSL through 4.6.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-07-14 13:15:00 UTC
CVE-2021-24116
CVE-2021-24119 on Ubuntu 26.04 LTS (resolute) - low
In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-07-14 13:15:00 UTC
CVE-2021-24119
CVE-2021-2442 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.24. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 6.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-21 15:16:00 UTC
CVE-2021-2442
CVE-2021-2443 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.24. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. Note: This vulnerability applies to Solaris x86 and Linux systems only. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-21 15:16:00 UTC
CVE-2021-2443
CVE-2021-2454 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.24. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-21 00:15:00 UTC
CVE-2021-2454
CVE-2021-25287 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.
Update Instructions:
Run `sudo pro fix CVE-2021-25287` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-pil - 8.1.2+dfsg-0.1ubuntu1
python3-pil.imagetk - 8.1.2+dfsg-0.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-10 00:00:00 UTC
2021-05-10 00:00:00 UTC
[https://ubuntu.com/security/notices/USN-4963-1]
[https://ubuntu.com/security/notices/USN-8135-1]
CVE-2021-25287
CVE-2021-25288 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.
Update Instructions:
Run `sudo pro fix CVE-2021-25288` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-pil - 8.1.2+dfsg-0.1ubuntu1
python3-pil.imagetk - 8.1.2+dfsg-0.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-10 00:00:00 UTC
2021-05-10 00:00:00 UTC
[https://ubuntu.com/security/notices/USN-4963-1]
[https://ubuntu.com/security/notices/USN-8135-1]
CVE-2021-25288
CVE-2021-25319 on Ubuntu 26.04 LTS (resolute) - medium
An Incorrect Default Permissions vulnerability in the packaging of virtualbox of openSUSE Factory allows local attackers in the vboxusers group to escalate to root. This issue affects: openSUSE Factory virtualbox version 6.1.20-1.1 and prior versions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-05 09:15:00 UTC
CVE-2021-25319
CVE-2021-25322 on Ubuntu 26.04 LTS (resolute) - medium
A UNIX Symbolic Link (Symlink) Following vulnerability in python-HyperKitty of openSUSE Leap 15.2, Factory allows local attackers to escalate privileges from the user hyperkitty or hyperkitty-admin to root. This issue affects: openSUSE Leap 15.2 python-HyperKitty version 1.3.2-lp152.2.3.1 and prior versions. openSUSE Factory python-HyperKitty versions prior to 1.3.4-5.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-10 12:15:00 UTC
CVE-2021-25322
CVE-2021-26220 on Ubuntu 26.04 LTS (resolute) - low
The ezxml_toxml function in ezxml 0.8.6 and earlier is vulnerable to OOB write when opening XML file after exhausting the memory pool.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-02-08 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989363
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989364
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989361
CVE-2021-26220
CVE-2021-26221 on Ubuntu 26.04 LTS (resolute) - low
The ezxml_new function in ezXML 0.8.6 and earlier is vulnerable to OOB write when opening XML file after exhausting the memory pool.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-02-08 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989363
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989364
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989361
CVE-2021-26221
CVE-2021-26222 on Ubuntu 26.04 LTS (resolute) - low
The ezxml_new function in ezXML 0.8.6 and earlier is vulnerable to OOB write when opening XML file after exhausting the memory pool.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-02-08 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989363
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989364
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989361
CVE-2021-26222
CVE-2021-26247 on Ubuntu 26.04 LTS (resolute) - medium
As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 21:15:00 UTC
CVE-2021-26247
CVE-2021-26263 on Ubuntu 26.04 LTS (resolute) - medium
Cross-site scripting (XSS) issue in Discuss app of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-25 19:15:00 UTC
CVE-2021-26263
CVE-2021-26313 on Ubuntu 26.04 LTS (resolute) - medium
Potential speculative code store bypass in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution of overwritten instructions, may cause an incorrect speculation and could result in data leakage.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-09 12:15:00 UTC
CVE-2021-26313
CVE-2021-26314 on Ubuntu 26.04 LTS (resolute) - medium
Potential floating point value injection in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution with incorrect floating point results, may cause the use of incorrect data from FPVI and may result in data leakage.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-09 12:15:00 UTC
CVE-2021-26314
CVE-2021-26712 on Ubuntu 26.04 LTS (resolute) - medium
Incorrect access controls in res_srtp.c in Sangoma Asterisk 13.38.1, 16.16.0, 17.9.1, and 18.2.0 and Certified Asterisk 16.8-cert5 allow a remote unauthenticated attacker to prematurely terminate secure calls by replaying SRTP packets.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-18 21:15:00 UTC
CVE-2021-26712
CVE-2021-26713 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow in res_rtp_asterisk.c in Sangoma Asterisk before 16.16.1, 17.x before 17.9.2, and 18.x before 18.2.1 and Certified Asterisk before 16.8-cert6 allows an authenticated WebRTC client to cause an Asterisk crash by sending multiple hold/unhold requests in quick succession. This is caused by a signedness comparison mismatch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-19 20:15:00 UTC
CVE-2021-26713
CVE-2021-26717 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Sangoma Asterisk 16.x before 16.16.1, 17.x before 17.9.2, and 18.x before 18.2.1 and Certified Asterisk before 16.8-cert6. When re-negotiating for T.38, if the initial remote response was delayed just enough, Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream, then Asterisk would crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-18 20:15:00 UTC
CVE-2021-26717
CVE-2021-26719 on Ubuntu 26.04 LTS (resolute) - medium
A directory traversal issue was discovered in Gradle gradle-enterprise-test-distribution-agent before 1.3.2, test-distribution-gradle-plugin before 1.3.2, and gradle-enterprise-maven-extension before 1.8.2. A malicious actor (with certain credentials) can perform a registration step such that crafted TAR archives lead to extraction of files into arbitrary filesystem locations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-09 14:15:00 UTC
CVE-2021-26719
CVE-2021-26813 on Ubuntu 26.04 LTS (resolute) - medium
markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-03-03 16:15:00 UTC
CVE-2021-26813
CVE-2021-26933 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Xen 4.9 through 4.14.x. On Arm, a guest is allowed to control whether memory accesses are bypassing the cache. This means that Xen needs to ensure that all writes (such as the ones during scrubbing) have reached the memory before handing over the page to a guest. Unfortunately, the operation to clean the cache is happening before checking if the page was scrubbed. Therefore there is no guarantee when all the writes will reach the memory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-17 02:15:00 UTC
Julien Grall
CVE-2021-26933
CVE-2021-26934 on Ubuntu 26.04 LTS (resolute) - negligible
An issue was discovered in the Linux kernel 4.18 through 5.10.16, as used by Xen. The backend allocation (aka be-alloc) mode of the drm_xen_front drivers was not meant to be a supported configuration, but this wasn't stated accordingly in its support status entry.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2021 Canonical Ltd.
2021-02-17 02:15:00 UTC
Jan Beulich
CVE-2021-26934
CVE-2021-26945 on Ubuntu 26.04 LTS (resolute) - negligible
An integer overflow leading to a heap-buffer overflow was found in OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2021 Canonical Ltd.
2021-06-08 12:15:00 UTC
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31221
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31228
CVE-2021-26945
CVE-2021-26947 on Ubuntu 26.04 LTS (resolute) - medium
Cross-site scripting (XSS) issue Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via a crafted link.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-25 19:15:00 UTC
CVE-2021-26947
CVE-2021-27019 on Ubuntu 26.04 LTS (resolute) - medium
PuppetDB logging included potentially sensitive system information.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-30 18:15:00 UTC
CVE-2021-27019
CVE-2021-27211 on Ubuntu 26.04 LTS (resolute) - low
steghide 0.5.1 relies on a certain 32-bit seed value, which makes it easier for attackers to detect hidden data.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-02-15 19:15:00 UTC
CVE-2021-27211
CVE-2021-27291 on Ubuntu 26.04 LTS (resolute) - medium
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
Update Instructions:
Run `sudo pro fix CVE-2021-27291` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-pygments - 2.7.1+dfsg-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-03-17 13:15:00 UTC
2021-03-17 13:15:00 UTC
Ben Caller
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985574
[https://ubuntu.com/security/notices/USN-4897-1]
[https://ubuntu.com/security/notices/USN-4897-2]
CVE-2021-27291
CVE-2021-27379 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM guest OS users to achieve unintended read/write DMA access, and possibly cause a denial of service (host OS crash) or gain privileges. This occurs because a backport missed a flush, and thus IOMMU updates were not always correct. NOTE: this issue exists because of an incomplete fix for CVE-2020-15565.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-18 17:15:00 UTC
CVE-2021-27379
CVE-2021-27548 on Ubuntu 26.04 LTS (resolute) - negligible
There is a Null Pointer Dereference vulnerability in the XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-05-18 15:15:00 UTC
CVE-2021-27548
CVE-2021-27799 on Ubuntu 26.04 LTS (resolute) - medium
ean_leading_zeroes in backend/upcean.c in Zint Barcode Generator 2.9.1 has a stack-based buffer overflow that is reachable from the C API through an application that includes the Zint Barcode Generator library code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-26 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983610
CVE-2021-27799
CVE-2021-27807 on Ubuntu 26.04 LTS (resolute) - medium
A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-03-19 16:15:00 UTC
Fabian Meumertzheim
CVE-2021-27807
CVE-2021-27815 on Ubuntu 26.04 LTS (resolute) - low
NULL Pointer Dereference in the exif command line tool, when printing out XML formatted EXIF data, in exif v0.6.22 and earlier allows attackers to cause a Denial of Service (DoS) by uploading a malicious JPEG file, causing the application to crash.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-04-14 14:15:00 UTC
CVE-2021-27815
CVE-2021-27836 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in function xls_getWorkSheet in xls.c in libxls 1.6.2, allows attackers to cause a denial of service, via a crafted XLS file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-03 17:15:00 UTC
CVE-2021-27836
CVE-2021-27905 on Ubuntu 26.04 LTS (resolute) - medium
The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-13 07:15:00 UTC
CVE-2021-27905
CVE-2021-27906 on Ubuntu 26.04 LTS (resolute) - medium
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-03-19 16:15:00 UTC
Fabian Meumertzheim
CVE-2021-27906
CVE-2021-28021 on Ubuntu 26.04 LTS (resolute) - medium
Buffer overflow vulnerability in function stbi__extend_receive in stb_image.h in stb 2.26 via a crafted JPEG file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-15 16:15:00 UTC
CVE-2021-28021
CVE-2021-28025 on Ubuntu 26.04 LTS (resolute) - medium
Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-11 14:15:00 UTC
CVE-2021-28025
CVE-2021-28116 on Ubuntu 26.04 LTS (resolute) - medium
Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody.
Update Instructions:
Run `sudo pro fix CVE-2021-28116` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
squid - 4.13-10ubuntu5
squid-cgi - 4.13-10ubuntu5
squid-common - 4.13-10ubuntu5
squid-openssl - 4.13-10ubuntu5
squid-purge - 4.13-10ubuntu5
squidclient - 4.13-10ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-03-09 22:15:00 UTC
2021-03-09 22:15:00 UTC
Lyu
https://bugs.squid-cache.org/show_bug.cgi?id=5131
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986804
[https://ubuntu.com/security/notices/USN-5104-1]
CVE-2021-28116
CVE-2021-28117 on Ubuntu 26.04 LTS (resolute) - low
libdiscover/backends/KNSBackend/KNSResource.cpp in KDE Discover before 5.21.3 automatically creates links to potentially dangerous URLs (that are neither https:// nor http://) based on the content of the store.kde.org website. (5.18.7 is also a fixed version.)
Update Instructions:
Run `sudo pro fix CVE-2021-28117` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
kde-config-updates - 5.21.3-0ubuntu1
plasma-discover - 5.21.3-0ubuntu1
plasma-discover-backend-flatpak - 5.21.3-0ubuntu1
plasma-discover-backend-fwupd - 5.21.3-0ubuntu1
plasma-discover-backend-snap - 5.21.3-0ubuntu1
plasma-discover-common - 5.21.3-0ubuntu1
plasma-discover-notifier - 5.21.3-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-03-20 21:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/plasma-discover/+bug/1918681
CVE-2021-28117
CVE-2021-28170 on Ubuntu 26.04 LTS (resolute) - medium
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-26 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989259
CVE-2021-28170
CVE-2021-28235 on Ubuntu 26.04 LTS (resolute) - medium
Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-04 15:15:00 UTC
2023-04-04 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6189-1]
CVE-2021-28235
CVE-2021-28657 on Ubuntu 26.04 LTS (resolute) - medium
A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-03-31 08:15:00 UTC
CVE-2021-28657
CVE-2021-28658 on Ubuntu 26.04 LTS (resolute) - low
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2021-28658` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 2:2.2.19-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-04-06 08:00:00 UTC
2021-04-06 08:00:00 UTC
Dennis Brinkrolf
[https://ubuntu.com/security/notices/USN-4902-1]
CVE-2021-28658
CVE-2021-28675 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.
Update Instructions:
Run `sudo pro fix CVE-2021-28675` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-pil - 8.1.2+dfsg-0.1ubuntu1
python3-pil.imagetk - 8.1.2+dfsg-0.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-10 00:00:00 UTC
2021-05-10 00:00:00 UTC
[https://ubuntu.com/security/notices/USN-4963-1]
[https://ubuntu.com/security/notices/USN-8135-1]
CVE-2021-28675
CVE-2021-28676 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.
Update Instructions:
Run `sudo pro fix CVE-2021-28676` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-pil - 8.1.2+dfsg-0.1ubuntu1
python3-pil.imagetk - 8.1.2+dfsg-0.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-10 00:00:00 UTC
2021-05-10 00:00:00 UTC
[https://ubuntu.com/security/notices/USN-4963-1]
[https://ubuntu.com/security/notices/USN-8135-1]
CVE-2021-28676
CVE-2021-28677 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.
Update Instructions:
Run `sudo pro fix CVE-2021-28677` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-pil - 8.1.2+dfsg-0.1ubuntu1
python3-pil.imagetk - 8.1.2+dfsg-0.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-10 00:00:00 UTC
2021-05-10 00:00:00 UTC
[https://ubuntu.com/security/notices/USN-4963-1]
[https://ubuntu.com/security/notices/USN-8135-1]
CVE-2021-28677
CVE-2021-28678 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.
Update Instructions:
Run `sudo pro fix CVE-2021-28678` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-pil - 8.1.2+dfsg-0.1ubuntu1
python3-pil.imagetk - 8.1.2+dfsg-0.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-10 00:00:00 UTC
2021-05-10 00:00:00 UTC
[https://ubuntu.com/security/notices/USN-4963-1]
CVE-2021-28678
CVE-2021-28689 on Ubuntu 26.04 LTS (resolute) - low
x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests 32-bit x86 PV guest kernels run in ring 1. At the time when Xen was developed, this area of the i386 architecture was rarely used, which is why Xen was able to use it to implement paravirtualisation, Xen's novel approach to virtualization. In AMD64, Xen had to use a different implementation approach, so Xen does not use ring 1 to support 64-bit guests. With the focus now being on 64-bit systems, and the availability of explicit hardware support for virtualization, fixing speculation issues in ring 1 is not a priority for processor companies. Indirect Branch Restricted Speculation (IBRS) is an architectural x86 extension put together to combat speculative execution sidechannel attacks, including Spectre v2. It was retrofitted in microcode to existing CPUs. For more details on Spectre v2, see: http://xenbits.xen.org/xsa/advisory-254.html However, IBRS does not architecturally protect ring 0 from predictions learnt in ring 1. For more details, see: https://software.intel.com/security-software-guidance/deep-dives/deep-dive-indirect-branch-restricted-speculation Similar situations may exist with other mitigations for other kinds of speculative execution attacks. The situation is quite likely to be similar for speculative execution attacks which have yet to be discovered, disclosed, or mitigated.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-06-11 15:15:00 UTC
CVE-2021-28689
CVE-2021-28690 on Ubuntu 26.04 LTS (resolute) - medium
x86: TSX Async Abort protections not restored after S3 This issue relates to the TSX Async Abort speculative security vulnerability. Please see https://xenbits.xen.org/xsa/advisory-305.html for details. Mitigating TAA by disabling TSX (the default and preferred option) requires selecting a non-default setting in MSR_TSX_CTRL. This setting isn't restored after S3 suspend.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-29 12:15:00 UTC
CVE-2021-28690
CVE-2021-28692 on Ubuntu 26.04 LTS (resolute) - medium
inappropriate x86 IOMMU timeout detection / handling IOMMUs process commands issued to them in parallel with the operation of the CPU(s) issuing such commands. In the current implementation in Xen, asynchronous notification of the completion of such commands is not used. Instead, the issuing CPU spin-waits for the completion of the most recently issued command(s). Some of these waiting loops try to apply a timeout to fail overly-slow commands. The course of action upon a perceived timeout actually being detected is inappropriate: - on Intel hardware guests which did not originally cause the timeout may be marked as crashed, - on AMD hardware higher layer callers would not be notified of the issue, making them continue as if the IOMMU operation succeeded.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-30 11:15:00 UTC
CVE-2021-28692
CVE-2021-28693 on Ubuntu 26.04 LTS (resolute) - medium
xen/arm: Boot modules are not scrubbed The bootloader will load boot modules (e.g. kernel, initramfs...) in a temporary area before they are copied by Xen to each domain memory. To ensure sensitive data is not leaked from the modules, Xen must "scrub" them before handing the page over to the allocator. Unfortunately, it was discovered that modules will not be scrubbed on Arm.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-30 11:15:00 UTC
CVE-2021-28693
CVE-2021-28694 on Ubuntu 26.04 LTS (resolute) - medium
IOMMU page mapping issues on x86 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assignment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-27 19:15:00 UTC
CVE-2021-28694
CVE-2021-28695 on Ubuntu 26.04 LTS (resolute) - medium
IOMMU page mapping issues on x86 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assignment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-27 19:15:00 UTC
CVE-2021-28695
CVE-2021-28696 on Ubuntu 26.04 LTS (resolute) - medium
IOMMU page mapping issues on x86 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assignment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-27 19:15:00 UTC
CVE-2021-28696
CVE-2021-28697 on Ubuntu 26.04 LTS (resolute) - medium
grant table v2 status pages may remain accessible after de-allocation Guests get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-27 19:15:00 UTC
CVE-2021-28697
CVE-2021-28698 on Ubuntu 26.04 LTS (resolute) - medium
long running loops in grant table handling In order to properly monitor resource use, Xen maintains information on the grant mappings a domain may create to map grants offered by other domains. In the process of carrying out certain actions, Xen would iterate over all such entries, including ones which aren't in use anymore and some which may have been created but never used. If the number of entries for a given domain is large enough, this iterating of the entire table may tie up a CPU for too long, starving other domains or causing issues in the hypervisor itself. Note that a domain may map its own grants, i.e. there is no need for multiple domains to be involved here. A pair of "cooperating" guests may, however, cause the effects to be more severe.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-27 19:15:00 UTC
CVE-2021-28698
CVE-2021-28699 on Ubuntu 26.04 LTS (resolute) - medium
inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit guests on x86, translation of requests has to occur because the interface structure layouts commonly differ between 32- and 64-bit. The translation of the request to obtain the frame numbers of the grant status table involves translating the resulting array of frame numbers. Since the space used to carry out the translation is limited, the translation layer tells the core function the capacity of the array within translation space. Unfortunately the core function then only enforces array bounds to be below 8 times the specified value, and would write past the available space if enough frame numbers needed storing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-27 19:15:00 UTC
CVE-2021-28699
CVE-2021-28700 on Ubuntu 26.04 LTS (resolute) - medium
xen/arm: No memory limit for dom0less domUs The dom0less feature allows an administrator to create multiple unprivileged domains directly from Xen. Unfortunately, the memory limit from them is not set. This allows a domain to allocate memory beyond what an administrator originally configured.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-27 19:15:00 UTC
CVE-2021-28700
CVE-2021-28701 on Ubuntu 26.04 LTS (resolute) - medium
Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-08 14:15:00 UTC
CVE-2021-28701
CVE-2021-28702 on Ubuntu 26.04 LTS (resolute) - medium
PCI devices with RMRRs not deassigned correctly Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR"). These are typically used for platform tasks such as legacy USB emulation. If such a device is passed through to a guest, then on guest shutdown the device is not properly deassigned. The IOMMU configuration for these devices which are not properly deassigned ends up pointing to a freed data structure, including the IO Pagetables. Subsequent DMA or interrupts from the device will have unpredictable behaviour, ranging from IOMMU faults to memory corruption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-06 14:15:00 UTC
CVE-2021-28702
CVE-2021-28703 on Ubuntu 26.04 LTS (resolute) - medium
grant table v2 status pages may remain accessible after de-allocation (take two) Guests get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes. This bug was fortuitously fixed by code cleanup in Xen 4.14, and backported to security-supported Xen branches as a prerequisite of the fix for XSA-378.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-07 12:15:00 UTC
CVE-2021-28703
CVE-2021-28704 on Ubuntu 26.04 LTS (resolute) - medium
PoD operations on misaligned GFNs [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). The implementation of some of these hypercalls for PoD does not enforce the base page frame number to be suitably aligned for the specified order, yet some code involved in PoD handling actually makes such an assumption. These operations are XENMEM_decrease_reservation (CVE-2021-28704) and XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by domains controlling the guest, i.e. a de-privileged qemu or a stub domain. (Patch 1, combining the fix to both these two issues.) In addition handling of XENMEM_decrease_reservation can also trigger a host crash when the specified page order is neither 4k nor 2M nor 1G (CVE-2021-28708, patch 2).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-24 01:15:00 UTC
CVE-2021-28704
CVE-2021-28705 on Ubuntu 26.04 LTS (resolute) - medium
issues with partially successful P2M updates on x86 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). In some cases the hypervisor carries out the requests by splitting them into smaller chunks. Error handling in certain PoD cases has been insufficient in that in particular partial success of some operations was not properly accounted for. There are two code paths affected - page removal (CVE-2021-28705) and insertion of new pages (CVE-2021-28709). (We provide one patch which combines the fix to both issues.)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-24 02:15:00 UTC
CVE-2021-28705
CVE-2021-28706 on Ubuntu 26.04 LTS (resolute) - medium
guests may exceed their designated memory limit When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. This is a result of a calculation done with 32-bit precision, which may overflow. It would then only be the overflowed (and hence small) number which gets compared against the established upper bound.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-24 01:15:00 UTC
CVE-2021-28706
CVE-2021-28707 on Ubuntu 26.04 LTS (resolute) - medium
PoD operations on misaligned GFNs [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). The implementation of some of these hypercalls for PoD does not enforce the base page frame number to be suitably aligned for the specified order, yet some code involved in PoD handling actually makes such an assumption. These operations are XENMEM_decrease_reservation (CVE-2021-28704) and XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by domains controlling the guest, i.e. a de-privileged qemu or a stub domain. (Patch 1, combining the fix to both these two issues.) In addition handling of XENMEM_decrease_reservation can also trigger a host crash when the specified page order is neither 4k nor 2M nor 1G (CVE-2021-28708, patch 2).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-24 01:15:00 UTC
CVE-2021-28707
CVE-2021-28708 on Ubuntu 26.04 LTS (resolute) - medium
PoD operations on misaligned GFNs [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). The implementation of some of these hypercalls for PoD does not enforce the base page frame number to be suitably aligned for the specified order, yet some code involved in PoD handling actually makes such an assumption. These operations are XENMEM_decrease_reservation (CVE-2021-28704) and XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by domains controlling the guest, i.e. a de-privileged qemu or a stub domain. (Patch 1, combining the fix to both these two issues.) In addition handling of XENMEM_decrease_reservation can also trigger a host crash when the specified page order is neither 4k nor 2M nor 1G (CVE-2021-28708, patch 2).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-24 01:15:00 UTC
CVE-2021-28708
CVE-2021-28709 on Ubuntu 26.04 LTS (resolute) - medium
issues with partially successful P2M updates on x86 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). In some cases the hypervisor carries out the requests by splitting them into smaller chunks. Error handling in certain PoD cases has been insufficient in that in particular partial success of some operations was not properly accounted for. There are two code paths affected - page removal (CVE-2021-28705) and insertion of new pages (CVE-2021-28709). (We provide one patch which combines the fix to both issues.)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-24 02:15:00 UTC
CVE-2021-28709
CVE-2021-29060 on Ubuntu 26.04 LTS (resolute) - medium
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-21 16:15:00 UTC
CVE-2021-29060
CVE-2021-29338 on Ubuntu 26.04 LTS (resolute) - low
Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of Service (DoS). This occurs when the attacker uses the command line option "-ImgDir" on a directory that contains 1048576 files.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-04-14 14:15:00 UTC
2021-04-14 14:15:00 UTC
https://github.com/uclouvain/openjpeg/issues/1338
[https://ubuntu.com/security/notices/USN-7083-1]
CVE-2021-29338
CVE-2021-29376 on Ubuntu 26.04 LTS (resolute) - medium
ircII before 20210314 allows remote attackers to cause a denial of service (segmentation fault and client crash, disconnecting the victim from an IRC server) via a crafted CTCP UTC message.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-03-30 07:15:00 UTC
CVE-2021-29376
CVE-2021-29421 on Ubuntu 26.04 LTS (resolute) - medium
models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-01 20:15:00 UTC
CVE-2021-29421
CVE-2021-29424 on Ubuntu 26.04 LTS (resolute) - medium
The Net::Netmask module before 2.0000 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-06 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986135
CVE-2021-29424
CVE-2021-29428 on Ubuntu 26.04 LTS (resolute) - medium
In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the "sticky" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-13 20:15:00 UTC
CVE-2021-29428
CVE-2021-29447 on Ubuntu 26.04 LTS (resolute) - low
WordPress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-04-15 21:15:00 UTC
CVE-2021-29447
CVE-2021-29450 on Ubuntu 26.04 LTS (resolute) - low
WordPress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-04-15 22:15:00 UTC
CVE-2021-29450
CVE-2021-29499 on Ubuntu 26.04 LTS (resolute) - medium
SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade. As a workaround, users passing CreateInfo struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-07 21:15:00 UTC
CVE-2021-29499
CVE-2021-29507 on Ubuntu 26.04 LTS (resolute) - medium
GENIVI Diagnostic Log and Trace (DLT) provides a log and trace interface. In versions of GENIVI DLT between 2.10.0 and 2.18.6, a configuration file containing the special characters could cause a vulnerable component to crash. All the applications which are using the configuration file could fail to generate their dlt logs in system. As of time of publication, no patch exists. As a workaround, one may check the integrity of information in configuration file manually.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-28 21:15:00 UTC
CVE-2021-29507
CVE-2021-30146 on Ubuntu 26.04 LTS (resolute) - medium
Seafile 7.0.5 (2019) allows Persistent XSS via the "share of library functionality."
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-06 16:15:00 UTC
CVE-2021-30146
CVE-2021-30147 on Ubuntu 26.04 LTS (resolute) - medium
DMA Softlab Radius Manager 4.4.0 allows CSRF with impacts such as adding new manager accounts via admin.php.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-07 03:15:00 UTC
CVE-2021-30147
CVE-2021-30152 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. When using the MediaWiki API to "protect" a page, a user is currently able to protect to a higher level than they currently have permissions for.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-09 07:15:00 UTC
CVE-2021-30152
CVE-2021-30156 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Special:Contributions can leak that a "hidden" user exists.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-09 07:15:00 UTC
CVE-2021-30156
CVE-2021-30157 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped, leading to XSS.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-06 07:15:00 UTC
CVE-2021-30157
CVE-2021-30158 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been compromised, and yet is not able to block any potential future use of the token by an unauthorized party.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-06 07:15:00 UTC
CVE-2021-30158
CVE-2021-30159 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-09 07:15:00 UTC
CVE-2021-30159
CVE-2021-3028 on Ubuntu 26.04 LTS (resolute) - medium
git-big-picture before 1.0.0 mishandles ' characters in a branch name, leading to code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-01-13 17:15:00 UTC
CVE-2021-3028
CVE-2021-30458 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.12.2. An attacker can send crafted wikitext that Utils/WTUtils.php will transform by using a <meta> tag, bypassing sanitization steps, and potentially allowing for XSS.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-09 07:15:00 UTC
CVE-2021-30458
CVE-2021-30469 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in PoDoFo 0.9.7. A use-after-free in PoDoFo::PdfVecObjects::Clear() function can cause a denial of service via a crafted PDF file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-26 22:15:00 UTC
CVE-2021-30469
CVE-2021-30472 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in PoDoFo 0.9.7. A stack-based buffer overflow in PdfEncryptMD5Base::ComputeOwnerKey function in PdfEncrypt.cpp is possible because of an improper check of the keyLength value.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-26 22:15:00 UTC
CVE-2021-30472
CVE-2021-30485 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_internal_dtd(), while parsing a crafted XML file, performs incorrect memory handling, leading to a NULL pointer dereference while running strcmp() on a NULL pointer.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-04-11 16:15:00 UTC
2021-04-11 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989363
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989364
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989361
[https://ubuntu.com/security/notices/USN-5061-1]
CVE-2021-30485
CVE-2021-30500 on Ubuntu 26.04 LTS (resolute) - medium
Null pointer dereference was found in upx PackLinuxElf::canUnpack() in p_lx_elf.cpp, in version UPX 4.0.0. That allows attackers to execute arbitrary code and cause a denial of service via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-27 00:15:00 UTC
CVE-2021-30500
CVE-2021-30501 on Ubuntu 26.04 LTS (resolute) - negligible
An assertion abort was found in upx MemBuffer::alloc() in mem.cpp, in version UPX 4.0.0. The flow allows attackers to cause a denial of service (abort) via a crafted file.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2021 Canonical Ltd.
2021-05-27 00:15:00 UTC
CVE-2021-30501
CVE-2021-3121 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
Update Instructions:
Run `sudo pro fix CVE-2021-3121` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gogoprotobuf - 1.3.2-1
golang-gogoprotobuf-dev - 1.3.2-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-01-11 06:15:00 UTC
CVE-2021-3121
CVE-2021-31229 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_internal_dtd() performs incorrect memory handling while parsing crafted XML files, which leads to an out-of-bounds write of a one byte constant.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-04-15 15:15:00 UTC
2021-04-15 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989363
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989364
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989361
[https://ubuntu.com/security/notices/USN-5061-1]
CVE-2021-31229
CVE-2021-31347 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_parse_str() performs incorrect memory handling while parsing crafted XML files (writing outside a memory region created by mmap).
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-04-16 18:15:00 UTC
2021-04-16 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989363
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989364
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989361
[https://ubuntu.com/security/notices/USN-5061-1]
CVE-2021-31347
CVE-2021-31348 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_parse_str() performs incorrect memory handling while parsing crafted XML files (out-of-bounds read after a certain strcspn failure).
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-04-16 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989363
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989364
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989361
CVE-2021-31348
CVE-2021-3139 on Ubuntu 26.04 LTS (resolute) - medium
In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy_locate_udev in tcmur_cmd_handler.c lacks a check for transport-layer restrictions, allowing remote attackers to read or write files via directory traversal in an XCOPY request. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. NOTE: relative to CVE-2020-28374, this is a similar mistake in a different algorithm.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-01-13 16:15:00 UTC
2021-01-13 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-4707-1]
CVE-2021-3139
CVE-2021-31523 on Ubuntu 26.04 LTS (resolute) - medium
The Debian xscreensaver 5.42+dfsg1-1 package for XScreenSaver has cap_net_raw enabled for the /usr/libexec/xscreensaver/sonar file, which allows local users to gain privileges because this is arguably incompatible with the design of the Mesa 3D Graphics library dependency.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-21 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987149
CVE-2021-31523
CVE-2021-31598 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_decode() performs incorrect memory handling while parsing crafted XML files, leading to a heap-based buffer overflow.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-04-24 17:15:00 UTC
2021-04-24 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989363
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989364
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989360
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989361
[https://ubuntu.com/security/notices/USN-5061-1]
CVE-2021-31598
CVE-2021-31800 on Ubuntu 26.04 LTS (resolute) - medium
Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-05 11:15:00 UTC
CVE-2021-31800
CVE-2021-31804 on Ubuntu 26.04 LTS (resolute) - medium
LeoCAD before 21.03 sometimes allows a use-after-free during the opening of a new document.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-26 08:15:00 UTC
CVE-2021-31804
CVE-2021-31806 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing.
Update Instructions:
Run `sudo pro fix CVE-2021-31806` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
squid - 4.13-10ubuntu1
squid-cgi - 4.13-10ubuntu1
squid-common - 4.13-10ubuntu1
squid-openssl - 4.13-10ubuntu1
squid-purge - 4.13-10ubuntu1
squidclient - 4.13-10ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-27 13:15:00 UTC
2021-05-27 13:15:00 UTC
Joshua Rogers
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989043
https://bugzilla.suse.com/show_bug.cgi?id=1185916
[https://ubuntu.com/security/notices/USN-4981-1]
CVE-2021-31806
CVE-2021-31807 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.
Update Instructions:
Run `sudo pro fix CVE-2021-31807` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
squid - 4.13-10ubuntu1
squid-cgi - 4.13-10ubuntu1
squid-common - 4.13-10ubuntu1
squid-openssl - 4.13-10ubuntu1
squid-purge - 4.13-10ubuntu1
squidclient - 4.13-10ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-28 00:00:00 UTC
2021-05-28 00:00:00 UTC
Joshua Rogers
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989043
https://bugzilla.suse.com/show_bug.cgi?id=1185916
[https://ubuntu.com/security/notices/USN-4981-1]
CVE-2021-31807
CVE-2021-31808 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.
Update Instructions:
Run `sudo pro fix CVE-2021-31808` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
squid - 4.13-10ubuntu1
squid-cgi - 4.13-10ubuntu1
squid-common - 4.13-10ubuntu1
squid-openssl - 4.13-10ubuntu1
squid-purge - 4.13-10ubuntu1
squidclient - 4.13-10ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-27 14:15:00 UTC
2021-05-27 14:15:00 UTC
Joshua Rogers
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989043
https://bugzilla.suse.com/show_bug.cgi?id=1185916
[https://ubuntu.com/security/notices/USN-4981-1]
CVE-2021-31808
CVE-2021-31811 on Ubuntu 26.04 LTS (resolute) - low
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-06-12 10:15:00 UTC
CVE-2021-31811
CVE-2021-31812 on Ubuntu 26.04 LTS (resolute) - low
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-06-12 10:15:00 UTC
CVE-2021-31812
CVE-2021-31878 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in PJSIP in Asterisk before 16.19.1 and before 18.5.1. To exploit, a re-INVITE without SDP must be received after Asterisk has sent a BYE request.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-07-30 14:15:00 UTC
CVE-2021-31878
CVE-2021-31879 on Ubuntu 26.04 LTS (resolute) - medium
GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-29 05:15:00 UTC
https://savannah.gnu.org/bugs/?56909
CVE-2021-31879
CVE-2021-31998 on Ubuntu 26.04 LTS (resolute) - medium
An Incorrect Default Permissions vulnerability in the packaging of inn of SUSE Linux Enterprise Server 11-SP3; openSUSE Backports SLE-15-SP2, openSUSE Leap 15.2 allows local attackers to escalate their privileges from the news user to root. This issue affects: SUSE Linux Enterprise Server 11-SP3 inn version inn-2.4.2-170.21.3.1 and prior versions. openSUSE Backports SLE-15-SP2 inn versions prior to 2.6.2. openSUSE Leap 15.2 inn versions prior to 2.6.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-10 12:15:00 UTC
CVE-2021-31998
CVE-2021-32050 on Ubuntu 26.04 LTS (resolute) - medium
Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-29 16:15:00 UTC
CVE-2021-32050
CVE-2021-32062 on Ubuntu 26.04 LTS (resolute) - medium
MapServer before 7.0.8, 7.1.x and 7.2.x before 7.2.3, 7.3.x and 7.4.x before 7.4.5, and 7.5.x and 7.6.x before 7.6.3 does not properly enforce the MS_MAP_NO_PATH and MS_MAP_PATTERN restrictions that are intended to control the locations from which a mapfile may be loaded (with MapServer CGI).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-06 13:15:00 UTC
CVE-2021-32062
CVE-2021-32142 on Ubuntu 26.04 LTS (resolute) - low
Buffer Overflow vulnerability in LibRaw linux/unix v0.20.0 allows attacker to escalate privileges via the LibRaw_buffer_datastream::gets(char*, int) in /src/libraw/src/libraw_datastream.cpp.
Update Instructions:
Run `sudo pro fix CVE-2021-32142` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libraw-bin - 0.20.2-2.1ubuntu1
libraw23t64 - 0.20.2-2.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-02-17 18:15:00 UTC
2023-02-17 18:15:00 UTC
https://github.com/LibRaw/LibRaw/issues/400
[https://ubuntu.com/security/notices/USN-6137-1]
[https://ubuntu.com/security/notices/USN-7266-1]
CVE-2021-32142
CVE-2021-32265 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 through v1.6.0-637. A global-buffer-overflow exists in the function AP4_MemoryByteStream::WritePartial() located in Ap4ByteStream.cpp. It allows an attacker to cause code execution or information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-20 16:15:00 UTC
CVE-2021-32265
CVE-2021-32272 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in faad2 before 2.10.0. A heap-buffer-overflow exists in the function stszin located in mp4read.c. It allows an attacker to cause Code Execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-20 16:15:00 UTC
2021-09-20 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-6313-1]
CVE-2021-32272
CVE-2021-32273 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in faad2 through 2.10.0. A stack-buffer-overflow exists in the function ftypin located in mp4read.c. It allows an attacker to cause Code Execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-20 16:15:00 UTC
2021-09-20 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-6313-1]
CVE-2021-32273
CVE-2021-32274 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in faad2 through 2.10.0. A heap-buffer-overflow exists in the function sbr_qmf_synthesis_64 located in sbr_qmf.c. It allows an attacker to cause code Execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-20 16:15:00 UTC
2021-09-20 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-6313-1]
CVE-2021-32274
CVE-2021-32275 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in faust through v2.30.5. A NULL pointer dereference exists in the function CosPrim::computeSigOutput() located in cosprim.hh. It allows an attacker to cause Denial of Service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-20 16:15:00 UTC
CVE-2021-32275
CVE-2021-32276 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in faad2 through 2.10.0. A NULL pointer dereference exists in the function get_sample() located in output.c. It allows an attacker to cause Denial of Service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-20 16:15:00 UTC
2021-09-20 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-6313-1]
CVE-2021-32276
CVE-2021-32277 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in faad2 through 2.10.0. A heap-buffer-overflow exists in the function sbr_qmf_analysis_32 located in sbr_qmf.c. It allows an attacker to cause code Execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-20 16:15:00 UTC
2021-09-20 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-6313-1]
CVE-2021-32277
CVE-2021-32278 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in faad2 through 2.10.0. A heap-buffer-overflow exists in the function lt_prediction located in lt_predict.c. It allows an attacker to cause code Execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-20 16:15:00 UTC
2021-09-20 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-6313-1]
CVE-2021-32278
CVE-2021-32286 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in hcxtools through 6.1.6. A global-buffer-overflow exists in the function pcapngoptionwalk located in hcxpcapngtool.c. It allows an attacker to cause code Execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-20 16:15:00 UTC
CVE-2021-32286
CVE-2021-32294 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libgig through 20200507. A heap-buffer-overflow exists in the function RIFF::List::GetSubList located in RIFF.cpp. It allows an attacker to cause code Execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-20 16:15:00 UTC
CVE-2021-32294
CVE-2021-32419 on Ubuntu 26.04 LTS (resolute) - medium
An issue in Schism Tracker v20200412 fixed in v.20200412 allows attacker to obtain sensitive information via the fmt_mtm_load_song function in fmt/mtm.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-17 18:15:00 UTC
CVE-2021-32419
CVE-2021-32420 on Ubuntu 26.04 LTS (resolute) - medium
dpic 2021.01.01 has a Heap-based Buffer Overflow in the storestring function in dpic.y.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2021-32420
CVE-2021-32421 on Ubuntu 26.04 LTS (resolute) - medium
dpic 2021.01.01 has a Heap Use-After-Free in the deletestringbox() function in dpic.y.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2021-32421
CVE-2021-32422 on Ubuntu 26.04 LTS (resolute) - medium
dpic 2021.01.01 has a Global buffer overflow in the yylex() function in main.c and reads out of the bound array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2021-32422
CVE-2021-32558 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Sangoma Asterisk 13.x before 13.38.3, 16.x before 16.19.1, 17.x before 17.9.4, and 18.x before 18.5.1, and Certified Asterisk before 16.8-cert10. If the IAX2 channel driver receives a packet that contains an unsupported media format, a crash can occur.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-07-30 14:15:00 UTC
CVE-2021-32558
CVE-2021-32610 on Ubuntu 26.04 LTS (resolute) - medium
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
Update Instructions:
Run `sudo pro fix CVE-2021-32610` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
php-pear - 1:1.10.12+submodules+notgz+20210212-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-27 00:00:00 UTC
2021-07-27 00:00:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991541
[https://ubuntu.com/security/notices/USN-5027-1]
[https://ubuntu.com/security/notices/USN-5027-2]
CVE-2021-32610
CVE-2021-32613 on Ubuntu 26.04 LTS (resolute) - medium
In radare2 through 5.3.0 there is a double free vulnerability in the pyc parse via a crafted file which can lead to DoS.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-14 13:15:00 UTC
Burak ÇARIKÇI
CVE-2021-32613
CVE-2021-32614 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in dmg2img through 20170502. fill_mishblk() does not check the length of the read buffer, and copies 0xCC bytes from it. The length of the buffer is controlled by an attacker. By providing a length smaller than 0xCC, memcpy reaches out of the malloc'ed bound. This possibly leads to memory layout information leaking in the data. This might be used in a chain of vulnerability in order to reach code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-26 22:15:00 UTC
Anshunkang Zhou
https://github.com/Lekensteyn/dmg2img/issues/11
CVE-2021-32614
CVE-2021-32635 on Ubuntu 26.04 LTS (resolute) - medium
Singularity is an open source container platform. In versions 3.7.2 and 3.7.3, due to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container. Only action commands (`run`/`shell`/`exec`) against `library://` URIs are affected. Other commands such as `pull` / `push` respect the configured remote endpoint. The vulnerability is patched in Singularity version 3.7.4. Two possible workarounds exist: Users can only interact with the default remote endpoint, or an installation can have an execution control list configured to restrict execution to containers signed with specific secure keys.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-28 21:15:00 UTC
CVE-2021-32635
CVE-2021-32708 on Ubuntu 26.04 LTS (resolute) - medium
Flysystem is an open source file storage library for PHP. The whitespace normalisation used in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: A user is allowed to supply the path or filename of an uploaded file, the supplied path or filename is not checked against unicode chars, the supplied pathname checked against an extension deny-list, not an allow-list, the supplied path or filename contains a unicode whitespace char in the extension, the uploaded file is stored in a directory that allows PHP code to be executed. Given these conditions are met a user can upload and execute arbitrary code on the system under attack. The unicode whitespace removal has been replaced with a rejection (exception). For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-24 17:15:00 UTC
CVE-2021-32708
CVE-2021-32723 on Ubuntu 26.04 LTS (resolute) - medium
Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been fixed in Prism v1.24. As a workaround, do not use ASCIIDoc or ERB to highlight untrusted text. Other languages are not affected and can be used to highlight untrusted text.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-28 20:15:00 UTC
CVE-2021-32723
CVE-2021-32739 on Ubuntu 26.04 LTS (resolute) - medium
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. From version 2.4.0 through version 2.12.4, a vulnerability exists that may allow privilege escalation for authenticated API users. With a read-only user's credentials, an attacker can view most attributes of all config objects including `ticket_salt` of `ApiListener`. This salt is enough to compute a ticket for every possible common name (CN). A ticket, the master node's certificate, and a self-signed certificate are enough to successfully request the desired certificate from Icinga. That certificate may in turn be used to steal an endpoint or API user's identity. Versions 2.12.5 and 2.11.10 both contain a fix for the vulnerability. As a workaround, one may either specify queryable types explicitly or filter out ApiListener objects.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-15 15:15:00 UTC
CVE-2021-32739
CVE-2021-32743 on Ubuntu 26.04 LTS (resolute) - medium
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) expose the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0) exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add, modify and delete information there. If credentials with more permissions are in use, this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases, these passwords are no longer exposed via the API. As a workaround, API user permissions can be restricted to not allow querying of any affected objects, either by explicitly listing only the required object types for object query permissions, or by applying a filter rule.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-15 16:15:00 UTC
CVE-2021-32743
CVE-2021-32746 on Ubuntu 26.04 LTS (resolute) - low
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows viewing documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is possible to gain access to arbitrary files readable by the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, an administrator may disable the `doc` module or revoke permission to use it from all users.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-07-12 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991116
CVE-2021-32746
CVE-2021-32747 on Ubuntu 26.04 LTS (resolute) - medium
Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in other configurations such as check commands to be able to authenticate with a service being checked. Icinga Web 2 displays these custom variables to logged in users with access to said hosts or services. In order to protect the secrets from being visible to anyone, it's possible to set up protection rules and blacklists in a user's role. Protection rules result in `***` being shown instead of the original value, the key will remain. Blacklists will hide a custom variable entirely from the user. Besides using the UI, custom variables can also be accessed differently by using an undocumented URL parameter. By adding a parameter to the affected routes, Icinga Web 2 will show these columns additionally in the respective list. This parameter is also respected when exporting to JSON or CSV. Protection rules and blacklists however have no effect in this case. Custom variables are shown as-is in the result. The issue has been fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, one may set up a restriction to hide hosts and services with the custom variable in question.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-12 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991116
CVE-2021-32747
CVE-2021-32751 on Ubuntu 26.04 LTS (resolute) - medium
Gradle is a build tool with a focus on build automation. In versions prior to 7.2, start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script. This may impact those who use `gradlew` on Unix-like systems or use the scripts generated by Gradle in their application on Unix-like systems. For this vulnerability to be exploitable, an attacker needs to be able to set the value of particular environment variables and have those environment variables be seen by the vulnerable scripts. This issue has been patched in Gradle 7.2 by removing the use of `eval` and requiring the use of the `bash` shell. There are a few workarounds available. For CI/CD systems using the Gradle build tool, one may ensure that untrusted users are unable to change environment variables for the user that executes `gradlew`. If one is unable to upgrade to Gradle 7.2, one may generate a new `gradlew` script with Gradle 7.2 and use it for older versions of Gradle. For applications using start scripts generated by Gradle, one may ensure that untrusted users are unable to change environment variables for the user that executes the start script. A vulnerable start script could be manually patched to remove the use of `eval` or the use of environment variables that affect the application's command-line. If the application is simple enough, one may be able to avoid the use of the start scripts by running the application directly with Java command.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-20 23:15:00 UTC
CVE-2021-32751
CVE-2021-32773 on Ubuntu 26.04 LTS (resolute) - medium
Racket is a general-purpose programming language and an ecosystem for language-oriented programming. In versions prior to 8.2, code evaluated using the Racket sandbox could cause system modules to incorrectly use attacker-created modules instead of their intended dependencies. This could allow system functions to be controlled by the attacker, giving access to facilities intended to be restricted. This problem is fixed in Racket version 8.2. A workaround is available, depending on system settings. For systems that provide arbitrary Racket evaluation, external sandboxing such as containers limit the impact of the problem. For multi-user evaluation systems, such as the `handin-server` system, it is not possible to work around this problem and upgrading is required.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-20 00:15:00 UTC
CVE-2021-32773
CVE-2021-32796 on Ubuntu 26.04 LTS (resolute) - low
xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-07-27 22:15:00 UTC
CVE-2021-32796
CVE-2021-32804 on Ubuntu 26.04 LTS (resolute) - medium
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-03 19:15:00 UTC
CVE-2021-32804
CVE-2021-32810 on Ubuntu 26.04 LTS (resolute) - medium
crossbeam-deque is a package of work-stealing deques for building task schedulers when programming in Rust. In versions prior to 0.7.4 and 0.8.0, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue. This has been fixed in crossbeam-deque 0.8.1 and 0.7.4.
Update Instructions:
Run `sudo pro fix CVE-2021-32810` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
firefox - 93.0+build1-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-02 19:15:00 UTC
2021-08-02 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993146
[https://ubuntu.com/security/notices/USN-5132-1]
[https://ubuntu.com/security/notices/USN-5107-1]
CVE-2021-32810
CVE-2021-32821 on Ubuntu 26.04 LTS (resolute) - medium
MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to Regular Expression Denial of Service (ReDoS). An attack requires that an attacker can inject a string into a CSS selector at runtime, which is quite common with e.g. jQuery CSS selectors. No patches are available for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-03 17:15:00 UTC
CVE-2021-32821
CVE-2021-32823 on Ubuntu 26.04 LTS (resolute) - medium
In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with <user_input>.constantize there is a potential for a CPU-based DoS. In version 2.4.10 bindata improved the creation time of Bits and Integers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-24 00:15:00 UTC
CVE-2021-32823
CVE-2021-32840 on Ubuntu 26.04 LTS (resolute) - medium
SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry `../evil.txt` may be extracted in the parent directory of `destFolder`. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-26 21:15:00 UTC
CVE-2021-32840
CVE-2021-32841 on Ubuntu 26.04 LTS (resolute) - medium
SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starting version 1.3.0 and prior to version 1.3.3, a check was added if the destination file is under destination directory. However, it is not enforced that `destDir` ends with slash. If the `destDir` is not slash terminated like `/home/user/dir` it is possible to create a file with a name that begins with the destination directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. Version 1.3.3 contains a patch for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-26 22:15:00 UTC
CVE-2021-32841
CVE-2021-32842 on Ubuntu 26.04 LTS (resolute) - medium
SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starting version 1.0.0 and prior to version 1.3.3, a check was added if the destination file is under a destination directory. However, it is not enforced that `_baseDirectory` ends with slash. If the `_baseDirectory` is not slash terminated like `/home/user/dir` it is possible to create a file with a name that begins as the destination directory one level up from the directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. Version 1.3.3 fixed this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-26 21:15:00 UTC
CVE-2021-32842
CVE-2021-32850 on Ubuntu 26.04 LTS (resolute) - medium
jQuery MiniColors is a color picker built on jQuery. Prior to version 2.3.6, jQuery MiniColors is prone to cross-site scripting when handling untrusted color names. This issue is patched in version 2.3.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-20 22:15:00 UTC
CVE-2021-32850
CVE-2021-33038 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in management/commands/hyperkitty_import.py in HyperKitty through 1.3.4. When importing a private mailing list's archives, these archives are publicly visible for the duration of the import. For example, sensitive information might be available on the web for an hour during a large migration from Mailman 2 to Mailman 3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-26 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989183
CVE-2021-33038
CVE-2021-33054 on Ubuntu 26.04 LTS (resolute) - medium
SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-04 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989479
CVE-2021-33054
CVE-2021-33056 on Ubuntu 26.04 LTS (resolute) - medium
Belledonne Belle-sip before 4.5.20, as used in Linphone and other products, can crash via an invalid From header in a SIP message.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-12 21:15:00 UTC
CVE-2021-33056
CVE-2021-33096 on Ubuntu 26.04 LTS (resolute) - medium
Improper isolation of shared resources in network on chip for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an authenticated user to potentially enable denial of service via local access.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-09 23:15:00 UTC
CVE-2021-33096
CVE-2021-33178 on Ubuntu 26.04 LTS (resolute) - medium
The Manage Backgrounds functionality within NagVis versions prior to 1.9.29 is vulnerable to an authenticated path traversal vulnerability. Exploitation of this results in a malicious actor having the ability to arbitrarily delete files on the local system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-14 15:15:00 UTC
CVE-2021-33178
CVE-2021-33192 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in the HTML pages of Apache Jena Fuseki allows an attacker to execute arbitrary javascript on certain page views. This issue affects Apache Jena Fuseki from version 2.0.0 to version 4.0.0 (inclusive).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-05 10:15:00 UTC
CVE-2021-33192
CVE-2021-3336 on Ubuntu 26.04 LTS (resolute) - medium
DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED25519, ED448, ECC, or RSA signature without the corresponding certificate). The client side is affected because man-in-the-middle attackers can impersonate TLS 1.3 servers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-01-29 05:15:00 UTC
CVE-2021-3336
CVE-2021-33367 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in Freeimage v3.18.0 allows attacker to cause a denial of service via a crafted JXR file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-22 21:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032666
CVE-2021-33367
CVE-2021-33388 on Ubuntu 26.04 LTS (resolute) - medium
dpic 2021.04.10 has a Heap Buffer Overflow in the makevar() function in dpic.y
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2021-33388
CVE-2021-33390 on Ubuntu 26.04 LTS (resolute) - medium
dpic 2021.04.10 has a use-after-free in the deletestringbox() function in dpic.y. A different vulnerability than CVE-2021-32421.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2021-33390
CVE-2021-33391 on Ubuntu 26.04 LTS (resolute) - medium
An issue in HTACG HTML Tidy v5.7.28 allows attacker to execute arbitrary code via the -g option of the CleanNode() function in gdoc.c.
Update Instructions:
Run `sudo pro fix CVE-2021-33391` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtidy58 - 2:5.6.0-11ubuntu1
tidy - 2:5.6.0-11ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-17 18:15:00 UTC
2023-02-17 18:15:00 UTC
Neeraj Pal
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032665
https://github.com/htacg/tidy-html5/issues/946
[https://ubuntu.com/security/notices/USN-6483-1]
CVE-2021-33391
CVE-2021-33451 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in lrzip version 0.641. There are memory leaks in fill_buffer() in stream.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2021-33451
CVE-2021-33453 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in lrzip version 0.641. There is a use-after-free in ucompthread() in stream.c:1538.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2021-33453
CVE-2021-33454 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in yasm_expr_get_intnum() in libyasm/expr.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2021-33454
CVE-2021-33455 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in do_directive() in modules/preprocs/nasm/nasm-pp.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2021-33455
CVE-2021-33456 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in hash() in modules/preprocs/nasm/nasm-pp.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2021-33456
CVE-2021-33457 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in expand_mmac_params() in modules/preprocs/nasm/nasm-pp.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2021-33457
CVE-2021-33458 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in find_cc() in modules/preprocs/nasm/nasm-pp.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2021-33458
CVE-2021-33459 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in nasm_parser_directive() in modules/parsers/nasm/nasm-parse.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2021-33459
CVE-2021-33460 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in if_condition() in modules/preprocs/nasm/nasm-pp.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2021-33460
CVE-2021-33461 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in yasm version 1.3.0. There is a use-after-free in yasm_intnum_destroy() in libyasm/intnum.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2021-33461
CVE-2021-33462 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in yasm version 1.3.0. There is a use-after-free in expr_traverse_nodes_post() in libyasm/expr.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2021-33462
CVE-2021-33463 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in yasm_expr__copy_except() in libyasm/expr.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2021-33463
CVE-2021-33464 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in yasm version 1.3.0. There is a heap-buffer-overflow in inc_fopen() in modules/preprocs/nasm/nasm-pp.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2021-33464
CVE-2021-33465 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in expand_mmacro() in modules/preprocs/nasm/nasm-pp.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2021-33465
CVE-2021-33466 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in expand_smacro() in modules/preprocs/nasm/nasm-pp.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2021-33466
CVE-2021-33467 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in yasm version 1.3.0. There is a use-after-free in pp_getline() in modules/preprocs/nasm/nasm-pp.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2021-33467
CVE-2021-33468 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in yasm version 1.3.0. There is a use-after-free in error() in modules/preprocs/nasm/nasm-pp.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2021-33468
CVE-2021-33479 on Ubuntu 26.04 LTS (resolute) - low
A stack-based buffer overflow vulnerability was discovered in gocr through 0.53-20200802 in measure_pitch() in pgm2asc.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-11-17 18:15:00 UTC
CVE-2021-33479
CVE-2021-33480 on Ubuntu 26.04 LTS (resolute) - low
A use-after-free vulnerability was discovered in gocr through 0.53-20200802 in context_correction() in pgm2asc.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-11-17 18:15:00 UTC
CVE-2021-33480
CVE-2021-33481 on Ubuntu 26.04 LTS (resolute) - low
A stack-based buffer overflow vulnerability was discovered in gocr through 0.53-20200802 in try_to_divide_boxes() in pgm2asc.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-11-17 18:15:00 UTC
CVE-2021-33481
CVE-2021-33500 on Ubuntu 26.04 LTS (resolute) - low
PuTTY before 0.75 on Windows allows remote servers to cause a denial of service (Windows GUI hang) by telling the PuTTY window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls. NOTE: the same attack methodology may affect some OS-level GUIs on Linux or other platforms for similar reasons.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-21 20:15:00 UTC
CVE-2021-33500
CVE-2021-33502 on Ubuntu 26.04 LTS (resolute) - medium
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-24 16:15:00 UTC
CVE-2021-33502
CVE-2021-33516 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tampering, etc.
Update Instructions:
Run `sudo pro fix CVE-2021-33516` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-gupnp-1.6 - 1.2.4-1ubuntu1
libgupnp-1.6-0 - 1.2.4-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-24 15:15:00 UTC
2021-05-24 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989098
[https://ubuntu.com/security/notices/USN-4970-1]
CVE-2021-33516
CVE-2021-33560 on Ubuntu 26.04 LTS (resolute) - low
Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.
Update Instructions:
Run `sudo pro fix CVE-2021-33560` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libgcrypt-bin - 1.8.7-5ubuntu2
libgcrypt20 - 1.8.7-5ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-06-08 11:15:00 UTC
2021-06-08 11:15:00 UTC
https://dev.gnupg.org/T5328
[https://ubuntu.com/security/notices/USN-5080-1]
[https://ubuntu.com/security/notices/USN-5080-2]
CVE-2021-33560
CVE-2021-33587 on Ubuntu 26.04 LTS (resolute) - medium
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-28 20:15:00 UTC
2021-05-28 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6065-1]
CVE-2021-33587
CVE-2021-33589 on Ubuntu 26.04 LTS (resolute) - medium
Ribose RNP before 0.15.1 does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than on the tin of the algorithm.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-21 12:15:00 UTC
CVE-2021-33589
CVE-2021-33620 on Ubuntu 26.04 LTS (resolute) - medium
Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server.
Update Instructions:
Run `sudo pro fix CVE-2021-33620` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
squid - 4.13-10ubuntu1
squid-cgi - 4.13-10ubuntu1
squid-common - 4.13-10ubuntu1
squid-openssl - 4.13-10ubuntu1
squid-purge - 4.13-10ubuntu1
squidclient - 4.13-10ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-28 12:15:00 UTC
2021-05-28 12:15:00 UTC
Joshua Rogers
[https://ubuntu.com/security/notices/USN-4981-1]
CVE-2021-33620
CVE-2021-33621 on Ubuntu 26.04 LTS (resolute) - medium
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-18 23:15:00 UTC
2022-11-18 23:15:00 UTC
Hiroshi Tokumaru
[https://ubuntu.com/security/notices/USN-5806-1]
[https://ubuntu.com/security/notices/USN-5806-2]
[https://ubuntu.com/security/notices/USN-5806-3]
[https://ubuntu.com/security/notices/USN-6181-1]
CVE-2021-33621
CVE-2021-33623 on Ubuntu 26.04 LTS (resolute) - medium
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-28 18:15:00 UTC
2021-05-28 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-5999-1]
CVE-2021-33623
CVE-2021-33798 on Ubuntu 26.04 LTS (resolute) - medium
A null pointer dereference was found in libpano13, version libpano13-2.9.20. The flow allows attackers to cause a denial of service and potential code execution via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-07 18:15:00 UTC
CVE-2021-33798
CVE-2021-33813 on Ubuntu 26.04 LTS (resolute) - low
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-06-16 12:15:00 UTC
CVE-2021-33813
CVE-2021-33880 on Ubuntu 26.04 LTS (resolute) - medium
The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-06 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989561
CVE-2021-33880
CVE-2021-33896 on Ubuntu 26.04 LTS (resolute) - medium
Dino before 0.1.2 and 0.2.x before 0.2.1 allows Directory Traversal (only for creation of new files) via URI-encoded path separators.
Update Instructions:
Run `sudo pro fix CVE-2021-33896` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
dino-im - 0.2.0-2ubuntu1
dino-im-common - 0.2.0-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-07 19:15:00 UTC
CVE-2021-33896
CVE-2021-33900 on Ubuntu 26.04 LTS (resolute) - low
While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not applied. This issue affects Apache Directory Studio version 2.0.0.v20210213-M16 and prior versions.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-07-26 07:15:00 UTC
CVE-2021-33900
CVE-2021-3392 on Ubuntu 26.04 LTS (resolute) - low
A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.
Update Instructions:
Run `sudo pro fix CVE-2021-3392` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:6.0+dfsg-1~ubuntu3
qemu-block-supplemental - 1:6.0+dfsg-1~ubuntu3
qemu-guest-agent - 1:6.0+dfsg-1~ubuntu3
qemu-system - 1:6.0+dfsg-1~ubuntu3
qemu-system-arm - 1:6.0+dfsg-1~ubuntu3
qemu-system-common - 1:6.0+dfsg-1~ubuntu3
qemu-system-data - 1:6.0+dfsg-1~ubuntu3
qemu-system-gui - 1:6.0+dfsg-1~ubuntu3
qemu-system-mips - 1:6.0+dfsg-1~ubuntu3
qemu-system-misc - 1:6.0+dfsg-1~ubuntu3
qemu-system-modules-opengl - 1:6.0+dfsg-1~ubuntu3
qemu-system-modules-spice - 1:6.0+dfsg-1~ubuntu3
qemu-system-ppc - 1:6.0+dfsg-1~ubuntu3
qemu-system-riscv - 1:6.0+dfsg-1~ubuntu3
qemu-system-s390x - 1:6.0+dfsg-1~ubuntu3
qemu-system-sparc - 1:6.0+dfsg-1~ubuntu3
qemu-system-x86 - 1:6.0+dfsg-1~ubuntu3
qemu-system-x86-xen - 1:6.0+dfsg-1~ubuntu3
qemu-system-xen - 1:6.0+dfsg-1~ubuntu3
qemu-user - 1:6.0+dfsg-1~ubuntu3
qemu-user-binfmt - 1:6.0+dfsg-1~ubuntu3
qemu-utils - 1:6.0+dfsg-1~ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-03-23 20:15:00 UTC
2021-03-23 20:15:00 UTC
Cheolwoo Myung
https://bugs.launchpad.net/qemu/+bug/1914236
[https://ubuntu.com/security/notices/USN-5010-1]
CVE-2021-3392
CVE-2021-3403 on Ubuntu 26.04 LTS (resolute) - medium
In ytnef 1.9.3, the TNEFSubjectHandler function in lib/ytnef.c allows remote attackers to cause a denial-of-service (and potentially code execution) due to a double free which can be triggered via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-03-04 22:15:00 UTC
CVE-2021-3403
CVE-2021-3404 on Ubuntu 26.04 LTS (resolute) - medium
In ytnef 1.9.3, the SwapWord function in lib/ytnef.c allows remote attackers to cause a denial-of-service (and potentially code execution) due to a heap buffer overflow which can be triggered via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-03-04 22:15:00 UTC
CVE-2021-3404
CVE-2021-3405 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libebml before 1.4.2. A heap overflow bug exists in the implementation of EbmlString::ReadData and EbmlUnicodeString::ReadData in libebml.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-02-23 20:15:00 UTC
CVE-2021-3405
CVE-2021-34081 on Ubuntu 26.04 LTS (resolute) - medium
OS Command Injection vulnerability in bbultman gitsome through 0.2.3 allows attackers to execute arbitrary commands via a crafted tag name of the target git repository.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-02 14:15:00 UTC
CVE-2021-34081
CVE-2021-34085 on Ubuntu 26.04 LTS (resolute) - medium
Read access violation in the III_dequantize_sample function in mpglibDBL/layer3.c in mp3gain through 1.5.2-r2 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact, a different vulnerability than CVE-2017-9872, CVE-2017-14409, and CVE-2018-10778.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-11 18:15:00 UTC
CVE-2021-34085
CVE-2021-3409 on Ubuntu 26.04 LTS (resolute) - medium
The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this.
Update Instructions:
Run `sudo pro fix CVE-2021-3409` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:6.0+dfsg-1~ubuntu3
qemu-block-supplemental - 1:6.0+dfsg-1~ubuntu3
qemu-guest-agent - 1:6.0+dfsg-1~ubuntu3
qemu-system - 1:6.0+dfsg-1~ubuntu3
qemu-system-arm - 1:6.0+dfsg-1~ubuntu3
qemu-system-common - 1:6.0+dfsg-1~ubuntu3
qemu-system-data - 1:6.0+dfsg-1~ubuntu3
qemu-system-gui - 1:6.0+dfsg-1~ubuntu3
qemu-system-mips - 1:6.0+dfsg-1~ubuntu3
qemu-system-misc - 1:6.0+dfsg-1~ubuntu3
qemu-system-modules-opengl - 1:6.0+dfsg-1~ubuntu3
qemu-system-modules-spice - 1:6.0+dfsg-1~ubuntu3
qemu-system-ppc - 1:6.0+dfsg-1~ubuntu3
qemu-system-riscv - 1:6.0+dfsg-1~ubuntu3
qemu-system-s390x - 1:6.0+dfsg-1~ubuntu3
qemu-system-sparc - 1:6.0+dfsg-1~ubuntu3
qemu-system-x86 - 1:6.0+dfsg-1~ubuntu3
qemu-system-x86-xen - 1:6.0+dfsg-1~ubuntu3
qemu-system-xen - 1:6.0+dfsg-1~ubuntu3
qemu-user - 1:6.0+dfsg-1~ubuntu3
qemu-user-binfmt - 1:6.0+dfsg-1~ubuntu3
qemu-utils - 1:6.0+dfsg-1~ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-03-23 21:15:00 UTC
2021-03-23 21:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1928146
https://bugs.launchpad.net/qemu/+bug/1909418
[https://ubuntu.com/security/notices/USN-5010-1]
CVE-2021-3409
CVE-2021-34182 on Ubuntu 26.04 LTS (resolute) - medium
An issue in ttyd v.1.6.3 allows attacker to execute arbitrary code via default configuration permissions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-17 18:15:00 UTC
CVE-2021-34182
CVE-2021-34363 on Ubuntu 26.04 LTS (resolute) - medium
The thefuck (aka The Fuck) package before 3.31 for Python allows Path Traversal that leads to arbitrary file deletion via the "undo archive operation" feature.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-10 11:15:00 UTC
CVE-2021-34363
CVE-2021-3447 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-01 18:15:00 UTC
John Barker, Felix Fontein, and Chen Zhi
https://bugzilla.redhat.com/show_bug.cgi?id=1939349
CVE-2021-3447
CVE-2021-3449 on Ubuntu 26.04 LTS (resolute) - high
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).
Update Instructions:
Run `sudo pro fix CVE-2021-3449` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 1.1.1j-1ubuntu3
openssl - 1.1.1j-1ubuntu3
openssl-provider-legacy - 1.1.1j-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2021 Canonical Ltd.
2021-03-25
2021-03-25
[https://ubuntu.com/security/notices/USN-4891-1]
[https://ubuntu.com/security/notices/USN-5038-1]
CVE-2021-3449
CVE-2021-3480 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in slapi-nis in versions before 0.56.7. A NULL pointer dereference during the parsing of the Binding DN could allow an unauthenticated attacker to crash the 389-ds-base directory server. The highest threat from this vulnerability is to system availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-20 13:15:00 UTC
CVE-2021-3480
CVE-2021-3481 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-04-03 00:00:00 UTC
2021-04-03 00:00:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1931444
https://bugreports.qt.io/browse/QTBUG-91507
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31668
[https://ubuntu.com/security/notices/USN-5241-1]
CVE-2021-3481
CVE-2021-34825 on Ubuntu 26.04 LTS (resolute) - medium
Quassel through 0.13.1, when --require-ssl is enabled, launches without SSL or TLS support if a usable X.509 certificate is not found on the local system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-17 14:15:00 UTC
CVE-2021-34825
CVE-2021-3504 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to crash. The highest threat from this vulnerability is to system availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-05-11 23:15:00 UTC
2021-05-11 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988024
[https://ubuntu.com/security/notices/USN-5148-1]
[https://ubuntu.com/security/notices/USN-5148-2]
CVE-2021-3504
CVE-2021-35043 on Ubuntu 26.04 LTS (resolute) - medium
OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with : as the replacement for the : character.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-19 15:15:00 UTC
CVE-2021-35043
CVE-2021-3507 on Ubuntu 26.04 LTS (resolute) - low
A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory.
Update Instructions:
Run `sudo pro fix CVE-2021-3507` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:6.2+dfsg-2ubuntu8
qemu-block-supplemental - 1:6.2+dfsg-2ubuntu8
qemu-guest-agent - 1:6.2+dfsg-2ubuntu8
qemu-system - 1:6.2+dfsg-2ubuntu8
qemu-system-arm - 1:6.2+dfsg-2ubuntu8
qemu-system-common - 1:6.2+dfsg-2ubuntu8
qemu-system-data - 1:6.2+dfsg-2ubuntu8
qemu-system-gui - 1:6.2+dfsg-2ubuntu8
qemu-system-mips - 1:6.2+dfsg-2ubuntu8
qemu-system-misc - 1:6.2+dfsg-2ubuntu8
qemu-system-modules-opengl - 1:6.2+dfsg-2ubuntu8
qemu-system-modules-spice - 1:6.2+dfsg-2ubuntu8
qemu-system-ppc - 1:6.2+dfsg-2ubuntu8
qemu-system-riscv - 1:6.2+dfsg-2ubuntu8
qemu-system-s390x - 1:6.2+dfsg-2ubuntu8
qemu-system-sparc - 1:6.2+dfsg-2ubuntu8
qemu-system-x86 - 1:6.2+dfsg-2ubuntu8
qemu-system-x86-xen - 1:6.2+dfsg-2ubuntu8
qemu-system-xen - 1:6.2+dfsg-2ubuntu8
qemu-user - 1:6.2+dfsg-2ubuntu8
qemu-user-binfmt - 1:6.2+dfsg-2ubuntu8
qemu-utils - 1:6.2+dfsg-2ubuntu8
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-06 16:15:00 UTC
2021-05-06 16:15:00 UTC
Alexander Bulekov
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987410
https://bugzilla.redhat.com/show_bug.cgi?id=1951118
[https://ubuntu.com/security/notices/USN-5489-1]
CVE-2021-3507
CVE-2021-3508 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in PDFResurrect in version 0.22b. There is an infinite loop in get_xref_linear_skipped() in pdf.c via a crafted PDF file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-04-28 14:15:00 UTC
2021-04-28 14:15:00 UTC
[https://ubuntu.com/security/notices/USN-5282-1]
CVE-2021-3508
CVE-2021-3515 on Ubuntu 26.04 LTS (resolute) - medium
A shell injection flaw was found in pglogical in versions before 2.3.4 and before 3.6.26. An attacker with CREATEDB privileges on a PostgreSQL server can craft a database name that allows execution of shell commands as the postgresql user when calling pglogical.create_subscription().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-01 14:15:00 UTC
CVE-2021-3515
CVE-2021-35197 on Ubuntu 26.04 LTS (resolute) - low
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API (which a "sitewide block" should have prevented).
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-07-02 13:15:00 UTC
CVE-2021-35197
CVE-2021-3521 on Ubuntu 26.04 LTS (resolute) - negligible
There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-08-22 15:15:00 UTC
CVE-2021-3521
CVE-2021-3527 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.
Update Instructions:
Run `sudo pro fix CVE-2021-3527` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:6.0+dfsg-2expubuntu1
qemu-block-supplemental - 1:6.0+dfsg-2expubuntu1
qemu-guest-agent - 1:6.0+dfsg-2expubuntu1
qemu-system - 1:6.0+dfsg-2expubuntu1
qemu-system-arm - 1:6.0+dfsg-2expubuntu1
qemu-system-common - 1:6.0+dfsg-2expubuntu1
qemu-system-data - 1:6.0+dfsg-2expubuntu1
qemu-system-gui - 1:6.0+dfsg-2expubuntu1
qemu-system-mips - 1:6.0+dfsg-2expubuntu1
qemu-system-misc - 1:6.0+dfsg-2expubuntu1
qemu-system-modules-opengl - 1:6.0+dfsg-2expubuntu1
qemu-system-modules-spice - 1:6.0+dfsg-2expubuntu1
qemu-system-ppc - 1:6.0+dfsg-2expubuntu1
qemu-system-riscv - 1:6.0+dfsg-2expubuntu1
qemu-system-s390x - 1:6.0+dfsg-2expubuntu1
qemu-system-sparc - 1:6.0+dfsg-2expubuntu1
qemu-system-x86 - 1:6.0+dfsg-2expubuntu1
qemu-system-x86-xen - 1:6.0+dfsg-2expubuntu1
qemu-system-xen - 1:6.0+dfsg-2expubuntu1
qemu-user - 1:6.0+dfsg-2expubuntu1
qemu-user-binfmt - 1:6.0+dfsg-2expubuntu1
qemu-utils - 1:6.0+dfsg-2expubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-26 22:15:00 UTC
2021-05-26 22:15:00 UTC
Remy Noel
[https://ubuntu.com/security/notices/USN-5010-1]
CVE-2021-3527
CVE-2021-35306 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 through v1.6.0-636. A NULL pointer dereference exists in the function AP4_StszAtom::WriteFields located in Ap4StszAtom.cpp. It allows an attacker to cause a denial of service (DOS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-05 20:15:00 UTC
CVE-2021-35306
CVE-2021-35307 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 through v1.6.0-636. A NULL pointer dereference exists in the AP4_DescriptorFinder::Test component located in /Core/Ap4Descriptor.h. It allows an attacker to cause a denial of service (DOS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-05 20:15:00 UTC
CVE-2021-35307
CVE-2021-35368 on Ubuntu 26.04 LTS (resolute) - medium
OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-05 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992000
CVE-2021-35368
CVE-2021-3548 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in dmg2img through 20170502. dmg2img did not validate the size of the read buffer during memcpy() inside the main() function. This possibly leads to memory layout information leaking in the data. This might be used in a chain of vulnerability in order to reach code execution.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-05-26 21:15:00 UTC
CVE-2021-3548
CVE-2021-35515 on Ubuntu 26.04 LTS (resolute) - medium
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-13 08:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991041
CVE-2021-35515
CVE-2021-35516 on Ubuntu 26.04 LTS (resolute) - medium
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-13 08:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991041
CVE-2021-35516
CVE-2021-35517 on Ubuntu 26.04 LTS (resolute) - medium
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-13 08:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991041
CVE-2021-35517
CVE-2021-35525 on Ubuntu 26.04 LTS (resolute) - low
PostSRSd before 1.11 allows a denial of service (subprocess hang) if Postfix sends certain long data fields such as multiple concatenated email addresses. NOTE: the PostSRSd maintainer acknowledges "theoretically, this error should never occur ... I'm not sure if there's a reliable way to trigger this condition by an external attacker, but it is a security bug in PostSRSd nevertheless."
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-06-28 18:15:00 UTC
Mateusz Jończyk
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990439
CVE-2021-35525
CVE-2021-35538 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.28. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: This vulnerability does not apply to Windows systems. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-20 11:16:00 UTC
CVE-2021-35538
CVE-2021-3565 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in tpm2-tools in versions before 5.1.1 and before 4.3.2. tpm2_import used a fixed AES key for the inner wrapper, potentially allowing a MITM attacker to unwrap the inner portion and reveal the key being imported. The highest threat from this vulnerability is to data confidentiality.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-04 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989148
CVE-2021-3565
CVE-2021-3574 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in ImageMagick-7.0.11-5, where executing a crafted file with the convert command, ASAN detects memory leaks.
Update Instructions:
Run `sudo pro fix CVE-2021-3574` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-26 16:15:00 UTC
2022-08-26 16:15:00 UTC
https://github.com/ImageMagick/ImageMagick/issues/3540
[https://ubuntu.com/security/notices/USN-5736-1]
[https://ubuntu.com/security/notices/USN-5736-2]
CVE-2021-3574
CVE-2021-3575 on Ubuntu 26.04 LTS (resolute) - low
A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg.
Update Instructions:
Run `sudo pro fix CVE-2021-3575` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenjp2-7 - 2.5.0-2ubuntu2
libopenjp2-tools - 2.5.0-2ubuntu2
libopenjpip-dec-server - 2.5.0-2ubuntu2
libopenjpip-viewer - 2.5.0-2ubuntu2
libopenjpip7 - 2.5.0-2ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-03-04 18:15:00 UTC
2022-03-04 18:15:00 UTC
https://github.com/uclouvain/openjpeg/issues/1347
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989775
[https://ubuntu.com/security/notices/USN-7083-1]
CVE-2021-3575
CVE-2021-3578 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecked pointer cast allows a malicious or compromised server to write an arbitrary integer value past the end of a heap-allocated structure by issuing an unexpected APPENDUID response. This could be plausibly exploited for remote code execution on the client.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-06-07 12:00:00 UTC
Lukas Braun
CVE-2021-3578
CVE-2021-3583 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-22 12:15:00 UTC
2021-09-22 12:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1968412
[https://ubuntu.com/security/notices/USN-5315-1]
CVE-2021-3583
CVE-2021-3593 on Ubuntu 26.04 LTS (resolute) - low
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.
Update Instructions:
Run `sudo pro fix CVE-2021-3593` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libslirp0 - 4.6.1-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-06-15 21:15:00 UTC
2021-06-15 21:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1970487
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989994
[https://ubuntu.com/security/notices/USN-5009-1]
[https://ubuntu.com/security/notices/USN-5010-1]
[https://ubuntu.com/security/notices/USN-5009-2]
CVE-2021-3593
CVE-2021-35938 on Ubuntu 26.04 LTS (resolute) - medium
A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-25 20:15:00 UTC
CVE-2021-35938
CVE-2021-35939 on Ubuntu 26.04 LTS (resolute) - medium
It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-26 16:15:00 UTC
CVE-2021-35939
CVE-2021-3597 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-24 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989861
CVE-2021-3597
CVE-2021-3602 on Ubuntu 26.04 LTS (resolute) - medium
An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-03 19:15:00 UTC
CVE-2021-3602
CVE-2021-36090 on Ubuntu 26.04 LTS (resolute) - medium
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-13 08:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991041
CVE-2021-36090
CVE-2021-3610 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/tiff.c. This issue is due to an incorrect setting of the pixel array size, which can lead to a crash and segmentation fault.
Update Instructions:
Run `sudo pro fix CVE-2021-3610` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.6ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-24 19:15:00 UTC
2022-02-24 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-6200-1]
CVE-2021-3610
CVE-2021-36100 on Ubuntu 26.04 LTS (resolute) - medium
Specially crafted string in OTRS system configuration can allow the execution of any system command.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-21 10:15:00 UTC
CVE-2021-36100
CVE-2021-36133 on Ubuntu 26.04 LTS (resolute) - medium
The OPTEE-OS CSU driver for NXP i.MX SoC devices lacks security access configuration for several models, resulting in TrustZone bypass because the NonSecure World can perform arbitrary memory read/write operations on Secure World memory. This involves a DMA capable peripheral.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-07 21:15:00 UTC
CVE-2021-36133
CVE-2021-3620 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-03 19:15:00 UTC
2022-03-03 19:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1975767
[https://ubuntu.com/security/notices/USN-5315-1]
CVE-2021-3620
CVE-2021-3622 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the hivex library. This flaw allows an attacker to input a specially crafted Windows Registry (hive) file, which would cause hivex to recursively call the _get_children() function, leading to a stack overflow. The highest threat from this vulnerability is to system availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-23 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991860
CVE-2021-3622
CVE-2021-3624 on Ubuntu 26.04 LTS (resolute) - medium
There is an integer overflow vulnerability in dcraw. When the victim runs dcraw with a maliciously crafted X3F input image, arbitrary code may be executed in the victim's system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-18 17:15:00 UTC
Wooseok Kang
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984761
CVE-2021-3624
CVE-2021-3629 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-24 19:15:00 UTC
CVE-2021-3629
CVE-2021-3631 on Ubuntu 26.04 LTS (resolute) - negligible
A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out of sVirt confinement. The highest threat from this vulnerability is to confidentiality and integrity.
Update Instructions:
Run `sudo pro fix CVE-2021-3631` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnss-libvirt - 7.6.0-0ubuntu3
libvirt-clients - 7.6.0-0ubuntu3
libvirt-clients-qemu - 7.6.0-0ubuntu3
libvirt-common - 7.6.0-0ubuntu3
libvirt-daemon - 7.6.0-0ubuntu3
libvirt-daemon-common - 7.6.0-0ubuntu3
libvirt-daemon-config-network - 7.6.0-0ubuntu3
libvirt-daemon-config-nwfilter - 7.6.0-0ubuntu3
libvirt-daemon-driver-interface - 7.6.0-0ubuntu3
libvirt-daemon-driver-lxc - 7.6.0-0ubuntu3
libvirt-daemon-driver-network - 7.6.0-0ubuntu3
libvirt-daemon-driver-nodedev - 7.6.0-0ubuntu3
libvirt-daemon-driver-nwfilter - 7.6.0-0ubuntu3
libvirt-daemon-driver-qemu - 7.6.0-0ubuntu3
libvirt-daemon-driver-secret - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-disk - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-gluster - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-iscsi - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-iscsi-direct - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-logical - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-mpath - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-rbd - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-scsi - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-zfs - 7.6.0-0ubuntu3
libvirt-daemon-driver-vbox - 7.6.0-0ubuntu3
libvirt-daemon-driver-xen - 7.6.0-0ubuntu3
libvirt-daemon-lock - 7.6.0-0ubuntu3
libvirt-daemon-log - 7.6.0-0ubuntu3
libvirt-daemon-plugin-lockd - 7.6.0-0ubuntu3
libvirt-daemon-plugin-sanlock - 7.6.0-0ubuntu3
libvirt-daemon-system - 7.6.0-0ubuntu3
libvirt-daemon-system-systemd - 7.6.0-0ubuntu3
libvirt-daemon-system-sysv - 7.6.0-0ubuntu3
libvirt-l10n - 7.6.0-0ubuntu3
libvirt-login-shell - 7.6.0-0ubuntu3
libvirt-sanlock - 7.6.0-0ubuntu3
libvirt-ssh-proxy - 7.6.0-0ubuntu3
libvirt-wireshark - 7.6.0-0ubuntu3
libvirt0 - 7.6.0-0ubuntu3
No subscription required
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-03-02 23:15:00 UTC
2022-03-02 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990709
https://gitlab.com/libvirt/libvirt/-/issues/153
[https://ubuntu.com/security/notices/USN-5399-1]
CVE-2021-3631
CVE-2021-36369 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Dropbear through 2020.81. Due to a non-RFC-compliant check of the available authentication methods in the client-side SSH code, it is possible for an SSH server to change the login process in its favor. This attack can bypass additional security measures such as FIDO2 tokens or SSH-Askpass. Thus, it allows an attacker to abuse a forwarded agent for logging on to another server unnoticed.
Update Instructions:
Run `sudo pro fix CVE-2021-36369` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
dropbear - 2020.81-3+deb11u1
dropbear-bin - 2020.81-3+deb11u1
dropbear-initramfs - 2020.81-3+deb11u1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-12 21:15:00 UTC
2022-10-12 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-7292-1]
CVE-2021-36369
CVE-2021-36373 on Ubuntu 26.04 LTS (resolute) - low
When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-07-14 07:15:00 UTC
CVE-2021-36373
CVE-2021-36374 on Ubuntu 26.04 LTS (resolute) - low
When reading a specially crafted ZIP archive, or a derived format, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-07-14 07:15:00 UTC
CVE-2021-36374
CVE-2021-36377 on Ubuntu 26.04 LTS (resolute) - medium
Fossil before 2.14.2 and 2.15.x before 2.15.2 often skips the hostname check during TLS certificate validation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-12 13:15:00 UTC
CVE-2021-36377
CVE-2021-3639 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in mod_auth_mellon where it does not sanitize logout URLs properly. This issue could be used by an attacker to facilitate phishing attacks by tricking users into visiting a trusted web application URL that redirects to an external and potentially malicious server. The highest threat from this liability is to confidentiality and integrity.
Update Instructions:
Run `sudo pro fix CVE-2021-3639` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libapache2-mod-auth-mellon - 0.17.0-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-04 00:00:00 UTC
2021-08-04 00:00:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991730
[https://ubuntu.com/security/notices/USN-5069-1]
[https://ubuntu.com/security/notices/USN-5069-2]
CVE-2021-3639
CVE-2021-3647 on Ubuntu 26.04 LTS (resolute) - medium
URI.js is vulnerable to URL Redirection to Untrusted Site
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-16 11:15:00 UTC
CVE-2021-3647
CVE-2021-36489 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in Allegro through 5.2.6 allows attackers to cause a denial of service via crafted PCX/TGA/BMP files to allegro_image addon.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-03 18:15:00 UTC
CVE-2021-36489
CVE-2021-36493 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in pdfimages in xpdf 4.03 allows attackers to crash the application via crafted command.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-03 18:15:00 UTC
CVE-2021-36493
CVE-2021-3657 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in mbsync versions prior to 1.4.4. Due to inadequate handling of extremely large (>=2GiB) IMAP literals, malicious or compromised IMAP servers, and hypothetically even external email senders, could cause several different buffer overflows, which could conceivably be exploited for remote code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-18 18:15:00 UTC
CVE-2021-3657
CVE-2021-3671 on Ubuntu 26.04 LTS (resolute) - low
A null pointer de-reference was found in the way samba kerberos server handled missing sname in TGS-REQ (Ticket Granting Server - Request). An authenticated user could use this flaw to crash the samba server.
Update Instructions:
Run `sudo pro fix CVE-2021-3671` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-10-12 18:15:00 UTC
2021-10-12 18:15:00 UTC
Joseph Sutton
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996586
https://bugzilla.redhat.com/show_bug.cgi?id=2013080
https://bugzilla.samba.org/show_bug.cgi?id=14770
[https://ubuntu.com/security/notices/USN-5142-1]
[https://ubuntu.com/security/notices/USN-5174-1]
[https://ubuntu.com/security/notices/USN-5675-1]
CVE-2021-3671
CVE-2021-36713 on Ubuntu 26.04 LTS (resolute) - medium
Cross Site Scripting (XSS) vulnerability in the DataTables plug-in 1.9.2 for jQuery allows attackers to run arbitrary code via the sBaseName parameter to function _fnCreateCookie. NOTE: 1.9.2 is a version from 2012.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-06 22:15:00 UTC
CVE-2021-36713
CVE-2021-3673 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Radare2 in version 5.3.1. Improper input validation when reading a crafted LE binary can lead to resource exhaustion and DoS.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-02 19:15:00 UTC
CVE-2021-3673
CVE-2021-36770 on Ubuntu 26.04 LTS (resolute) - medium
Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.
Update Instructions:
Run `sudo pro fix CVE-2021-36770` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libperl5.40 - 5.32.1-3ubuntu3
perl - 5.32.1-3ubuntu3
perl-base - 5.32.1-3ubuntu3
perl-debug - 5.32.1-3ubuntu3
perl-modules-5.40 - 5.32.1-3ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-09 00:00:00 UTC
2021-08-09 00:00:00 UTC
[https://ubuntu.com/security/notices/USN-5033-1]
CVE-2021-36770
CVE-2021-3690 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-23 16:15:00 UTC
CVE-2021-3690
CVE-2021-3711 on Ubuntu 26.04 LTS (resolute) - high
In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).
Update Instructions:
Run `sudo pro fix CVE-2021-3711` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 1.1.1l-1ubuntu1
openssl - 1.1.1l-1ubuntu1
openssl-provider-legacy - 1.1.1l-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2021 Canonical Ltd.
2021-08-24
2021-08-24
John Ouyang
[https://ubuntu.com/security/notices/USN-5051-1]
CVE-2021-3711
CVE-2021-3712 on Ubuntu 26.04 LTS (resolute) - medium
ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).
Update Instructions:
Run `sudo pro fix CVE-2021-3712` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 1.1.1l-1ubuntu1
openssl - 1.1.1l-1ubuntu1
openssl-provider-legacy - 1.1.1l-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-24
2021-08-24
Ingo Schwarze
[https://ubuntu.com/security/notices/USN-5051-1]
[https://ubuntu.com/security/notices/USN-5051-2]
[https://ubuntu.com/security/notices/USN-5051-3]
[https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)]
[https://ubuntu.com/security/notices/USN-5088-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2021-3712
CVE-2021-37136 on Ubuntu 26.04 LTS (resolute) - medium
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
Update Instructions:
Run `sudo pro fix CVE-2021-37136` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnetty-java - 4.1.48-6
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-19 15:15:00 UTC
2021-10-19 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6049-1]
CVE-2021-37136
CVE-2021-37137 on Ubuntu 26.04 LTS (resolute) - medium
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
Update Instructions:
Run `sudo pro fix CVE-2021-37137` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnetty-java - 4.1.48-6
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-19 15:15:00 UTC
2021-10-19 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6049-1]
CVE-2021-37137
CVE-2021-3714 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the Linux kernel's memory deduplication mechanism. Previous work has shown that memory deduplication can be attacked via a local exploitation mechanism. The same technique can be used if an attacker can upload page sized files and detect the change in access time from a networked service to determine if the page has been merged.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-23 16:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1931327
https://bugzilla.suse.com/show_bug.cgi?id=1202680
CVE-2021-3714
CVE-2021-37155 on Ubuntu 26.04 LTS (resolute) - low
wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure outcome when the serial number in an OCSP request differs from the serial number in the OCSP response.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-07-21 15:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991443
CVE-2021-37155
CVE-2021-3716 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in nbdkit due to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-02 23:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-3716
CVE-2021-3716
CVE-2021-37231 on Ubuntu 26.04 LTS (resolute) - medium
A stack-buffer-overflow occurs in Atomicparsley 20210124.204813.840499f through APar_readX() in src/util.cpp while parsing a crafted mp4 file because of the missing boundary check.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-04 10:15:00 UTC
CVE-2021-37231
CVE-2021-37232 on Ubuntu 26.04 LTS (resolute) - medium
A stack overflow vulnerability occurs in Atomicparsley 20210124.204813.840499f through APar_read64() in src/util.cpp due to the lack of buffer size of uint32_buffer while reading more bytes in APar_read64.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-04 10:15:00 UTC
CVE-2021-37232
CVE-2021-37311 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in fcitx5 5.0.8 allows attackers to cause a denial of service via crafted message to the application's listening port.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-03 18:15:00 UTC
CVE-2021-37311
CVE-2021-3735 on Ubuntu 26.04 LTS (resolute) - low
A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-26 16:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1997184
CVE-2021-3735
CVE-2021-3749 on Ubuntu 26.04 LTS (resolute) - medium
axios is vulnerable to Inefficient Regular Expression Complexity
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-31 11:15:00 UTC
CVE-2021-3749
CVE-2021-37577 on Ubuntu 26.04 LTS (resolute) - medium
Bluetooth LE and BR/EDR Secure Connections pairing and Secure Simple Pairing using the Passkey entry protocol in Bluetooth Core Specifications 2.1 through 5.3 may permit an unauthenticated man-in-the-middle attacker to identify the Passkey used during pairing by reflection of a crafted public key with the same X coordinate as the offered public key and by reflection of the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. This is a related issue to CVE-2020-26558.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-01 15:15:00 UTC
CVE-2021-37577
CVE-2021-37592 on Ubuntu 26.04 LTS (resolute) - medium
Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack that can send a certain sequence of segments.
Update Instructions:
Run `sudo pro fix CVE-2021-37592` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
suricata - 1:6.0.4-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-19 15:15:00 UTC
CVE-2021-37592
CVE-2021-37695 on Ubuntu 26.04 LTS (resolute) - medium
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. The fix will be available in version 4.16.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-13 00:15:00 UTC
2021-08-13 00:15:00 UTC
[https://ubuntu.com/security/notices/USN-5340-1]
[https://ubuntu.com/security/notices/USN-5340-2]
CVE-2021-37695
CVE-2021-37712 on Ubuntu 26.04 LTS (resolute) - medium
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-31 17:15:00 UTC
CVE-2021-37712
CVE-2021-37746 on Ubuntu 26.04 LTS (resolute) - medium
textview_uri_security_check in textview.c in Claws Mail before 3.18.0, and Sylpheed through 3.7.0, does not have sufficient link checks before accepting a click.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-07-30 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991722
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991723
https://bugs.launchpad.net/ubuntu/+source/claws-mail/+bug/1942927
CVE-2021-37746
CVE-2021-37789 on Ubuntu 26.04 LTS (resolute) - medium
stb_image.h 2.27 has a heap-based buffer over in stbi__jpeg_load, leading to Information Disclosure or Denial of Service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-02 13:15:00 UTC
CVE-2021-37789
CVE-2021-37819 on Ubuntu 26.04 LTS (resolute) - medium
PDF Labs pdftk-java v3.2.3 was discovered to contain an infinite loop via the component /text/pdf/PdfReader.java.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-09 22:15:00 UTC
CVE-2021-37819
CVE-2021-3798 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in openCryptoki. The openCryptoki Soft token does not check if an EC key is valid when an EC key is created via C_CreateObject, nor when C_DeriveKey is used with ECDH public data. This may allow a malicious user to extract the private key by performing an invalid curve attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-23 16:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1928780
CVE-2021-3798
CVE-2021-3801 on Ubuntu 26.04 LTS (resolute) - medium
prism is vulnerable to Inefficient Regular Expression Complexity
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-15 13:15:00 UTC
CVE-2021-3801
CVE-2021-3805 on Ubuntu 26.04 LTS (resolute) - medium
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-17 06:15:00 UTC
2021-09-17 06:15:00 UTC
[https://ubuntu.com/security/notices/USN-5967-1]
CVE-2021-3805
CVE-2021-3807 on Ubuntu 26.04 LTS (resolute) - medium
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-17 07:15:00 UTC
CVE-2021-3807
CVE-2021-38084 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the POP3 component of Courier Mail Server before 1.1.5. Meddler-in-the-middle attackers can pipeline commands after the POP3 STLS command, injecting plaintext commands into an encrypted user session.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-03 22:15:00 UTC
CVE-2021-38084
CVE-2021-3816 on Ubuntu 26.04 LTS (resolute) - medium
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 21:15:00 UTC
CVE-2021-3816
CVE-2021-38172 on Ubuntu 26.04 LTS (resolute) - medium
perM 0.4.0 has a Buffer Overflow related to strncpy. (Debian initially fixed this in 0.4.0-7.)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-05 18:15:00 UTC
CVE-2021-38172
CVE-2021-3826 on Ubuntu 26.04 LTS (resolute) - low
Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-01 21:15:00 UTC
CVE-2021-3826
CVE-2021-3835 on Ubuntu 26.04 LTS (resolute) - medium
Buffer overflow in usb device class. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fm6v-8625-99jf
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-07 22:15:00 UTC
CVE-2021-3835
CVE-2021-38441 on Ubuntu 26.04 LTS (resolute) - medium
Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-05 17:15:00 UTC
CVE-2021-38441
CVE-2021-38443 on Ubuntu 26.04 LTS (resolute) - medium
Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-05 17:15:00 UTC
CVE-2021-38443
CVE-2021-38561 on Ubuntu 26.04 LTS (resolute) - medium
golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.
Update Instructions:
Run `sudo pro fix CVE-2021-38561` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
golang-golang-x-text-dev - 0.3.7-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-26 06:15:00 UTC
2022-12-26 06:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2100495
[https://ubuntu.com/security/notices/USN-5873-1]
CVE-2021-38561
CVE-2021-38562 on Ubuntu 26.04 LTS (resolute) - low
Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm.
Update Instructions:
Run `sudo pro fix CVE-2021-38562` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
request-tracker4 - 4.4.4+dfsg-2ubuntu2
rt4-apache2 - 4.4.4+dfsg-2ubuntu2
rt4-clients - 4.4.4+dfsg-2ubuntu2
rt4-db-mysql - 4.4.4+dfsg-2ubuntu2
rt4-db-postgresql - 4.4.4+dfsg-2ubuntu2
rt4-db-sqlite - 4.4.4+dfsg-2ubuntu2
rt4-fcgi - 4.4.4+dfsg-2ubuntu2
rt4-standalone - 4.4.4+dfsg-2ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-10-18 09:15:00 UTC
2021-10-18 09:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995167
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995175
[https://ubuntu.com/security/notices/USN-6529-1]
[https://ubuntu.com/security/notices/USN-7692-1]
CVE-2021-38562
CVE-2021-3859 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-26 16:15:00 UTC
CVE-2021-3859
CVE-2021-38593 on Ubuntu 26.04 LTS (resolute) - medium
Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-12 02:15:00 UTC
2021-08-12 02:15:00 UTC
[https://ubuntu.com/security/notices/USN-5081-1]
CVE-2021-38593
CVE-2021-38597 on Ubuntu 26.04 LTS (resolute) - medium
wolfSSL before 4.8.1 incorrectly skips OCSP verification in certain situations of irrelevant response data that contains the NoCheck extension.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-12 15:15:00 UTC
CVE-2021-38597
CVE-2021-3861 on Ubuntu 26.04 LTS (resolute) - medium
The RNDIS USB device class includes a buffer overflow vulnerability. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hvfp-w4h8-gxvj
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-07 22:15:00 UTC
CVE-2021-3861
CVE-2021-3864 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-26 16:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2015046
https://bugzilla.suse.com/show_bug.cgi?id=1191281
CVE-2021-3864
CVE-2021-38711 on Ubuntu 26.04 LTS (resolute) - medium
In gitit before 0.15.0.0, the Export feature can be exploited to leak information from files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-16 04:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992297
CVE-2021-38711
CVE-2021-3899 on Ubuntu 26.04 LTS (resolute) - medium
There is a race condition in the 'replaced executable' detection that, with the correct local configuration, allows an attacker to execute arbitrary code as root.
Update Instructions:
Run `sudo pro fix CVE-2021-3899` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apport - 2.21.0-0ubuntu1
apport-core-dump-handler - 2.21.0-0ubuntu1
apport-gtk - 2.21.0-0ubuntu1
apport-kde - 2.21.0-0ubuntu1
apport-noui - 2.21.0-0ubuntu1
apport-retrace - 2.21.0-0ubuntu1
apport-valgrind - 2.21.0-0ubuntu1
dh-apport - 2.21.0-0ubuntu1
python3-apport - 2.21.0-0ubuntu1
python3-problem-report - 2.21.0-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-17 18:00:00 UTC
2022-05-17 18:00:00 UTC
Muqing Liu, neoni
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1948376
[https://ubuntu.com/security/notices/USN-5427-1]
[https://ubuntu.com/security/notices/USN-6894-1]
CVE-2021-3899
CVE-2021-39200 on Ubuntu 26.04 LTS (resolute) - low
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to perform actions on your behalf. This has been patched in WordPress 5.8.1, along with any older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-09-09 22:15:00 UTC
CVE-2021-39200
CVE-2021-39201 on Ubuntu 26.04 LTS (resolute) - low
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/wordpress)
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-09-09 22:15:00 UTC
CVE-2021-39201
CVE-2021-39202 on Ubuntu 26.04 LTS (resolute) - medium
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-09 22:15:00 UTC
CVE-2021-39202
CVE-2021-39203 on Ubuntu 26.04 LTS (resolute) - low
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-09-09 22:15:00 UTC
CVE-2021-39203
CVE-2021-39212 on Ubuntu 26.04 LTS (resolute) - low
ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`. ex. <policy domain="module" rights="none" pattern="PS" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy that is also our workaround recommendation: <policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />.
Update Instructions:
Run `sudo pro fix CVE-2021-39212` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-09-13 18:15:00 UTC
2021-09-13 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-5736-1]
[https://ubuntu.com/security/notices/USN-5736-2]
[https://ubuntu.com/security/notices/USN-6200-1]
CVE-2021-39212
CVE-2021-39214 on Ubuntu 26.04 LTS (resolute) - medium
mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.2 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While a smuggled request is still captured as part of another request's body, it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless one uses mitmproxy to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in mitmproxy 7.0.3 and above.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-16 15:15:00 UTC
CVE-2021-39214
CVE-2021-39239 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-16 15:15:00 UTC
CVE-2021-39239
CVE-2021-3933 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-09 16:11:00 UTC
2021-11-09 16:11:00 UTC
[https://ubuntu.com/security/notices/USN-5144-1]
[https://ubuntu.com/security/notices/USN-5620-1]
CVE-2021-3933
CVE-2021-39359 on Ubuntu 26.04 LTS (resolute) - medium
In GNOME libgda through 6.0.0, gda-web-provider.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-08-22 19:15:00 UTC
CVE-2021-39359
CVE-2021-3975 on Ubuntu 26.04 LTS (resolute) - low
A use-after-free flaw was found in libvirt. The qemuMonitorUnregister() function in qemuProcessHandleMonitorEOF is called using multiple threads without being adequately protected by a monitor lock. This flaw could be triggered by the virConnectGetAllDomainStats API when the guest is shutting down. An unprivileged client with a read-only connection could use this flaw to perform a denial of service attack by causing the libvirt daemon to crash.
Update Instructions:
Run `sudo pro fix CVE-2021-3975` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnss-libvirt - 7.6.0-0ubuntu3
libvirt-clients - 7.6.0-0ubuntu3
libvirt-clients-qemu - 7.6.0-0ubuntu3
libvirt-common - 7.6.0-0ubuntu3
libvirt-daemon - 7.6.0-0ubuntu3
libvirt-daemon-common - 7.6.0-0ubuntu3
libvirt-daemon-config-network - 7.6.0-0ubuntu3
libvirt-daemon-config-nwfilter - 7.6.0-0ubuntu3
libvirt-daemon-driver-interface - 7.6.0-0ubuntu3
libvirt-daemon-driver-lxc - 7.6.0-0ubuntu3
libvirt-daemon-driver-network - 7.6.0-0ubuntu3
libvirt-daemon-driver-nodedev - 7.6.0-0ubuntu3
libvirt-daemon-driver-nwfilter - 7.6.0-0ubuntu3
libvirt-daemon-driver-qemu - 7.6.0-0ubuntu3
libvirt-daemon-driver-secret - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-disk - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-gluster - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-iscsi - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-iscsi-direct - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-logical - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-mpath - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-rbd - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-scsi - 7.6.0-0ubuntu3
libvirt-daemon-driver-storage-zfs - 7.6.0-0ubuntu3
libvirt-daemon-driver-vbox - 7.6.0-0ubuntu3
libvirt-daemon-driver-xen - 7.6.0-0ubuntu3
libvirt-daemon-lock - 7.6.0-0ubuntu3
libvirt-daemon-log - 7.6.0-0ubuntu3
libvirt-daemon-plugin-lockd - 7.6.0-0ubuntu3
libvirt-daemon-plugin-sanlock - 7.6.0-0ubuntu3
libvirt-daemon-system - 7.6.0-0ubuntu3
libvirt-daemon-system-systemd - 7.6.0-0ubuntu3
libvirt-daemon-system-sysv - 7.6.0-0ubuntu3
libvirt-l10n - 7.6.0-0ubuntu3
libvirt-login-shell - 7.6.0-0ubuntu3
libvirt-sanlock - 7.6.0-0ubuntu3
libvirt-ssh-proxy - 7.6.0-0ubuntu3
libvirt-wireshark - 7.6.0-0ubuntu3
libvirt0 - 7.6.0-0ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-11-24 00:00:00 UTC
2021-11-24 00:00:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2024326
[https://ubuntu.com/security/notices/USN-5399-1]
CVE-2021-3975
CVE-2021-39800 on Ubuntu 26.04 LTS (resolute) - negligible
In ion_ioctl of ion-ioctl.c, there is a possible way to leak kernel head data due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-208277166. References: Upstream kernel
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-04-12 17:15:00 UTC
CVE-2021-39800
CVE-2021-39920 on Ubuntu 26.04 LTS (resolute) - low
NULL pointer exception in the IPPUSB dissector in Wireshark 3.4.0 to 3.4.9 allows denial of service via packet injection or crafted capture file
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-11-18 19:15:00 UTC
https://gitlab.com/wireshark/wireshark/-/issues/17705
CVE-2021-39920
CVE-2021-39921 on Ubuntu 26.04 LTS (resolute) - medium
NULL pointer exception in the Modbus dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-19 17:15:00 UTC
CVE-2021-39921
CVE-2021-39922 on Ubuntu 26.04 LTS (resolute) - medium
Buffer overflow in the C12.22 dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-19 17:15:00 UTC
CVE-2021-39922
CVE-2021-39924 on Ubuntu 26.04 LTS (resolute) - medium
Large loop in the Bluetooth DHT dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-19 17:15:00 UTC
CVE-2021-39924
CVE-2021-39925 on Ubuntu 26.04 LTS (resolute) - medium
Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-19 17:15:00 UTC
CVE-2021-39925
CVE-2021-40049 on Ubuntu 26.04 LTS (resolute) - medium
There is a permission control vulnerability in the PMS module. Successful exploitation of this vulnerability can lead to sensitive system information being obtained without authorization.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-10 17:43:00 UTC
CVE-2021-40049
CVE-2021-40084 on Ubuntu 26.04 LTS (resolute) - low
opensysusers through 0.6 does not safely use eval on files in sysusers.d that may contain shell metacharacters. For example, it allows command execution via a crafted GECOS field whereas systemd-sysusers (a program with the same specification) does not do that.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-08-25 01:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992058
CVE-2021-40084
CVE-2021-4021 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Radare2 in versions prior to 5.6.2, 5.6.0, 5.5.4 and 5.5.2. Mapping a huge section filled with zeros of an ELF64 binary for MIPS architecture can lead to uncontrolled resource consumption and DoS.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-24 19:15:00 UTC
CVE-2021-4021
CVE-2021-40226 on Ubuntu 26.04 LTS (resolute) - negligible
xpdfreader 4.03 is vulnerable to Buffer Overflow.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-11-10 18:15:00 UTC
CVE-2021-40226
CVE-2021-40241 on Ubuntu 26.04 LTS (resolute) - medium
xfig 3.2.7 is vulnerable to Buffer Overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-31 16:15:00 UTC
CVE-2021-40241
CVE-2021-40262 on Ubuntu 26.04 LTS (resolute) - medium
A stack exhaustion issue was discovered in FreeImage before 1.18.0 via the Validate function in PluginRAW.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055301
CVE-2021-40262
CVE-2021-40263 on Ubuntu 26.04 LTS (resolute) - medium
A heap overflow vulnerability in FreeImage 1.18.0 via the ofLoad function in PluginTIFF.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055302
CVE-2021-40263
CVE-2021-40264 on Ubuntu 26.04 LTS (resolute) - medium
NULL pointer dereference vulnerability in FreeImage before 1.18.0 via the FreeImage_CloneTag function in FreeImageTag.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055303
CVE-2021-40264
CVE-2021-40265 on Ubuntu 26.04 LTS (resolute) - medium
A heap overflow bug exists in FreeImage before 1.18.0 via the ofLoad function in PluginJPEG.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055304
CVE-2021-40265
CVE-2021-40266 on Ubuntu 26.04 LTS (resolute) - medium
FreeImage before 1.18.0, ReadPalette function in PluginTIFF.cpp is vulnerable to null pointer dereference.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055305
CVE-2021-40266
CVE-2021-40402 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read vulnerability exists in the RS-274X aperture macro multiple outline primitives functionality of Gerbv 2.7.0 and dev (commit b5f1eacd), and Gerbv forked 2.7.1 and 2.8.0. A specially-crafted Gerber file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-14 20:15:00 UTC
CVE-2021-40402
CVE-2021-40524 on Ubuntu 26.04 LTS (resolute) - low
In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism in the server allows attackers to upload files of unbounded size, which may lead to denial of service or a server hang. This occurs because a certain greater-than-zero test does not anticipate an initial -1 value. (Versions 1.0.23 through 1.0.49 are affected.)
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-09-05 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993810
CVE-2021-40524
CVE-2021-40528 on Ubuntu 26.04 LTS (resolute) - medium
The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.
Update Instructions:
Run `sudo pro fix CVE-2021-40528` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libgcrypt-bin - 1.8.7-5ubuntu2
libgcrypt20 - 1.8.7-5ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-06 19:15:00 UTC
2021-09-06 19:15:00 UTC
https://dev.gnupg.org/T5328
[https://ubuntu.com/security/notices/USN-5080-1]
[https://ubuntu.com/security/notices/USN-5080-2]
CVE-2021-40528
CVE-2021-40530 on Ubuntu 26.04 LTS (resolute) - medium
The ElGamal implementation in Crypto++ through 8.5 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-09-06 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993841
CVE-2021-40530
CVE-2021-40589 on Ubuntu 26.04 LTS (resolute) - medium
ZAngband zangband-data 2.7.5 is affected by an integer underflow vulnerability in src/tk/plat.c through the variable fileheader.bfOffBits.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-08 18:15:00 UTC
CVE-2021-40589
CVE-2021-40647 on Ubuntu 26.04 LTS (resolute) - medium
In man2html 1.6g, a specific string being read in from a file will overwrite the size parameter in the top chunk of the heap. This at least causes the program to segmentation abort if the heap size parameter isn't aligned correctly. In version before GLIBC version 2.29 and aligned correctly, it allows arbitrary write anywhere in the program's memory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-09 18:15:00 UTC
CVE-2021-40647
CVE-2021-40648 on Ubuntu 26.04 LTS (resolute) - medium
In man2html 1.6g, a filename can be created to overwrite the previous size parameter of the next chunk and the fd, bk, fd_nextsize, bk_nextsize of the current chunk. The next chunk is then freed later on, causing a freeing of an arbitrary amount of memory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-09 18:15:00 UTC
CVE-2021-40648
CVE-2021-40656 on Ubuntu 26.04 LTS (resolute) - medium
libsixel before 1.10 is vulnerable to Buffer Overflow in libsixel/src/quant.c:867.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-08 16:15:00 UTC
CVE-2021-40656
CVE-2021-40826 on Ubuntu 26.04 LTS (resolute) - medium
Clementine Music Player through 1.3.1 is vulnerable to a User Mode Write Access Violation, affecting the MP3 file parsing functionality at clementine+0x3aa207. The vulnerability is triggered when the user opens a crafted MP3 file or loads a remote stream URL that is mishandled by Clementine. Attackers could exploit this issue to cause a crash (DoS) of the clementine.exe process or achieve arbitrary code execution in the context of the current logged-in Windows user.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-15 07:15:00 UTC
CVE-2021-40826
CVE-2021-40827 on Ubuntu 26.04 LTS (resolute) - medium
Clementine Music Player through 1.3.1 (when a GLib 2.0.0 DLL is used) is vulnerable to a Read Access Violation on Block Data Move, affecting the MP3 file parsing functionality at memcpy+0x265. The vulnerability is triggered when the user opens a crafted MP3 file or loads a remote stream URL that is mishandled by Clementine. Attackers could exploit this issue to cause a crash (DoS) of the clementine.exe process or achieve arbitrary code execution in the context of the current logged-in Windows user.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-15 07:15:00 UTC
CVE-2021-40827
CVE-2021-40874 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combination authentication plug-in, any password will be recognized as valid for an existing user.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-18 00:15:00 UTC
CVE-2021-40874
CVE-2021-4091 on Ubuntu 26.04 LTS (resolute) - medium
A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-18 18:15:00 UTC
CVE-2021-4091
CVE-2021-40926 on Ubuntu 26.04 LTS (resolute) - negligible
Cross-site scripting (XSS) vulnerability in demos/demo.mysqli.php in getID3 1.X and v2.0.0-beta allows remote attackers to inject arbitrary web script or HTML via the showtagfiles parameter.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2021 Canonical Ltd.
2021-10-01 16:15:00 UTC
CVE-2021-40926
CVE-2021-40941 on Ubuntu 26.04 LTS (resolute) - medium
In Bento4 1.6.0-638, there is an allocator is out of memory in the function AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity in Ap4Array.h:172, as demonstrated by GPAC. This can cause a denial of service (DOS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-27 18:15:00 UTC
CVE-2021-40941
CVE-2021-40943 on Ubuntu 26.04 LTS (resolute) - medium
In Bento4 1.6.0-638, there is a null pointer reference in the function AP4_DescriptorListInspector::Action function in Ap4Descriptor.h:124, as demonstrated by GPAC. This can cause a denial of service (DOS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-28 13:15:00 UTC
CVE-2021-40943
CVE-2021-41036 on Ubuntu 26.04 LTS (resolute) - medium
In versions prior to 1.1 of the Eclipse Paho MQTT C Client, the client does not check rem_len size in readpacket.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-03 00:15:00 UTC
CVE-2021-41036
CVE-2021-41043 on Ubuntu 26.04 LTS (resolute) - medium
Use after free in tcpslice triggers AddressSanitizer, no other confirmed impact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-05 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003190
CVE-2021-41043
CVE-2021-41088 on Ubuntu 26.04 LTS (resolute) - low
Elvish is a programming language and interactive shell, combined into one package. In versions prior to 0.14.0 Elvish's web UI backend (started by `elvish -web`) hosts an endpoint that allows executing the code sent from the web UI. The backend does not check the origin of requests correctly. As a result, if the user has the web UI backend open and visits a compromised or malicious website, the website can send arbitrary code to the endpoint in localhost. All Elvish releases from 0.14.0 onward no longer include the web UI, although it is still possible for the user to build a version from source that includes the web UI. The issue can be patched for previous versions by removing the web UI (found in web, pkg/web or pkg/prog/web, depending on the exact version).
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-09-23 20:15:00 UTC
CVE-2021-41088
CVE-2021-4110 on Ubuntu 26.04 LTS (resolute) - medium
mruby is vulnerable to NULL Pointer Dereference
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-15 05:15:00 UTC
CVE-2021-4110
CVE-2021-41164 on Ubuntu 26.04 LTS (resolute) - medium
CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-17 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999909
CVE-2021-41164
CVE-2021-41165 on Ubuntu 26.04 LTS (resolute) - medium
CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-17 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999909
CVE-2021-41165
CVE-2021-41229 on Ubuntu 26.04 LTS (resolute) - low
BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash.
Update Instructions:
Run `sudo pro fix CVE-2021-41229` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bluetooth - 5.62-0ubuntu2
bluez - 5.62-0ubuntu2
bluez-cups - 5.62-0ubuntu2
bluez-hcidump - 5.62-0ubuntu2
bluez-meshd - 5.62-0ubuntu2
bluez-obexd - 5.62-0ubuntu2
bluez-source - 5.62-0ubuntu2
bluez-test-scripts - 5.62-0ubuntu2
bluez-test-tools - 5.62-0ubuntu2
libbluetooth3 - 5.62-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-11-12 23:15:00 UTC
2021-11-12 23:15:00 UTC
[https://ubuntu.com/security/notices/USN-5155-1]
CVE-2021-41229
CVE-2021-41490 on Ubuntu 26.04 LTS (resolute) - low
Memory leaks in LazyPRM.cpp of OMPL v1.5.0 can cause unexpected behavior.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-06-17 13:15:00 UTC
CVE-2021-41490
CVE-2021-41556 on Ubuntu 26.04 LTS (resolute) - medium
sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to Code Execution. If a victim executes an attacker-controlled squirrel script, it is possible for the attacker to break out of the squirrel script sandbox even if all dangerous functionality such as File System functions has been disabled. An attacker might abuse this bug to target (for example) Cloud services that allow customization via SquirrelScripts, or distribute malware through video games that embed a Squirrel Engine.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-28 21:15:00 UTC
CVE-2021-41556
CVE-2021-41617 on Ubuntu 26.04 LTS (resolute) - low
sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-09-26 19:15:00 UTC
2021-09-26 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995130
https://bugzilla.suse.com/show_bug.cgi?id=1190975
[https://ubuntu.com/security/notices/USN-5666-1]
[https://ubuntu.com/security/notices/USN-6565-1]
CVE-2021-41617
CVE-2021-41715 on Ubuntu 26.04 LTS (resolute) - medium
libsixel 1.10.0 is vulnerable to Use after free in libsixel/src/dither.c:379.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-08 15:15:00 UTC
CVE-2021-41715
CVE-2021-41736 on Ubuntu 26.04 LTS (resolute) - medium
Faust v2.35.0 was discovered to contain a heap-buffer overflow in the function realPropagate() at propagate.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-22 18:15:00 UTC
CVE-2021-41736
CVE-2021-41737 on Ubuntu 26.04 LTS (resolute) - medium
In Faust 2.23.1, an input file with the lines "// r visualisation tCst" and "//process = +: L: abM-^Q;" and "process = route(3333333333333333333,2,1,2,3,1) : *;" leads to stack consumption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-10 23:15:00 UTC
CVE-2021-41737
CVE-2021-41798 on Ubuntu 26.04 LTS (resolute) - medium
MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not escaped before being used on the Special:Search results page.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-11 08:15:00 UTC
CVE-2021-41798
CVE-2021-41799 on Ubuntu 26.04 LTS (resolute) - medium
MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). ApiQueryBacklinks (action=query&list=backlinks) can cause a full table scan.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-11 08:15:00 UTC
CVE-2021-41799
CVE-2021-41800 on Ubuntu 26.04 LTS (resolute) - medium
MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). Visiting Special:Contributions can sometimes result in a long running SQL query because PoolCounter protection is mishandled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-11 08:15:00 UTC
CVE-2021-41800
CVE-2021-41801 on Ubuntu 26.04 LTS (resolute) - medium
The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. When a user is blocked after submitting a replace job, the job is still run, even if it may be run at a later time (due to the job queue backlog)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-11 08:15:00 UTC
CVE-2021-41801
CVE-2021-4188 on Ubuntu 26.04 LTS (resolute) - medium
mruby is vulnerable to NULL Pointer Dereference
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-30 07:15:00 UTC
CVE-2021-4188
CVE-2021-41945 on Ubuntu 26.04 LTS (resolute) - medium
Encode OSS httpx < 0.23.0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-28 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010336
CVE-2021-41945
CVE-2021-41990 on Ubuntu 26.04 LTS (resolute) - medium
The gmp plugin in strongSwan before 5.9.4 has a remote integer overflow via a crafted certificate with an RSASSA-PSS signature. For example, this can be triggered by an unrelated self-signed CA certificate sent by an initiator. Remote code execution cannot occur.
Update Instructions:
Run `sudo pro fix CVE-2021-41990` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
charon-cmd - 5.9.1-1ubuntu3.1
charon-systemd - 5.9.1-1ubuntu3.1
libcharon-extauth-plugins - 5.9.1-1ubuntu3.1
libcharon-extra-plugins - 5.9.1-1ubuntu3.1
libstrongswan - 5.9.1-1ubuntu3.1
libstrongswan-extra-plugins - 5.9.1-1ubuntu3.1
libstrongswan-standard-plugins - 5.9.1-1ubuntu3.1
strongswan - 5.9.1-1ubuntu3.1
strongswan-charon - 5.9.1-1ubuntu3.1
strongswan-libcharon - 5.9.1-1ubuntu3.1
strongswan-nm - 5.9.1-1ubuntu3.1
strongswan-pki - 5.9.1-1ubuntu3.1
strongswan-starter - 5.9.1-1ubuntu3.1
strongswan-swanctl - 5.9.1-1ubuntu3.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-18 12:00:00 UTC
2021-10-18 12:00:00 UTC
[https://ubuntu.com/security/notices/USN-5111-1]
CVE-2021-41990
CVE-2021-41991 on Ubuntu 26.04 LTS (resolute) - medium
The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries. The code attempts to select a less-often-used cache entry by means of a random number generator, but this is not done correctly. Remote code execution might be a slight possibility.
Update Instructions:
Run `sudo pro fix CVE-2021-41991` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
charon-cmd - 5.9.1-1ubuntu3.1
charon-systemd - 5.9.1-1ubuntu3.1
libcharon-extauth-plugins - 5.9.1-1ubuntu3.1
libcharon-extra-plugins - 5.9.1-1ubuntu3.1
libstrongswan - 5.9.1-1ubuntu3.1
libstrongswan-extra-plugins - 5.9.1-1ubuntu3.1
libstrongswan-standard-plugins - 5.9.1-1ubuntu3.1
strongswan - 5.9.1-1ubuntu3.1
strongswan-charon - 5.9.1-1ubuntu3.1
strongswan-libcharon - 5.9.1-1ubuntu3.1
strongswan-nm - 5.9.1-1ubuntu3.1
strongswan-pki - 5.9.1-1ubuntu3.1
strongswan-starter - 5.9.1-1ubuntu3.1
strongswan-swanctl - 5.9.1-1ubuntu3.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-18 12:00:00 UTC
2021-10-18 12:00:00 UTC
[https://ubuntu.com/security/notices/USN-5111-1]
[https://ubuntu.com/security/notices/USN-5111-2]
CVE-2021-41991
CVE-2021-42006 on Ubuntu 26.04 LTS (resolute) - low
An out-of-bounds access in GffLine::GffLine in gff.cpp in GCLib 0.12.7 allows an attacker to cause a segmentation fault or possibly have unspecified other impact via a crafted GFF file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-10-04 23:15:00 UTC
CVE-2021-42006
CVE-2021-42040 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki through 1.36.2. A parser function related to loop control allowed for an infinite loop (and php-fpm hang) within the Loops extension because egLoopsCountLimit is mishandled. This could lead to memory exhaustion.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-06 21:15:00 UTC
CVE-2021-42040
CVE-2021-4206 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.
Update Instructions:
Run `sudo pro fix CVE-2021-4206` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:6.2+dfsg-2ubuntu8
qemu-block-supplemental - 1:6.2+dfsg-2ubuntu8
qemu-guest-agent - 1:6.2+dfsg-2ubuntu8
qemu-system - 1:6.2+dfsg-2ubuntu8
qemu-system-arm - 1:6.2+dfsg-2ubuntu8
qemu-system-common - 1:6.2+dfsg-2ubuntu8
qemu-system-data - 1:6.2+dfsg-2ubuntu8
qemu-system-gui - 1:6.2+dfsg-2ubuntu8
qemu-system-mips - 1:6.2+dfsg-2ubuntu8
qemu-system-misc - 1:6.2+dfsg-2ubuntu8
qemu-system-modules-opengl - 1:6.2+dfsg-2ubuntu8
qemu-system-modules-spice - 1:6.2+dfsg-2ubuntu8
qemu-system-ppc - 1:6.2+dfsg-2ubuntu8
qemu-system-riscv - 1:6.2+dfsg-2ubuntu8
qemu-system-s390x - 1:6.2+dfsg-2ubuntu8
qemu-system-sparc - 1:6.2+dfsg-2ubuntu8
qemu-system-x86 - 1:6.2+dfsg-2ubuntu8
qemu-system-x86-xen - 1:6.2+dfsg-2ubuntu8
qemu-system-xen - 1:6.2+dfsg-2ubuntu8
qemu-user - 1:6.2+dfsg-2ubuntu8
qemu-user-binfmt - 1:6.2+dfsg-2ubuntu8
qemu-utils - 1:6.2+dfsg-2ubuntu8
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-29 17:15:00 UTC
2022-04-29 17:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2036998
[https://ubuntu.com/security/notices/USN-5489-1]
CVE-2021-4206
CVE-2021-4207 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.
Update Instructions:
Run `sudo pro fix CVE-2021-4207` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:6.2+dfsg-2ubuntu8
qemu-block-supplemental - 1:6.2+dfsg-2ubuntu8
qemu-guest-agent - 1:6.2+dfsg-2ubuntu8
qemu-system - 1:6.2+dfsg-2ubuntu8
qemu-system-arm - 1:6.2+dfsg-2ubuntu8
qemu-system-common - 1:6.2+dfsg-2ubuntu8
qemu-system-data - 1:6.2+dfsg-2ubuntu8
qemu-system-gui - 1:6.2+dfsg-2ubuntu8
qemu-system-mips - 1:6.2+dfsg-2ubuntu8
qemu-system-misc - 1:6.2+dfsg-2ubuntu8
qemu-system-modules-opengl - 1:6.2+dfsg-2ubuntu8
qemu-system-modules-spice - 1:6.2+dfsg-2ubuntu8
qemu-system-ppc - 1:6.2+dfsg-2ubuntu8
qemu-system-riscv - 1:6.2+dfsg-2ubuntu8
qemu-system-s390x - 1:6.2+dfsg-2ubuntu8
qemu-system-sparc - 1:6.2+dfsg-2ubuntu8
qemu-system-x86 - 1:6.2+dfsg-2ubuntu8
qemu-system-x86-xen - 1:6.2+dfsg-2ubuntu8
qemu-system-xen - 1:6.2+dfsg-2ubuntu8
qemu-user - 1:6.2+dfsg-2ubuntu8
qemu-user-binfmt - 1:6.2+dfsg-2ubuntu8
qemu-utils - 1:6.2+dfsg-2ubuntu8
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-29 17:15:00 UTC
2022-04-29 17:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2036966
[https://ubuntu.com/security/notices/USN-5489-1]
CVE-2021-4207
CVE-2021-4213 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in JSS, where it did not properly free up all memory. Over time, the wasted memory builds up in the server memory, saturating the server’s RAM. This flaw allows an attacker to force the invocation of an out-of-memory process, causing a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-24 16:15:00 UTC
CVE-2021-4213
CVE-2021-4219 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in ImageMagick. The vulnerability occurs due to improper use of open functions and leads to a denial of service. This flaw allows an attacker to crash the system.
Update Instructions:
Run `sudo pro fix CVE-2021-4219` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-03-23 20:15:00 UTC
2022-03-23 20:15:00 UTC
Harold Kim
https://github.com/ImageMagick/ImageMagick/issues/4626
[https://ubuntu.com/security/notices/USN-5736-1]
[https://ubuntu.com/security/notices/USN-5736-2]
CVE-2021-4219
CVE-2021-42218 on Ubuntu 26.04 LTS (resolute) - medium
OMPL v1.5.2 contains a memory leak in VFRRT.cpp
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-03 11:15:00 UTC
CVE-2021-42218
CVE-2021-4235 on Ubuntu 26.04 LTS (resolute) - medium
Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-27 22:15:00 UTC
2022-12-27 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-6287-1]
CVE-2021-4235
CVE-2021-42553 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow vulnerability in stm32_mw_usb_host of STMicroelectronics in versions before 3.5.1 allows an attacker to execute arbitrary code when the descriptor contains more endpoints than USBH_MAX_NUM_ENDPOINTS. The library is typically integrated when using a RTOS such as FreeRTOS on STM32 MCUs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-21 10:15:00 UTC
2022-10-21 10:15:00 UTC
[https://ubuntu.com/security/notices/USN-7472-1]
CVE-2021-42553
CVE-2021-42612 on Ubuntu 26.04 LTS (resolute) - low
A use after free in cleanup_index in index.c in Halibut 1.2 allows an attacker to cause a segmentation fault or possibly have other unspecified impact via a crafted text document.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-24 19:15:00 UTC
CVE-2021-42612
CVE-2021-42613 on Ubuntu 26.04 LTS (resolute) - low
A double free in cleanup_index in index.c in Halibut 1.2 allows an attacker to cause a denial of service or possibly have other unspecified impact via a crafted text document.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-24 19:15:00 UTC
CVE-2021-42613
CVE-2021-42614 on Ubuntu 26.04 LTS (resolute) - low
A use after free in info_width_internal in bk_info.c in Halibut 1.2 allows an attacker to cause a segmentation fault or possibly have unspecified other impact via a crafted text document.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-24 19:15:00 UTC
CVE-2021-42614
CVE-2021-42715 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR loader parsed truncated end-of-file RLE scanlines as an infinite sequence of zero-length runs. An attacker could potentially have caused denial of service in applications using stb_image by submitting crafted HDR files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-21 19:15:00 UTC
CVE-2021-42715
CVE-2021-42716 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in stb stb_image.h 2.27. The PNM loader incorrectly interpreted 16-bit PGM files as 8-bit when converting to RGBA, leading to a buffer overflow when later reinterpreting the result as a 16-bit buffer. An attacker could potentially have crashed a service using stb_image, or read up to 1024 bytes of non-consecutive heap data without control over the read location.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-10-21 19:15:00 UTC
CVE-2021-42716
CVE-2021-42717 on Ubuntu 26.04 LTS (resolute) - medium
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-07 22:15:00 UTC
2021-12-07 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-6370-1]
CVE-2021-42717
CVE-2021-4286 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, has been found in cocagne pysrp up to 1.0.16. This issue affects the function calculate_x of the file srp/_ctsrp.py. The manipulation leads to information exposure through discrepancy. Upgrading to version 1.0.17 is able to address this issue. The name of the patch is dba52642f5e95d3da7af1780561213ee6053195f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216875.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-27 11:15:00 UTC
CVE-2021-4286
CVE-2021-42917 on Ubuntu 26.04 LTS (resolute) - medium
Buffer overflow vulnerability in Kodi xbmc up to 19.0, allows attackers to cause a denial of service due to improper length of values passed to istream.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-01 19:15:00 UTC
CVE-2021-42917
CVE-2021-43008 on Ubuntu 26.04 LTS (resolute) - medium
Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-05 02:15:00 UTC
CVE-2021-43008
CVE-2021-43086 on Ubuntu 26.04 LTS (resolute) - medium
ARM astcenc 3.2.0 is vulnerable to Buffer Overflow. When the compression function of the astc-encoder project with -cl option was used, a stack-buffer-overflow occurred in function encode_ise() in function compress_symbolic_block_for_partition_2planes() in "/Source/astcenc_compress_symbolic.cpp".
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-28 15:15:00 UTC
CVE-2021-43086
CVE-2021-43113 on Ubuntu 26.04 LTS (resolute) - medium
iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-15 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014597
CVE-2021-43113
CVE-2021-43299 on Ubuntu 26.04 LTS (resolute) - medium
Stack overflow in PJSUA API when calling pjsua_player_create. An attacker-controlled 'filename' argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-16 21:15:00 UTC
2022-02-16 21:15:00 UTC
Uriya Yavnieli
[https://ubuntu.com/security/notices/USN-6422-1]
[https://ubuntu.com/security/notices/USN-8122-1]
CVE-2021-43299
CVE-2021-43300 on Ubuntu 26.04 LTS (resolute) - medium
Stack overflow in PJSUA API when calling pjsua_recorder_create. An attacker-controlled 'filename' argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-16 21:15:00 UTC
2022-02-16 21:15:00 UTC
Uriya Yavnieli
[https://ubuntu.com/security/notices/USN-6422-1]
[https://ubuntu.com/security/notices/USN-8122-1]
CVE-2021-43300
CVE-2021-43301 on Ubuntu 26.04 LTS (resolute) - medium
Stack overflow in PJSUA API when calling pjsua_playlist_create. An attacker-controlled 'file_names' argument may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-16 21:15:00 UTC
2022-02-16 21:15:00 UTC
Uriya Yavnieli
[https://ubuntu.com/security/notices/USN-6422-1]
[https://ubuntu.com/security/notices/USN-8122-1]
CVE-2021-43301
CVE-2021-43302 on Ubuntu 26.04 LTS (resolute) - medium
Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An attacker-controlled 'filename' argument may cause an out-of-bounds read when the filename is shorter than 4 characters.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-16 21:15:00 UTC
2022-02-16 21:15:00 UTC
Uriya Yavnieli
[https://ubuntu.com/security/notices/USN-6422-1]
[https://ubuntu.com/security/notices/USN-8122-1]
CVE-2021-43302
CVE-2021-43303 on Ubuntu 26.04 LTS (resolute) - medium
Buffer overflow in PJSUA API when calling pjsua_call_dump. An attacker-controlled 'buffer' argument may cause a buffer overflow, since supplying an output buffer smaller than 128 characters may overflow the output buffer, regardless of the 'maxlen' argument supplied
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-16 21:15:00 UTC
2022-02-16 21:15:00 UTC
Uriya Yavnieli
[https://ubuntu.com/security/notices/USN-6422-1]
[https://ubuntu.com/security/notices/USN-8122-1]
CVE-2021-43303
CVE-2021-43311 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5382.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-24 20:15:00 UTC
CVE-2021-43311
CVE-2021-43312 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow was discovered in upx, during the variable 'bucket' points to an inaccessible address. The issue is being triggered in the function PackLinuxElf64::invert_pt_dynamic at p_lx_elf.cpp:5239.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-24 20:15:00 UTC
CVE-2021-43312
CVE-2021-43313 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow was discovered in upx, during the variable 'bucket' points to an inaccessible address. The issue is being triggered in the function PackLinuxElf32::invert_pt_dynamic at p_lx_elf.cpp:1688.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-24 20:15:00 UTC
CVE-2021-43313
CVE-2021-43314 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflows was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5368
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-24 20:15:00 UTC
CVE-2021-43314
CVE-2021-43315 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflows was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5349
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-24 20:15:00 UTC
CVE-2021-43315
CVE-2021-43316 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le64().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-24 20:15:00 UTC
CVE-2021-43316
CVE-2021-43317 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflows was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf64::elf_lookup() at p_lx_elf.cpp:5404
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-24 20:15:00 UTC
CVE-2021-43317
CVE-2021-43518 on Ubuntu 26.04 LTS (resolute) - medium
Teeworlds up to and including 0.7.5 is vulnerable to Buffer Overflow. A map parser does not validate m_Channels value coming from a map file, leading to a buffer overflow. A malicious server may offer a specially crafted map that will overwrite client's stack causing denial of service or code execution.
Update Instructions:
Run `sudo pro fix CVE-2021-43518` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
teeworlds - 0.7.5-2
teeworlds-data - 0.7.5-2
teeworlds-server - 0.7.5-2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-15 15:15:00 UTC
CVE-2021-43518
CVE-2021-43519 on Ubuntu 26.04 LTS (resolute) - low
Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via a crafted script file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-11-09 13:15:00 UTC
Jihoi Kim
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2021-43519
CVE-2021-43519
CVE-2021-43565 on Ubuntu 26.04 LTS (resolute) - medium
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-06 18:15:00 UTC
https://github.com/golang/go/issues/49932
CVE-2021-43565
CVE-2021-43566 on Ubuntu 26.04 LTS (resolute) - low
All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available via NFS in order for this attack to succeed.
Update Instructions:
Run `sudo pro fix CVE-2021-43566` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-11 16:15:00 UTC
2022-01-11 16:15:00 UTC
Michael Hanselmann
https://bugzilla.samba.org/show_bug.cgi?id=13979
[https://ubuntu.com/security/notices/USN-5260-1]
CVE-2021-43566
CVE-2021-43612 on Ubuntu 26.04 LTS (resolute) - medium
In lldpd before 1.0.13, when decoding SONMP packets in the sonmp_decode function, it's possible to trigger an out-of-bounds heap read via short SONMP packets.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-15 22:15:00 UTC
CVE-2021-43612
CVE-2021-43616 on Ubuntu 26.04 LTS (resolute) - medium
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-13 18:15:00 UTC
CVE-2021-43616
CVE-2021-43797 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
Update Instructions:
Run `sudo pro fix CVE-2021-43797` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnetty-java - 4.1.48-6
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-09 19:15:00 UTC
2021-12-09 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001437
[https://ubuntu.com/security/notices/USN-6049-1]
CVE-2021-43797
CVE-2021-43845 on Ubuntu 26.04 LTS (resolute) - medium
PJSIP is a free and open source multimedia communication library. In version 2.11.1 and prior, if incoming RTCP XR message contain block, the data field is not checked against the received packet size, potentially resulting in an out-of-bound read access. This affects all users that use PJMEDIA and RTCP XR. A malicious actor can send a RTCP XR message with an invalid packet size.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-27 18:15:00 UTC
2021-12-27 18:15:00 UTC
ej7367
[https://ubuntu.com/security/notices/USN-6422-1]
CVE-2021-43845
CVE-2021-43859 on Ubuntu 26.04 LTS (resolute) - medium
XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-01 12:15:00 UTC
CVE-2021-43859
CVE-2021-44143 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in mbsync in isync 1.4.0 through 1.4.3. Due to an unchecked condition, a malicious or compromised IMAP server could use a crafted mail message that lacks headers (i.e., one that starts with an empty line) to provoke a heap overflow, which could conceivably be exploited for remote code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-11-22 20:15:00 UTC
CVE-2021-44143
CVE-2021-44269 on Ubuntu 26.04 LTS (resolute) - negligible
An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This issue triggered in function WavpackPackSamples of file src/pack_utils.c, tainted variable cnt is too large, that makes pointer sptr read beyond heap bound.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-03-10 17:44:00 UTC
CVE-2021-44269
CVE-2021-44273 on Ubuntu 26.04 LTS (resolute) - medium
e2guardian v5.4.x <= v5.4.3r is affected by missing SSL certificate validation in the SSL MITM engine. In standalone mode (i.e., acting as a proxy or a transparent proxy), with SSL MITM enabled, e2guardian, if built with OpenSSL v1.1.x, did not validate hostnames in certificates of the web servers that it connected to, and thus was itself vulnerable to MITM attacks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-23 12:15:00 UTC
CVE-2021-44273
CVE-2021-44331 on Ubuntu 26.04 LTS (resolute) - medium
ARM astcenc 3.2.0 is vulnerable to Buffer Overflow in function encode_ise().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-28 17:15:00 UTC
CVE-2021-44331
CVE-2021-4435 on Ubuntu 26.04 LTS (resolute) - medium
An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-04 20:15:00 UTC
CVE-2021-4435
CVE-2021-44460 on Ubuntu 26.04 LTS (resolute) - medium
Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows users with deactivated accounts to access the system with the deactivated account and any permission it still holds, via crafted RPC requests.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-25 19:15:00 UTC
CVE-2021-44460
CVE-2021-44465 on Ubuntu 26.04 LTS (resolute) - medium
Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-25 19:15:00 UTC
CVE-2021-44465
CVE-2021-44476 on Ubuntu 26.04 LTS (resolute) - medium
A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-25 19:15:00 UTC
CVE-2021-44476
CVE-2021-44482 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in YottaDB through r1.32 and V7.0-000. A lack of input validation in calls to do_verify in sr_unix/do_verify.c allows attackers to attempt to jump to a NULL pointer by corrupting a function pointer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-15 18:15:00 UTC
CVE-2021-44482
CVE-2021-44512 on Ubuntu 26.04 LTS (resolute) - medium
World-writable permissions on the /tmp/tmate/sessions directory in tmate-ssh-server 2.3.0 allow a local attacker to compromise the integrity of session handling, or obtain the read-write session ID from a read-only session symlink in this directory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-07 03:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001225
CVE-2021-44512
CVE-2021-44513 on Ubuntu 26.04 LTS (resolute) - medium
Insecure creation of temporary directories in tmate-ssh-server 2.3.0 allows a local attacker to compromise the integrity of session handling.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-07 03:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001225
CVE-2021-44513
CVE-2021-44528 on Ubuntu 26.04 LTS (resolute) - medium
A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-10 14:10:00 UTC
CVE-2021-44528
CVE-2021-44534 on Ubuntu 26.04 LTS (resolute) - medium
Insufficient user input filtering leads to arbitrary file read by non-authenticated attacker, which results in sensitive information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-31 18:15:00 UTC
CVE-2021-44534
CVE-2021-44538 on Ubuntu 26.04 LTS (resolute) - medium
The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits. The known affected products are Element Web And SchildiChat Web.
Update Instructions:
Run `sudo pro fix CVE-2021-44538` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
thunderbird - 1:91.5.0+build1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-14 14:15:00 UTC
2021-12-14 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866502
[https://ubuntu.com/security/notices/USN-5246-1]
[https://ubuntu.com/security/notices/USN-5248-1]
CVE-2021-44538
CVE-2021-44547 on Ubuntu 26.04 LTS (resolute) - medium
A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0 allows authenticated administrators to executed arbitrary code, leading to privilege escalation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-25 19:15:00 UTC
CVE-2021-44547
CVE-2021-44686 on Ubuntu 26.04 LTS (resolute) - low
calibre before 5.32.0 contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service) in html_preprocess_rules in ebooks/conversion/preprocess.py.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-12-07 00:15:00 UTC
https://bugs.launchpad.net/calibre/+bug/1951979
CVE-2021-44686
CVE-2021-44716 on Ubuntu 26.04 LTS (resolute) - medium
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
Update Instructions:
Run `sudo pro fix CVE-2021-44716` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
google-guest-agent - 20230426.00-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-01 05:15:00 UTC
https://github.com/golang/go/issues/50058
CVE-2021-44716
CVE-2021-4472 on Ubuntu 26.04 LTS (resolute) - medium
The mistral-dashboard plugin for openstack has a local file inclusion vulnerability through the 'Create Workbook' feature that may result in disclosure of arbitrary local files content.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-26 19:15:00 UTC
https://bugs.launchpad.net/horizon/+bug/1931558
CVE-2021-4472
CVE-2021-44758 on Ubuntu 26.04 LTS (resolute) - medium
Heimdal before 7.7.1 allows attackers to cause a NULL pointer dereference in a SPNEGO acceptor via a preferred_mech_type of GSS_C_NO_OID and a nonzero initial_response value to send_accept.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-26 05:15:00 UTC
2022-12-26 05:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024187
[https://ubuntu.com/security/notices/USN-5800-1]
CVE-2021-44758
CVE-2021-44775 on Ubuntu 26.04 LTS (resolute) - medium
Cross-site scripting (XSS) issue in Website app of Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, by posting crafted contents.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-25 19:15:00 UTC
CVE-2021-44775
CVE-2021-44832 on Ubuntu 26.04 LTS (resolute) - medium
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-28 20:15:00 UTC
2021-12-28 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-5222-1]
CVE-2021-44832
CVE-2021-44847 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow in handle_request function in DHT.c in toxcore 0.1.9 through 0.1.11 and 0.2.0 through 0.2.12 (caused by an improper length calculation during the handling of received network packets) allows remote attackers to crash the process or potentially execute arbitrary code via a network packet.
Update Instructions:
Run `sudo pro fix CVE-2021-44847` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtoxcore2 - 0.2.13-1
toxcore-utils - 0.2.13-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-13 01:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001711
https://bugs.launchpad.net/ubuntu/+source/libtoxcore/+bug/1955700
CVE-2021-44847
CVE-2021-44906 on Ubuntu 26.04 LTS (resolute) - medium
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-17 16:15:00 UTC
CVE-2021-44906
CVE-2021-44974 on Ubuntu 26.04 LTS (resolute) - low
radareorg radare2 version 5.5.2 is vulnerable to NULL Pointer Dereference via libr/bin/p/bin_symbols.c binary symbol parser.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-25 12:15:00 UTC
CVE-2021-44974
CVE-2021-44975 on Ubuntu 26.04 LTS (resolute) - low
radareorg radare2 5.5.2 is vulnerable to Buffer Overflow via /libr/core/anal_objc.c mach-o parser.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-24 15:15:00 UTC
CVE-2021-44975
CVE-2021-45071 on Ubuntu 26.04 LTS (resolute) - medium
Cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim, via crafted uploaded file names.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-25 19:15:00 UTC
CVE-2021-45071
CVE-2021-45079 on Ubuntu 26.04 LTS (resolute) - medium
In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.
Update Instructions:
Run `sudo pro fix CVE-2021-45079` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
charon-cmd - 5.9.4-1ubuntu4
charon-systemd - 5.9.4-1ubuntu4
libcharon-extauth-plugins - 5.9.4-1ubuntu4
libcharon-extra-plugins - 5.9.4-1ubuntu4
libstrongswan - 5.9.4-1ubuntu4
libstrongswan-extra-plugins - 5.9.4-1ubuntu4
libstrongswan-standard-plugins - 5.9.4-1ubuntu4
strongswan - 5.9.4-1ubuntu4
strongswan-charon - 5.9.4-1ubuntu4
strongswan-libcharon - 5.9.4-1ubuntu4
strongswan-nm - 5.9.4-1ubuntu4
strongswan-pki - 5.9.4-1ubuntu4
strongswan-starter - 5.9.4-1ubuntu4
strongswan-swanctl - 5.9.4-1ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-24 13:00:00 UTC
2022-01-24 13:00:00 UTC
Zhuowei Zhang
[https://ubuntu.com/security/notices/USN-5250-1]
[https://ubuntu.com/security/notices/USN-5250-2]
CVE-2021-45079
CVE-2021-45101 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in HTCondor before 8.8.15, 9.0.x before 9.0.4, and 9.1.x before 9.1.2. Using standard command-line tools, a user with only READ access to an HTCondor SchedD or Collector daemon can discover secrets that could allow them to control other users' jobs and/or read their data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-16 05:15:00 UTC
CVE-2021-45101
CVE-2021-45102 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in HTCondor 9.0.x before 9.0.4 and 9.1.x before 9.1.2. When authenticating to an HTCondor daemon using a SciToken, a user may be granted authorizations beyond what the token should allow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-16 05:15:00 UTC
CVE-2021-45102
CVE-2021-45103 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in HTCondor 9.0.x before 9.0.10 and 9.1.x before 9.5.1. An attacker can access files stored in S3 cloud storage that a user has asked HTCondor to transfer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-06 01:15:00 UTC
CVE-2021-45103
CVE-2021-45104 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in HTCondor 9.0.x before 9.0.10 and 9.1.x before 9.5.1. An attacker who can capture HTCondor network data can interfere with users' jobs and data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-06 02:15:00 UTC
CVE-2021-45104
CVE-2021-45111 on Ubuntu 26.04 LTS (resolute) - low
Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-04-25 19:15:00 UTC
CVE-2021-45111
CVE-2021-45115 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.
Update Instructions:
Run `sudo pro fix CVE-2021-45115` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 2:3.2.11-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-04 10:00:00 UTC
2022-01-04 10:00:00 UTC
Chris Bailey
[https://ubuntu.com/security/notices/USN-5204-1]
CVE-2021-45115
CVE-2021-45116 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.
Update Instructions:
Run `sudo pro fix CVE-2021-45116` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 2:3.2.11-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-04 10:00:00 UTC
2022-01-04 10:00:00 UTC
Dennis Brinkrolf
[https://ubuntu.com/security/notices/USN-5204-1]
CVE-2021-45116
CVE-2021-45256 on Ubuntu 26.04 LTS (resolute) - low
A Null Pointer Dereference vulnerability exists in nasm 2.16rc0 via asm/preproc.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2021 Canonical Ltd.
2021-12-22 17:15:00 UTC
CVE-2021-45256
CVE-2021-45257 on Ubuntu 26.04 LTS (resolute) - medium
An infinite loop vulnerability exists in nasm 2.16rc0 via the gpaste_tokens function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-22 17:15:00 UTC
CVE-2021-45257
CVE-2021-45261 on Ubuntu 26.04 LTS (resolute) - negligible
An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2021 Canonical Ltd.
2021-12-22 18:15:00 UTC
https://savannah.gnu.org/bugs/?61685
CVE-2021-45261
CVE-2021-45340 on Ubuntu 26.04 LTS (resolute) - medium
In Libsixel prior to and including v1.10.3, a NULL pointer dereference in the stb_image.h component of libsixel allows attackers to cause a denial of service (DOS) via a crafted PICT file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-25 12:15:00 UTC
CVE-2021-45340
CVE-2021-45452 on Ubuntu 26.04 LTS (resolute) - low
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
Update Instructions:
Run `sudo pro fix CVE-2021-45452` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 2:3.2.11-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-04 10:00:00 UTC
2022-01-04 10:00:00 UTC
Dennis Brinkrolf
[https://ubuntu.com/security/notices/USN-5204-1]
CVE-2021-45452
CVE-2021-45471 on Ubuntu 26.04 LTS (resolute) - medium
In MediaWiki through 1.37, blocked IP addresses are allowed to edit EntitySchema items.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-24 02:15:00 UTC
CVE-2021-45471
CVE-2021-45472 on Ubuntu 26.04 LTS (resolute) - medium
In MediaWiki through 1.37, XSS can occur in Wikibase because an external identifier property can have a URL format that includes a $1 formatter substitution marker, and the javascript: URL scheme (among others) can be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-24 02:15:00 UTC
CVE-2021-45472
CVE-2021-45473 on Ubuntu 26.04 LTS (resolute) - medium
In MediaWiki through 1.37, Wikibase item descriptions allow XSS, which is triggered upon a visit to an action=info URL (aka a page-information sidebar).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-24 02:15:00 UTC
CVE-2021-45473
CVE-2021-45474 on Ubuntu 26.04 LTS (resolute) - medium
In MediaWiki through 1.37, the Special:ImportFile URI (aka FileImporter) allows XSS, as demonstrated by the clientUrl parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-24 02:15:00 UTC
CVE-2021-45474
CVE-2021-45829 on Ubuntu 26.04 LTS (resolute) - negligible
HDF5 1.13.1-1 is affected by: segmentation fault, which causes a Denial of Service.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-01-03 22:15:00 UTC
CVE-2021-45829
CVE-2021-45830 on Ubuntu 26.04 LTS (resolute) - negligible
A heap-based buffer overflow vulnerability exists in HDF5 1.13.1-1 via H5F_addr_decode_len in /hdf5/src/H5Fint.c, which could cause a Denial of Service.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-01-05 20:15:00 UTC
CVE-2021-45830
CVE-2021-45832 on Ubuntu 26.04 LTS (resolute) - negligible
A Stack-based Buffer Overflow Vulnerability exists in HDF5 1.13.1-1 at hdf5/src/H5Eint.c, which causes a Denial of Service (context-dependent).
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-01-05 21:15:00 UTC
CVE-2021-45832
CVE-2021-45833 on Ubuntu 26.04 LTS (resolute) - negligible
A Stack-based Buffer Overflow Vulnerability exists in HDF5 1.13.1-1 via the H5D__create_chunk_file_map_hyper function in /hdf5/src/H5Dchunk.c, which causes a Denial of Service (context-dependent).
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-01-05 21:15:00 UTC
CVE-2021-45833
CVE-2021-45926 on Ubuntu 26.04 LTS (resolute) - medium
MDB Tools (aka mdbtools) 0.9.2 has a stack-based buffer overflow (at 0x7ffd0c689be0) in mdb_numeric_to_string (called from mdb_xfer_bound_data and _mdb_attempt_bind).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-01 01:15:00 UTC
CVE-2021-45926
CVE-2021-45927 on Ubuntu 26.04 LTS (resolute) - medium
MDB Tools (aka mdbtools) 0.9.2 has a stack-based buffer overflow (at 0x7ffd6e029ee0) in mdb_numeric_to_string (called from mdb_xfer_bound_data and _mdb_attempt_bind).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-01 01:15:00 UTC
CVE-2021-45927
CVE-2021-45942 on Ubuntu 26.04 LTS (resolute) - low
OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-01 01:15:00 UTC
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416
CVE-2021-45942
CVE-2021-45958 on Ubuntu 26.04 LTS (resolute) - medium
UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-01 00:15:00 UTC
2022-01-01 00:15:00 UTC
[https://ubuntu.com/security/notices/USN-6629-1]
[https://ubuntu.com/security/notices/USN-6629-2]
CVE-2021-45958
CVE-2021-45960 on Ubuntu 26.04 LTS (resolute) - low
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
Update Instructions:
Run `sudo pro fix CVE-2021-45960` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.4.3-1
libexpat1 - 2.4.3-1
No subscription required
firefox - 1:1snap1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-01 19:15:00 UTC
2022-01-01 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002994
https://github.com/libexpat/libexpat/issues/531
https://bugzilla.mozilla.org/show_bug.cgi?id=1217609
[https://ubuntu.com/security/notices/USN-5288-1]
CVE-2021-45960
CVE-2021-45972 on Ubuntu 26.04 LTS (resolute) - low
The giftrans function in giftrans 1.12.2 contains a stack-based buffer overflow because a value inside the input file determines the amount of data to write. This allows an attacker to overwrite up to 250 bytes outside of the allocated buffer with arbitrary data.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-01 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002739
CVE-2021-45972
CVE-2021-45985 on Ubuntu 26.04 LTS (resolute) - medium
In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-10 09:15:00 UTC
Minseok Kang
https://www.lua.org/bugs.html#5.4.3-11
CVE-2021-45985
CVE-2021-46020 on Ubuntu 26.04 LTS (resolute) - low
An untrusted pointer dereference in mrb_vm_exec() of mruby v3.0.0 can lead to a segmentation fault or application crash.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-14 20:15:00 UTC
CVE-2021-46020
CVE-2021-46023 on Ubuntu 26.04 LTS (resolute) - medium
An Untrusted Pointer Dereference was discovered in function mrb_vm_exec in mruby before 3.1.0-rc. The vulnerability causes a segmentation fault and application crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-14 16:15:00 UTC
CVE-2021-46023
CVE-2021-46048 on Ubuntu 26.04 LTS (resolute) - low
A Denial of Service vulnerability exists in Binaryen 104 due to an assertion abort in wasm::WasmBinaryBuilder::readFunctions.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-10 14:11:00 UTC
CVE-2021-46048
CVE-2021-46050 on Ubuntu 26.04 LTS (resolute) - low
A Stack Overflow vulnerability exists in Binaryen 103 via the printf_common function.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-10 14:11:00 UTC
CVE-2021-46050
CVE-2021-46052 on Ubuntu 26.04 LTS (resolute) - low
A Denial of Service vulnerability exists in Binaryen 104 due to an assertion abort in wasm::Tuple::validate.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-10 14:11:00 UTC
CVE-2021-46052
CVE-2021-46053 on Ubuntu 26.04 LTS (resolute) - low
A Denial of Service vulnerability exists in Binaryen 103. The program terminates with signal SIGKILL.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-10 14:11:00 UTC
CVE-2021-46053
CVE-2021-46054 on Ubuntu 26.04 LTS (resolute) - low
A Denial of Service vulnerability exists in Binaryen 104 due to an assertion abort in wasm::WasmBinaryBuilder::visitRethrow(wasm::Rethrow*).
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-10 14:11:00 UTC
CVE-2021-46054
CVE-2021-46055 on Ubuntu 26.04 LTS (resolute) - low
A Denial of Service vulnerability exists in Binaryen 104 due to an assertion abort in wasm::WasmBinaryBuilder::visitRethrow(wasm::Rethrow*).
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-10 14:11:00 UTC
CVE-2021-46055
CVE-2021-46088 on Ubuntu 26.04 LTS (resolute) - negligible
Zabbix 4.0 LTS, 4.2, 4.4, and 5.0 LTS is vulnerable to Remote Code Execution (RCE). Any user with the "Zabbix Admin" role is able to run custom shell script on the application server in the context of the application user.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-01-27 16:15:00 UTC
CVE-2021-46088
CVE-2021-46143 on Ubuntu 26.04 LTS (resolute) - medium
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
Update Instructions:
Run `sudo pro fix CVE-2021-46143` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.4.3-1
libexpat1 - 2.4.3-1
No subscription required
firefox - 1:1snap1-0ubuntu1
No subscription required
mame - 0.281+dfsg1-1build1
mame-data - 0.281+dfsg1-1build1
mame-tools - 0.281+dfsg1-1build1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-06 04:15:00 UTC
2022-01-06 04:15:00 UTC
[https://ubuntu.com/security/notices/USN-5288-1]
[https://ubuntu.com/security/notices/USN-5455-1]
[https://ubuntu.com/security/notices/USN-7199-1]
[https://ubuntu.com/security/notices/USN-7913-1]
CVE-2021-46143
CVE-2021-46168 on Ubuntu 26.04 LTS (resolute) - medium
Spin v6.5.1 was discovered to contain an out-of-bounds write in lex() at spinlex.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-14 21:15:00 UTC
CVE-2021-46168
CVE-2021-46179 on Ubuntu 26.04 LTS (resolute) - medium
Reachable Assertion vulnerability in upx before 4.0.0 allows attackers to cause a denial of service via crafted file passed to the readx function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2021-46179
CVE-2021-46195 on Ubuntu 26.04 LTS (resolute) - low
GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-14 20:15:00 UTC
chengxianglin
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841 (dupe bug)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98886
CVE-2021-46195
CVE-2021-46225 on Ubuntu 26.04 LTS (resolute) - low
A buffer overflow in the GmfOpenMesh() function of libMeshb v7.61 allows attackers to cause a Denial of Service (DoS) via a crafted MESH file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-12 20:15:00 UTC
CVE-2021-46225
CVE-2021-46242 on Ubuntu 26.04 LTS (resolute) - negligible
HDF5 v1.13.1-1 was discovered to contain a heap-use-after-free via the component H5AC_unpin_entry.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-01-21 21:15:00 UTC
CVE-2021-46242
CVE-2021-46243 on Ubuntu 26.04 LTS (resolute) - negligible
An untrusted pointer dereference vulnerability exists in HDF5 v1.13.1-1 via the function H5O__dtype_decode_helper () at hdf5/src/H5Odtype.c. This vulnerability can lead to a Denial of Service (DoS).
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-01-21 21:15:00 UTC
CVE-2021-46243
CVE-2021-46244 on Ubuntu 26.04 LTS (resolute) - negligible
A Divide By Zero vulnerability exists in HDF5 v1.13.1-1 via the function H5T__complete_copy () at /hdf5/src/H5T.c. This vulnerability causes an arithmetic exception, leading to a Denial of Service (DoS).
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-01-21 21:15:00 UTC
CVE-2021-46244
CVE-2021-46700 on Ubuntu 26.04 LTS (resolute) - low
In libsixel 1.8.6, sixel_encoder_output_without_macro (called from sixel_encoder_encode_frame in encoder.c) has a double free.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-02-19 19:15:00 UTC
CVE-2021-46700
CVE-2021-46784 on Ubuntu 26.04 LTS (resolute) - medium
In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses.
Update Instructions:
Run `sudo pro fix CVE-2021-46784` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
squid - 5.2-1ubuntu5
squid-cgi - 5.2-1ubuntu5
squid-common - 5.2-1ubuntu5
squid-openssl - 5.2-1ubuntu5
squid-purge - 5.2-1ubuntu5
squidclient - 5.2-1ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2021 Canonical Ltd.
2021-12-31 00:00:00 UTC
2021-12-31 00:00:00 UTC
Joshua Rogers
[https://ubuntu.com/security/notices/USN-5491-1]
CVE-2021-46784
CVE-2021-46787 on Ubuntu 26.04 LTS (resolute) - medium
The AMS module has a vulnerability of improper permission control. Successful exploitation of this vulnerability may cause non-system application processes to crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-13 15:15:00 UTC
CVE-2021-46787
CVE-2021-46872 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications. (Nim versions 1.6.2 and later are fixed; there may be backports of the fix to some earlier versions. NimForum 2.2.0 is fixed.)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-13 06:15:00 UTC
CVE-2021-46872
CVE-2021-46873 on Ubuntu 26.04 LTS (resolute) - low
WireGuard, such as WireGuard 0.5.3 on Windows, does not fully account for the possibility that an adversary might be able to set a victim's system time to a future value, e.g., because unauthenticated NTP is used. This can lead to an outcome in which one static private key becomes permanently useless.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-01-29 23:15:00 UTC
CVE-2021-46873
CVE-2021-47155 on Ubuntu 26.04 LTS (resolute) - medium
The Net::IPV4Addr module 0.10 for Perl does not properly consider extraneous zero characters in an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-18 05:15:00 UTC
CVE-2021-47155
CVE-2021-47865 on Ubuntu 26.04 LTS (resolute) - medium
ProFTPD 1.3.7a contains a denial of service vulnerability that allows attackers to overwhelm the server by creating multiple simultaneous FTP connections. Attackers can repeatedly establish connections using threading to exhaust server connection limits and block legitimate user access.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-21 18:16:00 UTC
CVE-2021-47865
CVE-2021-47952 on Ubuntu 26.04 LTS (resolute) - medium
python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Attackers can craft JSON strings with py/repr directives that invoke the eval function during deserialization to execute system commands and arbitrary code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-16 16:16:00 UTC
CVE-2021-47952
CVE-2022-0080 on Ubuntu 26.04 LTS (resolute) - medium
mruby is vulnerable to Heap-based Buffer Overflow
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-02 12:15:00 UTC
CVE-2022-0080
CVE-2022-0084 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-26 18:15:00 UTC
CVE-2022-0084
CVE-2022-0135 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write issue was found in the VirGL virtual OpenGL renderer (virglrenderer). This flaw allows a malicious guest to create a specially crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl, leading to a denial of service or possible code execution.
Update Instructions:
Run `sudo pro fix CVE-2022-0135` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libvirglrenderer1 - 0.9.1-1~exp1ubuntu2
virgl-server - 0.9.1-1~exp1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-01 00:00:00 UTC
2022-02-01 00:00:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2037790
[https://ubuntu.com/security/notices/USN-5309-1]
CVE-2022-0135
CVE-2022-0139 on Ubuntu 26.04 LTS (resolute) - medium
Use After Free in GitHub repository radareorg/radare2 prior to 5.6.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-08 19:15:00 UTC
CVE-2022-0139
CVE-2022-0173 on Ubuntu 26.04 LTS (resolute) - medium
radare2 is vulnerable to Out-of-bounds Read
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-11 17:15:00 UTC
CVE-2022-0173
CVE-2022-0175 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the VirGL virtual OpenGL renderer (virglrenderer). The virgl did not properly initialize memory when allocating a host-backed memory resource. A malicious guest could use this flaw to mmap from the guest kernel and read this uninitialized memory from the host, possibly leading to information disclosure.
Update Instructions:
Run `sudo pro fix CVE-2022-0175` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libvirglrenderer1 - 0.9.1-1~exp1ubuntu2
virgl-server - 0.9.1-1~exp1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-01 00:00:00 UTC
2022-02-01 00:00:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2039003
https://bugs.launchpad.net/ubuntu/+source/virglrenderer/+bug/1950784
[https://ubuntu.com/security/notices/USN-5309-1]
CVE-2022-0175
CVE-2022-0217 on Ubuntu 26.04 LTS (resolute) - medium
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-26 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003696
CVE-2022-0217
CVE-2022-0240 on Ubuntu 26.04 LTS (resolute) - low
mruby is vulnerable to NULL Pointer Dereference
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-17 14:15:00 UTC
CVE-2022-0240
CVE-2022-0326 on Ubuntu 26.04 LTS (resolute) - low
NULL Pointer Dereference in Homebrew mruby prior to 3.2.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-21 07:15:00 UTC
CVE-2022-0326
CVE-2022-0338 on Ubuntu 26.04 LTS (resolute) - medium
Insertion of Sensitive Information into Log File in Conda loguru prior to 0.5.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-25 09:15:00 UTC
CVE-2022-0338
CVE-2022-0367 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow flaw was found in libmodbus in function modbus_reply() in src/modbus.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-29 15:15:00 UTC
CVE-2022-0367
CVE-2022-0400 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read vulnerability was discovered in the Linux kernel in the smc protocol stack, causing remote DoS.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-29 15:15:00 UTC
Ziming Zhang
https://bugzilla.redhat.com/show_bug.cgi?id=2044575
https://bugzilla.suse.com/show_bug.cgi?id=1195329
CVE-2022-0400
CVE-2022-0419 on Ubuntu 26.04 LTS (resolute) - low
NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.0.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-02-01 11:15:00 UTC
CVE-2022-0419
CVE-2022-0430 on Ubuntu 26.04 LTS (resolute) - low
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository httpie/httpie prior to 3.1.0.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-03-15 15:15:00 UTC
CVE-2022-0430
CVE-2022-0476 on Ubuntu 26.04 LTS (resolute) - low
Denial of Service in GitHub repository radareorg/radare2 prior to 5.6.4.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-02-23 17:15:00 UTC
CVE-2022-0476
CVE-2022-0480 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the filelock_init in fs/locks.c function in the Linux kernel. This issue can lead to host memory exhaustion due to memcg not limiting the number of Portable Operating System Interface (POSIX) file locks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-29 15:15:00 UTC
CVE-2022-0480
CVE-2022-0481 on Ubuntu 26.04 LTS (resolute) - medium
NULL Pointer Dereference in Homebrew mruby prior to 3.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-04 23:15:00 UTC
CVE-2022-0481
CVE-2022-0485 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the copying tool `nbdcopy` of libnbd. When performing multi-threaded copies using asynchronous nbd calls, nbdcopy was blindly treating the completion of an asynchronous command as successful, rather than checking the *error parameter. This could result in the silent creation of a corrupted destination image.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-29 15:15:00 UTC
CVE-2022-0485
CVE-2022-0518 on Ubuntu 26.04 LTS (resolute) - medium
Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-08 21:15:00 UTC
CVE-2022-0518
CVE-2022-0519 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Access with Incorrect Length Value in GitHub repository radareorg/radare2 prior to 5.6.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-08 21:15:00 UTC
CVE-2022-0519
CVE-2022-0520 on Ubuntu 26.04 LTS (resolute) - medium
Use After Free in NPM radare2.js prior to 5.6.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-08 21:15:00 UTC
CVE-2022-0520
CVE-2022-0521 on Ubuntu 26.04 LTS (resolute) - medium
Access of Memory Location After End of Buffer in GitHub repository radareorg/radare2 prior to 5.6.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-08 21:15:00 UTC
CVE-2022-0521
CVE-2022-0522 on Ubuntu 26.04 LTS (resolute) - medium
Access of Memory Location Before Start of Buffer in NPM radare2.js prior to 5.6.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-08 21:15:00 UTC
CVE-2022-0522
CVE-2022-0523 on Ubuntu 26.04 LTS (resolute) - medium
Use After Free in GitHub repository radareorg/radare2 prior to 5.6.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-08 21:15:00 UTC
CVE-2022-0523
CVE-2022-0525 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds Read in Homebrew mruby prior to 3.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-09 04:15:00 UTC
CVE-2022-0525
CVE-2022-0544 on Ubuntu 26.04 LTS (resolute) - low
An integer underflow in the DDS loader of Blender leads to an out-of-bounds read, possibly allowing an attacker to read sensitive data using a crafted DDS image file. This flaw affects Blender versions prior to 2.83.19, 2.93.8 and 3.1.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-02-24 19:15:00 UTC
CVE-2022-0544
CVE-2022-0545 on Ubuntu 26.04 LTS (resolute) - low
An integer overflow in the processing of loaded 2D images leads to a write-what-where vulnerability and an out-of-bounds read vulnerability, allowing an attacker to leak sensitive information or achieve code execution in the context of the Blender process when a specially crafted image file is loaded. This flaw affects Blender versions prior to 2.83.19, 2.93.8 and 3.1.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-02-24 19:15:00 UTC
CVE-2022-0545
CVE-2022-0546 on Ubuntu 26.04 LTS (resolute) - low
A missing bounds check in the image loader used in Blender 3.x and 2.93.8 leads to out-of-bounds heap access, allowing an attacker to cause denial of service, memory corruption or potentially code execution.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-02-24 19:15:00 UTC
CVE-2022-0546
CVE-2022-0559 on Ubuntu 26.04 LTS (resolute) - medium
Use After Free in GitHub repository radareorg/radare2 prior to 5.6.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-16 11:15:00 UTC
CVE-2022-0559
CVE-2022-0570 on Ubuntu 26.04 LTS (resolute) - low
Heap-based Buffer Overflow in Homebrew mruby prior to 3.2.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-02-14 12:15:00 UTC
CVE-2022-0570
CVE-2022-0613 on Ubuntu 26.04 LTS (resolute) - medium
Authorization Bypass Through User-Controlled Key in NPM urijs prior to 1.19.8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-16 09:15:00 UTC
CVE-2022-0613
CVE-2022-0614 on Ubuntu 26.04 LTS (resolute) - medium
Use of Out-of-range Pointer Offset in Homebrew mruby prior to 3.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-16 10:15:00 UTC
CVE-2022-0614
CVE-2022-0623 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds Read in Homebrew mruby prior to 3.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-17 07:15:00 UTC
CVE-2022-0623
CVE-2022-0630 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds Read in Homebrew mruby prior to 3.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-19 14:15:00 UTC
CVE-2022-0630
CVE-2022-0631 on Ubuntu 26.04 LTS (resolute) - medium
Heap-based Buffer Overflow in Homebrew mruby prior to 3.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-18 14:15:00 UTC
CVE-2022-0631
CVE-2022-0632 on Ubuntu 26.04 LTS (resolute) - medium
NULL Pointer Dereference in Homebrew mruby prior to 3.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-19 14:15:00 UTC
CVE-2022-0632
CVE-2022-0675 on Ubuntu 26.04 LTS (resolute) - medium
In certain situations it is possible for an unmanaged rule to exist on the target system that has the same comment as the rule specified in the manifest. This could allow for unmanaged rules to exist on the target system and leave the system in an unsafe state.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-02 21:15:00 UTC
CVE-2022-0675
CVE-2022-0676 on Ubuntu 26.04 LTS (resolute) - medium
Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-22 00:15:00 UTC
CVE-2022-0676
CVE-2022-0695 on Ubuntu 26.04 LTS (resolute) - low
Denial of Service in GitHub repository radareorg/radare2 prior to 5.6.4.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-02-24 13:15:00 UTC
CVE-2022-0695
CVE-2022-0712 on Ubuntu 26.04 LTS (resolute) - medium
NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-22 18:15:00 UTC
CVE-2022-0712
CVE-2022-0713 on Ubuntu 26.04 LTS (resolute) - medium
Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-22 19:15:00 UTC
CVE-2022-0713
CVE-2022-0717 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds Read in GitHub repository mruby/mruby prior to 3.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-23 02:15:00 UTC
CVE-2022-0717
CVE-2022-0725 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in keepass. The vulnerability occurs due to logging the plain text passwords in system log and leads to an Information Exposure vulnerability. This flaw allows an attacker to interact and read sensitive passwords and logs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-10 17:44:00 UTC
CVE-2022-0725
CVE-2022-0730 on Ubuntu 26.04 LTS (resolute) - medium
Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-03 23:15:00 UTC
CVE-2022-0730
CVE-2022-0759 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, the Ruby client for Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not configure custom CA to verify certs, kubeclient ends up accepting any certificate (it wrongly returns VERIFY_NONE). Ruby applications that leverage kubeclient to parse kubeconfig files are susceptible to Man-in-the-middle attacks (MITM).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-25 19:15:00 UTC
CVE-2022-0759
CVE-2022-0778 on Ubuntu 26.04 LTS (resolute) - high
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters. Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).
Update Instructions:
Run `sudo pro fix CVE-2022-0778` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.2-0ubuntu1
openssl - 3.0.2-0ubuntu1
openssl-provider-legacy - 3.0.2-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2022 Canonical Ltd.
2022-03-15
2022-03-15
Tavis Ormandy
[https://ubuntu.com/security/notices/USN-5328-1]
[https://ubuntu.com/security/notices/USN-5328-2]
[https://ubuntu.com/security/notices/USN-6457-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2022-0778
CVE-2022-0813 on Ubuntu 26.04 LTS (resolute) - medium
PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially sensitive information by creating invalid requests. This affects the lang parameter, the pma_parameter, and the cookie section.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-10 17:44:00 UTC
CVE-2022-0813
CVE-2022-0849 on Ubuntu 26.04 LTS (resolute) - medium
Use After Free in r_reg_get_name_idx in GitHub repository radareorg/radare2 prior to 5.6.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-05 10:15:00 UTC
CVE-2022-0849
CVE-2022-0890 on Ubuntu 26.04 LTS (resolute) - medium
NULL Pointer Dereference in GitHub repository mruby/mruby prior to 3.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-10 01:15:00 UTC
CVE-2022-0890
CVE-2022-0918 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was discovered in the 389 Directory Server that allows an unauthenticated attacker with network access to the LDAP port to cause a denial of service. The denial of service is triggered by a single message sent over a TCP connection, no bind or other authentication is required. The message triggers a segmentation fault that results in slapd crashing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-16 15:15:00 UTC
CVE-2022-0918
CVE-2022-0987 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in PackageKit in the way some of the methods exposed by the Transaction interface examines files. This issue allows a local user to measure the time the methods take to execute and know whether a file owned by root or other users exists.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-06-28 17:15:00 UTC
CVE-2022-0987
CVE-2022-0996 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in the 389 Directory Server that allows expired passwords to access the database to cause improper authentication.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-23 20:15:00 UTC
CVE-2022-0996
CVE-2022-1031 on Ubuntu 26.04 LTS (resolute) - medium
Use After Free in op_is_set_bp in GitHub repository radareorg/radare2 prior to 5.6.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-22 20:15:00 UTC
CVE-2022-1031
CVE-2022-1052 on Ubuntu 26.04 LTS (resolute) - medium
Heap Buffer Overflow in iterate_chained_fixups in GitHub repository radareorg/radare2 prior to 5.6.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-24 13:15:00 UTC
CVE-2022-1052
CVE-2022-1061 on Ubuntu 26.04 LTS (resolute) - medium
Heap Buffer Overflow in parseDragons in GitHub repository radareorg/radare2 prior to 5.6.8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-24 10:15:00 UTC
CVE-2022-1061
CVE-2022-1071 on Ubuntu 26.04 LTS (resolute) - medium
Use after free in mrb_vm_exec in GitHub repository mruby/mruby prior to 3.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-26 04:15:00 UTC
CVE-2022-1071
CVE-2022-1106 on Ubuntu 26.04 LTS (resolute) - medium
use after free in mrb_vm_exec in GitHub repository mruby/mruby prior to 3.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-27 14:15:00 UTC
CVE-2022-1106
CVE-2022-1114 on Ubuntu 26.04 LTS (resolute) - medium
A heap-use-after-free flaw was found in ImageMagick's RelinquishDCMInfo() function of dcm.c file. This vulnerability is triggered when an attacker passes a specially crafted DICOM image file to ImageMagick for conversion, potentially leading to information disclosure and a denial of service.
Update Instructions:
Run `sudo pro fix CVE-2022-1114` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-29 16:15:00 UTC
2022-04-29 16:15:00 UTC
https://github.com/ImageMagick/ImageMagick/issues/4947
[https://ubuntu.com/security/notices/USN-5736-1]
[https://ubuntu.com/security/notices/USN-5736-2]
CVE-2022-1114
CVE-2022-1122 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in the opj2_decompress program in openjpeg2 2.4.0 in the way it handles an input directory with a large number of files. When it fails to allocate a buffer to store the filenames of the input directory, it calls free() on an uninitialized pointer, leading to a segmentation fault and a denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-03-29 18:15:00 UTC
2022-03-29 18:15:00 UTC
https://github.com/uclouvain/openjpeg/issues/1368
[https://ubuntu.com/security/notices/USN-7083-1]
CVE-2022-1122
CVE-2022-1201 on Ubuntu 26.04 LTS (resolute) - medium
NULL Pointer Dereference in mrb_vm_exec with super in GitHub repository mruby/mruby prior to 3.2. This vulnerability is capable of making the mruby interpreter crash, thus affecting the availability of the system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-02 08:15:00 UTC
CVE-2022-1201
CVE-2022-1207 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds read in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability allows attackers to read sensitive information from outside the allocated buffer boundary.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-01 19:15:00 UTC
CVE-2022-1207
CVE-2022-1212 on Ubuntu 26.04 LTS (resolute) - medium
Use-After-Free in str_escape in mruby/mruby in GitHub repository mruby/mruby prior to 3.2. Possible arbitrary code execution if being exploited.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-05 04:15:00 UTC
CVE-2022-1212
CVE-2022-1237 on Ubuntu 26.04 LTS (resolute) - medium
Improper Validation of Array Index in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability is heap overflow and may be exploitable. For more general description of heap buffer overflow, see [CWE](https://cwe.mitre.org/data/definitions/122.html).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-06 10:15:00 UTC
CVE-2022-1237
CVE-2022-1238 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds Write in libr/bin/format/ne/ne.c in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability is heap overflow and may be exploitable. For more general description of heap buffer overflow, see [CWE](https://cwe.mitre.org/data/definitions/122.html).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-06 10:15:00 UTC
CVE-2022-1238
CVE-2022-1240 on Ubuntu 26.04 LTS (resolute) - medium
Heap buffer overflow in libr/bin/format/mach0/mach0.c in GitHub repository radareorg/radare2 prior to 5.8.6. If address sanitizer is disabled during the compiling, the program should execute into the `r_str_ncpy` function. Therefore I think it is very likely to be exploitable. For more general description of heap buffer overflow, see [CWE](https://cwe.mitre.org/data/definitions/122.html).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-06 11:15:00 UTC
CVE-2022-1240
CVE-2022-1242 on Ubuntu 26.04 LTS (resolute) - medium
Apport can be tricked into connecting to arbitrary sockets as the root user
Update Instructions:
Run `sudo pro fix CVE-2022-1242` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apport - 2.21.0-0ubuntu1
apport-core-dump-handler - 2.21.0-0ubuntu1
apport-gtk - 2.21.0-0ubuntu1
apport-kde - 2.21.0-0ubuntu1
apport-noui - 2.21.0-0ubuntu1
apport-retrace - 2.21.0-0ubuntu1
apport-valgrind - 2.21.0-0ubuntu1
dh-apport - 2.21.0-0ubuntu1
python3-apport - 2.21.0-0ubuntu1
python3-problem-report - 2.21.0-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-17 18:00:00 UTC
2022-05-17 18:00:00 UTC
Gerrit Venema
[https://ubuntu.com/security/notices/USN-5427-1]
[https://ubuntu.com/security/notices/USN-6894-1]
CVE-2022-1242
CVE-2022-1244 on Ubuntu 26.04 LTS (resolute) - medium
heap-buffer-overflow in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability is capable of inducing denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-05 19:15:00 UTC
CVE-2022-1244
CVE-2022-1247 on Ubuntu 26.04 LTS (resolute) - medium
An issue found in linux-kernel that leads to a race condition in rose_connect(). The rose driver uses rose_neigh->use to represent how many objects are using the rose_neigh. When a user wants to delete a rose_route via rose_ioctl(), the rose driver calls rose_del_node() and removes neighbours only if their “count” and “use” are zero.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-31 16:15:00 UTC
Duoming Zhou
https://bugzilla.redhat.com/show_bug.cgi?id=2066799
https://bugzilla.suse.com/show_bug.cgi?id=1199434
CVE-2022-1247
CVE-2022-1249 on Ubuntu 26.04 LTS (resolute) - low
A NULL pointer dereference flaw was found in pesign's cms_set_pw_data() function of the cms_common.c file. The function fails to handle the NULL pwdata invocation from daemon.c, which leads to an explicit NULL dereference and crash on all attempts to daemonize pesign.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-04-29 16:15:00 UTC
CVE-2022-1249
CVE-2022-1259 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-31 16:15:00 UTC
CVE-2022-1259
CVE-2022-1276 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds Read in mrb_get_args in GitHub repository mruby/mruby prior to 3.2. Possible arbitrary code execution if being exploited.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-10 10:15:00 UTC
CVE-2022-1276
CVE-2022-1283 on Ubuntu 26.04 LTS (resolute) - low
NULL Pointer Dereference in r_bin_ne_get_entrypoints function in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability allows attackers to cause a denial of service (application crash).
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-04-08 18:15:00 UTC
CVE-2022-1283
CVE-2022-1284 on Ubuntu 26.04 LTS (resolute) - medium
heap-use-after-free in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability is capable of inducing denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-08 19:15:00 UTC
CVE-2022-1284
CVE-2022-1286 on Ubuntu 26.04 LTS (resolute) - medium
heap-buffer-overflow in mrb_vm_exec in mruby/mruby in GitHub repository mruby/mruby prior to 3.2. Possible arbitrary code execution if being exploited.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-10 11:15:00 UTC
CVE-2022-1286
CVE-2022-1292 on Ubuntu 26.04 LTS (resolute) - medium
The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).
Update Instructions:
Run `sudo pro fix CVE-2022-1292` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.2-0ubuntu2
openssl - 3.0.2-0ubuntu2
openssl-provider-legacy - 3.0.2-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-03
2022-05-03
Elison Niven
[https://ubuntu.com/security/notices/USN-5402-1]
[https://ubuntu.com/security/notices/USN-5402-2]
[https://ubuntu.com/security/notices/USN-6457-1]
[https://ubuntu.com/security/notices/USN-7018-1]
[https://ubuntu.com/security/notices/USN-7060-1]
CVE-2022-1292
CVE-2022-1296 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds read in `r_bin_ne_get_relocs` function in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability may allow attackers to read sensitive information or cause a crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-11 12:15:00 UTC
CVE-2022-1296
CVE-2022-1297 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds Read in r_bin_ne_get_entrypoints function in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability may allow attackers to read sensitive information or cause a crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-11 12:15:00 UTC
CVE-2022-1297
CVE-2022-1328 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow in uudecoder in Mutt affecting all versions starting from 0.94.13 before 2.2.3 allows read past end of input line
Update Instructions:
Run `sudo pro fix CVE-2022-1328` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
mutt - 2.2.3-2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-14 21:15:00 UTC
2022-04-14 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009734
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009735
[https://ubuntu.com/security/notices/USN-5392-1]
[https://ubuntu.com/security/notices/USN-7204-1]
CVE-2022-1328
CVE-2022-1341 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in bwm-ng v0.6.2. An arbitrary null write exists in get_cmdln_options() function in src/options.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-18 17:15:00 UTC
CVE-2022-1341
CVE-2022-1382 on Ubuntu 26.04 LTS (resolute) - medium
NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability is capable of making the radare2 crash, thus affecting the availability of the system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-18 01:15:00 UTC
CVE-2022-1382
CVE-2022-1427 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds Read in mrb_obj_is_kind_of in GitHub repository mruby/mruby prior to 3.2. # Impact: Possible arbitrary code execution if being exploited.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-23 00:15:00 UTC
CVE-2022-1427
CVE-2022-1434 on Ubuntu 26.04 LTS (resolute) - low
The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. If both endpoints are OpenSSL 3.0 then the attacker could modify data being sent in both directions. In this case both clients and servers could be affected, regardless of the application protocol. Note that in the absence of an attacker this bug means that an OpenSSL 3.0 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete the handshake when using this ciphersuite. The confidentiality of data is not impacted by this issue, i.e. an attacker cannot decrypt data that has been encrypted using this ciphersuite - they can only modify it. In order for this attack to work both endpoints must legitimately negotiate the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in OpenSSL 3.0, and is not available within the default provider or the default ciphersuite list.
This ciphersuite will never be used if TLSv1.3 has been negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the following must have occurred: 1) OpenSSL must have been compiled with the (non-default) compile time option enable-weak-ssl-ciphers 2) OpenSSL must have had the legacy provider explicitly loaded (either through application code or via configuration) 3) The ciphersuite must have been explicitly added to the ciphersuite list 4) The libssl security level must have been set to 0 (default is 1) 5) A version of SSL/TLS below TLSv1.3 must have been negotiated 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any others that both endpoints have in common. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).
Update Instructions:
Run `sudo pro fix CVE-2022-1434` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.2-0ubuntu2
openssl - 3.0.2-0ubuntu2
openssl-provider-legacy - 3.0.2-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-03
2022-05-03
Tom Colley
[https://ubuntu.com/security/notices/USN-5402-1]
CVE-2022-1434
CVE-2022-1437 on Ubuntu 26.04 LTS (resolute) - medium
Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.7.0. The bug causes the program to read data past the end of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-22 15:15:00 UTC
CVE-2022-1437
CVE-2022-1444 on Ubuntu 26.04 LTS (resolute) - medium
heap-use-after-free in GitHub repository radareorg/radare2 prior to 5.7.0. This vulnerability is capable of inducing denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-23 22:15:00 UTC
CVE-2022-1444
CVE-2022-1451 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds Read in r_bin_java_constant_value_attr_new function in GitHub repository radareorg/radare2 prior to 5.7.0. The bug causes the program to read data past the end of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. For more details, see [CWE-125: Out-of-bounds read](https://cwe.mitre.org/data/definitions/125.html).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-24 21:15:00 UTC
CVE-2022-1451
CVE-2022-1452 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds Read in r_bin_java_bootstrap_methods_attr_new function in GitHub repository radareorg/radare2 prior to 5.7.0. The bug causes the program to read data past the end of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. For more details, see [CWE-125: Out-of-bounds read](https://cwe.mitre.org/data/definitions/125.html).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-24 21:15:00 UTC
CVE-2022-1452
CVE-2022-1473 on Ubuntu 26.04 LTS (resolute) - low
The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).
Update Instructions:
Run `sudo pro fix CVE-2022-1473` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.2-0ubuntu2
openssl - 3.0.2-0ubuntu2
openssl-provider-legacy - 3.0.2-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-03
2022-05-03
Aliaksei Levin
[https://ubuntu.com/security/notices/USN-5402-1]
[https://ubuntu.com/security/notices/USN-5402-2]
CVE-2022-1473
CVE-2022-1649 on Ubuntu 26.04 LTS (resolute) - medium
Null pointer dereference in libr/bin/format/mach0/mach0.c in radareorg/radare2 in GitHub repository radareorg/radare2 prior to 5.7.0. It is likely to be exploitable. For more general description of heap buffer overflow, see [CWE](https://cwe.mitre.org/data/definitions/476.html).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-10 17:15:00 UTC
CVE-2022-1649
CVE-2022-1664 on Ubuntu 26.04 LTS (resolute) - medium
Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.
Update Instructions:
Run `sudo pro fix CVE-2022-1664` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
dpkg - 1.21.9ubuntu1
dselect - 1.21.9ubuntu1
libdpkg-perl - 1.21.9ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-25 15:00:00 UTC
2022-05-25 15:00:00 UTC
Max Justicz
[https://ubuntu.com/security/notices/USN-5446-1]
[https://ubuntu.com/security/notices/USN-5446-2]
CVE-2022-1664
CVE-2022-1706 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Ignition where ignition configs are accessible from unprivileged containers in VMs running on VMware products. This issue is only relevant in user environments where the Ignition config contains secrets. The highest threat from this vulnerability is to data confidentiality. Possible workaround is to not put secrets in the Ignition config.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-17 18:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2082274
https://github.com/coreos/ignition/issues/1315
https://github.com/coreos/ignition/issues/1300
CVE-2022-1706
CVE-2022-1714 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds Read in GitHub repository radareorg/radare2 prior to 5.7.0. The bug causes the program to read data past the end of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-13 15:15:00 UTC
CVE-2022-1714
CVE-2022-1726 on Ubuntu 26.04 LTS (resolute) - medium
Bootstrap Tables XSS vulnerability with Table Export plug-in when exportOptions: htmlContent is true in GitHub repository wenzhixin/bootstrap-table prior to 1.20.2. Disclosing session cookies, disclosing secure session data, exfiltrating data to third-parties.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-16 15:15:00 UTC
CVE-2022-1726
CVE-2022-1809 on Ubuntu 26.04 LTS (resolute) - medium
Access of Uninitialized Pointer in GitHub repository radareorg/radare2 prior to 5.7.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-21 23:16:00 UTC
CVE-2022-1809
CVE-2022-1899 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds Read in GitHub repository radareorg/radare2 prior to 5.7.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-26 17:15:00 UTC
CVE-2022-1899
CVE-2022-1907 on Ubuntu 26.04 LTS (resolute) - low
Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to 0.11.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-27 09:15:00 UTC
2022-05-27 09:15:00 UTC
[https://ubuntu.com/security/notices/USN-7638-1]
CVE-2022-1907
CVE-2022-1908 on Ubuntu 26.04 LTS (resolute) - low
Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to 0.11.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-27 09:15:00 UTC
2022-05-27 09:15:00 UTC
[https://ubuntu.com/security/notices/USN-7638-1]
CVE-2022-1908
CVE-2022-1934 on Ubuntu 26.04 LTS (resolute) - medium
Use After Free in GitHub repository mruby/mruby prior to 3.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-31 03:15:00 UTC
CVE-2022-1934
CVE-2022-1949 on Ubuntu 26.04 LTS (resolute) - medium
An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-02 14:15:00 UTC
CVE-2022-1949
CVE-2022-20203 on Ubuntu 26.04 LTS (resolute) - medium
In multiple locations of the nanopb library, there is a possible way to corrupt memory when decoding untrusted protobuf files. This could lead to local escalation of privilege, with no additional execution privileges needed. User interaction is not needed for exploitation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-15 22:15:00 UTC
CVE-2022-20203
CVE-2022-2031 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Samba. The security vulnerability occurs when KDC and the kpasswd service share a single account and set of keys, allowing them to decrypt each other's tickets. A user who has been requested to change their password, can exploit this flaw to obtain and use tickets to other services.
Update Instructions:
Run `sudo pro fix CVE-2022-2031` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-27
2022-07-27
Luke Howard
https://bugzilla.samba.org/show_bug.cgi?id=15047
https://bugzilla.samba.org/show_bug.cgi?id=15109 (tracking bug)
[https://ubuntu.com/security/notices/USN-5542-1]
CVE-2022-2031
CVE-2022-2053 on Ubuntu 26.04 LTS (resolute) - medium
When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (application server) as an error state and not forward requests to the worker for a while. In mod_cluster, this continues until the next STATUS request (10 seconds intervals) from the application server updates the server state. So, in the worst case, it can result in "All workers are in error state" and mod_cluster responds "503 Service Unavailable" for a while (up to 10 seconds). In mod_proxy_balancer, it does not forward requests to the worker until the "retry" timeout passes. However, luckily, mod_proxy_balancer has "forcerecovery" setting (On by default; this parameter can force the immediate recovery of all workers without considering the retry parameter of the workers if all workers of a balancer are in error state.). So, unlike mod_cluster, mod_proxy_balancer does not result in responding "503 Service Unavailable". An attacker could use this behavior to send a malicious request and trigger server errors, resulting in DoS (denial of service). This flaw was fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-05 16:15:00 UTC
CVE-2022-2053
CVE-2022-2054 on Ubuntu 26.04 LTS (resolute) - medium
Code Injection in GitHub repository nuitka/nuitka prior to 0.9.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-12 14:15:00 UTC
CVE-2022-2054
CVE-2022-2061 on Ubuntu 26.04 LTS (resolute) - medium
Heap-based Buffer Overflow in GitHub repository hpjansson/chafa prior to 1.12.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-13 12:15:00 UTC
CVE-2022-2061
CVE-2022-2097 on Ubuntu 26.04 LTS (resolute) - medium
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).
Update Instructions:
Run `sudo pro fix CVE-2022-2097` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.5-2ubuntu1
openssl - 3.0.5-2ubuntu1
openssl-provider-legacy - 3.0.5-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-05
2022-07-05
Alex Chernyakhovsky
[https://ubuntu.com/security/notices/USN-5502-1]
[https://ubuntu.com/security/notices/USN-6457-1]
CVE-2022-2097
CVE-2022-21123 on Ubuntu 26.04 LTS (resolute) - medium
Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
Update Instructions:
Run `sudo pro fix CVE-2022-21123` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
intel-microcode - 3.20220510.0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-15 20:15:00 UTC
2022-06-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-5484-1]
[https://ubuntu.com/security/notices/USN-5485-1]
[https://ubuntu.com/security/notices/USN-5486-1]
[https://ubuntu.com/security/notices/USN-5485-2]
[https://ubuntu.com/security/notices/USN-5505-1]
[https://ubuntu.com/security/notices/USN-5513-1]
[https://ubuntu.com/security/notices/USN-5529-1]
[https://ubuntu.com/security/notices/USN-5535-1]
CVE-2022-21123
CVE-2022-21125 on Ubuntu 26.04 LTS (resolute) - medium
Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
Update Instructions:
Run `sudo pro fix CVE-2022-21125` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
intel-microcode - 3.20220510.0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-15 20:15:00 UTC
2022-06-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-5484-1]
[https://ubuntu.com/security/notices/USN-5485-1]
[https://ubuntu.com/security/notices/USN-5485-2]
[https://ubuntu.com/security/notices/USN-5505-1]
[https://ubuntu.com/security/notices/USN-5513-1]
[https://ubuntu.com/security/notices/USN-5529-1]
[https://ubuntu.com/security/notices/USN-5535-1]
CVE-2022-21125
CVE-2022-21126 on Ubuntu 26.04 LTS (resolute) - medium
The package com.github.samtools:htsjdk before 3.0.1 are vulnerable to Creation of Temporary File in Directory with Insecure Permissions due to the createTempDir() function in util/IOUtil.java not checking for the existence of the temporary directory before attempting to create it.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-29 17:15:00 UTC
CVE-2022-21126
CVE-2022-21166 on Ubuntu 26.04 LTS (resolute) - medium
Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
Update Instructions:
Run `sudo pro fix CVE-2022-21166` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
intel-microcode - 3.20220510.0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-15 21:15:00 UTC
2022-06-15 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-5484-1]
[https://ubuntu.com/security/notices/USN-5485-1]
[https://ubuntu.com/security/notices/USN-5486-1]
[https://ubuntu.com/security/notices/USN-5485-2]
[https://ubuntu.com/security/notices/USN-5505-1]
[https://ubuntu.com/security/notices/USN-5513-1]
[https://ubuntu.com/security/notices/USN-5529-1]
[https://ubuntu.com/security/notices/USN-5535-1]
CVE-2022-21166
CVE-2022-2119 on Ubuntu 26.04 LTS (resolute) - medium
OFFIS DCMTK's (All versions prior to 3.6.7) service class provider (SCP) is vulnerable to path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-24 15:15:00 UTC
2022-06-24 15:15:00 UTC
Sharon Brizinov and Noam Moshe
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014044
[https://ubuntu.com/security/notices/USN-5882-1]
CVE-2022-2119
CVE-2022-2120 on Ubuntu 26.04 LTS (resolute) - medium
OFFIS DCMTK's (All versions prior to 3.6.7) service class user (SCU) is vulnerable to relative path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-24 15:15:00 UTC
2022-06-24 15:15:00 UTC
Sharon Brizinov and Noam Moshe
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014044
[https://ubuntu.com/security/notices/USN-5882-1]
CVE-2022-2120
CVE-2022-2121 on Ubuntu 26.04 LTS (resolute) - low
OFFIS DCMTK's (All versions prior to 3.6.7) has a NULL pointer dereference vulnerability while processing DICOM files, which may result in a denial-of-service condition.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-06-24 15:15:00 UTC
2022-06-24 15:15:00 UTC
Sharon Brizinov and Noam Moshe
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014044
[https://ubuntu.com/security/notices/USN-5882-1]
[https://ubuntu.com/security/notices/USN-7010-1]
CVE-2022-2121
CVE-2022-2122 on Ubuntu 26.04 LTS (resolute) - medium
DOS / potential heap overwrite in qtdemux using zlib decompression. Integer overflow in qtdemux element in qtdemux_inflate function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-19 20:15:00 UTC
2022-07-19 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-5555-1]
CVE-2022-2122
CVE-2022-21222 on Ubuntu 26.04 LTS (resolute) - medium
The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-30 05:15:00 UTC
2022-09-30 05:15:00 UTC
[https://ubuntu.com/security/notices/USN-6065-1]
CVE-2022-21222
CVE-2022-21248 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
2022-01-19 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-5313-1]
[https://ubuntu.com/security/notices/USN-5313-2]
CVE-2022-21248
CVE-2022-2127 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to check the lan manager response length. When Winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in Winbind, possibly resulting in a crash.
Update Instructions:
Run `sudo pro fix CVE-2022-2127` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-19
2023-07-19
https://bugzilla.samba.org/show_bug.cgi?id=15072
[https://ubuntu.com/security/notices/USN-6238-1]
CVE-2022-2127
CVE-2022-21271 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
CVE-2022-21271
CVE-2022-21277 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
2022-01-19 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-5313-1]
[https://ubuntu.com/security/notices/USN-5313-2]
CVE-2022-21277
CVE-2022-21282 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
2022-01-19 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-5313-1]
[https://ubuntu.com/security/notices/USN-5313-2]
CVE-2022-21282
CVE-2022-21283 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
2022-01-19 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-5313-1]
[https://ubuntu.com/security/notices/USN-5313-2]
CVE-2022-21283
CVE-2022-21291 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
2022-01-19 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-5313-1]
[https://ubuntu.com/security/notices/USN-5313-2]
CVE-2022-21291
CVE-2022-21293 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
2022-01-19 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-5313-1]
[https://ubuntu.com/security/notices/USN-5313-2]
CVE-2022-21293
CVE-2022-21294 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
2022-01-19 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-5313-1]
[https://ubuntu.com/security/notices/USN-5313-2]
CVE-2022-21294
CVE-2022-21295 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.32. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. Note: This vulnerability applies to Windows systems only. CVSS 3.1 Base Score 3.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
CVE-2022-21295
CVE-2022-21296 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
2022-01-19 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-5313-1]
[https://ubuntu.com/security/notices/USN-5313-2]
CVE-2022-21296
CVE-2022-21299 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
2022-01-19 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-5313-1]
[https://ubuntu.com/security/notices/USN-5313-2]
CVE-2022-21299
CVE-2022-21305 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
2022-01-19 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-5313-1]
[https://ubuntu.com/security/notices/USN-5313-2]
CVE-2022-21305
CVE-2022-2132 on Ubuntu 26.04 LTS (resolute) - medium
A permissive list of allowed inputs flaw was found in DPDK. This issue allows a remote attacker to cause a denial of service triggered by sending a crafted Vhost header to DPDK.
Update Instructions:
Run `sudo pro fix CVE-2022-2132` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
dpdk - 21.11.2-0ubuntu1
librte-acl25 - 21.11.2-0ubuntu1
librte-argparse25 - 21.11.2-0ubuntu1
librte-baseband-acc25 - 21.11.2-0ubuntu1
librte-baseband-fpga-5gnr-fec25 - 21.11.2-0ubuntu1
librte-baseband-fpga-lte-fec25 - 21.11.2-0ubuntu1
librte-baseband-la12xx25 - 21.11.2-0ubuntu1
librte-baseband-null25 - 21.11.2-0ubuntu1
librte-baseband-turbo-sw25 - 21.11.2-0ubuntu1
librte-bbdev25 - 21.11.2-0ubuntu1
librte-bitratestats25 - 21.11.2-0ubuntu1
librte-bpf25 - 21.11.2-0ubuntu1
librte-bus-auxiliary25 - 21.11.2-0ubuntu1
librte-bus-cdx25 - 21.11.2-0ubuntu1
librte-bus-dpaa25 - 21.11.2-0ubuntu1
librte-bus-fslmc25 - 21.11.2-0ubuntu1
librte-bus-ifpga25 - 21.11.2-0ubuntu1
librte-bus-pci25 - 21.11.2-0ubuntu1
librte-bus-platform25 - 21.11.2-0ubuntu1
librte-bus-uacce25 - 21.11.2-0ubuntu1
librte-bus-vdev25 - 21.11.2-0ubuntu1
librte-bus-vmbus25 - 21.11.2-0ubuntu1
librte-cfgfile25 - 21.11.2-0ubuntu1
librte-cmdline25 - 21.11.2-0ubuntu1
librte-common-cnxk25 - 21.11.2-0ubuntu1
librte-common-cpt25 - 21.11.2-0ubuntu1
librte-common-dpaax25 - 21.11.2-0ubuntu1
librte-common-iavf25 - 21.11.2-0ubuntu1
librte-common-idpf25 - 21.11.2-0ubuntu1
librte-common-ionic25 - 21.11.2-0ubuntu1
librte-common-mlx5-25 - 21.11.2-0ubuntu1
librte-common-nfp25 - 21.11.2-0ubuntu1
librte-common-nitrox25 - 21.11.2-0ubuntu1
librte-common-octeontx25 - 21.11.2-0ubuntu1
librte-common-qat25 - 21.11.2-0ubuntu1
librte-common-sfc-efx25 - 21.11.2-0ubuntu1
librte-compress-isal25 - 21.11.2-0ubuntu1
librte-compress-mlx5-25 - 21.11.2-0ubuntu1
librte-compress-nitrox25 - 21.11.2-0ubuntu1
librte-compress-octeontx25 - 21.11.2-0ubuntu1
librte-compress-zlib25 - 21.11.2-0ubuntu1
librte-compressdev25 - 21.11.2-0ubuntu1
librte-crypto-bcmfs25 - 21.11.2-0ubuntu1
librte-crypto-caam-jr25 - 21.11.2-0ubuntu1
librte-crypto-ccp25 - 21.11.2-0ubuntu1
librte-crypto-cnxk25 - 21.11.2-0ubuntu1
librte-crypto-dpaa-sec25 - 21.11.2-0ubuntu1
librte-crypto-dpaa2-sec25 - 21.11.2-0ubuntu1
librte-crypto-ionic25 - 21.11.2-0ubuntu1
librte-crypto-ipsec-mb25 - 21.11.2-0ubuntu1
librte-crypto-mlx5-25 - 21.11.2-0ubuntu1
librte-crypto-nitrox25 - 21.11.2-0ubuntu1
librte-crypto-null25 - 21.11.2-0ubuntu1
librte-crypto-octeontx25 - 21.11.2-0ubuntu1
librte-crypto-openssl25 - 21.11.2-0ubuntu1
librte-crypto-scheduler25 - 21.11.2-0ubuntu1
librte-crypto-virtio25 - 21.11.2-0ubuntu1
librte-cryptodev25 - 21.11.2-0ubuntu1
librte-dispatcher25 - 21.11.2-0ubuntu1
librte-distributor25 - 21.11.2-0ubuntu1
librte-dma-cnxk25 - 21.11.2-0ubuntu1
librte-dma-dpaa2-25 - 21.11.2-0ubuntu1
librte-dma-dpaa25 - 21.11.2-0ubuntu1
librte-dma-hisilicon25 - 21.11.2-0ubuntu1
librte-dma-idxd25 - 21.11.2-0ubuntu1
librte-dma-ioat25 - 21.11.2-0ubuntu1
librte-dma-odm25 - 21.11.2-0ubuntu1
librte-dma-skeleton25 - 21.11.2-0ubuntu1
librte-dmadev25 - 21.11.2-0ubuntu1
librte-eal25 - 21.11.2-0ubuntu1
librte-efd25 - 21.11.2-0ubuntu1
librte-ethdev25 - 21.11.2-0ubuntu1
librte-event-cnxk25 - 21.11.2-0ubuntu1
librte-event-dlb2-25 - 21.11.2-0ubuntu1
librte-event-dpaa2-25 - 21.11.2-0ubuntu1
librte-event-dpaa25 - 21.11.2-0ubuntu1
librte-event-dsw25 - 21.11.2-0ubuntu1
librte-event-octeontx25 - 21.11.2-0ubuntu1
librte-event-opdl25 - 21.11.2-0ubuntu1
librte-event-skeleton25 - 21.11.2-0ubuntu1
librte-event-sw25 - 21.11.2-0ubuntu1
librte-eventdev25 - 21.11.2-0ubuntu1
librte-fib25 - 21.11.2-0ubuntu1
librte-gpudev25 - 21.11.2-0ubuntu1
librte-graph25 - 21.11.2-0ubuntu1
librte-gro25 - 21.11.2-0ubuntu1
librte-gso25 - 21.11.2-0ubuntu1
librte-hash25 - 21.11.2-0ubuntu1
librte-ip-frag25 - 21.11.2-0ubuntu1
librte-ipsec25 - 21.11.2-0ubuntu1
librte-jobstats25 - 21.11.2-0ubuntu1
librte-kvargs25 - 21.11.2-0ubuntu1
librte-latencystats25 - 21.11.2-0ubuntu1
librte-log25 - 21.11.2-0ubuntu1
librte-lpm25 - 21.11.2-0ubuntu1
librte-mbuf25 - 21.11.2-0ubuntu1
librte-member25 - 21.11.2-0ubuntu1
librte-mempool-bucket25 - 21.11.2-0ubuntu1
librte-mempool-cnxk25 - 21.11.2-0ubuntu1
librte-mempool-dpaa2-25 - 21.11.2-0ubuntu1
librte-mempool-dpaa25 - 21.11.2-0ubuntu1
librte-mempool-octeontx25 - 21.11.2-0ubuntu1
librte-mempool-ring25 - 21.11.2-0ubuntu1
librte-mempool-stack25 - 21.11.2-0ubuntu1
librte-mempool25 - 21.11.2-0ubuntu1
librte-meta-all - 21.11.2-0ubuntu1
librte-meta-allpmds - 21.11.2-0ubuntu1
librte-meta-baseband - 21.11.2-0ubuntu1
librte-meta-bus - 21.11.2-0ubuntu1
librte-meta-common - 21.11.2-0ubuntu1
librte-meta-compress - 21.11.2-0ubuntu1
librte-meta-crypto - 21.11.2-0ubuntu1
librte-meta-dma - 21.11.2-0ubuntu1
librte-meta-event - 21.11.2-0ubuntu1
librte-meta-mempool - 21.11.2-0ubuntu1
librte-meta-net - 21.11.2-0ubuntu1
librte-meta-raw - 21.11.2-0ubuntu1
librte-meter25 - 21.11.2-0ubuntu1
librte-metrics25 - 21.11.2-0ubuntu1
librte-ml-cnxk25 - 21.11.2-0ubuntu1
librte-mldev25 - 21.11.2-0ubuntu1
librte-net-af-packet25 - 21.11.2-0ubuntu1
librte-net-af-xdp25 - 21.11.2-0ubuntu1
librte-net-ark25 - 21.11.2-0ubuntu1
librte-net-atlantic25 - 21.11.2-0ubuntu1
librte-net-avp25 - 21.11.2-0ubuntu1
librte-net-axgbe25 - 21.11.2-0ubuntu1
librte-net-bnx2x25 - 21.11.2-0ubuntu1
librte-net-bnxt25 - 21.11.2-0ubuntu1
librte-net-bond25 - 21.11.2-0ubuntu1
librte-net-cnxk25 - 21.11.2-0ubuntu1
librte-net-cpfl25 - 21.11.2-0ubuntu1
librte-net-cxgbe25 - 21.11.2-0ubuntu1
librte-net-dpaa2-25 - 21.11.2-0ubuntu1
librte-net-dpaa25 - 21.11.2-0ubuntu1
librte-net-e1000-25 - 21.11.2-0ubuntu1
librte-net-ena25 - 21.11.2-0ubuntu1
librte-net-enetc25 - 21.11.2-0ubuntu1
librte-net-enetfec25 - 21.11.2-0ubuntu1
librte-net-enic25 - 21.11.2-0ubuntu1
librte-net-failsafe25 - 21.11.2-0ubuntu1
librte-net-fm10k25 - 21.11.2-0ubuntu1
librte-net-gve25 - 21.11.2-0ubuntu1
librte-net-hinic25 - 21.11.2-0ubuntu1
librte-net-hns3-25 - 21.11.2-0ubuntu1
librte-net-i40e25 - 21.11.2-0ubuntu1
librte-net-iavf25 - 21.11.2-0ubuntu1
librte-net-ice25 - 21.11.2-0ubuntu1
librte-net-idpf25 - 21.11.2-0ubuntu1
librte-net-igc25 - 21.11.2-0ubuntu1
librte-net-ionic25 - 21.11.2-0ubuntu1
librte-net-ipn3ke25 - 21.11.2-0ubuntu1
librte-net-ixgbe25 - 21.11.2-0ubuntu1
librte-net-mana25 - 21.11.2-0ubuntu1
librte-net-memif25 - 21.11.2-0ubuntu1
librte-net-mlx4-25 - 21.11.2-0ubuntu1
librte-net-mlx5-25 - 21.11.2-0ubuntu1
librte-net-netvsc25 - 21.11.2-0ubuntu1
librte-net-nfp25 - 21.11.2-0ubuntu1
librte-net-ngbe25 - 21.11.2-0ubuntu1
librte-net-ntnic25 - 21.11.2-0ubuntu1
librte-net-null25 - 21.11.2-0ubuntu1
librte-net-octeon-ep25 - 21.11.2-0ubuntu1
librte-net-octeontx25 - 21.11.2-0ubuntu1
librte-net-pcap25 - 21.11.2-0ubuntu1
librte-net-pfe25 - 21.11.2-0ubuntu1
librte-net-qede25 - 21.11.2-0ubuntu1
librte-net-r8169-25 - 21.11.2-0ubuntu1
librte-net-ring25 - 21.11.2-0ubuntu1
librte-net-sfc25 - 21.11.2-0ubuntu1
librte-net-softnic25 - 21.11.2-0ubuntu1
librte-net-tap25 - 21.11.2-0ubuntu1
librte-net-thunderx25 - 21.11.2-0ubuntu1
librte-net-txgbe25 - 21.11.2-0ubuntu1
librte-net-vdev-netvsc25 - 21.11.2-0ubuntu1
librte-net-vhost25 - 21.11.2-0ubuntu1
librte-net-virtio25 - 21.11.2-0ubuntu1
librte-net-vmxnet3-25 - 21.11.2-0ubuntu1
librte-net-zxdh25 - 21.11.2-0ubuntu1
librte-net25 - 21.11.2-0ubuntu1
librte-node25 - 21.11.2-0ubuntu1
librte-pcapng25 - 21.11.2-0ubuntu1
librte-pci25 - 21.11.2-0ubuntu1
librte-pdcp25 - 21.11.2-0ubuntu1
librte-pdump25 - 21.11.2-0ubuntu1
librte-pipeline25 - 21.11.2-0ubuntu1
librte-port25 - 21.11.2-0ubuntu1
librte-power-acpi25 - 21.11.2-0ubuntu1
librte-power-amd-pstate25 - 21.11.2-0ubuntu1
librte-power-cppc25 - 21.11.2-0ubuntu1
librte-power-intel-pstate25 - 21.11.2-0ubuntu1
librte-power-intel-uncore25 - 21.11.2-0ubuntu1
librte-power-kvm-vm25 - 21.11.2-0ubuntu1
librte-power25 - 21.11.2-0ubuntu1
librte-raw-cnxk-bphy25 - 21.11.2-0ubuntu1
librte-raw-cnxk-gpio25 - 21.11.2-0ubuntu1
librte-raw-cnxk-rvu-lf25 - 21.11.2-0ubuntu1
librte-raw-dpaa2-cmdif25 - 21.11.2-0ubuntu1
librte-raw-gdtc25 - 21.11.2-0ubuntu1
librte-raw-ifpga25 - 21.11.2-0ubuntu1
librte-raw-ntb25 - 21.11.2-0ubuntu1
librte-raw-skeleton25 - 21.11.2-0ubuntu1
librte-rawdev25 - 21.11.2-0ubuntu1
librte-rcu25 - 21.11.2-0ubuntu1
librte-regex-cn9k25 - 21.11.2-0ubuntu1
librte-regex-mlx5-25 - 21.11.2-0ubuntu1
librte-regexdev25 - 21.11.2-0ubuntu1
librte-reorder25 - 21.11.2-0ubuntu1
librte-rib25 - 21.11.2-0ubuntu1
librte-ring25 - 21.11.2-0ubuntu1
librte-sched25 - 21.11.2-0ubuntu1
librte-security25 - 21.11.2-0ubuntu1
librte-stack25 - 21.11.2-0ubuntu1
librte-table25 - 21.11.2-0ubuntu1
librte-telemetry25 - 21.11.2-0ubuntu1
librte-timer25 - 21.11.2-0ubuntu1
librte-vdpa-ifc25 - 21.11.2-0ubuntu1
librte-vdpa-mlx5-25 - 21.11.2-0ubuntu1
librte-vdpa-nfp25 - 21.11.2-0ubuntu1
librte-vdpa-sfc25 - 21.11.2-0ubuntu1
librte-vhost25 - 21.11.2-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-31 16:15:00 UTC
2022-08-31 16:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/dpdk/+bug/1975764
https://bugs.dpdk.org/show_bug.cgi?id=1031
[https://ubuntu.com/security/notices/USN-5608-1]
CVE-2022-2132
CVE-2022-21340 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
2022-01-19 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-5313-1]
[https://ubuntu.com/security/notices/USN-5313-2]
CVE-2022-21340
CVE-2022-21341 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
2022-01-19 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-5313-1]
[https://ubuntu.com/security/notices/USN-5313-2]
CVE-2022-21341
CVE-2022-21349 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 7u321, 8u311; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
CVE-2022-21349
CVE-2022-21360 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
2022-01-19 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-5313-1]
[https://ubuntu.com/security/notices/USN-5313-2]
CVE-2022-21360
CVE-2022-21365 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
2022-01-19 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-5313-1]
[https://ubuntu.com/security/notices/USN-5313-2]
CVE-2022-21365
CVE-2022-21366 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
2022-01-19 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-5313-1]
[https://ubuntu.com/security/notices/USN-5313-2]
CVE-2022-21366
CVE-2022-21394 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.32. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-19 12:15:00 UTC
CVE-2022-21394
CVE-2022-21426 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Update Instructions:
Run `sudo pro fix CVE-2022-21426` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jdk - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jdk-headless - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre-headless - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre-zero - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-source - 11.0.15+10-0ubuntu0.22.04.1
No subscription required
openjdk-17-demo - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jdk - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jdk-headless - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre-headless - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre-zero - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-source - 17.0.3+7-0ubuntu0.22.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-19 21:15:00 UTC
2022-04-19 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-5388-1]
[https://ubuntu.com/security/notices/USN-5388-2]
[https://ubuntu.com/security/notices/USN-5546-1]
[https://ubuntu.com/security/notices/USN-5546-2]
CVE-2022-21426
CVE-2022-21434 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2022-21434` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jdk - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jdk-headless - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre-headless - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre-zero - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-source - 11.0.15+10-0ubuntu0.22.04.1
No subscription required
openjdk-17-demo - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jdk - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jdk-headless - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre-headless - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre-zero - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-source - 17.0.3+7-0ubuntu0.22.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-19 21:15:00 UTC
2022-04-19 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-5388-1]
[https://ubuntu.com/security/notices/USN-5388-2]
[https://ubuntu.com/security/notices/USN-5546-1]
[https://ubuntu.com/security/notices/USN-5546-2]
CVE-2022-21434
CVE-2022-21443 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Update Instructions:
Run `sudo pro fix CVE-2022-21443` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jdk - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jdk-headless - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre-headless - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre-zero - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-source - 11.0.15+10-0ubuntu0.22.04.1
No subscription required
openjdk-17-demo - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jdk - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jdk-headless - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre-headless - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre-zero - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-source - 17.0.3+7-0ubuntu0.22.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-19 21:15:00 UTC
2022-04-19 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-5388-1]
[https://ubuntu.com/security/notices/USN-5388-2]
[https://ubuntu.com/security/notices/USN-5546-1]
[https://ubuntu.com/security/notices/USN-5546-2]
CVE-2022-21443
CVE-2022-21465 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.34. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.7 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-19 21:15:00 UTC
CVE-2022-21465
CVE-2022-21471 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.34. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-19 21:15:00 UTC
CVE-2022-21471
CVE-2022-21476 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Update Instructions:
Run `sudo pro fix CVE-2022-21476` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jdk - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jdk-headless - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre-headless - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre-zero - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-source - 11.0.15+10-0ubuntu0.22.04.1
No subscription required
openjdk-17-demo - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jdk - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jdk-headless - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre-headless - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre-zero - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-source - 17.0.3+7-0ubuntu0.22.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-19 21:15:00 UTC
2022-04-19 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-5388-1]
[https://ubuntu.com/security/notices/USN-5388-2]
[https://ubuntu.com/security/notices/USN-5546-1]
[https://ubuntu.com/security/notices/USN-5546-2]
CVE-2022-21476
CVE-2022-21482 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-19 21:15:00 UTC
CVE-2022-21482
CVE-2022-21483 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-19 21:15:00 UTC
CVE-2022-21483
CVE-2022-21484 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-19 21:15:00 UTC
CVE-2022-21484
CVE-2022-21485 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-19 21:15:00 UTC
CVE-2022-21485
CVE-2022-21486 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-19 21:15:00 UTC
CVE-2022-21486
CVE-2022-21487 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.34. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-19 21:15:00 UTC
CVE-2022-21487
CVE-2022-21488 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.34. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.8 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-19 21:15:00 UTC
CVE-2022-21488
CVE-2022-21489 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-19 21:15:00 UTC
CVE-2022-21489
CVE-2022-21490 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior and 8.0.28 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-19 21:15:00 UTC
CVE-2022-21490
CVE-2022-21491 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.34. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: This vulnerability applies to Windows systems only. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-19 21:15:00 UTC
CVE-2022-21491
CVE-2022-21496 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2022-21496` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jdk - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jdk-headless - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre-headless - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre-zero - 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-source - 11.0.15+10-0ubuntu0.22.04.1
No subscription required
openjdk-17-demo - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jdk - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jdk-headless - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre-headless - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre-zero - 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-source - 17.0.3+7-0ubuntu0.22.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-26
2022-04-26
[https://ubuntu.com/security/notices/USN-5388-1]
[https://ubuntu.com/security/notices/USN-5388-2]
[https://ubuntu.com/security/notices/USN-5546-1]
[https://ubuntu.com/security/notices/USN-5546-2]
CVE-2022-21496
CVE-2022-21540 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Update Instructions:
Run `sudo pro fix CVE-2022-21540` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.16+8-0ubuntu1
openjdk-11-jdk - 11.0.16+8-0ubuntu1
openjdk-11-jdk-headless - 11.0.16+8-0ubuntu1
openjdk-11-jre - 11.0.16+8-0ubuntu1
openjdk-11-jre-headless - 11.0.16+8-0ubuntu1
openjdk-11-jre-zero - 11.0.16+8-0ubuntu1
openjdk-11-source - 11.0.16+8-0ubuntu1
No subscription required
openjdk-17-demo - 17.0.4+8-1
openjdk-17-jdk - 17.0.4+8-1
openjdk-17-jdk-headless - 17.0.4+8-1
openjdk-17-jre - 17.0.4+8-1
openjdk-17-jre-headless - 17.0.4+8-1
openjdk-17-jre-zero - 17.0.4+8-1
openjdk-17-source - 17.0.4+8-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-19 22:15:00 UTC
2022-07-19 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-5546-1]
[https://ubuntu.com/security/notices/USN-5546-2]
CVE-2022-21540
CVE-2022-21541 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
Update Instructions:
Run `sudo pro fix CVE-2022-21541` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.16+8-0ubuntu1
openjdk-11-jdk - 11.0.16+8-0ubuntu1
openjdk-11-jdk-headless - 11.0.16+8-0ubuntu1
openjdk-11-jre - 11.0.16+8-0ubuntu1
openjdk-11-jre-headless - 11.0.16+8-0ubuntu1
openjdk-11-jre-zero - 11.0.16+8-0ubuntu1
openjdk-11-source - 11.0.16+8-0ubuntu1
No subscription required
openjdk-17-demo - 17.0.4+8-1
openjdk-17-jdk - 17.0.4+8-1
openjdk-17-jdk-headless - 17.0.4+8-1
openjdk-17-jre - 17.0.4+8-1
openjdk-17-jre-headless - 17.0.4+8-1
openjdk-17-jre-zero - 17.0.4+8-1
openjdk-17-source - 17.0.4+8-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-19 22:15:00 UTC
2022-07-19 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-5546-1]
[https://ubuntu.com/security/notices/USN-5546-2]
CVE-2022-21541
CVE-2022-21549 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.3.1; Oracle GraalVM Enterprise Edition: 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2022-21549` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.16+8-0ubuntu1
openjdk-11-jdk - 11.0.16+8-0ubuntu1
openjdk-11-jdk-headless - 11.0.16+8-0ubuntu1
openjdk-11-jre - 11.0.16+8-0ubuntu1
openjdk-11-jre-headless - 11.0.16+8-0ubuntu1
openjdk-11-jre-zero - 11.0.16+8-0ubuntu1
openjdk-11-source - 11.0.16+8-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-19 22:15:00 UTC
2022-07-19 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-5546-1]
CVE-2022-21549
CVE-2022-21554 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.36. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-19 22:15:00 UTC
CVE-2022-21554
CVE-2022-21571 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.36. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-19 22:15:00 UTC
CVE-2022-21571
CVE-2022-21653 on Ubuntu 26.04 LTS (resolute) - medium
Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don't override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade override `objectContext()` to use a collision-safe collection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-05 21:15:00 UTC
CVE-2022-21653
CVE-2022-21668 on Ubuntu 26.04 LTS (resolute) - medium
pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-10 21:15:00 UTC
CVE-2022-21668
CVE-2022-21670 on Ubuntu 26.04 LTS (resolute) - low
markdown-it is a Markdown parser. Prior to version 1.3.2, special patterns with length greater than 50 thousand characters could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-10 21:15:00 UTC
CVE-2022-21670
CVE-2022-21680 on Ubuntu 26.04 LTS (resolute) - medium
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-14 17:15:00 UTC
CVE-2022-21680
CVE-2022-21681 on Ubuntu 26.04 LTS (resolute) - medium
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-14 17:15:00 UTC
CVE-2022-21681
CVE-2022-21712 on Ubuntu 26.04 LTS (resolute) - medium
twisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twisted.web.RedirectAgent` and `twisted.web.BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.
Update Instructions:
Run `sudo pro fix CVE-2022-21712` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-twisted - 22.1.0-2ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-07 22:15:00 UTC
2022-02-07 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-5354-1]
CVE-2022-21712
CVE-2022-21821 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit SDK contains an integer overflow vulnerability in cuobjdump. To exploit this vulnerability, a remote attacker would require a local user to download a specially crafted, corrupted file and locally execute cuobjdump against the file. Such an attack may lead to remote code execution that causes complete denial of service and an impact on data confidentiality and integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-29 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008695
CVE-2022-21821
CVE-2022-21831 on Ubuntu 26.04 LTS (resolute) - medium
A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-26 17:15:00 UTC
CVE-2022-21831
CVE-2022-2211 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in libguestfs. This issue occurs while calculating the greatest possible number of matching keys in the get_keys() function. This flaw leads to a denial of service, either by mistake or malicious actor.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-12 21:15:00 UTC
CVE-2022-2211
CVE-2022-22577 on Ubuntu 26.04 LTS (resolute) - medium
An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-26 17:15:00 UTC
CVE-2022-22577
CVE-2022-22728 on Ubuntu 26.04 LTS (resolute) - medium
A flaw in Apache libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-25 15:15:00 UTC
CVE-2022-22728
CVE-2022-22815 on Ubuntu 26.04 LTS (resolute) - medium
path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.
Update Instructions:
Run `sudo pro fix CVE-2022-22815` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-pil - 9.0.0-1
python3-pil.imagetk - 9.0.0-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-10 14:12:00 UTC
2022-01-10 14:12:00 UTC
[https://ubuntu.com/security/notices/USN-5227-1]
[https://ubuntu.com/security/notices/USN-5227-2]
CVE-2022-22815
CVE-2022-22816 on Ubuntu 26.04 LTS (resolute) - low
path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.
Update Instructions:
Run `sudo pro fix CVE-2022-22816` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-pil - 9.0.0-1
python3-pil.imagetk - 9.0.0-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-10 14:12:00 UTC
2022-01-10 14:12:00 UTC
[https://ubuntu.com/security/notices/USN-5227-1]
[https://ubuntu.com/security/notices/USN-5227-2]
CVE-2022-22816
CVE-2022-22822 on Ubuntu 26.04 LTS (resolute) - medium
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Update Instructions:
Run `sudo pro fix CVE-2022-22822` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.4.3-1
libexpat1 - 2.4.3-1
No subscription required
firefox - 1:1snap1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-10 14:12:00 UTC
2022-01-10 14:12:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474
[https://ubuntu.com/security/notices/USN-5288-1]
[https://ubuntu.com/security/notices/USN-5455-1]
[https://ubuntu.com/security/notices/USN-7199-1]
CVE-2022-22822
CVE-2022-22823 on Ubuntu 26.04 LTS (resolute) - medium
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Update Instructions:
Run `sudo pro fix CVE-2022-22823` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.4.3-1
libexpat1 - 2.4.3-1
No subscription required
firefox - 1:1snap1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-10 14:12:00 UTC
2022-01-10 14:12:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474
[https://ubuntu.com/security/notices/USN-5288-1]
[https://ubuntu.com/security/notices/USN-5455-1]
[https://ubuntu.com/security/notices/USN-7199-1]
CVE-2022-22823
CVE-2022-22824 on Ubuntu 26.04 LTS (resolute) - medium
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Update Instructions:
Run `sudo pro fix CVE-2022-22824` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.4.3-1
libexpat1 - 2.4.3-1
No subscription required
firefox - 1:1snap1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-10 14:12:00 UTC
2022-01-10 14:12:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474
[https://ubuntu.com/security/notices/USN-5288-1]
[https://ubuntu.com/security/notices/USN-5455-1]
[https://ubuntu.com/security/notices/USN-7199-1]
CVE-2022-22824
CVE-2022-22825 on Ubuntu 26.04 LTS (resolute) - medium
lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Update Instructions:
Run `sudo pro fix CVE-2022-22825` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.4.3-1
libexpat1 - 2.4.3-1
No subscription required
firefox - 1:1snap1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-10 14:12:00 UTC
2022-01-10 14:12:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474
[https://ubuntu.com/security/notices/USN-5288-1]
[https://ubuntu.com/security/notices/USN-5455-1]
[https://ubuntu.com/security/notices/USN-7199-1]
CVE-2022-22825
CVE-2022-22826 on Ubuntu 26.04 LTS (resolute) - medium
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Update Instructions:
Run `sudo pro fix CVE-2022-22826` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.4.3-1
libexpat1 - 2.4.3-1
No subscription required
firefox - 1:1snap1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-10 14:12:00 UTC
2022-01-10 14:12:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474
[https://ubuntu.com/security/notices/USN-5288-1]
[https://ubuntu.com/security/notices/USN-5455-1]
[https://ubuntu.com/security/notices/USN-7199-1]
CVE-2022-22826
CVE-2022-22827 on Ubuntu 26.04 LTS (resolute) - medium
storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Update Instructions:
Run `sudo pro fix CVE-2022-22827` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.4.3-1
libexpat1 - 2.4.3-1
No subscription required
firefox - 1:1snap1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-10 14:12:00 UTC
2022-01-10 14:12:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474
[https://ubuntu.com/security/notices/USN-5288-1]
[https://ubuntu.com/security/notices/USN-5455-1]
[https://ubuntu.com/security/notices/USN-7199-1]
CVE-2022-22827
CVE-2022-22846 on Ubuntu 26.04 LTS (resolute) - low
The dnslib package through 0.9.16 for Python does not verify that the ID value in a DNS reply matches an ID value in a query.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-10 14:12:00 UTC
https://github.com/paulc/dnslib/issues/30
CVE-2022-22846
CVE-2022-22950 on Ubuntu 26.04 LTS (resolute) - medium
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-01 23:15:00 UTC
CVE-2022-22950
CVE-2022-22965 on Ubuntu 26.04 LTS (resolute) - high
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Update Instructions:
Run `sudo pro fix CVE-2022-22965` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libspring-aop-java - 4.3.30-2ubuntu1
libspring-beans-java - 4.3.30-2ubuntu1
libspring-context-java - 4.3.30-2ubuntu1
libspring-context-support-java - 4.3.30-2ubuntu1
libspring-core-java - 4.3.30-2ubuntu1
libspring-expression-java - 4.3.30-2ubuntu1
libspring-instrument-java - 4.3.30-2ubuntu1
libspring-jdbc-java - 4.3.30-2ubuntu1
libspring-jms-java - 4.3.30-2ubuntu1
libspring-messaging-java - 4.3.30-2ubuntu1
libspring-orm-java - 4.3.30-2ubuntu1
libspring-oxm-java - 4.3.30-2ubuntu1
libspring-test-java - 4.3.30-2ubuntu1
libspring-transaction-java - 4.3.30-2ubuntu1
libspring-web-java - 4.3.30-2ubuntu1
libspring-web-portlet-java - 4.3.30-2ubuntu1
libspring-web-servlet-java - 4.3.30-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2022 Canonical Ltd.
2022-04-01 23:15:00 UTC
2022-04-01 23:15:00 UTC
[https://ubuntu.com/security/notices/USN-7165-1]
CVE-2022-22965
CVE-2022-22968 on Ubuntu 26.04 LTS (resolute) - medium
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-14 21:15:00 UTC
CVE-2022-22968
CVE-2022-22970 on Ubuntu 26.04 LTS (resolute) - low
In spring framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-12 20:15:00 UTC
Rob Ryan, WeBin Lab, and Vivek Sharm
CVE-2022-22970
CVE-2022-22971 on Ubuntu 26.04 LTS (resolute) - low
In spring framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-12 20:15:00 UTC
David Delbecq and Rémy Vermeiren
https://github.com/spring-projects/spring-framework/issues/28443
CVE-2022-22971
CVE-2022-22976 on Ubuntu 26.04 LTS (resolute) - medium
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-19 15:15:00 UTC
CVE-2022-22976
CVE-2022-22978 on Ubuntu 26.04 LTS (resolute) - medium
In spring security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-19 15:15:00 UTC
CVE-2022-22978
CVE-2022-23033 on Ubuntu 26.04 LTS (resolute) - medium
arm: guest_physmap_remove_page not removing the p2m mappings. The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-25 14:15:00 UTC
CVE-2022-23033
CVE-2022-23034 on Ubuntu 26.04 LTS (resolute) - medium
A PV guest could DoS Xen while unmapping a grant. To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-25 14:15:00 UTC
CVE-2022-23034
CVE-2022-23035 on Ubuntu 26.04 LTS (resolute) - medium
Insufficient cleanup of passed-through device IRQs. The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent yet at the time this cleanup gets invoked, the cleanup attempt may be scheduled to be retried. When multiple interrupts are involved, this scheduling of a retry may get erroneously skipped. At the same time pointers may get cleared (resulting in a de-reference of NULL) and freed (resulting in a use-after-free), while other code would continue to assume them to be valid.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-25 14:15:00 UTC
CVE-2022-23035
CVE-2022-2319 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the Xorg-x11-server. An out-of-bounds access issue can occur in the ProcXkbSetGeometry function due to improper validation of the request length.
Update Instructions:
Run `sudo pro fix CVE-2022-2319` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.3-2ubuntu3
xorg-server-source - 2:21.1.3-2ubuntu3
xserver-common - 2:21.1.3-2ubuntu3
xserver-xephyr - 2:21.1.3-2ubuntu3
xserver-xorg-core - 2:21.1.3-2ubuntu3
xserver-xorg-legacy - 2:21.1.3-2ubuntu3
xvfb - 2:21.1.3-2ubuntu3
No subscription required
xwayland - 2:22.1.2-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-12 12:00:00 UTC
2022-07-12 12:00:00 UTC
Jan-Niklas Sohn
[https://ubuntu.com/security/notices/USN-5510-1]
[https://ubuntu.com/security/notices/USN-5510-2]
CVE-2022-2319
CVE-2022-2320 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the Xorg-x11-server. The specific flaw exists within the handling of ProcXkbSetDeviceInfo requests. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. This flaw allows an attacker to escalate privileges and execute arbitrary code in the context of root.
Update Instructions:
Run `sudo pro fix CVE-2022-2320` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.3-2ubuntu3
xorg-server-source - 2:21.1.3-2ubuntu3
xserver-common - 2:21.1.3-2ubuntu3
xserver-xephyr - 2:21.1.3-2ubuntu3
xserver-xorg-core - 2:21.1.3-2ubuntu3
xserver-xorg-legacy - 2:21.1.3-2ubuntu3
xvfb - 2:21.1.3-2ubuntu3
No subscription required
xwayland - 2:22.1.2-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-12 12:00:00 UTC
2022-07-12 12:00:00 UTC
Jan-Niklas Sohn
[https://ubuntu.com/security/notices/USN-5510-1]
[https://ubuntu.com/security/notices/USN-5510-2]
CVE-2022-2320
CVE-2022-23318 on Ubuntu 26.04 LTS (resolute) - medium
A heap-buffer-overflow in pcf2bdf, versions >= 1.05 allows an attacker to trigger unsafe memory access via a specially crafted PCF font file. This out-of-bound read may lead to an application crash, information disclosure via program memory or other context-dependent impact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-17 13:15:00 UTC
CVE-2022-23318
CVE-2022-23319 on Ubuntu 26.04 LTS (resolute) - medium
A segmentation fault during PCF file parsing in pcf2bdf versions >= 1.05 allows an attacker to trigger a program crash via a specially crafted PCF font file. This crash affects the availability of the software and dependent downstream components.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-17 14:15:00 UTC
CVE-2022-23319
CVE-2022-23408 on Ubuntu 26.04 LTS (resolute) - medium
wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of misplaced memory initialization in BuildMessage in internal.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-18 21:15:00 UTC
CVE-2022-23408
CVE-2022-23437 on Ubuntu 26.04 LTS (resolute) - medium
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-24 15:15:00 UTC
CVE-2022-23437
CVE-2022-23467 on Ubuntu 26.04 LTS (resolute) - low
OpenRazer is an open source driver and user-space daemon to control Razer device lighting and other features on GNU/Linux. Using a modified USB device an attacker can leak stack addresses of the `razer_attr_read_dpi_stages`, potentially bypassing KASLR. To exploit this vulnerability an attacker would need access to a user's keyboard or mouse or would need to convince a user to use a modified device. The issue has been patched in v3.5.1. Users are advised to upgrade and should be reminded not to plug in unknown USB devices.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-12-05 20:15:00 UTC
CVE-2022-23467
CVE-2022-2347 on Ubuntu 26.04 LTS (resolute) - medium
There exists an unchecked length field in UBoot. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction corresponds to the specified command. Consequently, if a physical attacker crafts a USB DFU download setup packet with a `wLength` greater than 4096 bytes, they can write beyond the heap-allocated request buffer.
Update Instructions:
Run `sudo pro fix CVE-2022-2347` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
u-boot-amlogic - 2022.07+dfsg-1ubuntu7
u-boot-amlogic-binaries - 2022.07+dfsg-1ubuntu7
u-boot-asahi - 2022.07+dfsg-1ubuntu7
u-boot-exynos - 2022.07+dfsg-1ubuntu7
u-boot-exynos-binaries - 2022.07+dfsg-1ubuntu7
u-boot-imx - 2022.07+dfsg-1ubuntu7
u-boot-microchip - 2022.07+dfsg-1ubuntu7
u-boot-mvebu - 2022.07+dfsg-1ubuntu7
u-boot-omap - 2022.07+dfsg-1ubuntu7
u-boot-qcom - 2022.07+dfsg-1ubuntu7
u-boot-qemu - 2022.07+dfsg-1ubuntu7
u-boot-rockchip - 2022.07+dfsg-1ubuntu7
u-boot-rpi - 2022.07+dfsg-1ubuntu7
u-boot-sifive - 2022.07+dfsg-1ubuntu7
u-boot-sitara-binaries - 2022.07+dfsg-1ubuntu7
u-boot-starfive - 2022.07+dfsg-1ubuntu7
u-boot-stm32 - 2022.07+dfsg-1ubuntu7
u-boot-sunxi - 2022.07+dfsg-1ubuntu7
u-boot-tegra - 2022.07+dfsg-1ubuntu7
u-boot-tools - 2022.07+dfsg-1ubuntu7
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-23 13:15:00 UTC
2022-09-23 13:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014959
[https://ubuntu.com/security/notices/USN-5764-1]
[https://ubuntu.com/security/notices/USN-6523-1]
CVE-2022-2347
CVE-2022-23485 on Ubuntu 26.04 LTS (resolute) - medium
Sentry is an error tracking and performance monitoring platform. In versions of the sentry python library prior to 22.11.0 an attacker with a known valid invite link could manipulate a cookie to allow the same invite link to be reused on multiple accounts when joining an organization. As a result an attacker with a valid invite link can create multiple users and join an organization they may not have been originally invited to. This issue was patched in version 22.11.0. Sentry SaaS customers do not need to take action. Self-hosted Sentry installs on systems which can not upgrade can disable the invite functionality until they are ready to deploy the patched version by editing their `sentry.conf.py` file (usually located at `~/.sentry/`).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-10 01:15:00 UTC
CVE-2022-23485
CVE-2022-23517 on Ubuntu 26.04 LTS (resolute) - medium
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue has been patched in version 1.4.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-14 17:15:00 UTC
CVE-2022-23517
CVE-2022-23518 on Ubuntu 26.04 LTS (resolute) - medium
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0. This issue is patched in version 1.4.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-14 17:15:00 UTC
CVE-2022-23518
CVE-2022-23519 on Ubuntu 26.04 LTS (resolute) - medium
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways: allow both "math" and "style" elements, or allow both "svg" and "style" elements. Code is only impacted if allowed tags are being overridden. This issue is fixed in version 1.4.4. All users overriding the allowed tags to include "math" or "svg" and "style" should either upgrade or use the following workaround immediately: Remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-14 17:15:00 UTC
CVE-2022-23519
CVE-2022-23520 on Ubuntu 26.04 LTS (resolute) - medium
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, there is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer due to an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both "select" and "style" elements. Code is only impacted if allowed tags are being overridden. This issue is patched in version 1.4.4. All users overriding the allowed tags to include both "select" and "style" should either upgrade or use this workaround: Remove either "select" or "style" from the overridden allowed tags. NOTE: Code is _not_ impacted if allowed tags are overridden using either the :tags option to the Action View helper method sanitize or the :tags option to the instance method SafeListSanitizer#sanitize.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-14 18:15:00 UTC
CVE-2022-23520
CVE-2022-23537 on Ubuntu 26.04 LTS (resolute) - medium
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when parsing a specially crafted STUN message with unknown attribute. The vulnerability affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch (2.13.1).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-20 19:15:00 UTC
2022-12-20 19:15:00 UTC
ej7367
[https://ubuntu.com/security/notices/USN-6422-1]
CVE-2022-23537
CVE-2022-23538 on Ubuntu 26.04 LTS (resolute) - medium
github.com/sylabs/scs-library-client is the Go client for the Singularity Container Services (SCS) Container Library Service. When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider. This occurs in a specific flow, where the library service redirects the client to a backing S3 storage server, to perform a multi-part concurrent download. Depending on site configuration, the S3 service may be provided by a third party. An attacker with access to the S3 service may be able to extract user credentials, allowing them to impersonate the user. The vulnerable multi-part concurrent download flow, with redirect to S3, is only used when communicating with a Singularity Enterprise 1.x installation, or third party server implementing this flow. Interaction with Singularity Enterprise 2.x, and Singularity Container Services (cloud.sylabs.io), does not trigger the vulnerable flow. We encourage all users to update. Users who interact with a Singularity Enterprise 1.x installation, using a 3rd party S3 storage service, are advised to revoke and recreate their authentication tokens within Singularity Enterprise. There is no workaround available at this time.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-17 21:15:00 UTC
CVE-2022-23538
CVE-2022-23607 on Ubuntu 26.04 LTS (resolute) - medium
treq is an HTTP library inspired by requests but written on top of Twisted's Agents. Treq's request methods (`treq.get`, `treq.post`, etc.) and `treq.client.HTTPClient` constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to *every* domain ("supercookies"). This can potentially cause sensitive information to leak upon an HTTP redirect to a different domain, e.g. should `https://example.com` redirect to `http://cloudstorageprovider.com` the latter will receive the cookie `session`. Treq 2021.1.0 and later bind cookies given to request methods (`treq.request`, `treq.get`, `HTTPClient.request`, `HTTPClient.get`, etc.) to the origin of the *url* parameter. Users are advised to upgrade. For users unable to upgrade: instead of passing a dictionary as the *cookies* argument, pass a `http.cookiejar.CookieJar` instance with properly domain- and scheme-scoped cookies in it.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-01 11:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005041
CVE-2022-23607
CVE-2022-23608 on Ubuntu 26.04 LTS (resolute) - low
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed. The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys) leading to undefined behavior such as dialog list collision which eventually leading to endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known workarounds for this issue.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-02-22 20:15:00 UTC
2022-02-22 20:15:00 UTC
ej7367
[https://ubuntu.com/security/notices/USN-6422-1]
CVE-2022-23608
CVE-2022-23613 on Ubuntu 26.04 LTS (resolute) - medium
xrdp is an open source remote desktop protocol (RDP) server. In affected versions an integer underflow leading to a heap overflow in the sesman server allows any unauthenticated attacker which is able to locally access a sesman server to execute code as root. This vulnerability has been patched in version 0.9.18.1 and above. Users are advised to upgrade. There are no known workarounds.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-07 22:15:00 UTC
2022-02-07 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-6474-1]
CVE-2022-23613
CVE-2022-23630 on Ubuntu 26.04 LTS (resolute) - medium
Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled on one or more configurations and those configurations have common dependencies with other configurations that have dependency verification enabled. If the configuration that has dependency verification disabled is resolved first, Gradle does not verify the common dependencies for the configuration that has dependency verification enabled. Gradle 7.4 fixes that issue by validating artifacts at least once if they are present in a resolved configuration that has dependency verification active. For users who cannot update either do not use `ResolutionStrategy.disableDependencyVerification()` and do not use plugins that use that method to disable dependency verification for a single configuration or make sure resolution of configuration that disable that feature do not happen in builds that resolve configuration where the feature is enabled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-10 20:15:00 UTC
CVE-2022-23630
CVE-2022-23633 on Ubuntu 26.04 LTS (resolute) - medium
Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-11 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389
CVE-2022-23633
CVE-2022-23638 on Ubuntu 26.04 LTS (resolute) - medium
svg-sanitizer is a SVG/XML sanitizer written in PHP. A cross-site scripting vulnerability impacts all users of the `svg-sanitizer` library prior to version 0.15.0. This issue is fixed in version 0.15.0. There is currently no workaround available.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-14 21:15:00 UTC
2022-02-14 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-7318-1]
CVE-2022-23638
CVE-2022-23639 on Ubuntu 26.04 LTS (resolute) - medium
crossbeam-utils provides atomics, synchronization primitives, scoped threads, and other utilities for concurrent programming in Rust. crossbeam-utils prior to version 0.8.7 incorrectly assumed that the alignment of `{i,u}64` was always the same as `Atomic{I,U}64`. However, the alignment of `{i,u}64` on a 32-bit target can be smaller than `Atomic{I,U}64`. This can cause unaligned memory accesses and data race. Crates using `fetch_*` methods with `AtomicCell<{i,u}64>` are affected by this issue. 32-bit targets without `Atomic{I,U}64` and 64-bit targets are not affected by this issue. This has been fixed in crossbeam-utils 0.8.7. There are currently no known workarounds.
Update Instructions:
Run `sudo pro fix CVE-2022-23639` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
firefox - 1:1snap1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-15 19:15:00 UTC
CVE-2022-23639
CVE-2022-23806 on Ubuntu 26.04 LTS (resolute) - medium
Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-11 01:15:00 UTC
CVE-2022-23806
CVE-2022-23807 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before 5.1.2. A valid user who is already authenticated to phpMyAdmin can manipulate their account to bypass two-factor authentication for future login instances.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-22 02:15:00 UTC
CVE-2022-23807
CVE-2022-23808 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-22 02:15:00 UTC
CVE-2022-23808
CVE-2022-23824 on Ubuntu 26.04 LTS (resolute) - medium
IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to a potential information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-09 21:15:00 UTC
CVE-2022-23824
CVE-2022-23852 on Ubuntu 26.04 LTS (resolute) - medium
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
Update Instructions:
Run `sudo pro fix CVE-2022-23852` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.4.3-2
libexpat1 - 2.4.3-2
No subscription required
firefox - 1:1snap1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-24 02:15:00 UTC
2022-01-24 02:15:00 UTC
[https://ubuntu.com/security/notices/USN-5288-1]
CVE-2022-23852
CVE-2022-23853 on Ubuntu 26.04 LTS (resolute) - medium
The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type. If this binary is absent from the PATH, it will try running the LSP server binary in the directory of the file that was just opened (due to a misunderstanding of the QProcess API, that was never intended). This can be an untrusted directory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-11 18:15:00 UTC
CVE-2022-23853
CVE-2022-23942 on Ubuntu 26.04 LTS (resolute) - medium
Apache Doris, prior to 1.0.0, used a hardcoded key and IV to initialize the cipher used for ldap password, which may lead to information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-26 16:15:00 UTC
CVE-2022-23942
CVE-2022-23959 on Ubuntu 26.04 LTS (resolute) - medium
In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4, request smuggling can occur for HTTP/1 connections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-26 01:15:00 UTC
2022-01-26 01:15:00 UTC
[https://ubuntu.com/security/notices/USN-5474-1]
CVE-2022-23959
CVE-2022-23990 on Ubuntu 26.04 LTS (resolute) - medium
Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
Update Instructions:
Run `sudo pro fix CVE-2022-23990` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.4.3-3
libexpat1 - 2.4.3-3
No subscription required
firefox - 1:1snap1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-01-26 19:15:00 UTC
2022-01-26 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-5288-1]
CVE-2022-23990
CVE-2022-2400 on Ubuntu 26.04 LTS (resolute) - medium
External Control of File Name or Path in GitHub repository dompdf/dompdf prior to 2.0.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-18 15:15:00 UTC
2022-07-18 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6277-1]
[https://ubuntu.com/security/notices/USN-6277-2]
CVE-2022-2400
CVE-2022-24106 on Ubuntu 26.04 LTS (resolute) - medium
In Xpdf prior to 4.04, the DCT (JPEG) decoder was incorrectly allowing the 'interleaved' flag to be changed after the first scan of the image, leading to an unknown integer-related vulnerability in Stream.cc.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-30 04:15:00 UTC
2022-08-30 04:15:00 UTC
Shin Ando
[https://ubuntu.com/security/notices/USN-7985-1]
CVE-2022-24106
CVE-2022-24107 on Ubuntu 26.04 LTS (resolute) - medium
Xpdf prior to 4.04 lacked an integer overflow check in JPXStream.cc.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-30 04:15:00 UTC
2022-08-30 04:15:00 UTC
Shin Ando
[https://ubuntu.com/security/notices/USN-7985-1]
CVE-2022-24107
CVE-2022-24130 on Ubuntu 26.04 LTS (resolute) - low
xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-01-31 05:15:00 UTC
CVE-2022-24130
CVE-2022-24279 on Ubuntu 26.04 LTS (resolute) - medium
The package madlib-object-utils before 0.1.8 are vulnerable to Prototype Pollution via the setValue method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix of [CVE-2020-7701](https://security.snyk.io/vuln/SNYK-JS-MADLIBOBJECTUTILS-598676)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-15 20:15:00 UTC
CVE-2022-24279
CVE-2022-24302 on Ubuntu 26.04 LTS (resolute) - medium
In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.
Update Instructions:
Run `sudo pro fix CVE-2022-24302` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-paramiko - 2.8.1-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-17 22:15:00 UTC
2022-03-17 22:15:00 UTC
Jan Schejbal
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008012
[https://ubuntu.com/security/notices/USN-5351-1]
[https://ubuntu.com/security/notices/USN-5351-2]
CVE-2022-24302
CVE-2022-24329 on Ubuntu 26.04 LTS (resolute) - low
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-02-25 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007243
CVE-2022-24329
CVE-2022-24439 on Ubuntu 26.04 LTS (resolute) - medium
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-06 05:15:00 UTC
2022-12-06 05:15:00 UTC
[https://ubuntu.com/security/notices/USN-5968-1]
CVE-2022-24439
CVE-2022-24613 on Ubuntu 26.04 LTS (resolute) - low
metadata-extractor up to 2.16.0 can throw various uncaught exceptions while parsing a specially crafted JPEG file, which could result in an application crash. This could be used to mount a denial of service attack against services that use metadata-extractor library.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-02-24 15:15:00 UTC
CVE-2022-24613
CVE-2022-24614 on Ubuntu 26.04 LTS (resolute) - medium
When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-24 15:15:00 UTC
CVE-2022-24614
CVE-2022-24615 on Ubuntu 26.04 LTS (resolute) - low
zip4j up to v2.10.0 can throw various uncaught exceptions while parsing a specially crafted ZIP file, which could result in an application crash. This could be used to mount a denial of service attack against services that use zip4j library.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-02-24 15:15:00 UTC
CVE-2022-24615
CVE-2022-24723 on Ubuntu 26.04 LTS (resolute) - low
URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse can be used as a workaround.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-03-03 21:15:00 UTC
CVE-2022-24723
CVE-2022-24728 on Ubuntu 26.04 LTS (resolute) - medium
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-16 16:15:00 UTC
2022-03-16 16:15:00 UTC
CVE-2022-24728
CVE-2022-24729 on Ubuntu 26.04 LTS (resolute) - low
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-03-16 17:15:00 UTC
CVE-2022-24729
CVE-2022-24737 on Ubuntu 26.04 LTS (resolute) - medium
HTTPie is a command-line HTTP client. HTTPie has the practical concept of sessions, which help users to persistently store some of the state that belongs to the outgoing requests and incoming responses on the disk for further usage. Before 3.1.0, HTTPie didn't distinguish between cookies and hosts they belonged. This behavior resulted in the exposure of some cookies when there are redirects originating from the actual host to a third party website. Users are advised to upgrade. There are no known workarounds.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-07 23:15:00 UTC
CVE-2022-24737
CVE-2022-2476 on Ubuntu 26.04 LTS (resolute) - low
A null pointer dereference bug was found in wavpack-5.4.0. The results from the ASAN log: AddressSanitizer:DEADLYSIGNAL===================================================================84257==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x561b47a970c6 bp 0x7fff13952fb0 sp 0x7fff1394fca0 T0) ==84257==The signal is caused by a WRITE memory access. ==84257==Hint: address points to the zero page. #0 0x561b47a970c5 in main cli/wvunpack.c:834 #1 0x7efc4f5c0082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) #2 0x561b47a945ed in _start (/usr/local/bin/wvunpack+0xa5ed) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV cli/wvunpack.c:834 in main ==84257==ABORTING
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-07-19 20:15:00 UTC
2022-07-19 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-5721-1]
CVE-2022-2476
CVE-2022-24766 on Ubuntu 26.04 LTS (resolute) - medium
mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While mitmproxy would only see one request, the target server would see multiple requests. A smuggled request is still captured as part of another request's body, but it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless mitmproxy is used to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in mitmproxy 8.0.0 and above. There are currently no known workarounds.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-21 19:15:00 UTC
CVE-2022-24766
CVE-2022-24792 on Ubuntu 26.04 LTS (resolute) - medium
PJSIP is a free and open source multimedia communication library written in C. A denial-of-service vulnerability affects applications on 32-bit systems that use PJSIP versions 2.12 and prior to play/read invalid WAV files. The vulnerability occurs when reading WAV file data chunks with length greater than 31-bit integers. The vulnerability does not affect 64-bit apps and should not affect apps that only play trusted WAV files. A patch is available on the `master` branch of the `pjsip/project` GitHub repository. As a workaround, apps can reject a WAV file received from an unknown source or validate the file first.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-25 16:16:00 UTC
ej7367
CVE-2022-24792
CVE-2022-24795 on Ubuntu 26.04 LTS (resolute) - medium
yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-05 16:15:00 UTC
2022-04-05 16:15:00 UTC
https://github.com/lloyd/yajl/issues/239
[https://ubuntu.com/security/notices/USN-6233-1]
[https://ubuntu.com/security/notices/USN-6233-2]
CVE-2022-24795
CVE-2022-24801 on Ubuntu 26.04 LTS (resolute) - medium
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
Update Instructions:
Run `sudo pro fix CVE-2022-24801` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-twisted - 22.4.0-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-04 18:15:00 UTC
2022-04-04 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009030
[https://ubuntu.com/security/notices/USN-5576-1]
CVE-2022-24801
CVE-2022-24803 on Ubuntu 26.04 LTS (resolute) - medium
Asciidoctor-include-ext is Asciidoctor’s standard include processor reimplemented as an extension. Versions prior to 0.4.0, when used to render user-supplied input in AsciiDoc markup, may allow an attacker to execute arbitrary system commands on the host operating system. This attack is possible even when `allow-uri-read` is disabled! The problem has been patched in the referenced commits.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-01 00:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009035
CVE-2022-24803
CVE-2022-24823 on Ubuntu 26.04 LTS (resolute) - low
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-06 12:15:00 UTC
2022-05-06 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-7284-1]
CVE-2022-24823
CVE-2022-24834 on Ubuntu 26.04 LTS (resolute) - medium
Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-13 15:15:00 UTC
2023-07-13 15:15:00 UTC
Seiya Nakata and Yudai Fujiwara
[https://ubuntu.com/security/notices/USN-6531-1]
[https://ubuntu.com/security/notices/USN-8169-1]
CVE-2022-24834
CVE-2022-24839 on Ubuntu 26.04 LTS (resolute) - medium
org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-11 22:15:00 UTC
CVE-2022-24839
CVE-2022-24903 on Ubuntu 26.04 LTS (resolute) - medium
Rsyslog is a rocket-fast system for log processing. Modules for TCP syslog reception have a potential heap buffer overflow when octet-counted framing is used. This can result in a segfault or some other malfunction. As of our understanding, this vulnerability can not be used for remote code execution. But there may still be a slight chance for experts to do that. The bug occurs when the octet count is read. While there is a check for the maximum number of octets, digits are written to a heap buffer even when the octet count is over the maximum. This can be used to overrun the memory buffer. However, once the sequence of digits stops, no additional characters can be added to the buffer. In our opinion, this makes remote exploits impossible or at least highly complex. Octet-counted framing is one of two potential framing modes. It is relatively uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`, `imgssapi`, and `imhttp` are used for regular syslog message reception. It is best practice not to directly expose them to the public. When this practice is followed, the risk is considerably lower. Module `imdiag` is a diagnostics module primarily intended for testbench runs. We do not expect it to be present on any production installation. Octet-counted framing is not very common. Usually, it needs to be specifically enabled at senders. If users do not need it, they can turn it off for the most important modules. This will mitigate the vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2022-24903` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
rsyslog - 8.2204.0-1ubuntu1
rsyslog-clickhouse - 8.2204.0-1ubuntu1
rsyslog-czmq - 8.2204.0-1ubuntu1
rsyslog-elasticsearch - 8.2204.0-1ubuntu1
rsyslog-gnutls - 8.2204.0-1ubuntu1
rsyslog-gssapi - 8.2204.0-1ubuntu1
rsyslog-hiredis - 8.2204.0-1ubuntu1
rsyslog-kafka - 8.2204.0-1ubuntu1
rsyslog-kubernetes - 8.2204.0-1ubuntu1
rsyslog-mongodb - 8.2204.0-1ubuntu1
rsyslog-mysql - 8.2204.0-1ubuntu1
rsyslog-openssl - 8.2204.0-1ubuntu1
rsyslog-pgsql - 8.2204.0-1ubuntu1
rsyslog-relp - 8.2204.0-1ubuntu1
rsyslog-snmp - 8.2204.0-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-05
2022-05-05
Pieter Agten
[https://ubuntu.com/security/notices/USN-5404-1]
[https://ubuntu.com/security/notices/USN-5404-2]
CVE-2022-24903
CVE-2022-24976 on Ubuntu 26.04 LTS (resolute) - medium
Atheme IRC Services before 7.2.12, when used in conjunction with InspIRCd, allows authentication bypass by ending an IRC handshake at a certain point during a challenge-response login sequence.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-14 12:15:00 UTC
CVE-2022-24976
CVE-2022-24986 on Ubuntu 26.04 LTS (resolute) - medium
KDE KCron through 21.12.2 uses a temporary file in /tmp when saving, but reuses the filename during an editing session. Thus, someone watching it be created the first time could potentially intercept the file the following time, enabling that person to run unauthorized commands.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-26 05:15:00 UTC
CVE-2022-24986
CVE-2022-25050 on Ubuntu 26.04 LTS (resolute) - medium
rtl_433 21.12 was discovered to contain a stack overflow in the function somfy_iohc_decode(). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-02 00:15:00 UTC
CVE-2022-25050
CVE-2022-25051 on Ubuntu 26.04 LTS (resolute) - medium
An Off-by-one Error occurs in cmr113_decode of rtl_433 21.12 when decoding a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-02 00:15:00 UTC
CVE-2022-25051
CVE-2022-2514 on Ubuntu 26.04 LTS (resolute) - medium
The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-25 14:15:00 UTC
CVE-2022-2514
CVE-2022-25169 on Ubuntu 26.04 LTS (resolute) - low
The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-16 17:15:00 UTC
CVE-2022-25169
CVE-2022-2523 on Ubuntu 26.04 LTS (resolute) - medium
Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-25 14:15:00 UTC
CVE-2022-2523
CVE-2022-25235 on Ubuntu 26.04 LTS (resolute) - high
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
Update Instructions:
Run `sudo pro fix CVE-2022-25235` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.4.5-2
libexpat1 - 2.4.5-2
No subscription required
swish-e - 2.4.7-7.1ubuntu0.1~esm1
Available with Ubuntu Pro: https://ubuntu.com/pro
firefox - 1:1snap1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2022 Canonical Ltd.
2022-02-15
2022-02-15
[https://ubuntu.com/security/notices/USN-5288-1]
[https://ubuntu.com/security/notices/USN-5455-1]
[https://ubuntu.com/security/notices/USN-8240-1]
[https://ubuntu.com/security/notices/USN-8235-1]
CVE-2022-25235
CVE-2022-25236 on Ubuntu 26.04 LTS (resolute) - high
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
Update Instructions:
Run `sudo pro fix CVE-2022-25236` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.4.5-2
libexpat1 - 2.4.5-2
No subscription required
swish-e - 2.4.7-7.1ubuntu0.1~esm1
Available with Ubuntu Pro: https://ubuntu.com/pro
firefox - 1:1snap1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2022 Canonical Ltd.
2022-02-15
2022-02-15
[https://ubuntu.com/security/notices/USN-5288-1]
[https://ubuntu.com/security/notices/USN-5455-1]
[https://ubuntu.com/security/notices/USN-8241-1]
[https://ubuntu.com/security/notices/USN-8240-1]
[https://ubuntu.com/security/notices/USN-8235-1]
CVE-2022-25236
CVE-2022-25255 on Ubuntu 26.04 LTS (resolute) - medium
In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-16 19:15:00 UTC
2022-02-16 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-8076-1]
CVE-2022-25255
CVE-2022-25265 on Ubuntu 26.04 LTS (resolute) - negligible
In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-02-16 21:15:00 UTC
https://bugzilla.suse.com/show_bug.cgi?id=1196134
https://bugzilla.redhat.com/show_bug.cgi?id=2055499
CVE-2022-25265
CVE-2022-25313 on Ubuntu 26.04 LTS (resolute) - medium
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
Update Instructions:
Run `sudo pro fix CVE-2022-25313` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.4.5-2
libexpat1 - 2.4.5-2
No subscription required
firefox - 1:1snap1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-18 05:15:00 UTC
2022-02-18 05:15:00 UTC
[https://ubuntu.com/security/notices/USN-5320-1]
CVE-2022-25313
CVE-2022-25314 on Ubuntu 26.04 LTS (resolute) - medium
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
Update Instructions:
Run `sudo pro fix CVE-2022-25314` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.4.5-2
libexpat1 - 2.4.5-2
No subscription required
firefox - 1:1snap1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-18 05:15:00 UTC
2022-02-18 05:15:00 UTC
[https://ubuntu.com/security/notices/USN-5320-1]
CVE-2022-25314
CVE-2022-25315 on Ubuntu 26.04 LTS (resolute) - medium
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
Update Instructions:
Run `sudo pro fix CVE-2022-25315` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.4.5-2
libexpat1 - 2.4.5-2
No subscription required
firefox - 1:1snap1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-02-18 05:15:00 UTC
2022-02-18 05:15:00 UTC
[https://ubuntu.com/security/notices/USN-5320-1]
CVE-2022-25315
CVE-2022-2553 on Ubuntu 26.04 LTS (resolute) - medium
The authfile directive in the booth config file is ignored, preventing use of authentication in communications from node to node. As a result, nodes that do not have the correct authentication key are not prevented from communicating with other nodes in the cluster.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-28 15:15:00 UTC
2022-07-28 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-5556-1]
CVE-2022-2553
CVE-2022-25648 on Ubuntu 26.04 LTS (resolute) - medium
The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-19 17:15:00 UTC
CVE-2022-25648
CVE-2022-2568 on Ubuntu 26.04 LTS (resolute) - medium
A privilege escalation flaw was found in the Ansible Automation Platform. This flaw allows a remote authenticated user with 'change user' permissions to modify the account settings of the superuser account and also remove the superuser privileges.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-18 20:15:00 UTC
CVE-2022-2568
CVE-2022-25758 on Ubuntu 26.04 LTS (resolute) - low
All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-07-01 20:15:00 UTC
CVE-2022-25758
CVE-2022-25836 on Ubuntu 26.04 LTS (resolute) - medium
Bluetooth® Low Energy Pairing in Bluetooth Core Specification v4.0 through v5.3 may permit an unauthenticated MITM to acquire credentials with two pairing devices via adjacent access when the MITM negotiates Legacy Passkey Pairing with the pairing Initiator and Secure Connections Passkey Pairing with the pairing Responder and brute forces the Passkey entered by the user into the Initiator. The MITM attacker can use the identified Passkey value to complete authentication with the Responder via Bluetooth pairing method confusion.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-12 04:15:00 UTC
https://bugzilla.suse.com/show_bug.cgi?id=1206327
CVE-2022-25836
CVE-2022-25858 on Ubuntu 26.04 LTS (resolute) - medium
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-15 20:15:00 UTC
CVE-2022-25858
CVE-2022-25869 on Ubuntu 26.04 LTS (resolute) - low
All versions of the package angular; all versions of the package angularjs.core; all versions of the package angularjs are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-07-15 20:15:00 UTC
CVE-2022-25869
CVE-2022-25882 on Ubuntu 26.04 LTS (resolute) - medium
Versions of the package onnx before 1.13.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory, for example "../../../etc/passwd"
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-26 21:15:00 UTC
CVE-2022-25882
CVE-2022-25883 on Ubuntu 26.04 LTS (resolute) - medium
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-21 05:15:00 UTC
CVE-2022-25883
CVE-2022-25887 on Ubuntu 26.04 LTS (resolute) - medium
The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-30 05:15:00 UTC
2022-08-30 05:15:00 UTC
[https://ubuntu.com/security/notices/USN-7464-1]
CVE-2022-25887
CVE-2022-2589 on Ubuntu 26.04 LTS (resolute) - medium
Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-01 15:15:00 UTC
CVE-2022-2589
CVE-2022-25927 on Ubuntu 26.04 LTS (resolute) - medium
Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-26 21:15:00 UTC
CVE-2022-25927
CVE-2022-2596 on Ubuntu 26.04 LTS (resolute) - medium
Inefficient Regular Expression Complexity in GitHub repository node-fetch/node-fetch prior to 3.2.10.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-01 15:15:00 UTC
CVE-2022-2596
CVE-2022-26076 on Ubuntu 26.04 LTS (resolute) - medium
Uncontrolled search path element in the Intel(R) oneAPI Deep Neural Network (oneDNN) before version 2022.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-16 20:15:00 UTC
CVE-2022-26076
CVE-2022-26110 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in HTCondor 8.8.x before 8.8.16, 9.0.x before 9.0.10, and 9.1.x before 9.6.0. When a user authenticates to an HTCondor daemon via the CLAIMTOBE method, the user can then impersonate any entity when issuing additional commands to that daemon.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-04-06 02:15:00 UTC
CVE-2022-26110
CVE-2022-26184 on Ubuntu 26.04 LTS (resolute) - medium
Poetry v1.1.9 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the application is run on Windows OS.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-21 22:15:00 UTC
CVE-2022-26184
CVE-2022-26240 on Ubuntu 26.04 LTS (resolute) - medium
The default privileges for the running service Normand Message Buffer in Beckman Coulter Remisol Advance v2.0.12.1 and prior allows non-privileged users to overwrite and manipulate executables and libraries. This allows attackers to access sensitive data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-06 18:15:00 UTC
CVE-2022-26240
CVE-2022-2628 on Ubuntu 26.04 LTS (resolute) - medium
The DSGVO All in one for WP WordPress plugin before 4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03 14:15:00 UTC
CVE-2022-2628
CVE-2022-26308 on Ubuntu 26.04 LTS (resolute) - medium
Pandora FMS v7.0NG.760 and below allows an improper access control in Configuration (Credential store) where a user with the role of Operator (Write) could create, delete, view existing keys which are outside the intended role.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-01 13:15:00 UTC
CVE-2022-26308
CVE-2022-26309 on Ubuntu 26.04 LTS (resolute) - medium
Pandora FMS v7.0NG.759 allows Cross-Site Request Forgery in Bulk operation (User operation) resulting in elevation of privilege to Administrator group.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-01 13:15:00 UTC
CVE-2022-26309
CVE-2022-26310 on Ubuntu 26.04 LTS (resolute) - medium
Pandora FMS v7.0NG.760 and below allows an improper authorization in User Management where any authenticated user with access to the User Management module could create, modify or delete any user with full admin privilege. The impact could lead to a vertical privilege escalation to access the privileges of a higher-level user or typically an admin user.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-01 13:15:00 UTC
CVE-2022-26310
CVE-2022-26336 on Ubuntu 26.04 LTS (resolute) - low
A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-03-04 16:15:00 UTC
CVE-2022-26336
CVE-2022-26353 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0.
Update Instructions:
Run `sudo pro fix CVE-2022-26353` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:6.2+dfsg-2ubuntu8
qemu-block-supplemental - 1:6.2+dfsg-2ubuntu8
qemu-guest-agent - 1:6.2+dfsg-2ubuntu8
qemu-system - 1:6.2+dfsg-2ubuntu8
qemu-system-arm - 1:6.2+dfsg-2ubuntu8
qemu-system-common - 1:6.2+dfsg-2ubuntu8
qemu-system-data - 1:6.2+dfsg-2ubuntu8
qemu-system-gui - 1:6.2+dfsg-2ubuntu8
qemu-system-mips - 1:6.2+dfsg-2ubuntu8
qemu-system-misc - 1:6.2+dfsg-2ubuntu8
qemu-system-modules-opengl - 1:6.2+dfsg-2ubuntu8
qemu-system-modules-spice - 1:6.2+dfsg-2ubuntu8
qemu-system-ppc - 1:6.2+dfsg-2ubuntu8
qemu-system-riscv - 1:6.2+dfsg-2ubuntu8
qemu-system-s390x - 1:6.2+dfsg-2ubuntu8
qemu-system-sparc - 1:6.2+dfsg-2ubuntu8
qemu-system-x86 - 1:6.2+dfsg-2ubuntu8
qemu-system-x86-xen - 1:6.2+dfsg-2ubuntu8
qemu-system-xen - 1:6.2+dfsg-2ubuntu8
qemu-user - 1:6.2+dfsg-2ubuntu8
qemu-user-binfmt - 1:6.2+dfsg-2ubuntu8
qemu-utils - 1:6.2+dfsg-2ubuntu8
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-03-16 15:15:00 UTC
2022-03-16 15:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2063197
[https://ubuntu.com/security/notices/USN-5489-1]
CVE-2022-26353
CVE-2022-26354 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.
Update Instructions:
Run `sudo pro fix CVE-2022-26354` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:6.2+dfsg-2ubuntu8
qemu-block-supplemental - 1:6.2+dfsg-2ubuntu8
qemu-guest-agent - 1:6.2+dfsg-2ubuntu8
qemu-system - 1:6.2+dfsg-2ubuntu8
qemu-system-arm - 1:6.2+dfsg-2ubuntu8
qemu-system-common - 1:6.2+dfsg-2ubuntu8
qemu-system-data - 1:6.2+dfsg-2ubuntu8
qemu-system-gui - 1:6.2+dfsg-2ubuntu8
qemu-system-mips - 1:6.2+dfsg-2ubuntu8
qemu-system-misc - 1:6.2+dfsg-2ubuntu8
qemu-system-modules-opengl - 1:6.2+dfsg-2ubuntu8
qemu-system-modules-spice - 1:6.2+dfsg-2ubuntu8
qemu-system-ppc - 1:6.2+dfsg-2ubuntu8
qemu-system-riscv - 1:6.2+dfsg-2ubuntu8
qemu-system-s390x - 1:6.2+dfsg-2ubuntu8
qemu-system-sparc - 1:6.2+dfsg-2ubuntu8
qemu-system-x86 - 1:6.2+dfsg-2ubuntu8
qemu-system-x86-xen - 1:6.2+dfsg-2ubuntu8
qemu-system-xen - 1:6.2+dfsg-2ubuntu8
qemu-user - 1:6.2+dfsg-2ubuntu8
qemu-user-binfmt - 1:6.2+dfsg-2ubuntu8
qemu-utils - 1:6.2+dfsg-2ubuntu8
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-03-16 15:15:00 UTC
2022-03-16 15:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2063257
[https://ubuntu.com/security/notices/USN-5489-1]
CVE-2022-26354
CVE-2022-26356 on Ubuntu 26.04 LTS (resolute) - medium
Racy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while another CPU is still in the process of tearing down the structures related to a previously enabled log dirty mode (XEN_DOMCTL_SHADOW_OP_OFF). This is due to lack of mutually exclusive locking between both operations and can lead to entries being added in already freed slots, resulting in a memory leak.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-05 13:15:00 UTC
CVE-2022-26356
CVE-2022-26357 on Ubuntu 26.04 LTS (resolute) - medium
race in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping structures has a race, allowing for VT-d domain IDs to be leaked and flushes to be bypassed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-05 13:15:00 UTC
CVE-2022-26357
CVE-2022-26358 on Ubuntu 26.04 LTS (resolute) - medium
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuously accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-05 13:15:00 UTC
CVE-2022-26358
CVE-2022-26359 on Ubuntu 26.04 LTS (resolute) - medium
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuously accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-05 13:15:00 UTC
CVE-2022-26359
CVE-2022-26360 on Ubuntu 26.04 LTS (resolute) - medium
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuously accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-05 13:15:00 UTC
CVE-2022-26360
CVE-2022-26361 on Ubuntu 26.04 LTS (resolute) - medium
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuously accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-05 13:15:00 UTC
CVE-2022-26361
CVE-2022-26362 on Ubuntu 26.04 LTS (resolute) - medium
x86 pv: Race condition in typeref acquisition. Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the logic for acquiring a type reference has a race condition, whereby a safety TLB flush is issued too early and creates a window where the guest can re-establish the read/write mapping before writeability is prohibited.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-09 17:15:00 UTC
CVE-2022-26362
CVE-2022-26363 on Ubuntu 26.04 LTS (resolute) - medium
x86 pv: Insufficient care with non-coherent mappings. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page are safe.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-09 17:15:00 UTC
CVE-2022-26363
CVE-2022-26364 on Ubuntu 26.04 LTS (resolute) - medium
x86 pv: Insufficient care with non-coherent mappings. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page are safe.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-09 17:15:00 UTC
CVE-2022-26364
CVE-2022-26365 on Ubuntu 26.04 LTS (resolute) - medium
Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-05 13:15:00 UTC
2022-07-05 13:15:00 UTC
Roger Pau Monné
[https://ubuntu.com/security/notices/USN-5572-1]
[https://ubuntu.com/security/notices/USN-5579-1]
[https://ubuntu.com/security/notices/USN-5572-2]
[https://ubuntu.com/security/notices/USN-5623-1]
[https://ubuntu.com/security/notices/USN-5624-1]
[https://ubuntu.com/security/notices/USN-5633-1]
[https://ubuntu.com/security/notices/USN-5635-1]
[https://ubuntu.com/security/notices/USN-5640-1]
[https://ubuntu.com/security/notices/USN-5644-1]
[https://ubuntu.com/security/notices/USN-5648-1]
[https://ubuntu.com/security/notices/USN-5655-1]
[https://ubuntu.com/security/notices/USN-5668-1]
[https://ubuntu.com/security/notices/USN-5669-1]
[https://ubuntu.com/security/notices/USN-5669-2]
[https://ubuntu.com/security/notices/USN-5677-1]
[https://ubuntu.com/security/notices/USN-5678-1]
[https://ubuntu.com/security/notices/USN-5679-1]
[https://ubuntu.com/security/notices/USN-5682-1]
[https://ubuntu.com/security/notices/USN-5683-1]
[https://ubuntu.com/security/notices/USN-5684-1]
[https://ubuntu.com/security/notices/USN-5687-1]
[https://ubuntu.com/security/notices/USN-5695-1]
[https://ubuntu.com/security/notices/USN-5706-1]
[https://ubuntu.com/security/notices/USN-5773-1]
[https://ubuntu.com/security/notices/USN-5789-1]
CVE-2022-26365
CVE-2022-26373 on Ubuntu 26.04 LTS (resolute) - medium
Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-18 20:15:00 UTC
2022-08-18 20:15:00 UTC
Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan and Ariel Sabba
[https://ubuntu.com/security/notices/USN-5667-1]
[https://ubuntu.com/security/notices/USN-5668-1]
[https://ubuntu.com/security/notices/USN-5677-1]
[https://ubuntu.com/security/notices/USN-5682-1]
[https://ubuntu.com/security/notices/USN-5683-1]
[https://ubuntu.com/security/notices/USN-5703-1]
[https://ubuntu.com/security/notices/USN-5706-1]
[https://ubuntu.com/security/notices/USN-5854-1]
[https://ubuntu.com/security/notices/USN-5861-1]
[https://ubuntu.com/security/notices/USN-5862-1]
[https://ubuntu.com/security/notices/USN-5865-1]
[https://ubuntu.com/security/notices/USN-5883-1]
[https://ubuntu.com/security/notices/USN-5924-1]
[https://ubuntu.com/security/notices/USN-5975-1]
[https://ubuntu.com/security/notices/USN-6007-1]
[https://ubuntu.com/security/notices/USN-6221-1]
CVE-2022-26373
CVE-2022-26491 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take control of the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-02 14:15:00 UTC
CVE-2022-26491
CVE-2022-26495 on Ubuntu 26.04 LTS (resolute) - medium
In nbd-server in nbd before 3.24, there is an integer overflow with a resultant heap-based buffer overflow. A value of 0xffffffff in the name length field will cause a zero-sized buffer to be allocated for the name, resulting in a write to a dangling pointer. This issue exists for the NBD_OPT_INFO, NBD_OPT_GO, and NBD_OPT_EXPORT_NAME messages.
Update Instructions:
Run `sudo pro fix CVE-2022-26495` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
nbd-client - 1:3.23-3ubuntu1
nbd-server - 1:3.23-3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-06 06:15:00 UTC
2022-03-06 06:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006915
[https://ubuntu.com/security/notices/USN-5323-1]
CVE-2022-26495
CVE-2022-26496 on Ubuntu 26.04 LTS (resolute) - medium
In nbd-server in nbd before 3.24, there is a stack-based buffer overflow. An attacker can cause a buffer overflow in the parsing of the name field by sending a crafted NBD_OPT_INFO or NBD_OPT_GO message with a large value as the length of the name.
Update Instructions:
Run `sudo pro fix CVE-2022-26496` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
nbd-client - 1:3.23-3ubuntu1
nbd-server - 1:3.23-3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-06 06:15:00 UTC
2022-03-06 06:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006915
[https://ubuntu.com/security/notices/USN-5323-1]
CVE-2022-26496
CVE-2022-26498 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-15 05:15:00 UTC
CVE-2022-26498
CVE-2022-26499 on Ubuntu 26.04 LTS (resolute) - medium
An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-15 05:15:00 UTC
CVE-2022-26499
CVE-2022-2652 on Ubuntu 26.04 LTS (resolute) - medium
Depending on the way the format strings in the card label are crafted it's possible to leak kernel stack memory. There is also the possibility for DoS due to the v4l2loopback kernel module crashing when providing the card label on request (reproduce e.g. with many %s modifiers in a row).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-04 10:15:00 UTC
CVE-2022-2652
CVE-2022-26651 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-15 05:15:00 UTC
CVE-2022-26651
CVE-2022-26661 on Ubuntu 26.04 LTS (resolute) - medium
An XXE issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An authenticated user can make the server parse a crafted XML SEPA file to access arbitrary files on the system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-10 17:47:00 UTC
CVE-2022-26661
CVE-2022-26662 on Ubuntu 26.04 LTS (resolute) - medium
An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x and 6.2.x through 6.2.1. An unauthenticated user can send a crafted XML-RPC message to consume all the resources of the server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-10 17:47:00 UTC
CVE-2022-26662
CVE-2022-26981 on Ubuntu 26.04 LTS (resolute) - low
Liblouis through 3.21.0 has a buffer overflow in compilePassOpcode in compileTranslationTable.c (called, indirectly, by tools/lou_checktable.c).
Update Instructions:
Run `sudo pro fix CVE-2022-26981` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
liblouis-bin - 3.22.0-1
liblouis-data - 3.22.0-1
liblouis20 - 3.22.0-1
python3-louis - 3.22.0-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-03-13 18:15:00 UTC
2022-03-13 18:15:00 UTC
Han Zheng
https://github.com/liblouis/liblouis/issues/1171
[https://ubuntu.com/security/notices/USN-5476-1]
CVE-2022-26981
CVE-2022-27044 on Ubuntu 26.04 LTS (resolute) - medium
libsixel 1.8.6 is affected by Buffer Overflow in libsixel/src/quant.c:876.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-08 15:15:00 UTC
CVE-2022-27044
CVE-2022-27046 on Ubuntu 26.04 LTS (resolute) - medium
libsixel 1.8.6 suffers from a Heap Use After Free vulnerability in libsixel/src/dither.c:388.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-08 15:15:00 UTC
CVE-2022-27046
CVE-2022-27135 on Ubuntu 26.04 LTS (resolute) - medium
xpdf 4.03 has heap buffer overflow in the function readXRefTable located in XRef.cc. An attacker can exploit this bug to cause a Denial of Service (Segmentation fault) or other unspecified effects by sending a crafted PDF file to the pdftoppm binary.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-25 13:15:00 UTC
CVE-2022-27135
CVE-2022-27191 on Ubuntu 26.04 LTS (resolute) - medium
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-18 07:15:00 UTC
CVE-2022-27191
CVE-2022-27419 on Ubuntu 26.04 LTS (resolute) - medium
rtl_433 21.12 was discovered to contain a stack overflow in the function acurite_00275rm_decode at /devices/acurite.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-12 20:15:00 UTC
CVE-2022-27419
CVE-2022-27470 on Ubuntu 26.04 LTS (resolute) - medium
SDL_ttf v2.0.18 and below was discovered to contain an arbitrary memory write via the function TTF_RenderText_Solid(). This vulnerability is triggered via a crafted TTF file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-04 03:15:00 UTC
CVE-2022-27470
CVE-2022-27607 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 1.6.0-639 has a heap-based buffer over-read in the AP4_HvccAtom class, a different issue than CVE-2018-14531.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-21 23:15:00 UTC
CVE-2022-27607
CVE-2022-2763 on Ubuntu 26.04 LTS (resolute) - medium
The WP Socializer WordPress plugin before 7.3 does not sanitise and escape some of its Icons settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03 14:15:00 UTC
CVE-2022-2763
CVE-2022-2764 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-01 21:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2117506
CVE-2022-2764
CVE-2022-27650 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-04 20:15:00 UTC
CVE-2022-27650
CVE-2022-27651 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-04 20:15:00 UTC
CVE-2022-27651
CVE-2022-27664 on Ubuntu 26.04 LTS (resolute) - medium
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
Update Instructions:
Run `sudo pro fix CVE-2022-27664` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
google-guest-agent - 20230426.00-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-06 18:15:00 UTC
2022-09-06 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-6038-1]
[https://ubuntu.com/security/notices/USN-6038-2]
[https://ubuntu.com/security/notices/USN-8089-1]
[https://ubuntu.com/security/notices/USN-8089-2]
[https://ubuntu.com/security/notices/USN-8089-3]
CVE-2022-27664
CVE-2022-27672 on Ubuntu 26.04 LTS (resolute) - medium
When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-01 08:15:00 UTC
2023-03-01 08:15:00 UTC
[https://ubuntu.com/security/notices/USN-5978-1]
[https://ubuntu.com/security/notices/USN-6079-1]
[https://ubuntu.com/security/notices/USN-6080-1]
[https://ubuntu.com/security/notices/USN-6085-1]
[https://ubuntu.com/security/notices/USN-6090-1]
[https://ubuntu.com/security/notices/USN-6091-1]
[https://ubuntu.com/security/notices/USN-6096-1]
[https://ubuntu.com/security/notices/USN-6133-1]
[https://ubuntu.com/security/notices/USN-6134-1]
[https://ubuntu.com/security/notices/USN-6284-1]
[https://ubuntu.com/security/notices/USN-6301-1]
[https://ubuntu.com/security/notices/USN-6312-1]
[https://ubuntu.com/security/notices/USN-6314-1]
[https://ubuntu.com/security/notices/USN-6331-1]
[https://ubuntu.com/security/notices/USN-6337-1]
[https://ubuntu.com/security/notices/USN-6385-1]
[https://ubuntu.com/security/notices/USN-6396-1]
[https://ubuntu.com/security/notices/USN-6396-2]
[https://ubuntu.com/security/notices/USN-6396-3]
CVE-2022-27672
CVE-2022-27777 on Ubuntu 26.04 LTS (resolute) - medium
An XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-26 17:15:00 UTC
CVE-2022-27777
CVE-2022-27811 on Ubuntu 26.04 LTS (resolute) - medium
GNOME OCRFeeder before 0.8.4 allows OS command injection via shell metacharacters in a PDF or image filename.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-24 03:15:00 UTC
René Walendy
https://bugs.launchpad.net/ubuntu/+source/ocrfeeder/+bug/1961528
https://bugs.launchpad.net/ubuntu/+source/ocrfeeder/+bug/1961528
CVE-2022-27811
CVE-2022-27920 on Ubuntu 26.04 LTS (resolute) - medium
libkiwix 10.0.0 and 10.0.1 allows XSS in the built-in webserver functionality via the search suggestions URL parameter. This is fixed in 10.1.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-25 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008483
CVE-2022-27920
CVE-2022-27938 on Ubuntu 26.04 LTS (resolute) - medium
stb_image.h (aka the stb image loader) 2.19, as used in libsixel and other products, has a reachable assertion in stbi__create_png_image_raw.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-26 13:15:00 UTC
CVE-2022-27938
CVE-2022-27943 on Ubuntu 26.04 LTS (resolute) - low
libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-03-26 13:15:00 UTC
Han Zheng
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039
https://sourceware.org/bugzilla/show_bug.cgi?id=28995
CVE-2022-27943
CVE-2022-2795 on Ubuntu 26.04 LTS (resolute) - medium
By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.
Update Instructions:
Run `sudo pro fix CVE-2022-2795` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.18.4-2ubuntu2
bind9-dnsutils - 1:9.18.4-2ubuntu2
bind9-host - 1:9.18.4-2ubuntu2
bind9-libs - 1:9.18.4-2ubuntu2
bind9-utils - 1:9.18.4-2ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-21
2022-09-21
Yehuda Afek, Anat Bremler-Barr, and Shani Stajnrod
[https://ubuntu.com/security/notices/USN-5626-1]
[https://ubuntu.com/security/notices/USN-5626-2]
CVE-2022-2795
CVE-2022-28041 on Ubuntu 26.04 LTS (resolute) - medium
stb_image.h v2.27 was discovered to contain an integer overflow via the function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-15 14:15:00 UTC
CVE-2022-28041
CVE-2022-28042 on Ubuntu 26.04 LTS (resolute) - medium
stb_image.h v2.27 was discovered to contain a heap-based use-after-free via the function stbi__jpeg_huff_decode.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-15 14:15:00 UTC
CVE-2022-28042
CVE-2022-28048 on Ubuntu 26.04 LTS (resolute) - medium
STB v2.27 was discovered to contain an integer shift of invalid size in the component stbi__jpeg_decode_block_prog_ac.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-15 14:15:00 UTC
CVE-2022-28048
CVE-2022-28068 on Ubuntu 26.04 LTS (resolute) - medium
A heap buffer overflow in r_sleb128 function in radare2 5.4.2 and 5.4.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2022-28068
CVE-2022-28069 on Ubuntu 26.04 LTS (resolute) - medium
A heap buffer overflow in vax_opfunction in radare2 5.4.2 and 5.4.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2022-28069
CVE-2022-28070 on Ubuntu 26.04 LTS (resolute) - medium
A null pointer dereference in __core_anal_fcn function in radare2 5.4.2 and 5.4.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2022-28070
CVE-2022-28071 on Ubuntu 26.04 LTS (resolute) - medium
A use after free in r_reg_get_name_idx function in radare2 5.4.2 and 5.4.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2022-28071
CVE-2022-28072 on Ubuntu 26.04 LTS (resolute) - medium
A heap buffer overflow in r_read_le32 function in radare2 5.4.2 and 5.4.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2022-28072
CVE-2022-28073 on Ubuntu 26.04 LTS (resolute) - medium
A use after free in r_reg_set_value function in radare2 5.4.2 and 5.4.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2022-28073
CVE-2022-28201 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-19 21:15:00 UTC
CVE-2022-28201
CVE-2022-28202 on Ubuntu 26.04 LTS (resolute) - medium
An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-03-30 06:15:00 UTC
CVE-2022-28202
CVE-2022-28203 on Ubuntu 26.04 LTS (resolute) - medium
A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in a very long running query.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-19 21:15:00 UTC
CVE-2022-28203
CVE-2022-28204 on Ubuntu 26.04 LTS (resolute) - medium
A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of w/index.php?title=Special%3AWhatLinksHere&target=Property%3AP31&namespace=1&invert=1 can take more than thirty seconds. There is a DDoS risk.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-19 21:15:00 UTC
CVE-2022-28204
CVE-2022-2831 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Blender 3.3.0. An integer overflow in source/blender/blendthumb/src/blendthumb_extract.cc may lead to program crash or memory corruption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-16 21:15:00 UTC
CVE-2022-2831
CVE-2022-2832 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Blender 3.3.0. A null pointer dereference exists in source/blender/gpu/opengl/gl_backend.cc that may lead to loss of confidentiality and integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-16 21:15:00 UTC
CVE-2022-2832
CVE-2022-2833 on Ubuntu 26.04 LTS (resolute) - medium
Endless Infinite loop in Blender-thumbnailing due to logical bugs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-16 21:15:00 UTC
CVE-2022-2833
CVE-2022-28357 on Ubuntu 26.04 LTS (resolute) - medium
NATS nats-server 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action from a management account.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-19 02:15:00 UTC
CVE-2022-28357
CVE-2022-28366 on Ubuntu 26.04 LTS (resolute) - medium
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-21 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010154
CVE-2022-28366
CVE-2022-28367 on Ubuntu 26.04 LTS (resolute) - medium
OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-21 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010154
CVE-2022-28367
CVE-2022-2839 on Ubuntu 26.04 LTS (resolute) - medium
The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03 14:15:00 UTC
CVE-2022-2839
CVE-2022-28463 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.
Update Instructions:
Run `sudo pro fix CVE-2022-28463` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-08 23:15:00 UTC
2022-05-08 23:15:00 UTC
[https://ubuntu.com/security/notices/USN-5456-1]
[https://ubuntu.com/security/notices/USN-5736-1]
[https://ubuntu.com/security/notices/USN-5736-2]
[https://ubuntu.com/security/notices/USN-6200-1]
CVE-2022-28463
CVE-2022-2850 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in 389-ds-base. When the Content Synchronization plugin is enabled, an authenticated user can reach a NULL pointer dereference using a specially crafted query. This flaw allows an authenticated attacker to cause a denial of service. This CVE is assigned against an incomplete fix of CVE-2021-3514.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-14 18:15:00 UTC
CVE-2022-2850
CVE-2022-28550 on Ubuntu 26.04 LTS (resolute) - medium
Matthias-Wandel/jhead jhead 3.06 is vulnerable to Buffer Overflow via shellescape(), jhead.c, jhead. jhead copies strings to a stack buffer when it detects a &i or &o. However, jhead does not check the boundary of the stack buffer. As a result, there will be a stack buffer overflow problem when multiple `&i` or `&o` are given.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-13 20:15:00 UTC
CVE-2022-28550
CVE-2022-28652 on Ubuntu 26.04 LTS (resolute) - medium
~/.config/apport/settings parsing is vulnerable to "billion laughs" attack
Update Instructions:
Run `sudo pro fix CVE-2022-28652` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apport - 2.21.0-0ubuntu1
apport-core-dump-handler - 2.21.0-0ubuntu1
apport-gtk - 2.21.0-0ubuntu1
apport-kde - 2.21.0-0ubuntu1
apport-noui - 2.21.0-0ubuntu1
apport-retrace - 2.21.0-0ubuntu1
apport-valgrind - 2.21.0-0ubuntu1
dh-apport - 2.21.0-0ubuntu1
python3-apport - 2.21.0-0ubuntu1
python3-problem-report - 2.21.0-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-17 18:00:00 UTC
2022-05-17 18:00:00 UTC
Gerrit Venema
[https://ubuntu.com/security/notices/USN-5427-1]
[https://ubuntu.com/security/notices/USN-6894-1]
CVE-2022-28652
CVE-2022-28654 on Ubuntu 26.04 LTS (resolute) - medium
is_closing_session() allows users to fill up apport.log
Update Instructions:
Run `sudo pro fix CVE-2022-28654` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apport - 2.21.0-0ubuntu1
apport-core-dump-handler - 2.21.0-0ubuntu1
apport-gtk - 2.21.0-0ubuntu1
apport-kde - 2.21.0-0ubuntu1
apport-noui - 2.21.0-0ubuntu1
apport-retrace - 2.21.0-0ubuntu1
apport-valgrind - 2.21.0-0ubuntu1
dh-apport - 2.21.0-0ubuntu1
python3-apport - 2.21.0-0ubuntu1
python3-problem-report - 2.21.0-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-17 18:00:00 UTC
2022-05-17 18:00:00 UTC
Gerrit Venema
[https://ubuntu.com/security/notices/USN-5427-1]
[https://ubuntu.com/security/notices/USN-6894-1]
CVE-2022-28654
CVE-2022-28655 on Ubuntu 26.04 LTS (resolute) - medium
is_closing_session() allows users to create arbitrary tcp dbus connections
Update Instructions:
Run `sudo pro fix CVE-2022-28655` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apport - 2.21.0-0ubuntu1
apport-core-dump-handler - 2.21.0-0ubuntu1
apport-gtk - 2.21.0-0ubuntu1
apport-kde - 2.21.0-0ubuntu1
apport-noui - 2.21.0-0ubuntu1
apport-retrace - 2.21.0-0ubuntu1
apport-valgrind - 2.21.0-0ubuntu1
dh-apport - 2.21.0-0ubuntu1
python3-apport - 2.21.0-0ubuntu1
python3-problem-report - 2.21.0-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-17 18:00:00 UTC
2022-05-17 18:00:00 UTC
Gerrit Venema
[https://ubuntu.com/security/notices/USN-5427-1]
[https://ubuntu.com/security/notices/USN-6894-1]
CVE-2022-28655
CVE-2022-28656 on Ubuntu 26.04 LTS (resolute) - low
is_closing_session() allows users to consume RAM in the Apport process
Update Instructions:
Run `sudo pro fix CVE-2022-28656` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apport - 2.21.0-0ubuntu1
apport-core-dump-handler - 2.21.0-0ubuntu1
apport-gtk - 2.21.0-0ubuntu1
apport-kde - 2.21.0-0ubuntu1
apport-noui - 2.21.0-0ubuntu1
apport-retrace - 2.21.0-0ubuntu1
apport-valgrind - 2.21.0-0ubuntu1
dh-apport - 2.21.0-0ubuntu1
python3-apport - 2.21.0-0ubuntu1
python3-problem-report - 2.21.0-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-17 18:00:00 UTC
2022-05-17 18:00:00 UTC
Gerrit Venema
[https://ubuntu.com/security/notices/USN-5427-1]
[https://ubuntu.com/security/notices/USN-6894-1]
CVE-2022-28656
CVE-2022-28657 on Ubuntu 26.04 LTS (resolute) - medium
Apport does not disable python crash handler before entering chroot
Update Instructions:
Run `sudo pro fix CVE-2022-28657` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apport - 2.21.0-0ubuntu1
apport-core-dump-handler - 2.21.0-0ubuntu1
apport-gtk - 2.21.0-0ubuntu1
apport-kde - 2.21.0-0ubuntu1
apport-noui - 2.21.0-0ubuntu1
apport-retrace - 2.21.0-0ubuntu1
apport-valgrind - 2.21.0-0ubuntu1
dh-apport - 2.21.0-0ubuntu1
python3-apport - 2.21.0-0ubuntu1
python3-problem-report - 2.21.0-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-17 18:00:00 UTC
2022-05-17 18:00:00 UTC
Gerrit Venema
[https://ubuntu.com/security/notices/USN-5427-1]
[https://ubuntu.com/security/notices/USN-6894-1]
CVE-2022-28657
CVE-2022-28658 on Ubuntu 26.04 LTS (resolute) - medium
Apport argument parsing mishandles filename splitting on older kernels resulting in argument spoofing
Update Instructions:
Run `sudo pro fix CVE-2022-28658` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apport - 2.21.0-0ubuntu1
apport-core-dump-handler - 2.21.0-0ubuntu1
apport-gtk - 2.21.0-0ubuntu1
apport-kde - 2.21.0-0ubuntu1
apport-noui - 2.21.0-0ubuntu1
apport-retrace - 2.21.0-0ubuntu1
apport-valgrind - 2.21.0-0ubuntu1
dh-apport - 2.21.0-0ubuntu1
python3-apport - 2.21.0-0ubuntu1
python3-problem-report - 2.21.0-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-17 18:00:00 UTC
2022-05-17 18:00:00 UTC
Gerrit Venema
[https://ubuntu.com/security/notices/USN-5427-1]
[https://ubuntu.com/security/notices/USN-6894-1]
CVE-2022-28658
CVE-2022-28890 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-05 09:15:00 UTC
Feras Daragma, Avishag Shapira, and Amit Laish
CVE-2022-28890
CVE-2022-28919 on Ubuntu 26.04 LTS (resolute) - medium
HTMLCreator release_stable_2020-07-29 was discovered to contain a cross-site scripting (XSS) vulnerability via the function _generateFilename.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-12 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011056
CVE-2022-28919
CVE-2022-28948 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.
Update Instructions:
Run `sudo pro fix CVE-2022-28948` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
snap-confine - 2.63+24.10
snapd - 2.63+24.10
snapd-xdg-open - 2.63+24.10
ubuntu-core-launcher - 2.63+24.10
ubuntu-core-snapd-units - 2.63+24.10
ubuntu-snappy - 2.63+24.10
ubuntu-snappy-cli - 2.63+24.10
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-19 20:15:00 UTC
CVE-2022-28948
CVE-2022-29017 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 v1.6.0.0 was discovered to contain a segmentation fault via the component /x86_64/multiarch/strlen-avx2.S.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-16 14:15:00 UTC
CVE-2022-29017
CVE-2022-29221 on Ubuntu 26.04 LTS (resolute) - medium
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds.
Update Instructions:
Run `sudo pro fix CVE-2022-29221` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
smarty3 - 3.1.39-2ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-24 15:15:00 UTC
2022-05-24 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011757
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011758
[https://ubuntu.com/security/notices/USN-6012-1]
[https://ubuntu.com/security/notices/USN-6550-1]
CVE-2022-29221
CVE-2022-29241 on Ubuntu 26.04 LTS (resolute) - medium
Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter Notebook. Prior to version 1.17.1, if notebook server is started with a value of `root_dir` that contains the starting user's home directory, then the underlying REST API can be used to leak the access token assigned at start time by guessing/brute forcing the PID of the jupyter server. While this requires an authenticated user session, this URL can be used from a cross-site scripting payload or from a hooked or otherwise compromised browser to leak this access token to a malicious third party. This token can be used along with the REST API to interact with Jupyter services/notebooks such as modifying or overwriting critical files, such as .bashrc or .ssh/authorized_keys, allowing a malicious user to read potentially sensitive data and possibly gain control of the impacted system. This issue is patched in version 1.17.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-14 21:15:00 UTC
CVE-2022-29241
CVE-2022-29244 on Ubuntu 26.04 LTS (resolute) - medium
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-13 14:15:00 UTC
CVE-2022-29244
CVE-2022-29248 on Ubuntu 26.04 LTS (resolute) - medium
Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-25 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011636
CVE-2022-29248
CVE-2022-29577 on Ubuntu 26.04 LTS (resolute) - medium
OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-04-21 23:15:00 UTC
CVE-2022-29577
CVE-2022-2961 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free flaw was found in the Linux kernel’s PLP Rose functionality in the way a user triggers a race condition by calling bind while simultaneously triggering the rose_bind() function. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-29 15:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2120595
https://bugzilla.suse.com/show_bug.cgi?id=1202660
CVE-2022-2961
CVE-2022-29788 on Ubuntu 26.04 LTS (resolute) - medium
libmobi before v0.10 contains a NULL pointer dereference via the component mobi_buffer_getpointer. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted mobi file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-02 14:15:00 UTC
2022-06-02 14:15:00 UTC
[https://ubuntu.com/security/notices/USN-7638-1]
CVE-2022-29788
CVE-2022-29885 on Ubuntu 26.04 LTS (resolute) - low
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-12 08:15:00 UTC
2022-05-12 08:15:00 UTC
[https://ubuntu.com/security/notices/USN-6943-1]
CVE-2022-29885
CVE-2022-2990 on Ubuntu 26.04 LTS (resolute) - medium
An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-13 14:15:00 UTC
CVE-2022-2990
CVE-2022-2996 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the python-scciclient when making an HTTPS connection to a server where the server's certificate would not be verified. This issue opens up the connection to possible Man-in-the-middle (MITM) attacks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-01 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018213
CVE-2022-2996
CVE-2022-29969 on Ubuntu 26.04 LTS (resolute) - medium
The RSS extension before 2022-04-29 for MediaWiki allows XSS via an rss element (if the feed is in $wgRSSUrlWhitelist and $wgRSSAllowLinkTag is true).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-02 05:15:00 UTC
CVE-2022-29969
CVE-2022-29973 on Ubuntu 26.04 LTS (resolute) - medium
relan exFAT 1.3.0 allows local users to obtain sensitive information (data from deleted files in the filesystem) in certain situations involving offsets beyond ValidDataLength.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-02 12:16:00 UTC
CVE-2022-29973
CVE-2022-29977 on Ubuntu 26.04 LTS (resolute) - medium
There is an assertion failure error in stbi__jpeg_huff_decode, stb_image.h:1894 in libsixel img2sixel 1.8.6. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted JPEG file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-11 14:15:00 UTC
CVE-2022-29977
CVE-2022-29978 on Ubuntu 26.04 LTS (resolute) - medium
There is a floating point exception error in sixel_encoder_do_resize, encoder.c:633 in libsixel img2sixel 1.8.6. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted JPEG file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-11 14:15:00 UTC
CVE-2022-29978
CVE-2022-30045 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_decode() performs incorrect memory handling while parsing crafted XML files, leading to a heap out-of-bounds read.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-17 20:15:00 UTC
CVE-2022-30045
CVE-2022-30126 on Ubuntu 26.04 LTS (resolute) - low
In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-16 17:15:00 UTC
2022-05-16 17:15:00 UTC
Tony Torralba and Joseph Farebrother
[https://ubuntu.com/security/notices/USN-7529-1]
CVE-2022-30126
CVE-2022-30292 on Ubuntu 26.04 LTS (resolute) - medium
Heap-based buffer overflow in sqbaselib.cpp in SQUIRREL 3.2 due to lack of a certain sq_reservestack call.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-04 23:15:00 UTC
CVE-2022-30292
CVE-2022-30524 on Ubuntu 26.04 LTS (resolute) - medium
There is an invalid memory access in the TextLine class in TextOutputDev.cc in Xpdf 4.0.4 because the text extractor mishandles characters at large y coordinates. It can be triggered by (for example) sending a crafted pdf file to the pdftotext binary, which allows a remote attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-09 18:15:00 UTC
CVE-2022-30524
CVE-2022-3064 on Ubuntu 26.04 LTS (resolute) - medium
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-27 22:15:00 UTC
2022-12-27 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-6287-1]
CVE-2022-3064
CVE-2022-30698 on Ubuntu 26.04 LTS (resolute) - medium
NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before expiry of the delegation information by querying Unbound for a second level subdomain which the rogue nameserver provides new delegation information. Since Unbound is a child-centric resolver, the ever-updating child delegation information can keep a rogue domain name resolvable long after revocation. From version 1.16.2 on, Unbound checks the validity of parent delegation records before using cached delegation information.
Update Instructions:
Run `sudo pro fix CVE-2022-30698` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libunbound8 - 1.16.2-1
python3-unbound - 1.16.2-1
unbound - 1.16.2-1
unbound-anchor - 1.16.2-1
unbound-host - 1.16.2-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-01 15:15:00 UTC
2022-08-01 15:15:00 UTC
Xiang Li
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016493
[https://ubuntu.com/security/notices/USN-5569-1]
CVE-2022-30698
CVE-2022-30699 on Ubuntu 26.04 LTS (resolute) - medium
NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information is expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire making the rogue delegation information ever-updating. From version 1.16.2 on, Unbound stores the start time for a query and uses that to decide if the cached delegation information can be overwritten.
Update Instructions:
Run `sudo pro fix CVE-2022-30699` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libunbound8 - 1.16.2-1
python3-unbound - 1.16.2-1
unbound - 1.16.2-1
unbound-anchor - 1.16.2-1
unbound-host - 1.16.2-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-01 15:15:00 UTC
2022-08-01 15:15:00 UTC
Xiang Li
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016493
[https://ubuntu.com/security/notices/USN-5569-1]
CVE-2022-30699
CVE-2022-30768 on Ubuntu 26.04 LTS (resolute) - medium
A Stored Cross Site Scripting (XSS) issue in ZoneMinder 1.36.12 allows an attacker to execute HTML or JavaScript code via the Username field when an Admin (or non-Admin users that can see other users logged into the platform) clicks on Logout. NOTE: this exists in later versions than CVE-2019-7348 and requires a different attack method.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-15 22:15:00 UTC
CVE-2022-30768
CVE-2022-30769 on Ubuntu 26.04 LTS (resolute) - medium
Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-15 22:15:00 UTC
CVE-2022-30769
CVE-2022-30775 on Ubuntu 26.04 LTS (resolute) - low
xpdf 4.04 allocates excessive memory when presented with crafted input. This can be triggered by (for example) sending a crafted PDF document to the pdftoppm binary. It is most easily reproduced with the DCMAKE_CXX_COMPILER=afl-clang-fast++ option.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-16 03:15:00 UTC
CVE-2022-30775
CVE-2022-30973 on Ubuntu 26.04 LTS (resolute) - medium
We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-05-31 14:15:00 UTC
2022-05-31 14:15:00 UTC
[https://ubuntu.com/security/notices/USN-7529-1]
CVE-2022-30973
CVE-2022-31033 on Ubuntu 26.04 LTS (resolute) - medium
The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-09 20:15:00 UTC
CVE-2022-31033
CVE-2022-31042 on Ubuntu 26.04 LTS (resolute) - low
Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach to use your own redirect middleware, rather than ours. If you do not require or expect redirects to be followed, one should simply disable redirects all together.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-06-10 00:15:00 UTC
CVE-2022-31042
CVE-2022-31043 on Ubuntu 26.04 LTS (resolute) - low
Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach which would be to use their own redirect middleware. Alternately users may simply disable redirects all together if redirects are not expected or required.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-06-10 00:15:00 UTC
CVE-2022-31043
CVE-2022-31072 on Ubuntu 26.04 LTS (resolute) - medium
Octokit is a Ruby toolkit for the GitHub API. Versions 4.23.0 and 4.24.0 of the octokit gem were published containing world-writeable files. Specifically, the gem was packed with files having their permissions set to `-rw-rw-rw-` (i.e. 0666) instead of `rw-r--r--` (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem. This issue is patched in Octokit 4.25.0. Two workarounds are available. Users can use the previous version of the gem, v4.22.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-15 23:15:00 UTC
CVE-2022-31072
CVE-2022-31084 on Ubuntu 26.04 LTS (resolute) - medium
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 There are cases where LAM instantiates objects from arbitrary classes. An attacker can inject the first constructor argument. This can lead to code execution if non-LAM classes are instantiated that execute code during object creation. This issue has been fixed in version 8.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-27 21:15:00 UTC
elisehdy
CVE-2022-31084
CVE-2022-31086 on Ubuntu 26.04 LTS (resolute) - medium
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the /config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM. This issue has been fixed in version 8.0. There are no known workarounds for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-27 21:15:00 UTC
elisehdy
CVE-2022-31086
CVE-2022-31087 on Ubuntu 26.04 LTS (resolute) - medium
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the tmp directory, which is accessible by /lam/tmp/, allows interpretation of .php (and .php5/.php4/.phpt/etc) files. An attacker capable of writing files under www-data privileges can write a web-shell into this directory, and gain a Code Execution on the host. This issue has been fixed in version 8.0. Users unable to upgrade should disallow executing PHP scripts in (/var/lib/ldap-account-manager/)tmp directory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-27 21:15:00 UTC
elisehdy
CVE-2022-31087
CVE-2022-31088 on Ubuntu 26.04 LTS (resolute) - medium
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the user name field at login could be used to enumerate LDAP data. This is only the case for LDAP search configuration. This issue has been fixed in version 8.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-27 21:15:00 UTC
elisehdy
CVE-2022-31088
CVE-2022-31090 on Ubuntu 26.04 LTS (resolute) - medium
Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle stream handler backend, rather than curl.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-27 22:15:00 UTC
CVE-2022-31090
CVE-2022-31091 on Ubuntu 26.04 LTS (resolute) - medium
Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before continuing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-27 22:15:00 UTC
CVE-2022-31091
CVE-2022-31116 on Ubuntu 26.04 LTS (resolute) - medium
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's `json` module does, preserving them in the parsed output. Users are advised to upgrade. There are no known workarounds for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-05 18:15:00 UTC
2022-07-05 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-6629-1]
[https://ubuntu.com/security/notices/USN-6629-3]
CVE-2022-31116
CVE-2022-31117 on Ubuntu 26.04 LTS (resolute) - medium
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. In versions prior to 5.4.0 an error occurring while reallocating a buffer for string decoding can cause the buffer to get freed twice. Due to how UltraJSON uses the internal decoder, this double free is impossible to trigger from Python. This issue has been resolved in version 5.4.0 and all users should upgrade to UltraJSON 5.4.0. There are no known workarounds for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-05 18:15:00 UTC
2022-07-05 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-6629-1]
[https://ubuntu.com/security/notices/USN-6629-3]
CVE-2022-31117
CVE-2022-31129 on Ubuntu 26.04 LTS (resolute) - medium
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-06 18:15:00 UTC
2022-07-06 18:15:00 UTC
https://bugs.launchpad.net/ubuntu/bionic/+source/node-moment/+bug/1982617
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014845
[https://ubuntu.com/security/notices/USN-5559-1]
[https://ubuntu.com/security/notices/USN-6550-1]
CVE-2022-31129
CVE-2022-31150 on Ubuntu 26.04 LTS (resolute) - medium
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-19 21:15:00 UTC
CVE-2022-31150
CVE-2022-31151 on Ubuntu 26.04 LTS (resolute) - medium
Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. This was patched in v5.7.1. By default, this vulnerability is not exploitable. Do not enable redirections, i.e. `maxRedirections: 0` (the default).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-21 04:15:00 UTC
CVE-2022-31151
CVE-2022-31156 on Ubuntu 26.04 LTS (resolute) - medium
Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This can occur in two ways. When signature verification is disabled but the verification metadata contains entries for dependencies that only have a `gpg` element but no `checksum` element. When signature verification is enabled, the verification metadata contains entries for dependencies with a `gpg` element but there is no signature file on the remote repository. In both cases, the verification will accept the dependency, skipping signature verification and not complaining that the dependency has no checksum entry. For builds that are vulnerable, there are two risks. Gradle could download a malicious binary from a repository outside your organization due to name squatting. For those still using HTTP only and not HTTPS for downloading dependencies, the build could download a malicious library instead of the expected one. Gradle 7.5 patches this issue by making sure to run checksum verification if signature verification cannot be completed, whatever the reason. Two workarounds are available: Remove all `gpg` elements from dependency verification metadata if you disable signature validation and/or avoid adding `gpg` entries for dependencies that do not have signature files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-14 20:15:00 UTC
CVE-2022-31156
CVE-2022-3116 on Ubuntu 26.04 LTS (resolute) - medium
The Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereference. An attacker with network access to an application that depends on the vulnerable code path can cause the application to crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-07
2022-10-07
Michał Kępień
[https://ubuntu.com/security/notices/USN-5675-1]
CVE-2022-3116
CVE-2022-31163 on Ubuntu 26.04 LTS (resolute) - medium
TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of `tzinfo/definition` within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to `TZInfo::Timezone.get` by ensuring it matches the regular expression `\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-22 04:15:00 UTC
CVE-2022-31163
CVE-2022-31175 on Ubuntu 26.04 LTS (resolute) - medium
CKEditor 5 is a JavaScript rich text editor. A cross-site scripting vulnerability has been discovered affecting three optional CKEditor 5's packages in versions prior to 35.0.1. The vulnerability allowed to trigger a JavaScript code after fulfilling special conditions. The affected packages are `@ckeditor/ckeditor5-markdown-gfm`, `@ckeditor/ckeditor5-html-support`, and `@ckeditor/ckeditor5-html-embed`. The specific conditions are 1) Using one of the affected packages. In case of `ckeditor5-html-support` and `ckeditor5-html-embed`, additionally, it was required to use a configuration that allows unsafe markup inside the editor. 2) Destroying the editor instance and 3) Initializing the editor on an element and using an element other than `<textarea>` as a base. The root cause of the issue was a mechanism responsible for updating the source element with the markup coming from the CKEditor 5 data pipeline after destroying the editor. This vulnerability might affect a small percent of integrators that depend on dynamic editor initialization/destroy and use Markdown, General HTML Support or HTML embed features. The problem has been recognized and patched. The fix is available in version 35.0.1. There are no known workarounds for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-03 19:15:00 UTC
CVE-2022-31175
CVE-2022-31197 on Ubuntu 26.04 LTS (resolute) - medium
PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User applications that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name whose column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-03 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016662
CVE-2022-31197
CVE-2022-31214 on Ubuntu 26.04 LTS (resolute) - medium
A Privilege Context Switching issue was discovered in join.c in Firejail 0.9.68. By crafting a bogus Firejail container that is accepted by the Firejail setuid-root program as a join target, a local attacker can enter an environment in which the Linux user namespace is still the initial user namespace, the NO_NEW_PRIVS prctl is not activated, and the entered mount namespace is under the attacker's control. In this way, the filesystem layout can be adjusted to gain root privileges through execution of available setuid-root binaries such as su or sudo.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-09 16:15:00 UTC
Matthias Gerstner
https://bugzilla.suse.com/show_bug.cgi?id=1199148
CVE-2022-31214
CVE-2022-3123 on Ubuntu 26.04 LTS (resolute) - medium
Cross-site Scripting (XSS) - Reflected in GitHub repository splitbrain/dokuwiki prior to 2022-07-31a.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-05 10:15:00 UTC
CVE-2022-3123
CVE-2022-3124 on Ubuntu 26.04 LTS (resolute) - medium
The Frontend File Manager Plugin WordPress plugin before 21.3 allows any unauthenticated user to rename uploaded files from users. Furthermore, due to the lack of validation in the destination filename, this could allow them to change the content of arbitrary files on the web server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03 14:15:00 UTC
CVE-2022-3124
CVE-2022-3125 on Ubuntu 26.04 LTS (resolute) - medium
The Frontend File Manager Plugin WordPress plugin before 21.3 allows any authenticated users, such as subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to basically be able to upload arbitrary files on the server and achieve RCE.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03 14:15:00 UTC
CVE-2022-3125
CVE-2022-3128 on Ubuntu 26.04 LTS (resolute) - medium
The Donation Thermometer WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03 14:15:00 UTC
CVE-2022-3128
CVE-2022-31282 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 MP4Dump v1.2 was discovered to contain a segmentation violation via an unknown address at /Source/C++/Core/Ap4DataBuffer.cpp:175.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-10 18:15:00 UTC
CVE-2022-31282
CVE-2022-31285 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.2. The allocator is out of memory in /Source/C++/Core/Ap4Array.h.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-10 18:15:00 UTC
CVE-2022-31285
CVE-2022-31287 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 v1.2. There is an allocation size request error in /Ap4RtpAtom.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-10 18:15:00 UTC
CVE-2022-31287
CVE-2022-31291 on Ubuntu 26.04 LTS (resolute) - medium
An issue in dlt_config_file_parser.c of dlt-daemon v2.18.8 allows attackers to cause a double free via crafted TCP packets.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-16 16:15:00 UTC
CVE-2022-31291
CVE-2022-3132 on Ubuntu 26.04 LTS (resolute) - medium
The Goolytics WordPress plugin before 1.1.2 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03 14:15:00 UTC
CVE-2022-3132
CVE-2022-31620 on Ubuntu 26.04 LTS (resolute) - low
In libjpeg before 1.64, BitStream<false>::Get in bitstream.hpp has an assertion failure that may cause denial of service. This is related to out-of-bounds array access during arithmetically coded lossless scan or arithmetically coded sequential scan.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-05-25 21:15:00 UTC
CVE-2022-31620
CVE-2022-31690 on Ubuntu 26.04 LTS (resolute) - medium
Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RFC 6749, Section 5.1) on the subsequent request to the token endpoint to obtain the access token.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-31 20:15:00 UTC
CVE-2022-31690
CVE-2022-31692 on Ubuntu 26.04 LTS (resolute) - medium
Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The application expects that Spring Security applies security to forward and include dispatcher types. The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method. The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include). The application may forward or include the request to a higher privilege-secured endpoint. The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-31 20:15:00 UTC
CVE-2022-31692
CVE-2022-31796 on Ubuntu 26.04 LTS (resolute) - low
libjpeg 1.63 has a heap-based buffer over-read in HierarchicalBitmapRequester::FetchRegion in hierarchicalbitmaprequester.cpp because the MCU size can be different between allocation and use.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-06-02 14:15:00 UTC
https://github.com/thorfdbg/libjpeg/issues/71
CVE-2022-31796
CVE-2022-32201 on Ubuntu 26.04 LTS (resolute) - medium
In libjpeg 1.63, there is a NULL pointer dereference in Component::SubXOf in component.hpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-02 14:16:00 UTC
CVE-2022-32201
CVE-2022-32202 on Ubuntu 26.04 LTS (resolute) - medium
In libjpeg 1.63, there is a NULL pointer dereference in LineBuffer::FetchRegion in linebuffer.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-02 14:16:00 UTC
CVE-2022-32202
CVE-2022-32224 on Ubuntu 26.04 LTS (resolute) - medium
A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-05 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016140
CVE-2022-32224
CVE-2022-32278 on Ubuntu 26.04 LTS (resolute) - medium
XFCE 4.16 allows attackers to execute arbitrary code because xdg-open can execute a .desktop file on an attacker-controlled FTP server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-13 22:15:00 UTC
2022-06-13 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-6008-1]
CVE-2022-32278
CVE-2022-32287 on Ubuntu 26.04 LTS (resolute) - medium
A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-03 12:15:00 UTC
CVE-2022-32287
CVE-2022-32298 on Ubuntu 26.04 LTS (resolute) - medium
Toybox v0.8.7 was discovered to contain a NULL pointer dereference via the component httpd.c. This vulnerability can lead to a Denial of Service (DoS) via unspecified vectors.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-14 20:15:00 UTC
CVE-2022-32298
CVE-2022-32325 on Ubuntu 26.04 LTS (resolute) - low
JPEGOPTIM v1.4.7 was discovered to contain a segmentation violation which is caused by a READ memory access at jpegoptim.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-07-01 22:15:00 UTC
https://github.com/tjko/jpegoptim/issues/107
CVE-2022-32325
CVE-2022-3238 on Ubuntu 26.04 LTS (resolute) - medium
A double-free flaw was found in the Linux kernel’s NTFS3 subsystem in how a user triggers remount and umount simultaneously. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-14 21:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2127927
https://bugzilla.suse.com/show_bug.cgi?id=1204655
CVE-2022-3238
CVE-2022-32511 on Ubuntu 26.04 LTS (resolute) - medium
jmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-06 22:15:00 UTC
CVE-2022-32511
CVE-2022-32532 on Ubuntu 26.04 LTS (resolute) - medium
In Apache Shiro before 1.9.1, a RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-29 00:15:00 UTC
4ra1n
CVE-2022-32532
CVE-2022-32546 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in ImageMagick, causing an outside the range of representable values of type 'unsigned long' at coders/pcl.c, when crafted or untrusted input is processed. This leads to a negative impact to application availability or other problems related to undefined behavior.
Update Instructions:
Run `sudo pro fix CVE-2022-32546` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-16 18:15:00 UTC
2022-06-16 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-5534-1]
[https://ubuntu.com/security/notices/USN-5736-1]
[https://ubuntu.com/security/notices/USN-5736-2]
[https://ubuntu.com/security/notices/USN-6200-1]
CVE-2022-32546
CVE-2022-32547 on Ubuntu 26.04 LTS (resolute) - medium
In ImageMagick, there is load of misaligned address for type 'double', which requires 8 byte alignment and for type 'float', which requires 4 byte alignment at MagickCore/property.c. Whenever crafted or untrusted input is processed by ImageMagick, this causes a negative impact to application availability or other problems related to undefined behavior.
Update Instructions:
Run `sudo pro fix CVE-2022-32547` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.3ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.3ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-16 18:15:00 UTC
2022-06-16 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-5534-1]
[https://ubuntu.com/security/notices/USN-5736-1]
[https://ubuntu.com/security/notices/USN-5736-2]
[https://ubuntu.com/security/notices/USN-6200-1]
CVE-2022-32547
CVE-2022-32742 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client-supplied data. The client cannot control the area of the server memory written to the file (or printer).
Update Instructions:
Run `sudo pro fix CVE-2022-32742` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-07-27
2022-07-27
Luca Moro
https://bugzilla.samba.org/show_bug.cgi?id=15085
https://bugzilla.samba.org/show_bug.cgi?id=15109 (tracking bug)
[https://ubuntu.com/security/notices/USN-5542-1]
CVE-2022-32742
CVE-2022-32744 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Samba. The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change other users' passwords, enabling full domain takeover.
Update Instructions:
Run `sudo pro fix CVE-2022-32744` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-27
2022-07-27
Joseph Sutton
https://bugzilla.samba.org/show_bug.cgi?id=15074
https://bugzilla.samba.org/show_bug.cgi?id=15109 (tracking bug)
[https://ubuntu.com/security/notices/USN-5542-1]
CVE-2022-32744
CVE-2022-32745 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Samba. Samba AD users can cause the server to access uninitialized data with an LDAP add or modify the request, usually resulting in a segmentation fault.
Update Instructions:
Run `sudo pro fix CVE-2022-32745` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-27
2022-07-27
Joseph Sutton
https://bugzilla.samba.org/show_bug.cgi?id=15008
https://bugzilla.samba.org/show_bug.cgi?id=15096
https://bugzilla.samba.org/show_bug.cgi?id=15109 (tracking bug)
[https://ubuntu.com/security/notices/USN-5542-1]
CVE-2022-32745
CVE-2022-32746 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP message values freed by a preceding database module, resulting in a use-after-free issue. This issue is only possible when modifying certain privileged attributes, such as userAccountControl.
Update Instructions:
Run `sudo pro fix CVE-2022-32746` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-27
2022-07-27
Joseph Sutton and Andrew Bartlett
https://bugzilla.samba.org/show_bug.cgi?id=15009
https://bugzilla.samba.org/show_bug.cgi?id=15096
https://bugzilla.samba.org/show_bug.cgi?id=15109 (tracking bug)
[https://ubuntu.com/security/notices/USN-5542-1]
CVE-2022-32746
CVE-2022-3276 on Ubuntu 26.04 LTS (resolute) - medium
Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-07 21:15:00 UTC
CVE-2022-3276
CVE-2022-32978 on Ubuntu 26.04 LTS (resolute) - low
There is an assertion failure in SingleComponentLSScan::ParseMCU in singlecomponentlsscan.cpp in libjpeg before 1.64 via an empty JPEG-LS scan.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-06-10 15:15:00 UTC
https://github.com/thorfdbg/libjpeg/issues/75
CVE-2022-32978
CVE-2022-32983 on Ubuntu 26.04 LTS (resolute) - medium
Knot Resolver through 5.5.1 may allow DNS cache poisoning when there is an attempt to limit forwarding actions by filters.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-20 16:15:00 UTC
CVE-2022-32983
CVE-2022-33067 on Ubuntu 26.04 LTS (resolute) - medium
Lrzip v0.651 was discovered to contain multiple invalid arithmetic shifts via the functions get_magic in lrzip.c and Predictor::init in libzpaq/libzpaq.cpp. These vulnerabilities allow attackers to cause a Denial of Service via unspecified vectors.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-23 17:15:00 UTC
CVE-2022-33067
CVE-2022-33068 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
Update Instructions:
Run `sudo pro fix CVE-2022-33068` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-harfbuzz-0.0 - 2.7.4-1ubuntu5
libharfbuzz-bin - 2.7.4-1ubuntu5
libharfbuzz-cairo0 - 2.7.4-1ubuntu5
libharfbuzz-gobject0 - 2.7.4-1ubuntu5
libharfbuzz-icu0 - 2.7.4-1ubuntu5
libharfbuzz-subset0 - 2.7.4-1ubuntu5
libharfbuzz0b - 2.7.4-1ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-23 17:15:00 UTC
2022-06-23 17:15:00 UTC
https://github.com/harfbuzz/harfbuzz/issues/3557
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013673
[https://ubuntu.com/security/notices/USN-5524-1]
CVE-2022-33068
CVE-2022-33070 on Ubuntu 26.04 LTS (resolute) - medium
Protobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
Update Instructions:
Run `sudo pro fix CVE-2022-33070` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libprotobuf-c1 - 1.4.1-1ubuntu1
protobuf-c-compiler - 1.4.1-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-23 17:15:00 UTC
2022-06-23 17:15:00 UTC
https://github.com/protobuf-c/protobuf-c/issues/506
[https://ubuntu.com/security/notices/USN-5531-1]
[https://ubuntu.com/security/notices/USN-5811-1]
CVE-2022-33070
CVE-2022-33108 on Ubuntu 26.04 LTS (resolute) - medium
XPDF v4.04 was discovered to contain a stack overflow vulnerability via the Object::Copy class of object.cc files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-28 17:15:00 UTC
CVE-2022-33108
CVE-2022-33127 on Ubuntu 26.04 LTS (resolute) - medium
The function that calls the diff tool in Diffy 3.4.1 does not properly handle double quotes in a filename when run in a Windows environment. This allows attackers to execute arbitrary commands via a crafted string.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-23 17:15:00 UTC
CVE-2022-33127
CVE-2022-3358 on Ubuntu 26.04 LTS (resolute) - low
OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5).
Update Instructions:
Run `sudo pro fix CVE-2022-3358` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.5-2ubuntu2
openssl - 3.0.5-2ubuntu2
openssl-provider-legacy - 3.0.5-2ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-10-11 15:15:00 UTC
2022-10-11 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021620
[https://ubuntu.com/security/notices/USN-5710-1]
CVE-2022-3358
CVE-2022-33740 on Ubuntu 26.04 LTS (resolute) - medium
Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-05 13:15:00 UTC
2022-07-05 13:15:00 UTC
Roger Pau Monné
[https://ubuntu.com/security/notices/USN-5572-1]
[https://ubuntu.com/security/notices/USN-5579-1]
[https://ubuntu.com/security/notices/USN-5572-2]
[https://ubuntu.com/security/notices/USN-5623-1]
[https://ubuntu.com/security/notices/USN-5624-1]
[https://ubuntu.com/security/notices/USN-5633-1]
[https://ubuntu.com/security/notices/USN-5635-1]
[https://ubuntu.com/security/notices/USN-5640-1]
[https://ubuntu.com/security/notices/USN-5644-1]
[https://ubuntu.com/security/notices/USN-5648-1]
[https://ubuntu.com/security/notices/USN-5655-1]
[https://ubuntu.com/security/notices/USN-5668-1]
[https://ubuntu.com/security/notices/USN-5669-1]
[https://ubuntu.com/security/notices/USN-5669-2]
[https://ubuntu.com/security/notices/USN-5677-1]
[https://ubuntu.com/security/notices/USN-5678-1]
[https://ubuntu.com/security/notices/USN-5679-1]
[https://ubuntu.com/security/notices/USN-5682-1]
[https://ubuntu.com/security/notices/USN-5683-1]
[https://ubuntu.com/security/notices/USN-5684-1]
[https://ubuntu.com/security/notices/USN-5687-1]
[https://ubuntu.com/security/notices/USN-5695-1]
[https://ubuntu.com/security/notices/USN-5706-1]
CVE-2022-33740
CVE-2022-33741 on Ubuntu 26.04 LTS (resolute) - medium
Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-05 13:15:00 UTC
2022-07-05 13:15:00 UTC
[https://ubuntu.com/security/notices/USN-5572-1]
[https://ubuntu.com/security/notices/USN-5579-1]
[https://ubuntu.com/security/notices/USN-5572-2]
[https://ubuntu.com/security/notices/USN-5623-1]
[https://ubuntu.com/security/notices/USN-5624-1]
[https://ubuntu.com/security/notices/USN-5633-1]
[https://ubuntu.com/security/notices/USN-5635-1]
[https://ubuntu.com/security/notices/USN-5640-1]
[https://ubuntu.com/security/notices/USN-5644-1]
[https://ubuntu.com/security/notices/USN-5648-1]
[https://ubuntu.com/security/notices/USN-5655-1]
[https://ubuntu.com/security/notices/USN-5668-1]
[https://ubuntu.com/security/notices/USN-5669-1]
[https://ubuntu.com/security/notices/USN-5669-2]
[https://ubuntu.com/security/notices/USN-5677-1]
[https://ubuntu.com/security/notices/USN-5678-1]
[https://ubuntu.com/security/notices/USN-5679-1]
[https://ubuntu.com/security/notices/USN-5682-1]
[https://ubuntu.com/security/notices/USN-5683-1]
[https://ubuntu.com/security/notices/USN-5684-1]
[https://ubuntu.com/security/notices/USN-5687-1]
[https://ubuntu.com/security/notices/USN-5695-1]
[https://ubuntu.com/security/notices/USN-5706-1]
CVE-2022-33741
CVE-2022-33742 on Ubuntu 26.04 LTS (resolute) - medium
Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-05 13:15:00 UTC
2022-07-05 13:15:00 UTC
[https://ubuntu.com/security/notices/USN-5623-1]
[https://ubuntu.com/security/notices/USN-5624-1]
[https://ubuntu.com/security/notices/USN-5633-1]
[https://ubuntu.com/security/notices/USN-5635-1]
[https://ubuntu.com/security/notices/USN-5640-1]
[https://ubuntu.com/security/notices/USN-5644-1]
[https://ubuntu.com/security/notices/USN-5648-1]
[https://ubuntu.com/security/notices/USN-5655-1]
[https://ubuntu.com/security/notices/USN-5668-1]
[https://ubuntu.com/security/notices/USN-5669-1]
[https://ubuntu.com/security/notices/USN-5669-2]
[https://ubuntu.com/security/notices/USN-5677-1]
[https://ubuntu.com/security/notices/USN-5678-1]
[https://ubuntu.com/security/notices/USN-5679-1]
[https://ubuntu.com/security/notices/USN-5682-1]
[https://ubuntu.com/security/notices/USN-5683-1]
[https://ubuntu.com/security/notices/USN-5684-1]
[https://ubuntu.com/security/notices/USN-5687-1]
[https://ubuntu.com/security/notices/USN-5695-1]
[https://ubuntu.com/security/notices/USN-5706-1]
CVE-2022-33742
CVE-2022-33743 on Ubuntu 26.04 LTS (resolute) - medium
network backend may cause Linux netfront to use freed SKBs. While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-05 13:15:00 UTC
2022-07-05 13:15:00 UTC
Jan Beulich
[https://ubuntu.com/security/notices/USN-5623-1]
[https://ubuntu.com/security/notices/USN-5624-1]
[https://ubuntu.com/security/notices/USN-5633-1]
[https://ubuntu.com/security/notices/USN-5635-1]
[https://ubuntu.com/security/notices/USN-5640-1]
[https://ubuntu.com/security/notices/USN-5644-1]
[https://ubuntu.com/security/notices/USN-5648-1]
[https://ubuntu.com/security/notices/USN-5655-1]
[https://ubuntu.com/security/notices/USN-5683-1]
[https://ubuntu.com/security/notices/USN-5773-1]
[https://ubuntu.com/security/notices/USN-5789-1]
CVE-2022-33743
CVE-2022-33744 on Ubuntu 26.04 LTS (resolute) - medium
Arm guests can cause Dom0 DoS via PV devices. When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-05 13:15:00 UTC
2022-07-05 13:15:00 UTC
Oleksandr Tyshchenko
[https://ubuntu.com/security/notices/USN-5623-1]
[https://ubuntu.com/security/notices/USN-5624-1]
[https://ubuntu.com/security/notices/USN-5633-1]
[https://ubuntu.com/security/notices/USN-5635-1]
[https://ubuntu.com/security/notices/USN-5640-1]
[https://ubuntu.com/security/notices/USN-5644-1]
[https://ubuntu.com/security/notices/USN-5648-1]
[https://ubuntu.com/security/notices/USN-5655-1]
[https://ubuntu.com/security/notices/USN-5668-1]
[https://ubuntu.com/security/notices/USN-5669-1]
[https://ubuntu.com/security/notices/USN-5669-2]
[https://ubuntu.com/security/notices/USN-5677-1]
[https://ubuntu.com/security/notices/USN-5678-1]
[https://ubuntu.com/security/notices/USN-5679-1]
[https://ubuntu.com/security/notices/USN-5682-1]
[https://ubuntu.com/security/notices/USN-5683-1]
[https://ubuntu.com/security/notices/USN-5684-1]
[https://ubuntu.com/security/notices/USN-5687-1]
[https://ubuntu.com/security/notices/USN-5695-1]
[https://ubuntu.com/security/notices/USN-5706-1]
CVE-2022-33744
CVE-2022-33745 on Ubuntu 26.04 LTS (resolute) - medium
insufficient TLB flush for x86 PV guests in shadow mode. For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions. The now wrong use of the variable did lead to a wrong TLB flush condition, omitting flushes where such are necessary.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-26 13:15:00 UTC
CVE-2022-33745
CVE-2022-33746 on Ubuntu 26.04 LTS (resolute) - medium
P2M pool freeing may take excessively long. The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-11 13:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021668
CVE-2022-33746
CVE-2022-33747 on Ubuntu 26.04 LTS (resolute) - medium
Arm: unbounded memory consumption for 2nd-level page tables. Certain actions require e.g. removing pages from a guest's P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation (to replace a large mapping with individual smaller ones). These memory allocations are taken from the global memory pool. A malicious guest might be able to cause the global memory pool to be exhausted by manipulating its own P2M mappings.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-11 13:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021668
CVE-2022-33747
CVE-2022-33748 on Ubuntu 26.04 LTS (resolute) - medium
lock order inversion in transitive grant copy handling. As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can cause locks to be acquired nested within one another, but in respectively opposite order. With suitable timing between the involved grant copy operations this may result in the locking up of a CPU.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-11 13:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021668
CVE-2022-33748
CVE-2022-33879 on Ubuntu 26.04 LTS (resolute) - medium
The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-27 22:15:00 UTC
2022-06-27 22:15:00 UTC
Tony Torralba and Jaroslav Lobačevski
[https://ubuntu.com/security/notices/USN-7529-1]
CVE-2022-33879
CVE-2022-33987 on Ubuntu 26.04 LTS (resolute) - medium
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-06-18 21:15:00 UTC
CVE-2022-33987
CVE-2022-34009 on Ubuntu 26.04 LTS (resolute) - medium
Fossil 2.18 on Windows allows attackers to cause a denial of service (daemon crash) via an XSS payload in a ticket. This occurs because the ticket data is stored in a temporary file, and the product does not properly handle the absence of this file after Windows Defender has flagged it as malware.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-28 00:15:00 UTC
CVE-2022-34009
CVE-2022-34169 on Ubuntu 26.04 LTS (resolute) - medium
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
Update Instructions:
Run `sudo pro fix CVE-2022-34169` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.16+8-0ubuntu1
openjdk-11-jdk - 11.0.16+8-0ubuntu1
openjdk-11-jdk-headless - 11.0.16+8-0ubuntu1
openjdk-11-jre - 11.0.16+8-0ubuntu1
openjdk-11-jre-headless - 11.0.16+8-0ubuntu1
openjdk-11-jre-zero - 11.0.16+8-0ubuntu1
openjdk-11-source - 11.0.16+8-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-19 18:15:00 UTC
2022-07-19 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-5546-1]
[https://ubuntu.com/security/notices/USN-5546-2]
CVE-2022-34169
CVE-2022-34293 on Ubuntu 26.04 LTS (resolute) - medium
wolfSSL before 5.4.0 allows remote attackers to cause a denial of service via DTLS because a check for return-routability can be skipped.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-08 16:15:00 UTC
CVE-2022-34293
CVE-2022-34300 on Ubuntu 26.04 LTS (resolute) - low
In tinyexr 1.0.1, there is a heap-based buffer over-read in tinyexr::DecodePixelData.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-06-23 17:15:00 UTC
2022-06-23 17:15:00 UTC
https://github.com/syoyo/tinyexr/issues/167
[https://ubuntu.com/security/notices/USN-7913-1]
CVE-2022-34300
CVE-2022-34305 on Ubuntu 26.04 LTS (resolute) - low
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-06-23 11:15:00 UTC
CVE-2022-34305
CVE-2022-3437 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack.
Update Instructions:
Run `sudo pro fix CVE-2022-3437` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-27
2022-10-27
Evgeny Legerov
https://bugzilla.samba.org/show_bug.cgi?id=15134
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024187
[https://ubuntu.com/security/notices/USN-5800-1]
[https://ubuntu.com/security/notices/USN-5822-1]
[https://ubuntu.com/security/notices/USN-5822-2]
[https://ubuntu.com/security/notices/USN-5936-1]
[https://ubuntu.com/security/notices/USN-7582-1]
CVE-2022-3437
CVE-2022-34502 on Ubuntu 26.04 LTS (resolute) - low
Radare2 v5.7.0 was discovered to contain a heap buffer overflow via the function consume_encoded_name_new at format/wasm/wasm.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted binary file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-07-22 15:15:00 UTC
CVE-2022-34502
CVE-2022-34520 on Ubuntu 26.04 LTS (resolute) - low
Radare2 v5.7.2 was discovered to contain a NULL pointer dereference via the function r_bin_file_xtr_load_buffer at bin/bfile.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted binary file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-07-22 15:15:00 UTC
CVE-2022-34520
CVE-2022-34667 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit SDK contains a stack-based buffer overflow vulnerability in cuobjdump, where an unprivileged remote attacker could exploit this buffer overflow condition by persuading a local user to download a specially crafted corrupted file and execute cuobjdump against it locally, which may lead to a limited denial of service and some loss of data integrity for the local user.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-19 00:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021625
CVE-2022-34667
CVE-2022-34911 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the username is not escaped: SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-02 20:15:00 UTC
CVE-2022-34911
CVE-2022-34912 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration where a username contains HTML entities, it won't be escaped.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-02 20:15:00 UTC
CVE-2022-34912
CVE-2022-34927 on Ubuntu 26.04 LTS (resolute) - medium
MilkyTracker v1.03.00 was discovered to contain a stack overflow via the component LoaderXM::load. This vulnerability is triggered when the program is supplied a crafted XM module file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-03 01:15:00 UTC
CVE-2022-34927
CVE-2022-3501 on Ubuntu 26.04 LTS (resolute) - medium
Article template contents with sensitive data could be accessed from agents without permissions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-17 09:15:00 UTC
CVE-2022-3501
CVE-2022-35133 on Ubuntu 26.04 LTS (resolute) - medium
A cross-site scripting (XSS) vulnerability in CherryTree v0.99.30 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field when creating a node.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-17 21:15:00 UTC
CVE-2022-35133
CVE-2022-35165 on Ubuntu 26.04 LTS (resolute) - medium
An issue in AP4_SgpdAtom::AP4_SgpdAtom() of Bento4-1.6.0-639 allows attackers to cause a Denial of Service (DoS) via a crafted mp4 input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-18 05:15:00 UTC
CVE-2022-35165
CVE-2022-35166 on Ubuntu 26.04 LTS (resolute) - low
libjpeg commit 842c7ba was discovered to contain an infinite loop via the component JPEG::ReadInternal.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-18 05:15:00 UTC
https://github.com/thorfdbg/libjpeg/issues/76
CVE-2022-35166
CVE-2022-35278 on Ubuntu 26.04 LTS (resolute) - medium
In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-23 15:15:00 UTC
CVE-2022-35278
CVE-2022-3534 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as critical has been found in Linux Kernel. Affected is the function btf_dump_name_dups of the file tools/lib/bpf/btf_dump.c of the component libbpf. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211032.
Update Instructions:
Run `sudo pro fix CVE-2022-3534` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libbpf1 - 1.0.1-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-17 09:15:00 UTC
2022-10-17 09:15:00 UTC
[https://ubuntu.com/security/notices/USN-5759-1]
[https://ubuntu.com/security/notices/USN-5759-2]
[https://ubuntu.com/security/notices/USN-6215-1]
CVE-2022-3534
CVE-2022-35410 on Ubuntu 26.04 LTS (resolute) - medium
mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../ directory traversal during the ZIP archive cleaning process. This primarily affects mat2 web instances, in which clients could obtain sensitive information via a crafted archive.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-07-08 18:15:00 UTC
CVE-2022-35410
CVE-2022-35434 on Ubuntu 26.04 LTS (resolute) - medium
jpeg-quantsmooth before commit 8879454 contained a floating point exception (FPE) via /jpeg-quantsmooth/jpegqs+0x4f5d6c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-16 21:15:00 UTC
CVE-2022-35434
CVE-2022-3560 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-02 21:22:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030168
CVE-2022-3560
CVE-2022-3590 on Ubuntu 26.04 LTS (resolute) - medium
WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-14 09:15:00 UTC
CVE-2022-3590
CVE-2022-36032 on Ubuntu 26.04 LTS (resolute) - medium
ReactPHP HTTP is a streaming HTTP client and server implementation for ReactPHP. In ReactPHP's HTTP server component versions starting with 0.7.0 and prior to 1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like `__Host-` and `__Secure-` confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. This issue is fixed in ReactPHP HTTP version 1.7.0. As a workaround, Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected `Cookie` request headers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-06 19:15:00 UTC
CVE-2022-36032
CVE-2022-36033 on Ubuntu 26.04 LTS (resolute) - medium
jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-29 17:15:00 UTC
CVE-2022-36033
CVE-2022-3606 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Linux Kernel. It has been classified as problematic. This affects the function find_prog_by_sec_insn of the file tools/lib/bpf/libbpf.c of the component BPF. The manipulation leads to null pointer dereference. It is recommended to apply a patch to fix this issue. The identifier VDB-211749 was assigned to this vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2022-3606` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libbpf1 - 1.0.1-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-19 09:15:00 UTC
2022-10-19 09:15:00 UTC
[https://ubuntu.com/security/notices/USN-5759-1]
[https://ubuntu.com/security/notices/USN-5759-2]
[https://ubuntu.com/security/notices/USN-6215-1]
CVE-2022-3606
CVE-2022-36069 on Ubuntu 26.04 LTS (resolute) - medium
Poetry is a dependency manager for Python. When handling dependencies that come from a Git repository instead of a registry, Poetry uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Poetry correctly avoids Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. If a developer is exploited, the attacker could steal credentials or persist their access. If the exploit happens on a server, the attackers could use their access to attack other internal systems. Since this vulnerability requires a fair amount of user interaction, it is not as dangerous as a remotely exploitable one. However, it still puts developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by vetting any Git or Poetry config files that might be present in the directory. Versions 1.1.9 and 1.2.0b1 contain patches for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-07 19:15:00 UTC
CVE-2022-36069
CVE-2022-36083 on Ubuntu 26.04 LTS (resolute) - medium
JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` PBES2 Count, which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive. This makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value, that will initiate a CPU-bound computation that may take an unreasonable amount of time to finish. Under certain conditions, it is possible to have the user's environment consume unreasonable amount of CPU time. The impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (`alg` Header Parameter) using the `keyManagementAlgorithms` (or `algorithms` in v1.x) decryption option or through other means. The `v1.28.2`, `v2.0.6`, `v3.20.4`, and `v4.9.2` releases limit the maximum PBKDF2 iteration count to `10000` by default. It is possible to adjust this limit with a newly introduced `maxPBES2Count` decryption option. If users are unable to upgrade their required library version, they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms. They can use the `keyManagementAlgorithms` decryption option to disable accepting PBKDF2 altogether, or they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (`p2c` Header Parameter).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-07 22:15:00 UTC
CVE-2022-36083
CVE-2022-36148 on Ubuntu 26.04 LTS (resolute) - low
fdkaac commit 53fe239 was discovered to contain a floating point exception (FPE) via wav_open at /src/wav_reader.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-16 21:15:00 UTC
2022-08-16 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-7660-1]
CVE-2022-36148
CVE-2022-36354 on Ubuntu 26.04 LTS (resolute) - medium
A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-36354
CVE-2022-36561 on Ubuntu 26.04 LTS (resolute) - low
XPDF v4.0.4 was discovered to contain a segmentation violation via the component /xpdf/AcroForm.cc:538.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-30 21:15:00 UTC
CVE-2022-36561
CVE-2022-3662 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Axiomatic Bento4. It has been declared as critical. This vulnerability affects the function GetOffset of the file Ap4Sample.h of the component mp42hls. The manipulation leads to use after free. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-212002 is the identifier assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-26 19:15:00 UTC
CVE-2022-3662
CVE-2022-3663 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Axiomatic Bento4. It has been rated as problematic. This issue affects the function AP4_StsdAtom of the file Ap4StsdAtom.cpp of the component MP4fragment. The manipulation leads to null pointer dereference. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-212003.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-26 19:15:00 UTC
CVE-2022-3663
CVE-2022-3664 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as critical has been found in Axiomatic Bento4. Affected is the function AP4_BitStream::WriteBytes of the file Ap4BitStream.cpp of the component avcinfo. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-212004.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-26 19:15:00 UTC
CVE-2022-3664
CVE-2022-3665 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as critical was found in Axiomatic Bento4. Affected by this vulnerability is an unknown functionality of the file AvcInfo.cpp of the component avcinfo. The manipulation leads to heap-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-212005 was assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-26 19:15:00 UTC
CVE-2022-3665
CVE-2022-3666 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, has been found in Axiomatic Bento4. Affected by this issue is the function AP4_LinearReader::Advance of the file Ap4LinearReader.cpp of the component mp42ts. The manipulation leads to use after free. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-212006 is the identifier assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-26 19:15:00 UTC
CVE-2022-3666
CVE-2022-3667 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, was found in Axiomatic Bento4. This affects the function AP4_MemoryByteStream::WritePartial of the file Ap4ByteStream.cpp of the component mp42aac. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-212007.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-26 19:15:00 UTC
CVE-2022-3667
CVE-2022-3668 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in Axiomatic Bento4 and classified as problematic. This vulnerability affects the function AP4_AtomFactory::CreateAtomFromStream of the component mp4edit. The manipulation leads to memory leak. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-212008.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-26 19:15:00 UTC
CVE-2022-3668
CVE-2022-3669 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Axiomatic Bento4 and classified as problematic. This issue affects the function AP4_AvccAtom::Create of the component mp4edit. The manipulation leads to memory leak. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-212009 was assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-26 19:15:00 UTC
CVE-2022-3669
CVE-2022-3670 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Axiomatic Bento4. It has been classified as critical. Affected is the function WriteSample of the component mp42hevc. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-212010 is the identifier assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-26 19:15:00 UTC
CVE-2022-3670
CVE-2022-36760 on Ubuntu 26.04 LTS (resolute) - medium
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Update Instructions:
Run `sudo pro fix CVE-2022-36760` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.55-1ubuntu1
apache2-bin - 2.4.55-1ubuntu1
apache2-data - 2.4.55-1ubuntu1
apache2-suexec-custom - 2.4.55-1ubuntu1
apache2-suexec-pristine - 2.4.55-1ubuntu1
apache2-utils - 2.4.55-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-17 20:15:00 UTC
2023-01-17 20:15:00 UTC
ZeddYu_Lu
[https://ubuntu.com/security/notices/USN-5834-1]
[https://ubuntu.com/security/notices/USN-5839-1]
CVE-2022-36760
CVE-2022-3697 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-28 16:15:00 UTC
2022-10-28 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-6846-1]
CVE-2022-3697
CVE-2022-37026 on Ubuntu 26.04 LTS (resolute) - medium
In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.
Update Instructions:
Run `sudo pro fix CVE-2022-37026` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
erlang - 1:24.3.4.5+dfsg-1
erlang-asn1 - 1:24.3.4.5+dfsg-1
erlang-base - 1:24.3.4.5+dfsg-1
erlang-common-test - 1:24.3.4.5+dfsg-1
erlang-crypto - 1:24.3.4.5+dfsg-1
erlang-debugger - 1:24.3.4.5+dfsg-1
erlang-dialyzer - 1:24.3.4.5+dfsg-1
erlang-diameter - 1:24.3.4.5+dfsg-1
erlang-edoc - 1:24.3.4.5+dfsg-1
erlang-eldap - 1:24.3.4.5+dfsg-1
erlang-et - 1:24.3.4.5+dfsg-1
erlang-eunit - 1:24.3.4.5+dfsg-1
erlang-examples - 1:24.3.4.5+dfsg-1
erlang-ftp - 1:24.3.4.5+dfsg-1
erlang-inets - 1:24.3.4.5+dfsg-1
erlang-jinterface - 1:24.3.4.5+dfsg-1
erlang-megaco - 1:24.3.4.5+dfsg-1
erlang-mnesia - 1:24.3.4.5+dfsg-1
erlang-mode - 1:24.3.4.5+dfsg-1
erlang-nox - 1:24.3.4.5+dfsg-1
erlang-observer - 1:24.3.4.5+dfsg-1
erlang-odbc - 1:24.3.4.5+dfsg-1
erlang-os-mon - 1:24.3.4.5+dfsg-1
erlang-parsetools - 1:24.3.4.5+dfsg-1
erlang-public-key - 1:24.3.4.5+dfsg-1
erlang-reltool - 1:24.3.4.5+dfsg-1
erlang-runtime-tools - 1:24.3.4.5+dfsg-1
erlang-snmp - 1:24.3.4.5+dfsg-1
erlang-src - 1:24.3.4.5+dfsg-1
erlang-ssh - 1:24.3.4.5+dfsg-1
erlang-ssl - 1:24.3.4.5+dfsg-1
erlang-syntax-tools - 1:24.3.4.5+dfsg-1
erlang-tftp - 1:24.3.4.5+dfsg-1
erlang-tools - 1:24.3.4.5+dfsg-1
erlang-wx - 1:24.3.4.5+dfsg-1
erlang-x11 - 1:24.3.4.5+dfsg-1
erlang-xmerl - 1:24.3.4.5+dfsg-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-21 14:15:00 UTC
2022-09-21 14:15:00 UTC
[https://ubuntu.com/security/notices/USN-6059-1]
CVE-2022-37026
CVE-2022-37032 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may lead to a segmentation fault and denial of service. This occurs in bgp_capability_msg_parse in bgpd/bgp_packet.c.
Update Instructions:
Run `sudo pro fix CVE-2022-37032` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
frr - 8.1-1ubuntu3
frr-pythontools - 8.1-1ubuntu3
frr-rpki-rtrlib - 8.1-1ubuntu3
frr-snmp - 8.1-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-19 22:15:00 UTC
2022-09-19 22:15:00 UTC
https://bugzilla.suse.com/show_bug.cgi?id=1202023
[https://ubuntu.com/security/notices/USN-5685-1]
[https://ubuntu.com/security/notices/USN-6482-1]
[https://ubuntu.com/security/notices/USN-6807-1]
CVE-2022-37032
CVE-2022-37290 on Ubuntu 26.04 LTS (resolute) - medium
GNOME Nautilus 42.2 allows a NULL pointer dereference and get_basename application crash via a pasted ZIP archive.
Update Instructions:
Run `sudo pro fix CVE-2022-37290` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-nautilus-4.1 - 1:44~alpha-0ubuntu1
libnautilus-extension4 - 1:44~alpha-0ubuntu1
nautilus - 1:44~alpha-0ubuntu1
nautilus-data - 1:44~alpha-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-14 08:15:00 UTC
2022-11-14 08:15:00 UTC
https://gitlab.gnome.org/GNOME/nautilus/-/issues/2376
https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/1998060
[https://ubuntu.com/security/notices/USN-5786-1]
CVE-2022-37290
CVE-2022-37325 on Ubuntu 26.04 LTS (resolute) - medium
In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-05 21:15:00 UTC
CVE-2022-37325
CVE-2022-37331 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write vulnerability exists in the Gaussian format orientation functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-21 21:15:00 UTC
Claudio Bozzato
CVE-2022-37331
CVE-2022-37436 on Ubuntu 26.04 LTS (resolute) - medium
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
Update Instructions:
Run `sudo pro fix CVE-2022-37436` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.55-1ubuntu1
apache2-bin - 2.4.55-1ubuntu1
apache2-data - 2.4.55-1ubuntu1
apache2-suexec-custom - 2.4.55-1ubuntu1
apache2-suexec-pristine - 2.4.55-1ubuntu1
apache2-utils - 2.4.55-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-17 20:15:00 UTC
2023-01-17 20:15:00 UTC
Dimas Fariski Setyawan Putra
[https://ubuntu.com/security/notices/USN-5839-1]
[https://ubuntu.com/security/notices/USN-5839-2]
CVE-2022-37436
CVE-2022-37599 on Ubuntu 26.04 LTS (resolute) - medium
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-11 19:15:00 UTC
CVE-2022-37599
CVE-2022-37601 on Ubuntu 26.04 LTS (resolute) - medium
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-12 20:15:00 UTC
CVE-2022-37601
CVE-2022-37603 on Ubuntu 26.04 LTS (resolute) - medium
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-14 16:15:00 UTC
CVE-2022-37603
CVE-2022-37609 on Ubuntu 26.04 LTS (resolute) - medium
Prototype pollution vulnerability in beautify-web js-beautify 1.13.7 via the name variable in options.js.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-11 19:15:00 UTC
CVE-2022-37609
CVE-2022-37706 on Ubuntu 26.04 LTS (resolute) - medium
enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-25 19:15:00 UTC
CVE-2022-37706
CVE-2022-37768 on Ubuntu 26.04 LTS (resolute) - low
libjpeg commit 281daa9 was discovered to contain an infinite loop via the component Frame::ParseTrailer.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-18 20:15:00 UTC
https://github.com/thorfdbg/libjpeg/issues/77
CVE-2022-37768
CVE-2022-37769 on Ubuntu 26.04 LTS (resolute) - low
libjpeg commit 281daa9 was discovered to contain a segmentation fault via HuffmanDecoder::Get at huffmandecoder.hpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-18 20:15:00 UTC
https://github.com/thorfdbg/libjpeg/issues/78
CVE-2022-37769
CVE-2022-37770 on Ubuntu 26.04 LTS (resolute) - low
libjpeg commit 281daa9 was discovered to contain a segmentation fault via LineMerger::GetNextLowpassLine at linemerger.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-18 20:15:00 UTC
https://github.com/thorfdbg/libjpeg/issues/79
CVE-2022-37770
CVE-2022-37781 on Ubuntu 26.04 LTS (resolute) - low
fdkaac v1.0.3 was discovered to contain a heap buffer overflow via __interceptor_memcpy.part.46 at /sanitizer_common/sanitizer_common_interceptors.inc.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-16 21:15:00 UTC
2022-08-16 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-7660-1]
CVE-2022-37781
CVE-2022-3784 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as critical was found in Axiomatic Bento4 5e7bb34. Affected by this vulnerability is the function AP4_Mp4AudioDsiParser::ReadBits of the file Ap4Mp4AudioInfo.cpp of the component mp4hls. The manipulation leads to heap-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-212563.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-31 21:15:00 UTC
CVE-2022-3784
CVE-2022-3785 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, has been found in Axiomatic Bento4. Affected by this issue is the function AP4_DataBuffer::SetDataSize of the component Avcinfo. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-212564.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-31 21:15:00 UTC
CVE-2022-3785
CVE-2022-37966 on Ubuntu 26.04 LTS (resolute) - medium
Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability
Update Instructions:
Run `sudo pro fix CVE-2022-37966` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-09 22:15:00 UTC
2022-11-09 22:15:00 UTC
Tom Tervoort
https://bugzilla.samba.org/show_bug.cgi?id=15237
[https://ubuntu.com/security/notices/USN-5822-1]
[https://ubuntu.com/security/notices/USN-5822-2]
[https://ubuntu.com/security/notices/USN-5936-1]
CVE-2022-37966
CVE-2022-37967 on Ubuntu 26.04 LTS (resolute) - medium
Windows Kerberos Elevation of Privilege Vulnerability
Update Instructions:
Run `sudo pro fix CVE-2022-37967` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-09 22:15:00 UTC
2022-11-09 22:15:00 UTC
Tom Tervoort
https://bugzilla.samba.org/show_bug.cgi?id=15231
[https://ubuntu.com/security/notices/USN-5822-1]
[https://ubuntu.com/security/notices/USN-5822-2]
[https://ubuntu.com/security/notices/USN-5936-1]
CVE-2022-37967
CVE-2022-38023 on Ubuntu 26.04 LTS (resolute) - medium
Netlogon RPC Elevation of Privilege Vulnerability
Update Instructions:
Run `sudo pro fix CVE-2022-38023` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-09 22:15:00 UTC
2022-11-09 22:15:00 UTC
https://bugzilla.samba.org/show_bug.cgi?id=15240
[https://ubuntu.com/security/notices/USN-5822-1]
[https://ubuntu.com/security/notices/USN-5822-2]
[https://ubuntu.com/security/notices/USN-5936-1]
CVE-2022-38023
CVE-2022-3807 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Axiomatic Bento4. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Incomplete Fix CVE-2019-13238. The manipulation leads to resource consumption. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-212660.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 20:15:00 UTC
CVE-2022-3807
CVE-2022-38072 on Ubuntu 26.04 LTS (resolute) - medium
An improper array index validation vulnerability exists in the stl_fix_normal_directions functionality of ADMesh Master Commit 767a105 and v0.98.4. A specially-crafted stl file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-03 16:15:00 UTC
CVE-2022-38072
CVE-2022-3809 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Axiomatic Bento4 and classified as problematic. Affected by this issue is the function ParseCommandLine of the file Mp4Tag/Mp4Tag.cpp of the component mp4tag. The manipulation leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-212666 is the identifier assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-02 13:15:00 UTC
CVE-2022-3809
CVE-2022-3810 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Axiomatic Bento4. It has been classified as problematic. This affects the function AP4_File::AP4_File of the file Mp42Hevc.cpp of the component mp42hevc. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-212667.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-02 13:15:00 UTC
CVE-2022-3810
CVE-2022-3812 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Axiomatic Bento4. It has been rated as problematic. Affected by this issue is the function AP4_ContainerAtom::AP4_ContainerAtom of the component mp4encrypt. The manipulation leads to memory leak. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-212678 is the identifier assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 22:15:00 UTC
CVE-2022-3812
CVE-2022-3813 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic has been found in Axiomatic Bento4. This affects an unknown part of the component mp4edit. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-212679.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 22:15:00 UTC
CVE-2022-3813
CVE-2022-3814 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic was found in Axiomatic Bento4. This vulnerability affects unknown code of the component mp4decrypt. The manipulation leads to memory leak. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-212680.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 22:15:00 UTC
CVE-2022-3814
CVE-2022-38143 on Ubuntu 26.04 LTS (resolute) - medium
A heap out-of-bounds write vulnerability exists in the way OpenImageIO v2.3.19.0 processes RLE encoded BMP images. A specially-crafted bmp file can write to arbitrary out of bounds memory, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-38143
CVE-2022-3815 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, has been found in Axiomatic Bento4. This issue affects some unknown processing of the component mp4decrypt. The manipulation leads to memory leak. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-212681 was assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 22:15:00 UTC
CVE-2022-3815
CVE-2022-38152 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on its session, the server crashes with a segmentation fault. This occurs in the second session, which is created through TLS session resumption and reuses the initial struct WOLFSSL. If the server reuses the previous session structure (struct WOLFSSL) by calling wolfSSL_clear(WOLFSSL* ssl) on it, the next received Client Hello (that resumes the previous session) crashes the server. Note that this bug is only triggered when resuming sessions using TLS session resumption. Only servers that use wolfSSL_clear instead of the recommended SSL_free; SSL_new sequence are affected. Furthermore, wolfSSL_clear is part of wolfSSL's compatibility layer and is not enabled by default. It is not part of wolfSSL's native API.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-31 17:15:00 UTC
CVE-2022-38152
CVE-2022-38153 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is exploitable. Man-in-the-middle attackers or a malicious server can crash TLS 1.2 clients during a handshake. If an attacker injects a large ticket (more than 256 bytes) into a NewSessionTicket message in a TLS 1.2 handshake, and the client has a non-empty session cache, the session cache frees a pointer that points to unallocated memory, causing the client to crash with a "free(): invalid pointer" message. NOTE: It is likely that this is also exploitable during TLS 1.3 handshakes between a client and a malicious server. With TLS 1.3, it is not possible to exploit this as a man-in-the-middle.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-31 18:15:00 UTC
CVE-2022-38153
CVE-2022-3816 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, was found in Axiomatic Bento4. Affected is an unknown function of the component mp4decrypt. The manipulation leads to memory leak. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-212682 is the identifier assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 22:15:00 UTC
CVE-2022-3816
CVE-2022-3817 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in Axiomatic Bento4 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component mp4mux. The manipulation leads to memory leak. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-212683.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 22:15:00 UTC
CVE-2022-3817
CVE-2022-38171 on Ubuntu 26.04 LTS (resolute) - medium
Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIG2Stream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2021-30860 (Apple CoreGraphics).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-22 19:15:00 UTC
CVE-2022-38171
CVE-2022-38222 on Ubuntu 26.04 LTS (resolute) - medium
There is a use-after-free issue in JBIG2Stream::close() located in JBIG2Stream.cc in Xpdf 4.04. It can be triggered by sending a crafted PDF file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-29 03:15:00 UTC
CVE-2022-38222
CVE-2022-38223 on Ubuntu 26.04 LTS (resolute) - medium
There is an out-of-bounds write in checkType located in etc.c in w3m 0.5.3. It can be triggered by sending a crafted HTML file to the w3m binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact.
Update Instructions:
Run `sudo pro fix CVE-2022-38223` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
w3m - 0.5.3+git20220429-1ubuntu1
w3m-img - 0.5.3+git20220429-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-15 11:21:00 UTC
2022-08-15 11:21:00 UTC
https://github.com/tats/w3m/issues/242
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019599
[https://ubuntu.com/security/notices/USN-5796-1]
[https://ubuntu.com/security/notices/USN-5796-2]
CVE-2022-38223
CVE-2022-38227 on Ubuntu 26.04 LTS (resolute) - low
XPDF commit ffaf11c was discovered to contain a stack overflow via __asan_memcpy at asan_interceptors_memintrinsics.cpp.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-16 21:15:00 UTC
CVE-2022-38227
CVE-2022-38228 on Ubuntu 26.04 LTS (resolute) - low
XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::transformDataUnit at /xpdf/Stream.cc.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-16 21:15:00 UTC
CVE-2022-38228
CVE-2022-38229 on Ubuntu 26.04 LTS (resolute) - low
XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::readHuffSym(DCTHuffTable*) at /xpdf/Stream.cc.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-16 21:15:00 UTC
CVE-2022-38229
CVE-2022-38230 on Ubuntu 26.04 LTS (resolute) - low
XPDF commit ffaf11c was discovered to contain a floating point exception (FPE) via DCTStream::decodeImage() at /xpdf/Stream.cc.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-16 21:15:00 UTC
CVE-2022-38230
CVE-2022-38231 on Ubuntu 26.04 LTS (resolute) - low
XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::getChar() at /xpdf/Stream.cc.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-16 21:15:00 UTC
CVE-2022-38231
CVE-2022-38233 on Ubuntu 26.04 LTS (resolute) - low
XPDF commit ffaf11c was discovered to contain a segmentation violation via DCTStream::readMCURow() at /xpdf/Stream.cc.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-16 21:15:00 UTC
CVE-2022-38233
CVE-2022-38234 on Ubuntu 26.04 LTS (resolute) - low
XPDF commit ffaf11c was discovered to contain a segmentation violation via Lexer::getObj(Object*) at /xpdf/Lexer.cc.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-16 21:15:00 UTC
CVE-2022-38234
CVE-2022-38235 on Ubuntu 26.04 LTS (resolute) - low
XPDF commit ffaf11c was discovered to contain a segmentation violation via DCTStream::getChar() at /xpdf/Stream.cc.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-16 21:15:00 UTC
CVE-2022-38235
CVE-2022-38236 on Ubuntu 26.04 LTS (resolute) - low
XPDF commit ffaf11c was discovered to contain a global-buffer overflow via Lexer::getObj(Object*) at /xpdf/Lexer.cc.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-16 21:15:00 UTC
CVE-2022-38236
CVE-2022-38237 on Ubuntu 26.04 LTS (resolute) - low
XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::readScan() at /xpdf/Stream.cc.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-16 21:15:00 UTC
CVE-2022-38237
CVE-2022-38238 on Ubuntu 26.04 LTS (resolute) - low
XPDF commit ffaf11c was discovered to contain a heap-buffer overflow via DCTStream::lookChar() at /xpdf/Stream.cc.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-08-16 21:15:00 UTC
CVE-2022-38238
CVE-2022-38247 on Ubuntu 26.04 LTS (resolute) - medium
Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the System Settings page under the Admin panel.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-07 22:15:00 UTC
CVE-2022-38247
CVE-2022-38248 on Ubuntu 26.04 LTS (resolute) - medium
Nagios XI before v5.8.7 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities at auditlog.php.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-07 22:15:00 UTC
CVE-2022-38248
CVE-2022-38249 on Ubuntu 26.04 LTS (resolute) - medium
Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the MTR component in version 1.0.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-07 22:15:00 UTC
CVE-2022-38249
CVE-2022-38250 on Ubuntu 26.04 LTS (resolute) - medium
Nagios XI v5.8.6 was discovered to contain a SQL injection vulnerability via the mib_name parameter at the Manage MIBs page.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-07 22:15:00 UTC
CVE-2022-38250
CVE-2022-38251 on Ubuntu 26.04 LTS (resolute) - medium
Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the System Performance Settings page under the Admin panel.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-07 22:15:00 UTC
CVE-2022-38251
CVE-2022-38254 on Ubuntu 26.04 LTS (resolute) - medium
Nagios XI before v5.8.7 was discovered to contain a cross-site scripting (XSS) vulnerability via the ajax.php script in CCM 3.1.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-07 22:15:00 UTC
CVE-2022-38254
CVE-2022-38334 on Ubuntu 26.04 LTS (resolute) - medium
XPDF v4.04 and earlier was discovered to contain a stack overflow via the function Catalog::countPageTree() at Catalog.cc.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-15 21:15:00 UTC
CVE-2022-38334
CVE-2022-38398 on Ubuntu 26.04 LTS (resolute) - medium
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-22 15:15:00 UTC
2022-09-22 15:15:00 UTC
https://issues.apache.org/jira/browse/BATIK-1331
[https://ubuntu.com/security/notices/USN-6117-1]
CVE-2022-38398
CVE-2022-38528 on Ubuntu 26.04 LTS (resolute) - medium
Open Asset Import Library (assimp) commit 3c253ca was discovered to contain a segmentation violation via the component Assimp::XFileImporter::CreateMeshes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-06 23:15:00 UTC
CVE-2022-38528
CVE-2022-38529 on Ubuntu 26.04 LTS (resolute) - medium
tinyexr commit 0647fb3 was discovered to contain a heap-buffer overflow via the component rleUncompress.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-06 23:15:00 UTC
CVE-2022-38529
CVE-2022-38600 on Ubuntu 26.04 LTS (resolute) - medium
Mplayer SVN-r38374-13.0.1 is vulnerable to Memory Leak via vf.c and vf_vo.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-15 16:15:00 UTC
CVE-2022-38600
CVE-2022-38648 on Ubuntu 26.04 LTS (resolute) - medium
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-22 15:15:00 UTC
2022-09-22 15:15:00 UTC
https://issues.apache.org/jira/browse/BATIK-1333
[https://ubuntu.com/security/notices/USN-6117-1]
CVE-2022-38648
CVE-2022-3872 on Ubuntu 26.04 LTS (resolute) - medium
An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-07 21:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2140567
CVE-2022-3872
CVE-2022-38725 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow in the RFC3164 parser in One Identity syslog-ng 3.0 through 3.37 allows remote attackers to cause a Denial of Service via crafted syslog input that is mishandled by the tcp or network function. syslog-ng Premium Edition 7.0.30 and syslog-ng Store Box 6.10.0 are also affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-23 16:15:00 UTC
CVE-2022-38725
CVE-2022-3873 on Ubuntu 26.04 LTS (resolute) - medium
Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-07 11:15:00 UTC
CVE-2022-3873
CVE-2022-38784 on Ubuntu 26.04 LTS (resolute) - medium
Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-30 03:15:00 UTC
2022-08-30 03:15:00 UTC
[https://ubuntu.com/security/notices/USN-5606-1]
[https://ubuntu.com/security/notices/USN-5606-2]
CVE-2022-38784
CVE-2022-38853 on Ubuntu 26.04 LTS (resolute) - medium
Certain The MPlayer Project products are vulnerable to Buffer Overflow via function asf_init_audio_stream() of libmpdemux/asfheader.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-15 15:15:00 UTC
CVE-2022-38853
CVE-2022-38856 on Ubuntu 26.04 LTS (resolute) - medium
Certain The MPlayer Project products are vulnerable to Buffer Overflow via function mov_build_index() of libmpdemux/demux_mov.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-15 15:15:00 UTC
CVE-2022-38856
CVE-2022-38862 on Ubuntu 26.04 LTS (resolute) - medium
Certain The MPlayer Project products are vulnerable to Buffer Overflow via function play() of libaf/af.c:639. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-15 15:15:00 UTC
CVE-2022-38862
CVE-2022-38928 on Ubuntu 26.04 LTS (resolute) - medium
XPDF 4.04 is vulnerable to Null Pointer Dereference in FoFiType1C.cc:2393.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-21 13:15:00 UTC
CVE-2022-38928
CVE-2022-39047 on Ubuntu 26.04 LTS (resolute) - medium
Freeciv before 2.6.7 and before 3.0.3 is prone to a buffer overflow vulnerability in the Modpack Installer utility's handling of the modpack URL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-31 06:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017579
CVE-2022-39047
CVE-2022-39049 on Ubuntu 26.04 LTS (resolute) - low
An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-05 07:15:00 UTC
CVE-2022-39049
CVE-2022-39050 on Ubuntu 26.04 LTS (resolute) - low
An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external data sources e.g. database or ldap
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-05 07:15:00 UTC
CVE-2022-39050
CVE-2022-39051 on Ubuntu 26.04 LTS (resolute) - medium
Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3rd party package
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-05 07:15:00 UTC
CVE-2022-39051
CVE-2022-39052 on Ubuntu 26.04 LTS (resolute) - medium
An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-17 09:15:00 UTC
CVE-2022-39052
CVE-2022-39173 on Ubuntu 26.04 LTS (resolute) - medium
In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. This occurs when an attacker supposedly resumes a previous TLS session. During the resumption Client Hello a Hello Retry Request must be triggered. Both Client Hellos are required to contain a list of duplicate cipher suites to trigger the buffer overflow. In total, two Client Hellos have to be sent: one in the resumed session, and a second one as a response to a Hello Retry Request message.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-29 01:15:00 UTC
CVE-2022-39173
CVE-2022-39237 on Ubuntu 26.04 LTS (resolute) - medium
sylabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1 the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-06 18:16:00 UTC
CVE-2022-39237
CVE-2022-39243 on Ubuntu 26.04 LTS (resolute) - medium
NuProcess is an external process execution implementation for Java. In all the versions of NuProcess where it forks processes by using the JVM's Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line injection. Java's ProcessBuilder isn't vulnerable because of a check in ProcessBuilder.start. NuProcess is missing that check. This vulnerability can only be exploited to inject command line arguments on Linux. Version 2.0.5 contains a patch. As a workaround, users of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-26 14:15:00 UTC
CVE-2022-39243
CVE-2022-39244 on Ubuntu 26.04 LTS (resolute) - medium
PJSIP is a free and open source multimedia communication library written in C. In versions of PJSIP prior to 2.13 the PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser are affected by a buffer overflow vulnerability. Users connecting to untrusted clients are at risk. This issue has been patched and is available as commit c4d3498 in the master branch and will be included in releases 2.13 and later. Users are advised to upgrade. There are no known workarounds for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-06 18:16:00 UTC
2022-10-06 18:16:00 UTC
ej7367
[https://ubuntu.com/security/notices/USN-6422-1]
CVE-2022-39244
CVE-2022-39254 on Ubuntu 26.04 LTS (resolute) - medium
matrix-nio is a Python Matrix client library, designed according to sans I/O principles. Prior to version 0.20, when a user requests a room key from their devices, the software correctly remembers the request. Once they receive a forwarded room key, they accept it without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack. Version 0.20 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-29 15:15:00 UTC
CVE-2022-39254
CVE-2022-39264 on Ubuntu 26.04 LTS (resolute) - medium
nheko is a desktop client for the Matrix communication application. All versions below 0.10.2 are vulnerable to homeservers inserting malicious secrets, which could lead to man-in-the-middle attacks. Users can upgrade to version 0.10.2 to protect against this issue. As a workaround, one may apply the patch manually, avoid doing verifications of one's own devices, and/or avoid pressing the request button in the settings menu.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-28 22:15:00 UTC
CVE-2022-39264
CVE-2022-39269 on Ubuntu 26.04 LTS (resolute) - medium
PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a in the master branch of the project and will be included in version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-06 18:16:00 UTC
ej7367
CVE-2022-39269
CVE-2022-39285 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source Closed-circuit television software application. The file parameter is vulnerable to a cross site scripting vulnerability (XSS) by backing out of the current "tr" "td" brackets. This then allows a malicious user to provide code that will execute when a user views the specific log on the "view=log" page. This vulnerability allows an attacker to store code within the logs that will be executed when loaded by a legitimate user. These actions will be performed with the permission of the victim. This could lead to data loss and/or further exploitation including account takeover. This issue has been addressed in versions `1.36.27` and `1.37.24`. Users are advised to upgrade. Users unable to upgrade should disable database logging.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-07 21:15:00 UTC
CVE-2022-39285
CVE-2022-39289 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source Closed-circuit television software application. In affected versions the ZoneMinder API Exposes Database Log contents to user without privileges, allows insertion, modification, deletion of logs without System Privileges. Users are advised to upgrade as soon as possible. Users unable to upgrade should disable database logging.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-07 21:15:00 UTC
CVE-2022-39289
CVE-2022-39290 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source Closed-circuit television software application. In affected versions authenticated users can bypass CSRF keys by modifying the request supplied to the Zoneminder web application. These modifications include replacing HTTP POST with an HTTP GET and removing the CSRF key from the request. An attacker can take advantage of this by using an HTTP GET request to perform actions with no CSRF protection. This could allow an attacker to cause an authenticated user to perform unexpected actions on the web application. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-07 21:15:00 UTC
CVE-2022-39290
CVE-2022-39291 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows users with "View" system permissions to inject new data into the logs stored by Zoneminder. This was observed through an HTTP POST request containing log information to the "/zm/index.php" endpoint. Submission is not rate controlled and could affect database performance and/or consume all storage resources. Users are advised to upgrade. There are no known workarounds for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-07 21:15:00 UTC
CVE-2022-39291
CVE-2022-39331 on Ubuntu 26.04 LTS (resolute) - medium
Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-25 19:15:00 UTC
CVE-2022-39331
CVE-2022-39332 on Ubuntu 26.04 LTS (resolute) - medium
Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-25 20:15:00 UTC
CVE-2022-39332
CVE-2022-39333 on Ubuntu 26.04 LTS (resolute) - medium
Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-25 20:15:00 UTC
CVE-2022-39333
CVE-2022-39334 on Ubuntu 26.04 LTS (resolute) - medium
Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-25 19:15:00 UTC
CVE-2022-39334
CVE-2022-39353 on Ubuntu 26.04 LTS (resolute) - medium
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please use one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement` or reject a document with a document that has more than 1 `childNode`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-02 17:15:00 UTC
2022-11-02 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-6102-1]
CVE-2022-39353
CVE-2022-3974 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as critical was found in Axiomatic Bento4. Affected by this vulnerability is the function AP4_StdcFileByteStream::ReadPartial of the file Ap4StdCFileByteStream.cpp of the component mp4info. The manipulation leads to heap-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-213553 was assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-13 10:15:00 UTC
CVE-2022-3974
CVE-2022-39831 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in PSPP 1.6.2. There is a heap-based buffer overflow at the function read_bytes_internal in utilities/pspp-dump-sav.c, which allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact. This issue is different from CVE-2018-20230.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-05 05:15:00 UTC
CVE-2022-39831
CVE-2022-39832 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in PSPP 1.6.2. There is a heap-based buffer overflow at the function read_string in utilities/pspp-dump-sav.c, which allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-05 05:15:00 UTC
CVE-2022-39832
CVE-2022-39955 on Ubuntu 26.04 LTS (resolute) - low
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-20 07:15:00 UTC
CVE-2022-39955
CVE-2022-39956 on Ubuntu 26.04 LTS (resolute) - low
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-20 07:15:00 UTC
CVE-2022-39956
CVE-2022-39957 on Ubuntu 26.04 LTS (resolute) - low
The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-20 07:15:00 UTC
CVE-2022-39957
CVE-2022-39958 on Ubuntu 26.04 LTS (resolute) - low
The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-20 07:15:00 UTC
CVE-2022-39958
CVE-2022-3996 on Ubuntu 26.04 LTS (resolute) - low
If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. Update (31 March 2023): The description of the policy processing enablement was corrected based on CVE-2023-0466.
Update Instructions:
Run `sudo pro fix CVE-2022-3996` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.7-1ubuntu1
openssl - 3.0.7-1ubuntu1
openssl-provider-legacy - 3.0.7-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-12-13 16:15:00 UTC
2022-12-13 16:15:00 UTC
Polar Bear
[https://ubuntu.com/security/notices/USN-6039-1]
CVE-2022-3996
CVE-2022-40146 on Ubuntu 26.04 LTS (resolute) - medium
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-22 15:15:00 UTC
2022-09-22 15:15:00 UTC
https://issues.apache.org/jira/browse/BATIK-1335
[https://ubuntu.com/security/notices/USN-6117-1]
CVE-2022-40146
CVE-2022-40149 on Ubuntu 26.04 LTS (resolute) - low
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-16 10:15:00 UTC
2022-09-16 10:15:00 UTC
[https://ubuntu.com/security/notices/USN-6177-1]
CVE-2022-40149
CVE-2022-40150 on Ubuntu 26.04 LTS (resolute) - low
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-16 10:15:00 UTC
2022-09-16 10:15:00 UTC
[https://ubuntu.com/security/notices/USN-6177-1]
CVE-2022-40150
CVE-2022-40151 on Ubuntu 26.04 LTS (resolute) - low
Those using Xstream to serialize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-16 10:15:00 UTC
CVE-2022-40151
CVE-2022-40152 on Ubuntu 26.04 LTS (resolute) - low
Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-16 10:15:00 UTC
CVE-2022-40152
CVE-2022-40281 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE). cyassl_connect_step2 in curl/vtls/cyassl.c has a missing X509_free after SSL_get_peer_certificate, leading to information disclosure.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-08 22:15:00 UTC
CVE-2022-40281
CVE-2022-40299 on Ubuntu 26.04 LTS (resolute) - low
In Singular before 4.3.1, a predictable /tmp pathname is used (e.g., by sdb.cc), which allows local users to gain the privileges of other users via a procedure in a file under /tmp. NOTE: this CVE Record is about sdb.cc and similar files in the Singular interface that have predictable /tmp pathnames; this CVE Record is not about the lack of a safe temporary-file creation capability in the Singular language.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-09 01:15:00 UTC
CVE-2022-40299
CVE-2022-40320 on Ubuntu 26.04 LTS (resolute) - medium
cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer over-read.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-09 21:15:00 UTC
CVE-2022-40320
CVE-2022-40438 on Ubuntu 26.04 LTS (resolute) - medium
Buffer overflow vulnerability in function AP4_MemoryByteStream::WritePartial in mp42aac in Bento4 v1.6.0-639, allows attackers to cause a denial of service via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-14 21:15:00 UTC
CVE-2022-40438
CVE-2022-40439 on Ubuntu 26.04 LTS (resolute) - medium
A memory leak issue was discovered in AP4_StdcFileByteStream::Create in mp42ts in Bento4 v1.6.0-639, allows attackers to cause a denial of service via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-14 21:15:00 UTC
CVE-2022-40439
CVE-2022-4055 on Ubuntu 26.04 LTS (resolute) - low
When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-11-19 00:15:00 UTC
https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/205#note_1494267
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027160
CVE-2022-4055
CVE-2022-40617 on Ubuntu 26.04 LTS (resolute) - medium
strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data.
Update Instructions:
Run `sudo pro fix CVE-2022-40617` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
charon-cmd - 5.9.6-1ubuntu2
charon-systemd - 5.9.6-1ubuntu2
libcharon-extauth-plugins - 5.9.6-1ubuntu2
libcharon-extra-plugins - 5.9.6-1ubuntu2
libstrongswan - 5.9.6-1ubuntu2
libstrongswan-extra-plugins - 5.9.6-1ubuntu2
libstrongswan-standard-plugins - 5.9.6-1ubuntu2
strongswan - 5.9.6-1ubuntu2
strongswan-charon - 5.9.6-1ubuntu2
strongswan-libcharon - 5.9.6-1ubuntu2
strongswan-nm - 5.9.6-1ubuntu2
strongswan-pki - 5.9.6-1ubuntu2
strongswan-starter - 5.9.6-1ubuntu2
strongswan-swanctl - 5.9.6-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03
2022-10-03
Lahav Schlesinger
[https://ubuntu.com/security/notices/USN-5651-1]
[https://ubuntu.com/security/notices/USN-5651-2]
CVE-2022-40617
CVE-2022-4064 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability was found in Dalli up to 3.2.2. It has been classified as problematic. Affected is the function self.meta_set of the file lib/dalli/protocol/meta/request_formatter.rb of the component Meta Protocol Handler. The manipulation of the argument cas/ttl leads to injection. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.2.3 is able to address this issue. The patch is identified as 48d594dae55934476fec61789e7a7c3700e0f50d. It is recommended to upgrade the affected component.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-11-19 19:15:00 UTC
CVE-2022-4064
CVE-2022-4065 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in cbeust testng 7.5.0/7.6.0/7.6.1/7.7.0. It has been declared as critical. Affected by this vulnerability is the function testngXmlExistsInJar of the file testng-core/src/main/java/org/testng/JarFileUtils.java of the component XML File Parser. The manipulation leads to path traversal. The attack can be launched remotely. Upgrading to version 7.5.1 and 7.7.1 is able to address this issue. The patch is named 9150736cd2c123a6a3b60e6193630859f9f0422b. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-214027.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-19 19:15:00 UTC
CVE-2022-4065
CVE-2022-40664 on Ubuntu 26.04 LTS (resolute) - medium
Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-12 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021671
CVE-2022-40664
CVE-2022-40674 on Ubuntu 26.04 LTS (resolute) - medium
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
Update Instructions:
Run `sudo pro fix CVE-2022-40674` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.5.0-1
libexpat1 - 2.5.0-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-14 11:15:00 UTC
2022-09-14 11:15:00 UTC
Rhodri James
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019761
[https://ubuntu.com/security/notices/USN-5638-1]
[https://ubuntu.com/security/notices/USN-5726-1]
[https://ubuntu.com/security/notices/USN-5638-2]
[https://ubuntu.com/security/notices/USN-5638-4]
CVE-2022-40674
CVE-2022-40736 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Bento4 1.6.0-639. There is excessive memory consumption in AP4_CttsAtom::Create in Core/Ap4CttsAtom.cpp.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-15 04:15:00 UTC
CVE-2022-40736
CVE-2022-40737 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Bento4 through 1.6.0-639. A buffer over-read exists in the function AP4_StdcFileByteStream::WritePartial located in System/StdC/Ap4StdCFileByteStream.cpp, called from AP4_ByteStream::Write and AP4_HdlrAtom::WriteFields.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-15 04:15:00 UTC
CVE-2022-40737
CVE-2022-40738 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Bento4 through 1.6.0-639. A NULL pointer dereference occurs in AP4_DescriptorListWriter::Action in Core/Ap4Descriptor.h, called from AP4_EsDescriptor::WriteFields and AP4_Expandable::Write.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-09-15 04:15:00 UTC
CVE-2022-40738
CVE-2022-40774 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 through 1.6.0-639. There is a NULL pointer dereference in AP4_StszAtom::GetSampleSize.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-18 19:15:00 UTC
CVE-2022-40774
CVE-2022-40775 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 through 1.6.0-639. A NULL pointer dereference occurs in AP4_StszAtom::WriteFields.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-18 19:15:00 UTC
CVE-2022-40775
CVE-2022-40884 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 1.6.0 has memory leaks via the mp4fragment.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-19 18:15:00 UTC
CVE-2022-40884
CVE-2022-40885 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 v1.6.0-639 has a memory allocation issue that can cause denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-19 18:15:00 UTC
CVE-2022-40885
CVE-2022-40982 on Ubuntu 26.04 LTS (resolute) - medium
Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
Update Instructions:
Run `sudo pro fix CVE-2022-40982` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
intel-microcode - 3.20230808.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-08
2023-08-08
Daniel Moghimi
[https://ubuntu.com/security/notices/USN-6286-1]
[https://ubuntu.com/security/notices/USN-6315-1]
[https://ubuntu.com/security/notices/USN-6316-1]
[https://ubuntu.com/security/notices/USN-6317-1]
[https://ubuntu.com/security/notices/USN-6318-1]
[https://ubuntu.com/security/notices/USN-6321-1]
[https://ubuntu.com/security/notices/USN-6324-1]
[https://ubuntu.com/security/notices/USN-6325-1]
[https://ubuntu.com/security/notices/USN-6328-1]
[https://ubuntu.com/security/notices/USN-6329-1]
[https://ubuntu.com/security/notices/USN-6330-1]
[https://ubuntu.com/security/notices/USN-6331-1]
[https://ubuntu.com/security/notices/USN-6332-1]
[https://ubuntu.com/security/notices/USN-6346-1]
[https://ubuntu.com/security/notices/USN-6348-1]
[https://ubuntu.com/security/notices/USN-6357-1]
[https://ubuntu.com/security/notices/USN-6388-1]
[https://ubuntu.com/security/notices/USN-6396-1]
[https://ubuntu.com/security/notices/USN-6397-1]
[https://ubuntu.com/security/notices/USN-6396-2]
[https://ubuntu.com/security/notices/USN-6396-3]
CVE-2022-40982
CVE-2022-4122 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in buildah. Incorrect following of symlinks while reading .containerignore and .dockerignore results in information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-08 16:15:00 UTC
CVE-2022-4122
CVE-2022-4123 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-08 16:15:00 UTC
CVE-2022-4123
CVE-2022-4134 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in openstack-glance. This issue could allow a remote, authenticated attacker to tamper with images, compromising the integrity of virtual machines created using these modified images.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-06 23:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2147462
https://bugs.launchpad.net/ossn/+bug/1990157
CVE-2022-4134
CVE-2022-41419 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 v1.6.0-639 was discovered to contain a memory leak via the AP4_Processor::Process function in the mp4encrypt binary.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03 14:15:00 UTC
CVE-2022-41419
CVE-2022-41420 on Ubuntu 26.04 LTS (resolute) - medium
nasm v2.16 was discovered to contain a stack overflow in the Ndisasm component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03 14:15:00 UTC
CVE-2022-41420
CVE-2022-41423 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 v1.6.0-639 was discovered to contain a segmentation violation in the mp4fragment component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03 14:15:00 UTC
CVE-2022-41423
CVE-2022-41424 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 v1.6.0-639 was discovered to contain a memory leak via the AP4_SttsAtom::Create function in mp42hls.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03 14:15:00 UTC
CVE-2022-41424
CVE-2022-41425 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 v1.6.0-639 was discovered to contain a segmentation violation via the AP4_Processor::ProcessFragments function in mp4decrypt.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03 14:15:00 UTC
CVE-2022-41425
CVE-2022-41426 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 v1.6.0-639 was discovered to contain a memory leak via the AP4_AtomFactory::CreateAtomFromStream function in mp4split.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03 14:15:00 UTC
CVE-2022-41426
CVE-2022-41427 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 v1.6.0-639 was discovered to contain a memory leak in the AP4_AvcFrameParser::Feed function in mp4mux.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03 14:15:00 UTC
CVE-2022-41427
CVE-2022-41428 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_BitReader::ReadBits function in mp4mux.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03 14:15:00 UTC
CVE-2022-41428
CVE-2022-41429 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_Atom::TypeFromString function in mp4tag.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03 14:15:00 UTC
CVE-2022-41429
CVE-2022-41430 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_BitReader::ReadBit function in mp4mux.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-03 14:15:00 UTC
CVE-2022-41430
CVE-2022-41444 on Ubuntu 26.04 LTS (resolute) - medium
Cross Site Scripting (XSS) vulnerability in Cacti 1.2.21 via crafted POST request to graphs_new.php.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2022-41444
CVE-2022-41550 on Ubuntu 26.04 LTS (resolute) - medium
GNU oSIP v5.3.0 was discovered to contain an integer overflow via the component osip_body_parse_header.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-11 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021662
CVE-2022-41550
CVE-2022-41639 on Ubuntu 26.04 LTS (resolute) - medium
A heap based buffer overflow vulnerability exists in tile decoding code of TIFF image parser in OpenImageIO master-branch-9aeece7a and v2.3.19.0. A specially-crafted TIFF file can lead to an out of bounds memory corruption, which can result in arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-41639
CVE-2022-41649 on Ubuntu 26.04 LTS (resolute) - medium
A heap out of bounds read vulnerability exists in the handling of IPTC data while parsing TIFF images in OpenImageIO v2.3.19.0. A specially-crafted TIFF file can cause a read of adjacent heap memory, which can leak sensitive process information. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-41649
CVE-2022-4167 on Ubuntu 26.04 LTS (resolute) - medium
Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group owner loses the ability to revoke them.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-12 04:15:00 UTC
CVE-2022-4167
CVE-2022-41674 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-14 00:15:00 UTC
2022-10-14 00:15:00 UTC
Sönke Huster
[https://ubuntu.com/security/notices/USN-5691-1]
[https://ubuntu.com/security/notices/USN-5692-1]
[https://ubuntu.com/security/notices/USN-5693-1]
[https://ubuntu.com/security/notices/USN-5700-1]
[https://ubuntu.com/security/notices/USN-5708-1]
[https://ubuntu.com/security/notices/USN-5752-1]
CVE-2022-41674
CVE-2022-41684 on Ubuntu 26.04 LTS (resolute) - medium
A heap out of bounds read vulnerability exists in the OpenImageIO master-branch-9aeece7a when parsing the image file directory part of a PSD image file. A specially-crafted .psd file can cause a read of arbitrary memory address which can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-41684
CVE-2022-4170 on Ubuntu 26.04 LTS (resolute) - medium
The rxvt-unicode package is vulnerable to a remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-09 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025489
CVE-2022-4170
CVE-2022-41704 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-25 17:15:00 UTC
2022-10-25 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-6117-1]
CVE-2022-41704
CVE-2022-41723 on Ubuntu 26.04 LTS (resolute) - medium
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
Update Instructions:
Run `sudo pro fix CVE-2022-41723` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
google-guest-agent - 20230426.00-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-28 18:15:00 UTC
2023-02-28 18:15:00 UTC
https://github.com/golang/go/issues/57855
[https://ubuntu.com/security/notices/USN-7109-1]
[https://ubuntu.com/security/notices/USN-7111-1]
[https://ubuntu.com/security/notices/USN-8089-1]
[https://ubuntu.com/security/notices/USN-8089-2]
[https://ubuntu.com/security/notices/USN-8089-3]
CVE-2022-41723
CVE-2022-41765 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. HTMLUserTextField exposes the existence of hidden users.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-26 06:15:00 UTC
CVE-2022-41765
CVE-2022-41766 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. Upon an action=rollback operation, the alreadyrolled message can leak a user name (when the user has been revision deleted/suppressed).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-29 21:15:00 UTC
CVE-2022-41766
CVE-2022-41767 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki before 1.35.8, 1.36.x and 1.37.x before 1.37.5, and 1.38.x before 1.38.3. When changes made by an IP address are reassigned to a user (using reassignEdits.php), the changes will still be attributed to the IP address on Special:Contributions when doing a range lookup.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-26 06:15:00 UTC
CVE-2022-41767
CVE-2022-41793 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write vulnerability exists in the CSR format title functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-21 21:15:00 UTC
Claudio Bozzato
CVE-2022-41793
CVE-2022-41794 on Ubuntu 26.04 LTS (resolute) - medium
A heap based buffer overflow vulnerability exists in the PSD thumbnail resource parsing code of OpenImageIO 2.3.19.0. A specially-crafted PSD file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-41794
CVE-2022-41837 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write vulnerability exists in the OpenImageIO::add_exif_item_to_spec functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially-crafted exif metadata can lead to stack-based memory corruption. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-41837
CVE-2022-41838 on Ubuntu 26.04 LTS (resolute) - medium
A code execution vulnerability exists in the DDS scanline parsing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially-crafted .dds can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-41838
CVE-2022-41841 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 through 1.6.0-639. A NULL pointer dereference occurs in AP4_File::ParseStream in Core/Ap4File.cpp, which is called from AP4_File::AP4_File.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-30 05:15:00 UTC
CVE-2022-41841
CVE-2022-41842 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Xpdf 4.04. There is a crash in gfseek(_IO_FILE*, long, int) in goo/gfile.cc.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-30 05:15:00 UTC
CVE-2022-41842
CVE-2022-41843 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Xpdf 4.04. There is a crash in convertToType0 in fofi/FoFiType1C.cc, a different vulnerability than CVE-2022-38928.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-30 05:15:00 UTC
CVE-2022-41843
CVE-2022-41844 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Xpdf 4.04. There is a crash in XRef::fetch(int, int, Object*, int) in xpdf/XRef.cc, a different vulnerability than CVE-2018-16369 and CVE-2019-16088.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-30 05:15:00 UTC
CVE-2022-41844
CVE-2022-41845 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.6.0-639. There is excessive memory consumption in the function AP4_Array<AP4_ElstEntry>::EnsureCapacity in Core/Ap4Array.h.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-30 05:15:00 UTC
CVE-2022-41845
CVE-2022-41846 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.6.0-639. There is excessive memory consumption in the function AP4_DataBuffer::ReallocateBuffer in Core/Ap4DataBuffer.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-30 05:15:00 UTC
CVE-2022-41846
CVE-2022-41847 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.6.0-639. A memory leak exists in AP4_StdcFileByteStream::Create(AP4_FileByteStream*, char const*, AP4_FileByteStream::Mode, AP4_ByteStream*&) in System/StdC/Ap4StdCFileByteStream.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-09-30 05:15:00 UTC
CVE-2022-41847
CVE-2022-41848 on Ubuntu 26.04 LTS (resolute) - negligible
drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling ioctl, aka a race condition between mgslpc_ioctl and mgslpc_detach.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-09-30 06:15:00 UTC
Hyunwoo Kim
CVE-2022-41848
CVE-2022-41853 on Ubuntu 26.04 LTS (resolute) - medium
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-06 18:17:00 UTC
CVE-2022-41853
CVE-2022-41881 on Ubuntu 26.04 LTS (resolute) - medium
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
Update Instructions:
Run `sudo pro fix CVE-2022-41881` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnetty-java - 4.1.48-6
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-12 18:15:00 UTC
2022-12-12 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-6049-1]
CVE-2022-41881
CVE-2022-41915 on Ubuntu 26.04 LTS (resolute) - medium
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values.
Update Instructions:
Run `sudo pro fix CVE-2022-41915` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnetty-java - 4.1.48-6
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-13 07:15:00 UTC
2022-12-13 07:15:00 UTC
[https://ubuntu.com/security/notices/USN-6049-1]
CVE-2022-41915
CVE-2022-41916 on Ubuntu 26.04 LTS (resolute) - medium
Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. Versions prior to 7.7.1 are vulnerable to a denial of service vulnerability in Heimdal's PKI certificate validation library, affecting the KDC (via PKINIT) and kinit (via PKINIT), as well as any third-party applications using Heimdal's libhx509. Users should upgrade to Heimdal 7.7.1 or 7.8. There are no known workarounds for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-15 23:15:00 UTC
2022-11-15 23:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024187
[https://ubuntu.com/security/notices/USN-5766-1]
CVE-2022-41916
CVE-2022-41946 on Ubuntu 26.04 LTS (resolute) - low
pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatement.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-11-23 20:15:00 UTC
CVE-2022-41946
CVE-2022-41966 on Ubuntu 26.04 LTS (resolute) - medium
XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-28 00:15:00 UTC
2022-12-28 00:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027754
[https://ubuntu.com/security/notices/USN-5946-1]
CVE-2022-41966
CVE-2022-41977 on Ubuntu 26.04 LTS (resolute) - medium
An out of bounds read vulnerability exists in the way OpenImageIO version v2.3.19.0 processes string fields in TIFF image files. A specially-crafted TIFF file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-41977
CVE-2022-41981 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the TGA file format parser of OpenImageIO v2.3.19.0. A specially-crafted targa file can lead to out of bounds read and write on the process stack, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-41981
CVE-2022-41988 on Ubuntu 26.04 LTS (resolute) - medium
An information disclosure vulnerability exists in the OpenImageIO::decode_iptc_iim() functionality of OpenImageIO Project OpenImageIO v2.3.19.0. A specially-crafted TIFF file can lead to a disclosure of sensitive information. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-41988
CVE-2022-41999 on Ubuntu 26.04 LTS (resolute) - medium
A denial of service vulnerability exists in the DDS native tile reading functionality of OpenImageIO Project OpenImageIO v2.3.19.0 and v2.4.4.2. A specially-crafted .dds can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-41999
CVE-2022-42003 on Ubuntu 26.04 LTS (resolute) - medium
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-02 05:15:00 UTC
CVE-2022-42003
CVE-2022-42004 on Ubuntu 26.04 LTS (resolute) - medium
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-02 05:15:00 UTC
CVE-2022-42004
CVE-2022-42252 on Ubuntu 26.04 LTS (resolute) - medium
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 09:15:00 UTC
2022-11-01 09:15:00 UTC
[https://ubuntu.com/security/notices/USN-6880-1]
CVE-2022-42252
CVE-2022-42309 on Ubuntu 26.04 LTS (resolute) - medium
Xenstore: Guests can crash xenstored. Due to a bug in the fix of XSA-115 a malicious guest can cause xenstored to use a wrong pointer during node creation in an error path, resulting in a crash of xenstored or a memory corruption in xenstored causing further damage. Entering the error path can be controlled by the guest e.g. by exceeding the quota value of maximum nodes per domain.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42309
CVE-2022-42310 on Ubuntu 26.04 LTS (resolute) - medium
Xenstore: Guests can create orphaned Xenstore nodes. By creating multiple nodes inside a transaction resulting in an error, a malicious guest can create orphaned nodes in the Xenstore data base, as the cleanup after the error will not remove all nodes already created. When the transaction is committed after this situation, nodes without a valid parent can be made permanent in the data base.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42310
CVE-2022-42311 on Ubuntu 26.04 LTS (resolute) - medium
Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - by accessing many nodes inside a transaction
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42311
CVE-2022-42312 on Ubuntu 26.04 LTS (resolute) - medium
Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - by accessing many nodes inside a transaction
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42312
CVE-2022-42313 on Ubuntu 26.04 LTS (resolute) - medium
Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - by accessing many nodes inside a transaction
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42313
CVE-2022-42314 on Ubuntu 26.04 LTS (resolute) - medium
Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - by accessing many nodes inside a transaction
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42314
CVE-2022-42315 on Ubuntu 26.04 LTS (resolute) - medium
Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - by accessing many nodes inside a transaction
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42315
CVE-2022-42316 on Ubuntu 26.04 LTS (resolute) - medium
Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - by accessing many nodes inside a transaction
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42316
CVE-2022-42317 on Ubuntu 26.04 LTS (resolute) - medium
Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - by accessing many nodes inside a transaction
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42317
CVE-2022-42318 on Ubuntu 26.04 LTS (resolute) - medium
Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - by accessing many nodes inside a transaction
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42318
CVE-2022-42319 on Ubuntu 26.04 LTS (resolute) - medium
Xenstore: Guests can cause Xenstore to not free temporary memory. When working on a request of a guest, xenstored might need to allocate quite large amounts of memory temporarily. This memory is freed only after the request has been finished completely. A request is regarded to be finished only after the guest has read the response message of the request from the ring page. Thus a guest not reading the response can cause xenstored to not free the temporary memory. This can result in memory shortages causing Denial of Service (DoS) of xenstored.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42319
CVE-2022-42320 on Ubuntu 26.04 LTS (resolute) - medium
Xenstore: Guests can get access to Xenstore nodes of deleted domains. Access rights of Xenstore nodes are per domid. When a domain is gone, there might be Xenstore nodes left with access rights containing the domid of the removed domain. This is normally no problem, as those access right entries will be corrected when such a node is written later. There is a small time window when a new domain is created, where the access rights of a past domain with the same domid as the new one will be regarded to be still valid, leading to the new domain being able to get access to a node which was meant to be accessible by the removed domain. For this to happen another domain needs to write the node before the newly created domain is being introduced to Xenstore by dom0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42320
CVE-2022-42321 on Ubuntu 26.04 LTS (resolute) - medium
Xenstore: Guests can crash xenstored via exhausting the stack. Xenstored is using recursion for some Xenstore operations (e.g. for deleting a sub-tree of Xenstore nodes). With sufficiently deep nesting levels this can result in stack exhaustion on xenstored, leading to a crash of xenstored.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42321
CVE-2022-42322 on Ubuntu 26.04 LTS (resolute) - medium
Xenstore: Cooperating guests can create arbitrary numbers of nodes. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created, as Dom0's number of nodes isn't limited by Xenstore quota.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42322
CVE-2022-42323 on Ubuntu 26.04 LTS (resolute) - medium
Xenstore: Cooperating guests can create arbitrary numbers of nodes. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created, as Dom0's number of nodes isn't limited by Xenstore quota.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42323
CVE-2022-42324 on Ubuntu 26.04 LTS (resolute) - medium
Oxenstored 32->31 bit integer truncation issues. Integers in Ocaml are 63 or 31 bits of signed precision. The Ocaml Xenbus library takes a C uint32_t out of the ring and casts it directly to an Ocaml integer. In 64-bit Ocaml builds this is fine, but in 32-bit builds, it truncates off the most significant bit, and then creates unsigned/signed confusion in the remainder. This in turn can feed a negative value into logic not expecting a negative value, resulting in unexpected exceptions being thrown. The unexpected exception is not handled suitably, creating a busy-loop trying (and failing) to take the bad packet out of the xenstore ring.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42324
CVE-2022-42325 on Ubuntu 26.04 LTS (resolute) - medium
Xenstore: Guests can create arbitrary number of nodes via transactions. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and without updating the accounting information. This will enable a malicious guest to create arbitrary number of nodes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42325
CVE-2022-42326 on Ubuntu 26.04 LTS (resolute) - medium
Xenstore: Guests can create arbitrary number of nodes via transactions. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and without updating the accounting information. This will enable a malicious guest to create arbitrary number of nodes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42326
CVE-2022-42327 on Ubuntu 26.04 LTS (resolute) - medium
x86: unintended memory sharing between guests. On Intel systems that support the "virtualize APIC accesses" feature, a guest can read and write the global shared xAPIC page by moving the local APIC out of xAPIC mode. Access to this shared page bypasses the expected isolation that should exist between two guests.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-01 13:15:00 UTC
CVE-2022-42327
CVE-2022-42330 on Ubuntu 26.04 LTS (resolute) - medium
Guests can cause Xenstore crash via soft reset. When a guest issues a "Soft Reset" (e.g. for performing a kexec) the libxl based Xen toolstack will normally perform a XS_RELEASE Xenstore operation. Due to a bug in xenstored this can result in a crash of xenstored. Any other use of XS_RELEASE will have the same impact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-26 21:16:00 UTC
CVE-2022-42330
CVE-2022-42331 on Ubuntu 26.04 LTS (resolute) - medium
x86: speculative vulnerability in 32bit SYSCALL path. Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-21 13:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033297
CVE-2022-42331
CVE-2022-42332 on Ubuntu 26.04 LTS (resolute) - medium
x86 shadow plus log-dirty mode use-after-free. In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Shadow mode maintains a pool of memory used for both shadow page tables as well as auxiliary data structures. To migrate or snapshot guests, Xen additionally runs them in so called log-dirty mode. The data structures needed by the log-dirty tracking are part of aforementioned auxiliary data. In order to keep error handling efforts within reasonable bounds, for operations which may require memory allocations shadow mode logic ensures up front that enough memory is available for the worst case requirements. Unfortunately, while page table memory is properly accounted for on the code path requiring the potential establishing of new shadows, demands by the log-dirty infrastructure were not taken into consideration. As a result, just established shadow page tables could be freed again immediately, while other code is still accessing them on the assumption that they would remain allocated.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-21 13:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033297
CVE-2022-42332
CVE-2022-42333 on Ubuntu 26.04 LTS (resolute) - medium
x86/HVM pinned cache attributes mis-handling. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such guests. This interface may therefore be used by not fully privileged entities, e.g. qemu running deprivileged in Dom0 or qemu running in a so called stub-domain. With this exposure it is an issue that - the number of the such controlled regions was unbounded (CVE-2022-42333), - installation and removal of such regions was not properly serialized (CVE-2022-42334).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-21 13:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033297
CVE-2022-42333
CVE-2022-42334 on Ubuntu 26.04 LTS (resolute) - medium
x86/HVM pinned cache attributes mis-handling. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such guests. This interface may therefore be used by not fully privileged entities, e.g. qemu running deprivileged in Dom0 or qemu running in a so called stub-domain. With this exposure it is an issue that - the number of the such controlled regions was unbounded (CVE-2022-42333), - installation and removal of such regions was not properly serialized (CVE-2022-42334).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-21 13:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033297
CVE-2022-42334
CVE-2022-42335 on Ubuntu 26.04 LTS (resolute) - medium
x86 shadow paging arbitrary pointer dereference. In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Due to too lax a check in one of the hypervisor routines used for shadow page handling it is possible for a guest with a PCI device passed through to cause the hypervisor to access an arbitrary pointer partially under guest control.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-25 13:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034842
CVE-2022-42335
CVE-2022-42336 on Ubuntu 26.04 LTS (resolute) - medium
Mishandling of guest SSBD selection on AMD hardware. The current logic to set SSBD on AMD Family 17h and Hygon Family 18h processors requires that the setting of SSBD is coordinated at a core level, as the setting is shared between threads. Logic was introduced to keep track of how many threads require SSBD active in order to coordinate it, such logic relies on using a per-core counter of threads that have SSBD active. When running on the mentioned hardware, it's possible for a guest to under or overflow the thread counter, because each write to VIRT_SPEC_CTRL.SSBD by the guest gets propagated to the helper that does the per-core active accounting. Underflowing the counter causes the value to get saturated, and thus attempts for guests running on the same core to set SSBD won't have effect because the hypervisor assumes it's already active.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-17 01:15:00 UTC
CVE-2022-42336
CVE-2022-42705 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2 may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on a subscription via a reliable transport at the same time that Asterisk is also performing activity on that subscription.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-05 21:15:00 UTC
CVE-2022-42705
CVE-2022-42706 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-05 21:15:00 UTC
CVE-2022-42706
CVE-2022-42719 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-13 23:15:00 UTC
2022-10-13 23:15:00 UTC
Sönke Huster
[https://ubuntu.com/security/notices/USN-5692-1]
[https://ubuntu.com/security/notices/USN-5693-1]
[https://ubuntu.com/security/notices/USN-5700-1]
[https://ubuntu.com/security/notices/USN-5708-1]
[https://ubuntu.com/security/notices/USN-5728-1]
[https://ubuntu.com/security/notices/USN-5728-2]
[https://ubuntu.com/security/notices/USN-5728-3]
[https://ubuntu.com/security/notices/USN-5752-1]
CVE-2022-42719
CVE-2022-42720 on Ubuntu 26.04 LTS (resolute) - medium
Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-14 00:15:00 UTC
2022-10-14 00:15:00 UTC
Sönke Huster
[https://ubuntu.com/security/notices/USN-5691-1]
[https://ubuntu.com/security/notices/USN-5692-1]
[https://ubuntu.com/security/notices/USN-5693-1]
[https://ubuntu.com/security/notices/USN-5700-1]
[https://ubuntu.com/security/notices/USN-5708-1]
[https://ubuntu.com/security/notices/USN-5752-1]
CVE-2022-42720
CVE-2022-42721 on Ubuntu 26.04 LTS (resolute) - medium
A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-14 00:15:00 UTC
2022-10-14 00:15:00 UTC
Sönke Huster
[https://ubuntu.com/security/notices/USN-5691-1]
[https://ubuntu.com/security/notices/USN-5692-1]
[https://ubuntu.com/security/notices/USN-5693-1]
[https://ubuntu.com/security/notices/USN-5700-1]
[https://ubuntu.com/security/notices/USN-5708-1]
[https://ubuntu.com/security/notices/USN-5752-1]
CVE-2022-42721
CVE-2022-42722 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackers able to inject WLAN frames into the mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon protection of P2P devices.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-14 00:15:00 UTC
2022-10-14 00:15:00 UTC
Sönke Huster
[https://ubuntu.com/security/notices/USN-5692-1]
[https://ubuntu.com/security/notices/USN-5693-1]
[https://ubuntu.com/security/notices/USN-5700-1]
[https://ubuntu.com/security/notices/USN-5708-1]
[https://ubuntu.com/security/notices/USN-5752-1]
CVE-2022-42722
CVE-2022-4285 on Ubuntu 26.04 LTS (resolute) - low
An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-01-27 18:15:00 UTC
2023-01-27 18:15:00 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=29699
[https://ubuntu.com/security/notices/USN-6544-1]
[https://ubuntu.com/security/notices/USN-6842-1]
CVE-2022-4285
CVE-2022-42885 on Ubuntu 26.04 LTS (resolute) - medium
A use of uninitialized pointer vulnerability exists in the GRO format res functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-21 21:15:00 UTC
Claudio Bozzato
CVE-2022-42885
CVE-2022-42890 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-25 17:15:00 UTC
2022-10-25 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-6117-1]
CVE-2022-42890
CVE-2022-42898 on Ubuntu 26.04 LTS (resolute) - medium
PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-25 06:15:00 UTC
2022-12-25 06:15:00 UTC
Greg Hudson
https://bugzilla.samba.org/show_bug.cgi?id=15203
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024187
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024267
[https://ubuntu.com/security/notices/USN-5800-1]
[https://ubuntu.com/security/notices/USN-5822-1]
[https://ubuntu.com/security/notices/USN-5822-2]
[https://ubuntu.com/security/notices/USN-5828-1]
[https://ubuntu.com/security/notices/USN-5936-1]
[https://ubuntu.com/security/notices/USN-7582-1]
CVE-2022-42898
CVE-2022-42905 on Ubuntu 26.04 LTS (resolute) - medium
In wolfSSL before 5.5.2, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS 1.3 client or network attacker can trigger a buffer over-read on the heap of 5 bytes. (WOLFSSL_CALLBACKS is only intended for debugging.)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-07 00:15:00 UTC
CVE-2022-42905
CVE-2022-42906 on Ubuntu 26.04 LTS (resolute) - medium
powerline-gitstatus (aka Powerline Gitstatus) before 1.3.2 allows arbitrary code execution. git repositories can contain per-repository configuration that changes the behavior of git, including running arbitrary commands. When using powerline-gitstatus, changing to a directory automatically runs git commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory to one controlled by the attacker, such as in a shared filesystem or extracted archive, powerline-gitstatus will run arbitrary commands under the attacker's control. NOTE: this is similar to CVE-2022-20001.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-13 03:15:00 UTC
CVE-2022-42906
CVE-2022-42961 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in wolfSSL before 5.5.0. A fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. Users performing signing operations with private ECC keys, such as in server-side TLS connections, might leak faulty ECC signatures. These signatures can be processed via an advanced technique for ECDSA key recovery. (In 5.5.0 and later, WOLFSSL_CHECK_SIG_FAULTS can be used to address the vulnerability.)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-15 04:15:00 UTC
CVE-2022-42961
CVE-2022-42966 on Ubuntu 26.04 LTS (resolute) - medium
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the cleo PyPI package, when an attacker is able to supply arbitrary input to the Table.set_rows method.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-09 20:15:00 UTC
CVE-2022-42966
CVE-2022-43032 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 v1.6.0-639. There is a memory leak in AP4_DescriptorFactory::CreateDescriptorFromStream in Core/Ap4DescriptorFactory.cpp, as demonstrated by mp42aac.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-19 14:15:00 UTC
CVE-2022-43032
CVE-2022-43033 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.6.0-639. There is a bad free in the component AP4_HdlrAtom::~AP4_HdlrAtom() which allows attackers to cause a Denial of Service (DoS) via a crafted input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-19 14:15:00 UTC
CVE-2022-43033
CVE-2022-43034 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 v1.6.0-639. There is a heap buffer overflow vulnerability in the AP4_BitReader::SkipBits(unsigned int) function in mp42ts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-19 14:15:00 UTC
CVE-2022-43034
CVE-2022-43035 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 v1.6.0-639. There is a heap-buffer-overflow in AP4_Dec3Atom::AP4_Dec3Atom at Ap4Dec3Atom.cpp, leading to a Denial of Service (DoS), as demonstrated by mp42aac.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-19 14:15:00 UTC
CVE-2022-43035
CVE-2022-43037 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Bento4 1.6.0-639. There is a memory leak in the function AP4_File::ParseStream in /Core/Ap4File.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-19 14:15:00 UTC
CVE-2022-43037
CVE-2022-43038 on Ubuntu 26.04 LTS (resolute) - medium
Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_BitReader::ReadCache() function in mp42ts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-19 14:15:00 UTC
CVE-2022-43038
CVE-2022-4304 on Ubuntu 26.04 LTS (resolute) - medium
A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.
Update Instructions:
Run `sudo pro fix CVE-2022-4304` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.8-1ubuntu1
openssl - 3.0.8-1ubuntu1
openssl-provider-legacy - 3.0.8-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-07
2023-02-07
Hubert Kario
[https://ubuntu.com/security/notices/USN-5844-1]
[https://ubuntu.com/security/notices/USN-6564-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2022-4304
CVE-2022-43071 on Ubuntu 26.04 LTS (resolute) - medium
A stack overflow in the Catalog::readPageLabelTree2(Object*) function of XPDF v4.04 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-15 17:15:00 UTC
CVE-2022-43071
CVE-2022-43151 on Ubuntu 26.04 LTS (resolute) - medium
timg v1.4.4 was discovered to contain a memory leak via the function timg::QueryBackgroundColor() at /timg/src/term-query.cc.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-31 19:15:00 UTC
CVE-2022-43151
CVE-2022-43272 on Ubuntu 26.04 LTS (resolute) - low
DCMTK v3.6.7 was discovered to contain a memory leak via the T_ASC_Association object.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-12-02 16:15:00 UTC
2022-12-02 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-5882-1]
[https://ubuntu.com/security/notices/USN-7010-1]
CVE-2022-43272
CVE-2022-43295 on Ubuntu 26.04 LTS (resolute) - medium
XPDF v4.04 was discovered to contain a stack overflow via the function FileStream::copy() at xpdf/Stream.cc:795.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-14 21:15:00 UTC
CVE-2022-43295
CVE-2022-43467 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write vulnerability exists in the PQS format coord_file functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-21 21:15:00 UTC
Claudio Bozzato
CVE-2022-43467
CVE-2022-43497 on Ubuntu 26.04 LTS (resolute) - medium
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-05 04:15:00 UTC
CVE-2022-43497
CVE-2022-43500 on Ubuntu 26.04 LTS (resolute) - medium
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-05 04:15:00 UTC
CVE-2022-43500
CVE-2022-43504 on Ubuntu 26.04 LTS (resolute) - low
Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-12-05 04:15:00 UTC
CVE-2022-43504
CVE-2022-43592 on Ubuntu 26.04 LTS (resolute) - medium
An information disclosure vulnerability exists in the DPXOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to leaked heap data. An attacker can provide malicious input to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-43592
CVE-2022-43593 on Ubuntu 26.04 LTS (resolute) - medium
A denial of service vulnerability exists in the DPXOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to null pointer dereference. An attacker can provide malicious input to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-43593
CVE-2022-43594 on Ubuntu 26.04 LTS (resolute) - medium
Multiple denial of service vulnerabilities exist in the image output closing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially crafted ImageOutput Objects can lead to multiple null pointer dereferences. An attacker can provide malicious multiple inputs to trigger these vulnerabilities. This vulnerability applies to writing .bmp files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-43594
CVE-2022-43595 on Ubuntu 26.04 LTS (resolute) - medium
Multiple denial of service vulnerabilities exist in the image output closing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. Specially crafted ImageOutput Objects can lead to multiple null pointer dereferences. An attacker can provide malicious multiple inputs to trigger these vulnerabilities. This vulnerability applies to writing .fits files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-43595
CVE-2022-43596 on Ubuntu 26.04 LTS (resolute) - medium
An information disclosure vulnerability exists in the IFFOutput channel interleaving functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to leaked heap data. An attacker can provide malicious input to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-43596
CVE-2022-43597 on Ubuntu 26.04 LTS (resolute) - medium
Multiple memory corruption vulnerabilities exist in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to arbitrary code execution. An attacker can provide malicious input to trigger these vulnerabilities. This vulnerability arises when the `m_spec.format` is `TypeDesc::UINT8`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-43597
CVE-2022-43598 on Ubuntu 26.04 LTS (resolute) - medium
Multiple memory corruption vulnerabilities exist in the IFFOutput alignment padding functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to arbitrary code execution. An attacker can provide malicious input to trigger these vulnerabilities. This vulnerability arises when the `m_spec.format` is `TypeDesc::UINT16`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-43598
CVE-2022-43599 on Ubuntu 26.04 LTS (resolute) - medium
Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. An attacker can provide malicious input to trigger these vulnerabilities. This vulnerability arises when the `xmax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT8`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-43599
CVE-2022-43600 on Ubuntu 26.04 LTS (resolute) - medium
Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. An attacker can provide malicious input to trigger these vulnerabilities. This vulnerability arises when the `xmax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT16`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-43600
CVE-2022-43601 on Ubuntu 26.04 LTS (resolute) - medium
Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. An attacker can provide malicious input to trigger these vulnerabilities. This vulnerability arises when the `ymax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT16`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-43601
CVE-2022-43602 on Ubuntu 26.04 LTS (resolute) - medium
Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. An attacker can provide malicious input to trigger these vulnerabilities. This vulnerability arises when the `ymax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT8`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-43602
CVE-2022-43603 on Ubuntu 26.04 LTS (resolute) - medium
A denial of service vulnerability exists in the ZfileOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-22 22:15:00 UTC
CVE-2022-43603
CVE-2022-43607 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write vulnerability exists in the MOL2 format attribute and value functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-21 21:15:00 UTC
Claudio Bozzato
CVE-2022-43607
CVE-2022-43680 on Ubuntu 26.04 LTS (resolute) - medium
In libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
Update Instructions:
Run `sudo pro fix CVE-2022-43680` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.5.0-1
libexpat1 - 2.5.0-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-24 14:15:00 UTC
2022-10-24 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022743
[https://ubuntu.com/security/notices/USN-5638-3]
[https://ubuntu.com/security/notices/USN-5638-2]
[https://ubuntu.com/security/notices/USN-5638-4]
CVE-2022-43680
CVE-2022-4396 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in RDFlib pyrdfa3 and classified as problematic. This issue affects the function _get_option of the file pyRdfa/__init__.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is ffd1d62dd50d5f4190013b39cedcdfbd81f3ce3e. It is recommended to apply a patch to fix this issue. The identifier VDB-215249 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-10 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026051
CVE-2022-4396
CVE-2022-4398 on Ubuntu 26.04 LTS (resolute) - medium
Integer Overflow or Wraparound in GitHub repository radareorg/radare2 prior to 5.8.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-10 20:15:00 UTC
CVE-2022-4398
CVE-2022-44034 on Ubuntu 26.04 LTS (resolute) - negligible
An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove().
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2022 Canonical Ltd.
2022-10-30 01:15:00 UTC
CVE-2022-44034
CVE-2022-44081 on Ubuntu 26.04 LTS (resolute) - medium
Lodepng v20220717 was discovered to contain a segmentation fault via the function pngdetail.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-10-31 19:15:00 UTC
CVE-2022-44081
CVE-2022-44368 on Ubuntu 26.04 LTS (resolute) - low
NASM v2.16 was discovered to contain a null pointer dereference in the NASM component.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-03-29 20:15:00 UTC
CVE-2022-44368
CVE-2022-44369 on Ubuntu 26.04 LTS (resolute) - low
NASM 2.16 (development) is vulnerable to 476: Null Pointer Dereference via output/outaout.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-03-29 20:15:00 UTC
CVE-2022-44369
CVE-2022-44451 on Ubuntu 26.04 LTS (resolute) - medium
A use of uninitialized pointer vulnerability exists in the MSI format atom functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-21 21:15:00 UTC
Claudio Bozzato
CVE-2022-44451
CVE-2022-4450 on Ubuntu 26.04 LTS (resolute) - medium
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.
Update Instructions:
Run `sudo pro fix CVE-2022-4450` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.8-1ubuntu1
openssl - 3.0.8-1ubuntu1
openssl-provider-legacy - 3.0.8-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-07
2023-02-07
CarpetFuzz, Dawei Wang
[https://ubuntu.com/security/notices/USN-5844-1]
[https://ubuntu.com/security/notices/USN-6564-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2022-4450
CVE-2022-44566 on Ubuntu 26.04 LTS (resolute) - medium
A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-09 20:15:00 UTC
CVE-2022-44566
CVE-2022-44617 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libXpm. When processing a file with width of 0 and a very large height, some parser functions will be called repeatedly and can lead to an infinite loop, resulting in a Denial of Service in the application linked to the library.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-17
2023-01-17
Martin Ettl
[https://ubuntu.com/security/notices/USN-5807-1]
[https://ubuntu.com/security/notices/USN-5807-2]
CVE-2022-44617
CVE-2022-44640 on Ubuntu 26.04 LTS (resolute) - medium
Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-25 05:15:00 UTC
2022-12-25 05:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024187
https://bugzilla.samba.org/show_bug.cgi?id=14929
[https://ubuntu.com/security/notices/USN-5800-1]
CVE-2022-44640
CVE-2022-44729 on Ubuntu 26.04 LTS (resolute) - medium
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2022-44729
CVE-2022-44730 on Ubuntu 26.04 LTS (resolute) - medium
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data and send it directly as parameter to a URL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2022-44730
CVE-2022-4492 on Ubuntu 26.04 LTS (resolute) - medium
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-23 20:15:00 UTC
CVE-2022-4492
CVE-2022-45136 on Ubuntu 26.04 LTS (resolute) - medium
Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The mySQL JDBC driver in particular is known to be vulnerable to this class of attack. As a result an application using Apache Jena SDB can be subject to RCE when connected to a malicious database server. Apache Jena SDB has been EOL since December 2020 and users should migrate to alternative options e.g. Apache Jena TDB 2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-14 16:15:00 UTC
CVE-2022-45136
CVE-2022-45142 on Ubuntu 26.04 LTS (resolute) - medium
The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-08
2023-02-08
Helmut Grohne
[https://ubuntu.com/security/notices/USN-5849-1]
CVE-2022-45142
CVE-2022-45143 on Ubuntu 26.04 LTS (resolute) - medium
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-03 19:15:00 UTC
CVE-2022-45143
CVE-2022-45145 on Ubuntu 26.04 LTS (resolute) - medium
egg-compile.scm in CHICKEN 5.x before 5.3.1 allows arbitrary OS command execution during package installation via escape characters in a .egg file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-10 16:15:00 UTC
CVE-2022-45145
CVE-2022-4543 on Ubuntu 26.04 LTS (resolute) - medium
A flaw named "EntryBleed" was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-11 15:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2153871
https://bugzilla.suse.com/show_bug.cgi?id=1206463
CVE-2022-4543
CVE-2022-45586 on Ubuntu 26.04 LTS (resolute) - medium
Stack overflow vulnerability in function Dict::find in xpdf/Dict.cc in xpdf 4.04, allows local attackers to cause a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-15 18:15:00 UTC
CVE-2022-45586
CVE-2022-45587 on Ubuntu 26.04 LTS (resolute) - medium
Stack overflow vulnerability in function gmalloc in goo/gmem.cc in xpdf 4.04, allows local attackers to cause a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-15 18:15:00 UTC
CVE-2022-45587
CVE-2022-45685 on Ubuntu 26.04 LTS (resolute) - medium
A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-13 15:15:00 UTC
2022-12-13 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6177-1]
CVE-2022-45685
CVE-2022-45693 on Ubuntu 26.04 LTS (resolute) - medium
Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-13 15:15:00 UTC
2022-12-13 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6177-1]
CVE-2022-45693
CVE-2022-45748 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered with assimp 5.1.4, a use after free occurred in function ColladaParser::ExtractDataObjectFromChannel in file /code/AssetLib/Collada/ColladaParser.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-20 19:15:00 UTC
CVE-2022-45748
CVE-2022-45885 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_frontend.c has a race condition that can cause a use-after-free when a device is disconnected.
Ubuntu 26.04 LTS
Low
Copyright (C) 2022 Canonical Ltd.
2022-11-25 04:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2148513
https://bugzilla.suse.com/show_bug.cgi?id=1205758
CVE-2022-45885
CVE-2022-45907 on Ubuntu 26.04 LTS (resolute) - medium
In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-26 02:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024903
CVE-2022-45907
CVE-2022-45939 on Ubuntu 26.04 LTS (resolute) - medium
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-28 06:15:00 UTC
2022-11-28 06:15:00 UTC
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=59544
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025009
[https://ubuntu.com/security/notices/USN-5781-1]
[https://ubuntu.com/security/notices/USN-7027-1]
CVE-2022-45939
CVE-2022-46146 on Ubuntu 26.04 LTS (resolute) - medium
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-11-29 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025127
CVE-2022-46146
CVE-2022-46165 on Ubuntu 26.04 LTS (resolute) - medium
Syncthing is an open source, continuous file synchronization program. In versions prior to 1.23.5 a compromised instance with shared folders could sync malicious files which contain arbitrary HTML and JavaScript in the name. If the owner of another device looks over the shared folder settings and moves the mouse over the latest sync, a script could be executed to change settings for shared folders or add devices automatically. Additionally adding a new device with a malicious name could embed HTML or JavaScript inside parts of the page. As a result the webUI may be subject to a stored cross site scripting attack. This issue has been addressed in version 1.23.5. Users are advised to upgrade. Users unable to upgrade should avoid sharing folders with untrusted users.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-06 18:15:00 UTC
CVE-2022-46165
CVE-2022-46280 on Ubuntu 26.04 LTS (resolute) - medium
A use of uninitialized pointer vulnerability exists in the PQS format pFormat functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-21 21:15:00 UTC
Claudio Bozzato
CVE-2022-46280
CVE-2022-46285 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libXpm. This issue occurs when parsing a file with a comment not closed; the end-of-file condition will not be detected, leading to an infinite loop and resulting in a Denial of Service in the application linked to the library.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-17
2023-01-17
Marco Ivaldi
[https://ubuntu.com/security/notices/USN-5807-1]
[https://ubuntu.com/security/notices/USN-5807-2]
[https://ubuntu.com/security/notices/USN-5807-3]
CVE-2022-46285
CVE-2022-46289 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the ORCA format nAtoms functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially-crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. nAtoms calculation wrap-around, leading to a small buffer allocation
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-21 21:15:00 UTC
Claudio Bozzato
CVE-2022-46289
CVE-2022-46290 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the ORCA format nAtoms functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially-crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. The loop that stores the coordinates does not check its index against nAtoms
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-21 21:15:00 UTC
Claudio Bozzato
CVE-2022-46290
CVE-2022-46291 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the translationVectors parsing functionality in multiple supported formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability affects the MSI file format
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-21 21:15:00 UTC
Claudio Bozzato
CVE-2022-46291
CVE-2022-46292 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the translationVectors parsing functionality in multiple supported formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability affects the MOPAC file format, inside the Unit Cell Translation section
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-21 21:15:00 UTC
Claudio Bozzato
CVE-2022-46292
CVE-2022-46293 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the translationVectors parsing functionality in multiple supported formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability affects the MOPAC file format, inside the Final Point and Derivatives section
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-21 21:15:00 UTC
Claudio Bozzato
CVE-2022-46293
CVE-2022-46294 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the translationVectors parsing functionality in multiple supported formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability affects the MOPAC Cartesian file format
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-21 21:15:00 UTC
Claudio Bozzato
CVE-2022-46294
CVE-2022-46295 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the translationVectors parsing functionality in multiple supported formats of Open Babel 3.1.1 and master commit 530dbfa3. A specially-crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability affects the Gaussian file format
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-21 21:15:00 UTC
Claudio Bozzato
CVE-2022-46295
CVE-2022-46337 on Ubuntu 26.04 LTS (resolute) - medium
A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server. In LDAP-protected databases which weren't also protected by SQL GRANT/REVOKE authorization, this vulnerability could also let an attacker view and corrupt sensitive data and run sensitive database functions and procedures. Mitigation: Users should upgrade to Java 21 and Derby 10.17.1.0. Alternatively, users who wish to remain on older Java versions should build their own Derby distribution from one of the release families to which the fix was backported: 10.16, 10.15, and 10.14. Those are the releases which correspond, respectively, with Java LTS versions 17, 11, and 8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-20 09:15:00 UTC
CVE-2022-46337
CVE-2022-4639 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, has been found in sslh. This issue affects the function hexdump of the file probe.c of the component Packet Dumping Handler. The manipulation of the argument msg_info leads to format string. The attack may be initiated remotely. The name of the patch is b19f8a6046b080e4c2e28354a58556bb26040c6f. It is recommended to apply a patch to fix this issue. The identifier VDB-216497 was assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-21 22:15:00 UTC
CVE-2022-4639
CVE-2022-46449 on Ubuntu 26.04 LTS (resolute) - medium
An issue in MPD (Music Player Daemon) v0.23.10 allows attackers to cause a Denial of Service (DoS) via a crafted input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-10 22:15:00 UTC
CVE-2022-46449
CVE-2022-46456 on Ubuntu 26.04 LTS (resolute) - medium
NASM v2.16 was discovered to contain a global buffer overflow in the component dbgdbg_typevalue at /output/outdbg.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-04 18:15:00 UTC
CVE-2022-46456
CVE-2022-46457 on Ubuntu 26.04 LTS (resolute) - medium
NASM v2.16 was discovered to contain a segmentation violation in the component ieee_write_file at /output/outieee.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-04 18:15:00 UTC
CVE-2022-46457
CVE-2022-46871 on Ubuntu 26.04 LTS (resolute) - medium
An out of date library (libusrsctp) contained vulnerabilities that could potentially be exploited. This vulnerability affects Firefox < 108.
Update Instructions:
Run `sudo pro fix CVE-2022-46871` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
thunderbird - 1:102.7.1+build2-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-14
2022-12-14
https://bugzilla.mozilla.org/show_bug.cgi?id=1795697
https://bugs.launchpad.net/ubuntu/+source/libusrsctp/+bug/2015448
[https://ubuntu.com/security/notices/USN-5782-1]
[https://ubuntu.com/security/notices/USN-5824-1]
CVE-2022-46871
CVE-2022-46945 on Ubuntu 26.04 LTS (resolute) - medium
Nagvis before 1.9.34 was discovered to contain an arbitrary file read vulnerability via the component /core/classes/NagVisHoverUrl.php.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-26 15:15:00 UTC
CVE-2022-46945
CVE-2022-47111 on Ubuntu 26.04 LTS (resolute) - medium
7-Zip 22.01 does not report an error for certain invalid xz files, involving block flags and reserved bits. Some later versions are unaffected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-19 21:15:00 UTC
CVE-2022-47111
CVE-2022-47112 on Ubuntu 26.04 LTS (resolute) - medium
7-Zip 22.01 does not report an error for certain invalid xz files, involving stream flags and reserved bits. Some later versions are unaffected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-19 21:15:00 UTC
CVE-2022-47112
CVE-2022-4728 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in Graphite Web and classified as problematic. This vulnerability affects unknown code of the component Cookie Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 2f178f490e10efc03cd1d27c72f64ecab224eb23. It is recommended to apply a patch to fix this issue. VDB-216742 is the identifier assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-27 15:15:00 UTC
2022-12-27 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026992
[https://ubuntu.com/security/notices/USN-6243-1]
CVE-2022-4728
CVE-2022-4729 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Graphite Web and classified as problematic. This issue affects some unknown processing of the component Template Name Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 2f178f490e10efc03cd1d27c72f64ecab224eb23. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216743.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-27 15:15:00 UTC
2022-12-27 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026992
[https://ubuntu.com/security/notices/USN-6243-1]
CVE-2022-4729
CVE-2022-4730 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Graphite Web. It has been classified as problematic. Affected is an unknown function of the component Absolute Time Range Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 2f178f490e10efc03cd1d27c72f64ecab224eb23. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216744.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-27 15:15:00 UTC
2022-12-27 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026992
[https://ubuntu.com/security/notices/USN-6243-1]
CVE-2022-4730
CVE-2022-47630 on Ubuntu 26.04 LTS (resolute) - medium
Trusted Firmware-A through 2.8 has an out-of-bounds read in the X.509 parser for parsing boot certificates. This affects downstream use of get_ext and auth_nvctr. Attackers might be able to trigger dangerous read side effects or obtain sensitive information about microarchitectural state.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-16 16:15:00 UTC
Demi Marie Obenour
CVE-2022-47630
CVE-2022-47747 on Ubuntu 26.04 LTS (resolute) - low
kraken <= 0.1.4 has an arbitrary file read vulnerability via the component testfs.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-01-20 17:15:00 UTC
CVE-2022-47747
CVE-2022-47950 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).
Update Instructions:
Run `sudo pro fix CVE-2022-47950` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-swift - 2.31.0+git2023020814.488f8c83-0ubuntu1
swift - 2.31.0+git2023020814.488f8c83-0ubuntu1
swift-account - 2.31.0+git2023020814.488f8c83-0ubuntu1
swift-container - 2.31.0+git2023020814.488f8c83-0ubuntu1
swift-object - 2.31.0+git2023020814.488f8c83-0ubuntu1
swift-object-expirer - 2.31.0+git2023020814.488f8c83-0ubuntu1
swift-proxy - 2.31.0+git2023020814.488f8c83-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-18 17:15:00 UTC
2023-01-18 17:15:00 UTC
https://bugs.launchpad.net/swift/+bug/1998625
[https://ubuntu.com/security/notices/USN-5852-1]
CVE-2022-47950
CVE-2022-47951 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.
Update Instructions:
Run `sudo pro fix CVE-2022-47951` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
cinder-api - 2:21.1.0+git2023012815.c9e65529-0ubuntu1
cinder-backup - 2:21.1.0+git2023012815.c9e65529-0ubuntu1
cinder-common - 2:21.1.0+git2023012815.c9e65529-0ubuntu1
cinder-scheduler - 2:21.1.0+git2023012815.c9e65529-0ubuntu1
cinder-volume - 2:21.1.0+git2023012815.c9e65529-0ubuntu1
python3-cinder - 2:21.1.0+git2023012815.c9e65529-0ubuntu1
No subscription required
glance - 2:26.0.0~b2+git2023012815.907c5626-0ubuntu1
glance-api - 2:26.0.0~b2+git2023012815.907c5626-0ubuntu1
glance-common - 2:26.0.0~b2+git2023012815.907c5626-0ubuntu1
python3-glance - 2:26.0.0~b2+git2023012815.907c5626-0ubuntu1
No subscription required
nova-ajax-console-proxy - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-api - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-api-metadata - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-api-os-compute - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-api-os-volume - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-cells - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-common - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-compute - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-compute-ironic - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-compute-kvm - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-compute-libvirt - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-compute-lxc - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-compute-qemu - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-compute-vmware - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-compute-xen - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-conductor - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-novncproxy - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-scheduler - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-serialproxy - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-spiceproxy - 3:26.1.0+git2023012815.98daf501-0ubuntu1
nova-volume - 3:26.1.0+git2023012815.98daf501-0ubuntu1
python3-nova - 3:26.1.0+git2023012815.98daf501-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-27
2023-01-27
Guillaume Espanel, Pierre Libeau, Arnaud Morin and Damien Rannou
https://launchpad.net/bugs/1996188
[https://ubuntu.com/security/notices/USN-5835-1]
[https://ubuntu.com/security/notices/USN-5835-2]
[https://ubuntu.com/security/notices/USN-5835-3]
[https://ubuntu.com/security/notices/USN-5835-4]
[https://ubuntu.com/security/notices/USN-5835-5]
[https://ubuntu.com/security/notices/USN-6882-2]
CVE-2022-47951
CVE-2022-48174 on Ubuntu 26.04 LTS (resolute) - low
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.
Update Instructions:
Run `sudo pro fix CVE-2022-48174` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
busybox - 1:1.36.1-6ubuntu4
busybox-initramfs - 1:1.36.1-6ubuntu4
busybox-static - 1:1.36.1-6ubuntu4
busybox-syslogd - 1:1.36.1-6ubuntu4
udhcpc - 1:1.36.1-6ubuntu4
udhcpd - 1:1.36.1-6ubuntu4
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
2023-08-22 19:16:00 UTC
https://bugs.busybox.net/show_bug.cgi?id=15216
[https://ubuntu.com/security/notices/USN-6335-1]
[https://ubuntu.com/security/notices/USN-6961-1]
CVE-2022-48174
CVE-2022-48285 on Ubuntu 26.04 LTS (resolute) - medium
loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-29 05:15:00 UTC
CVE-2022-48285
CVE-2022-48337 on Ubuntu 26.04 LTS (resolute) - medium
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-20 23:15:00 UTC
2023-02-20 23:15:00 UTC
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=59817
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031730
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=61819 (regression)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031888 (regression)
[https://ubuntu.com/security/notices/USN-7027-1]
CVE-2022-48337
CVE-2022-48338 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-20 23:15:00 UTC
2023-02-20 23:15:00 UTC
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60268
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031730
[https://ubuntu.com/security/notices/USN-7027-1]
CVE-2022-48338
CVE-2022-48339 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-20 23:15:00 UTC
2023-02-20 23:15:00 UTC
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60295
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031730
[https://ubuntu.com/security/notices/USN-5955-1]
[https://ubuntu.com/security/notices/USN-7027-1]
CVE-2022-48339
CVE-2022-4843 on Ubuntu 26.04 LTS (resolute) - medium
NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.8.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-12-29 18:15:00 UTC
CVE-2022-4843
CVE-2022-48521 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in OpenDKIM through 2.10.3, and 2.11.x through 2.11.0-Beta2. It fails to keep track of ordinal numbers when removing fake Authentication-Results header fields, which allows a remote attacker to craft an e-mail message with a fake sender address such that programs that rely on Authentication-Results from OpenDKIM will treat the message as having a valid DKIM signature when in fact it has none.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-11 20:15:00 UTC
CVE-2022-48521
CVE-2022-48538 on Ubuntu 26.04 LTS (resolute) - medium
In Cacti 1.2.19, there is an authentication bypass in the web login functionality because of improper validation in the PHP code: cacti_ldap_auth() allows a zero as the password.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2022-48538
CVE-2022-48545 on Ubuntu 26.04 LTS (resolute) - medium
An infinite recursion in Catalog::findDestInTree can cause denial of service for xpdf 4.02.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2022-48545
CVE-2022-48547 on Ubuntu 26.04 LTS (resolute) - medium
A reflected cross-site scripting (XSS) vulnerability in Cacti 0.8.7g and earlier allows unauthenticated remote attackers to inject arbitrary web script or HTML in the "ref" parameter at auth_changepassword.php.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2022-48547
CVE-2022-48570 on Ubuntu 26.04 LTS (resolute) - medium
Crypto++ through 8.4 contains a timing side channel in ECDSA signature generation. Function FixedSizeAllocatorWithCleanup could write to memory outside of the allocation if the allocated memory was not 16-byte aligned. NOTE: this issue exists because the CVE-2019-14318 fix was intentionally removed for functionality reasons.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2022-48570
CVE-2022-48614 on Ubuntu 26.04 LTS (resolute) - medium
Special:Ask in Semantic MediaWiki before 4.0.2 allows Reflected XSS.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-10 19:15:00 UTC
CVE-2022-48614
CVE-2022-48620 on Ubuntu 26.04 LTS (resolute) - medium
uev (aka libuev) before 2.4.1 has a buffer overflow in epoll_wait if maxevents is a large number.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-12 04:15:00 UTC
CVE-2022-48620
CVE-2022-4883 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-17
2023-01-17
Alan Coopersmith
[https://ubuntu.com/security/notices/USN-5807-1]
[https://ubuntu.com/security/notices/USN-5807-2]
CVE-2022-4883
CVE-2022-48846 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
block: release rq qos structures for queue without disk
blkcg_init_queue() may add rq qos structures to request queue, previously blk_cleanup_queue() calls rq_qos_exit() to release them, but commit 8e141f9eb803 ("block: drain file system I/O on del_gendisk") moves rq_qos_exit() into del_gendisk(), so memory leak is caused because queues may not have disk, such as un-present scsi luns, nvme admin queue, ...
Fixes the issue by adding rq_qos_exit() to blk_cleanup_queue() back.
BTW, v5.18 won't need this patch any more since we move blkcg_init_queue()/blkcg_exit_queue() into disk allocation/release handler, and patches have been in for-5.18/block.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-16 13:15:00 UTC
CVE-2022-48846
CVE-2022-48929 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix crash due to out of bounds access into reg2btf_ids.
When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier reg type to the appropriate btf_vmlinux BTF ID, however commit c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL") moved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after the base register types, and defined other variants using type flag composition. However, now, the direct usage of reg->type to index into reg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to out of bounds access and kernel crash on dereference of bad pointer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-22 04:15:00 UTC
CVE-2022-48929
CVE-2022-4968 on Ubuntu 26.04 LTS (resolute) - medium
netplan leaks the private key of wireguard to local users. Versions after 1.0 are not affected.
Update Instructions:
Run `sudo pro fix CVE-2022-4968` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnetplan1 - 1.0.1-1ubuntu2
netplan-generator - 1.0.1-1ubuntu2
netplan.io - 1.0.1-1ubuntu2
python3-netplan - 1.0.1-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-07 01:15:00 UTC
2024-06-07 01:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072789
https://bugs.launchpad.net/netplan/+bug/1987842
https://bugs.launchpad.net/ubuntu/+source/netplan.io/+bug/2065738
[https://ubuntu.com/security/notices/USN-6851-1]
CVE-2022-4968
CVE-2022-49737 on Ubuntu 26.04 LTS (resolute) - low
In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a lock, aka a race condition. In particular, AttachDevice in dix/devices.c does not acquire an input lock.
Update Instructions:
Run `sudo pro fix CVE-2022-49737` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.18-1ubuntu1
xorg-server-source - 2:21.1.18-1ubuntu1
xserver-common - 2:21.1.18-1ubuntu1
xserver-xephyr - 2:21.1.18-1ubuntu1
xserver-xorg-core - 2:21.1.18-1ubuntu1
xserver-xorg-legacy - 2:21.1.18-1ubuntu1
xvfb - 2:21.1.18-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-03-16 01:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081338
https://gitlab.freedesktop.org/xorg/xserver/-/issues/1260
CVE-2022-49737
CVE-2022-49940 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
tty: n_gsm: add sanity check for gsm->receive in gsm_receive_buf()
A null pointer dereference can happen when attempting to access the "gsm->receive()" function in gsmld_receive_buf(). Currently, the code assumes that gsm->recieve is only called after MUX activation. Since the gsmld_receive_buf() function can be accessed without the need to initialize the MUX, the gsm->receive() function will not be set and a NULL pointer dereference will occur.
Fix this by avoiding the call to "gsm->receive()" in case the function is not initialized by adding a sanity check.
Call Trace: <TASK> gsmld_receive_buf+0x1c2/0x2f0 drivers/tty/n_gsm.c:2861 tiocsti drivers/tty/tty_io.c:2293 [inline] tty_ioctl+0xa75/0x15d0 drivers/tty/tty_io.c:2692 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-18 11:15:00 UTC
CVE-2022-49940
CVE-2022-50090 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
btrfs: replace BTRFS_MAX_EXTENT_SIZE with fs_info->max_extent_size
On zoned filesystem, data write out is limited by max_zone_append_size, and a large ordered extent is split according the size of a bio. OTOH, the number of extents to be written is calculated using BTRFS_MAX_EXTENT_SIZE, and that estimated number is used to reserve the metadata bytes to update and/or create the metadata items.
The metadata reservation is done at e.g, btrfs_buffered_write() and then released according to the estimation changes. Thus, if the number of extent increases massively, the reserved metadata can run out.
The increase of the number of extents easily occurs on zoned filesystem if BTRFS_MAX_EXTENT_SIZE > max_zone_append_size. And, it causes the following warning on a small RAM environment with disabling metadata over-commit (in the following patch).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-18 11:15:00 UTC
CVE-2022-50090
CVE-2022-50230 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
arm64: set UXN on swapper page tables
[ This issue was fixed upstream by accident in c3cee924bd85 ("arm64: head: cover entire kernel image in initial ID map") as part of a large refactoring of the arm64 boot flow. This simple fix is therefore preferred for -stable backporting ]
On a system that implements FEAT_EPAN, read/write access to the idmap is denied because UXN is not set on the swapper PTEs. As a result, idmap_kpti_install_ng_mappings panics the kernel when accessing __idmap_kpti_flag. Fix it by setting UXN on these PTEs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-18 11:15:00 UTC
CVE-2022-50230
CVE-2022-50232 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
arm64: set UXN on swapper page tables
[ This issue was fixed upstream by accident in c3cee924bd85 ("arm64: head: cover entire kernel image in initial ID map") as part of a large refactoring of the arm64 boot flow. This simple fix is therefore preferred for -stable backporting ]
On a system that implements FEAT_EPAN, read/write access to the idmap is denied because UXN is not set on the swapper PTEs. As a result, idmap_kpti_install_ng_mappings panics the kernel when accessing __idmap_kpti_flag. Fix it by setting UXN on these PTEs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-18 11:15:00 UTC
CVE-2022-50232
CVE-2022-50240 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
android: binder: stop saving a pointer to the VMA
Do not record a pointer to a VMA outside of the mmap_lock for later use. This is unsafe and there are a number of failure paths *after* the recorded VMA pointer may be freed during setup. There is no callback to the driver to clear the saved pointer from generic mm code. Furthermore, the VMA pointer may become stale if any number of VMA operations end up freeing the VMA so saving it was fragile to begin with.
Instead, change the binder_alloc struct to record the start address of the VMA and use vma_lookup() to get the vma when needed. Add lockdep mmap_lock checks on updates to the vma pointer to ensure the lock is held and depend on that lock for synchronization of readers and writers - which was already the case anyways, so the smp_wmb()/smp_rmb() was not necessary.
[akpm@linux-foundation.org: fix drivers/android/binder_alloc_selftest.c]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-15 14:15:00 UTC
CVE-2022-50240
CVE-2022-50332 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
video/aperture: Call sysfb_disable() before removing PCI devices
Call sysfb_disable() from aperture_remove_conflicting_pci_devices() before removing PCI devices. Without, simpledrm can still bind to simple-framebuffer devices after the hardware driver has taken over the hardware. Both drivers interfere with each other and results are undefined.
Reported modesetting errors [1] are shown below.
The problem was added by commit 5e0137612430 ("video/aperture: Disable and unregister sysfb devices via aperture helpers") to v6.0.3 and does not exist in the mainline branch.
The mainline commit 5e0137612430 ("video/aperture: Disable and unregister sysfb devices via aperture helpers") has been backported from v6.0-rc1 to stable v6.0.3 from a larger patch series [2] that reworks fbdev framebuffer ownership. The backport misses a change to aperture_remove_conflicting_pci_devices(). Mainline itself is fine, because the function does not exist there as a result of the patch series.
Instead of backporting the whole series, fix the additional function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-15 15:15:00 UTC
CVE-2022-50332
CVE-2022-50380 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mm: /proc/pid/smaps_rollup: fix no vma's null-deref
Commit 258f669e7e88 ("mm: /proc/pid/smaps_rollup: convert to single value seq_file") introduced a null-deref if there are no vma's in the task in show_smaps_rollup.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-18 14:15:00 UTC
CVE-2022-50380
CVE-2022-50551 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
This patch fixes a shift-out-of-bounds in brcmfmac that occurs in BIT(chiprev) when a 'chiprev' provided by the device is too large. It should also not be equal to or greater than BITS_PER_TYPE(u32) as we do bitwise AND with a u32 variable and BIT(chiprev). The patch adds a check that makes the function return NULL if that is the case. Note that the NULL case is later handled by the bus-specific caller, brcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example.
Found by a modified version of syzkaller.
UBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
shift exponent 151055786 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace: dump_stack_lvl+0x57/0x7d ubsan_epilogue+0x5/0x40 __ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb ? lock_chain_count+0x20/0x20 brcmf_fw_alloc_request.cold+0x19/0x3ea ? brcmf_fw_get_firmwares+0x250/0x250 ? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0 brcmf_usb_get_fwname+0x114/0x1a0 ? brcmf_usb_reset_resume+0x120/0x120 ? number+0x6c4/0x9a0 brcmf_c_process_clm_blob+0x168/0x590 ? put_dec+0x90/0x90 ? enable_ptr_key_workfn+0x20/0x20 ? brcmf_common_pd_remove+0x50/0x50 ? rcu_read_lock_sched_held+0xa1/0xd0 brcmf_c_preinit_dcmds+0x673/0xc40 ? brcmf_c_set_joinpref_default+0x100/0x100 ? rcu_read_lock_sched_held+0xa1/0xd0 ? rcu_read_lock_bh_held+0xb0/0xb0 ? lock_acquire+0x19d/0x4e0 ? find_held_lock+0x2d/0x110 ? brcmf_usb_deq+0x1cc/0x260 ? mark_held_locks+0x9f/0xe0 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 ? _raw_spin_unlock_irqrestore+0x47/0x50 ? trace_hardirqs_on+0x1c/0x120 ? brcmf_usb_deq+0x1a7/0x260 ? brcmf_usb_rx_fill_all+0x5a/0xf0 brcmf_attach+0x246/0xd40 ?
wiphy_new_nm+0x1476/0x1d50 ? kmemdup+0x30/0x40 brcmf_usb_probe+0x12de/0x1690 ? brcmf_usbdev_qinit.constprop.0+0x470/0x470 usb_probe_interface+0x25f/0x710 really_probe+0x1be/0xa90 __driver_probe_device+0x2ab/0x460 ? usb_match_id.part.0+0x88/0xc0 driver_probe_device+0x49/0x120 __device_attach_driver+0x18a/0x250 ? driver_allows_async_probing+0x120/0x120 bus_for_each_drv+0x123/0x1a0 ? bus_rescan_devices+0x20/0x20 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 ? trace_hardirqs_on+0x1c/0x120 __device_attach+0x207/0x330 ? device_bind_driver+0xb0/0xb0 ? kobject_uevent_env+0x230/0x12c0 bus_probe_device+0x1a2/0x260 device_add+0xa61/0x1ce0 ? __mutex_unlock_slowpath+0xe7/0x660 ? __fw_devlink_link_to_suppliers+0x550/0x550 usb_set_configuration+0x984/0x1770 ? kernfs_create_link+0x175/0x230 usb_generic_driver_probe+0x69/0x90 usb_probe_device+0x9c/0x220 really_probe+0x1be/0xa90 __driver_probe_device+0x2ab/0x460 driver_probe_device+0x49/0x120 __device_attach_driver+0x18a/0x250 ? driver_allows_async_probing+0x120/0x120 bus_for_each_drv+0x123/0x1a0 ? bus_rescan_devices+0x20/0x20 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 ? trace_hardirqs_on+0x1c/0x120 __device_attach+0x207/0x330 ? device_bind_driver+0xb0/0xb0 ? kobject_uevent_env+0x230/0x12c0 bus_probe_device+0x1a2/0x260 device_add+0xa61/0x1ce0 ? __fw_devlink_link_to_suppliers+0x550/0x550 usb_new_device.cold+0x463/0xf66 ? hub_disconnect+0x400/0x400 ? _raw_spin_unlock_irq+0x24/0x30 hub_event+0x10d5/0x3330 ? hub_port_debounce+0x280/0x280 ? __lock_acquire+0x1671/0x5790 ? wq_calc_node_cpumask+0x170/0x2a0 ? lock_release+0x640/0x640 ? rcu_read_lock_sched_held+0xa1/0xd0 ? rcu_read_lock_bh_held+0xb0/0xb0 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 process_one_work+0x873/0x13e0 ? lock_release+0x640/0x640 ? pwq_dec_nr_in_flight+0x320/0x320 ? rwlock_bug.part.0+0x90/0x90 worker_thread+0x8b/0xd10 ? __kthread_parkme+0xd9/0x1d0 ? pr---truncated---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-07 16:15:00 UTC
CVE-2022-50551
CVE-2022-50942 on Ubuntu 26.04 LTS (resolute) - medium
Icinga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading to session hijacking and non-persistent phishing attacks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-01 13:15:00 UTC
CVE-2022-50942
CVE-2022-6083 on Ubuntu 26.04 LTS (resolute) - medium
[freeciv modpack installer buffer overflow]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2022 Canonical Ltd.
2022-08-18 00:00:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017579
CVE-2022-6083
CVE-2023-0030 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free flaw was found in the Linux kernel’s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-08 23:15:00 UTC
Zheng Wang
https://bugzilla.redhat.com/show_bug.cgi?id=2157270
https://bugzilla.suse.com/show_bug.cgi?id=1206777
CVE-2023-0030
CVE-2023-0160 on Ubuntu 26.04 LTS (resolute) - medium
A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-18 17:15:00 UTC
Hsin-Wei Hung
https://bugzilla.redhat.com/show_bug.cgi?id=2159764
https://bugzilla.suse.com/show_bug.cgi?id=1209657
CVE-2023-0160
CVE-2023-0193 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit SDK contains a vulnerability in cuobjdump, where a local user running the tool against a malicious binary may cause an out-of-bounds read, which may result in a limited denial of service and limited information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-10 21:15:00 UTC
CVE-2023-0193
CVE-2023-0215 on Ubuntu 26.04 LTS (resolute) - medium
The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash.
This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.
Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream.
The OpenSSL cms and smime command line applications are similarly affected.
Update Instructions:
Run `sudo pro fix CVE-2023-0215` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.8-1ubuntu1
openssl - 3.0.8-1ubuntu1
openssl-provider-legacy - 3.0.8-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-07
2023-02-07
Octavio Galland and Marcel Böhme
[https://ubuntu.com/security/notices/USN-5844-1]
[https://ubuntu.com/security/notices/USN-5845-1]
[https://ubuntu.com/security/notices/USN-5845-2]
[https://ubuntu.com/security/notices/USN-6564-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2023-0215
CVE-2023-0286 on Ubuntu 26.04 LTS (resolute) - high
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.
When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
Update Instructions:
Run `sudo pro fix CVE-2023-0286` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.8-1ubuntu1
openssl - 3.0.8-1ubuntu1
openssl-provider-legacy - 3.0.8-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2023 Canonical Ltd.
2023-02-07
2023-02-07
David Benjamin
[https://ubuntu.com/security/notices/USN-5844-1]
[https://ubuntu.com/security/notices/USN-5845-1]
[https://ubuntu.com/security/notices/USN-5845-2]
[https://ubuntu.com/security/notices/USN-6564-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2023-0286
CVE-2023-0302 on Ubuntu 26.04 LTS (resolute) - medium
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository radareorg/radare2 prior to 5.8.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-15 01:15:00 UTC
CVE-2023-0302
CVE-2023-0464 on Ubuntu 26.04 LTS (resolute) - low
A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.
Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
Update Instructions:
Run `sudo pro fix CVE-2023-0464` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.8-1ubuntu2
openssl - 3.0.8-1ubuntu2
openssl-provider-legacy - 3.0.8-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-03-22 17:15:00 UTC
2023-03-22 17:15:00 UTC
David Benjamin
[https://ubuntu.com/security/notices/USN-6039-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2023-0464
CVE-2023-0465 on Ubuntu 26.04 LTS (resolute) - low
Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks.
Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether.
Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
Update Instructions:
Run `sudo pro fix CVE-2023-0465` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.8-1ubuntu2
openssl - 3.0.8-1ubuntu2
openssl-provider-legacy - 3.0.8-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-03-28 15:15:00 UTC
2023-03-28 15:15:00 UTC
David Benjamin
[https://ubuntu.com/security/notices/USN-6039-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2023-0465
CVE-2023-0466 on Ubuntu 26.04 LTS (resolute) - negligible
The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification.
As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function.
Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument.
Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.
Update Instructions:
Run `sudo pro fix CVE-2023-0466` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.8-1ubuntu2
openssl - 3.0.8-1ubuntu2
openssl-provider-legacy - 3.0.8-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2023 Canonical Ltd.
2023-03-28 15:15:00 UTC
2023-03-28 15:15:00 UTC
David Benjamin
[https://ubuntu.com/security/notices/USN-6039-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2023-0466
CVE-2023-0482 on Ubuntu 26.04 LTS (resolute) - medium
In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-17 22:15:00 UTC
2023-02-17 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031728
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031729
[https://ubuntu.com/security/notices/USN-7351-1]
[https://ubuntu.com/security/notices/USN-7630-1]
CVE-2023-0482
CVE-2023-0614 on Ubuntu 26.04 LTS (resolute) - medium
The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC.
Update Instructions:
Run `sudo pro fix CVE-2023-0614` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-29
2023-03-29
Demi Marie Obenour
https://bugzilla.samba.org/show_bug.cgi?id=15270
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2014052
[https://ubuntu.com/security/notices/USN-5992-1]
[https://ubuntu.com/security/notices/USN-5993-1]
CVE-2023-0614
CVE-2023-0842 on Ubuntu 26.04 LTS (resolute) - medium
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-05 20:15:00 UTC
CVE-2023-0842
CVE-2023-0922 on Ubuntu 26.04 LTS (resolute) - medium
The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection.
Update Instructions:
Run `sudo pro fix CVE-2023-0922` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-29
2023-03-29
Andrew Bartlett
https://bugzilla.samba.org/show_bug.cgi?id=15315
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2014052
[https://ubuntu.com/security/notices/USN-5993-1]
CVE-2023-0922
CVE-2023-1055 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in RHDS 11 and RHDS 12. While browsing entries, LDAP tries to decode the userPassword attribute instead of the userCertificate attribute, which could lead to sensitive information being leaked. An attacker with a local account where the cockpit-389-ds is running can list the processes and display the hashed passwords. The highest threat from this vulnerability is to data confidentiality.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-27 22:15:00 UTC
CVE-2023-1055
CVE-2023-1108 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-14 15:15:00 UTC
CVE-2023-1108
CVE-2023-1193 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free flaw was found in setup_async_work in the KSMBD implementation of the in-kernel samba server and CIFS in the Linux kernel. This issue could allow an attacker to crash the system by accessing freed work.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-01 20:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2154177
https://bugzilla.suse.com/show_bug.cgi?id=1208972
CVE-2023-1193
CVE-2023-1255 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash.
Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM platform can crash in rare circumstances. The AES-XTS algorithm is usually used for disk encryption.
The AES-XTS cipher decryption implementation for 64 bit ARM platform will read past the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext buffer is unmapped, this will trigger a crash which results in a denial of service.
If an attacker can control the size and location of the ciphertext buffer being decrypted by an application using AES-XTS on 64 bit ARM, the application is affected. This is fairly unlikely making this issue a Low severity one.
Update Instructions:
Run `sudo pro fix CVE-2023-1255` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.8-1ubuntu3
openssl - 3.0.8-1ubuntu3
openssl-provider-legacy - 3.0.8-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-04-20 17:15:00 UTC
2023-04-20 17:15:00 UTC
Anton Romanov
[https://ubuntu.com/security/notices/USN-6119-1]
CVE-2023-1255
CVE-2023-1289 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp," resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.
Update Instructions:
Run `sudo pro fix CVE-2023-1289` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.6ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-03-23 20:15:00 UTC
2023-03-23 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6200-1]
[https://ubuntu.com/security/notices/USN-6200-2]
CVE-2023-1289
CVE-2023-1386 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-07-24 16:15:00 UTC
Jietao Xiao, Wenbo Shen, Jinku Li, Nanzi Yang
https://github.com/v9fs/linux/issues/29
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055174
CVE-2023-1386
CVE-2023-1393 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in X.Org Server Overlay Window. A Use-After-Free may lead to local privilege escalation. If a client explicitly destroys the compositor overlay window (aka COW), the Xserver would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later.
Update Instructions:
Run `sudo pro fix CVE-2023-1393` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.7-1ubuntu3
xorg-server-source - 2:21.1.7-1ubuntu3
xserver-common - 2:21.1.7-1ubuntu3
xserver-xephyr - 2:21.1.7-1ubuntu3
xserver-xorg-core - 2:21.1.7-1ubuntu3
xserver-xorg-legacy - 2:21.1.7-1ubuntu3
xvfb - 2:21.1.7-1ubuntu3
No subscription required
xwayland - 2:22.1.8-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-29 12:00:00 UTC
2023-03-29 12:00:00 UTC
Jan-Niklas Sohn
https://bugs.launchpad.net/ubuntu/+source/tigervnc/+bug/2048442
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051921
[https://ubuntu.com/security/notices/USN-5986-1]
CVE-2023-1393
CVE-2023-1417 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to victim's epic in an unrelated group.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-05 21:15:00 UTC
CVE-2023-1417
CVE-2023-1428 on Ubuntu 26.04 LTS (resolute) - medium
There exists a vulnerability causing an abort() to be called in gRPC.
The following headers cause gRPC's C++ implementation to abort() when called via http2:
te: x (x != trailers)
:scheme: x (x != http, https)
grpclb_client_stats: x (x == anything)
On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-09 11:15:00 UTC
CVE-2023-1428
CVE-2023-1436 on Ubuntu 26.04 LTS (resolute) - medium
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-22 06:15:00 UTC
2023-03-22 06:15:00 UTC
[https://ubuntu.com/security/notices/USN-6179-1]
CVE-2023-1436
CVE-2023-1521 on Ubuntu 26.04 LTS (resolute) - medium
On Linux the sccache client can execute arbitrary code with the privileges of a local sccache server, by preloading the code in a shared library passed to LD_PRELOAD.
If the server is run as root (which is the default when installing the snap package https://snapcraft.io/sccache ), this means a user running the sccache client can get root privileges.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-26 12:15:00 UTC
CVE-2023-1521
CVE-2023-1544 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.
Update Instructions:
Run `sudo pro fix CVE-2023-1544` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:8.1.3+ds-1ubuntu1
qemu-block-supplemental - 1:8.1.3+ds-1ubuntu1
qemu-guest-agent - 1:8.1.3+ds-1ubuntu1
qemu-system - 1:8.1.3+ds-1ubuntu1
qemu-system-arm - 1:8.1.3+ds-1ubuntu1
qemu-system-common - 1:8.1.3+ds-1ubuntu1
qemu-system-data - 1:8.1.3+ds-1ubuntu1
qemu-system-gui - 1:8.1.3+ds-1ubuntu1
qemu-system-mips - 1:8.1.3+ds-1ubuntu1
qemu-system-misc - 1:8.1.3+ds-1ubuntu1
qemu-system-modules-opengl - 1:8.1.3+ds-1ubuntu1
qemu-system-modules-spice - 1:8.1.3+ds-1ubuntu1
qemu-system-ppc - 1:8.1.3+ds-1ubuntu1
qemu-system-riscv - 1:8.1.3+ds-1ubuntu1
qemu-system-s390x - 1:8.1.3+ds-1ubuntu1
qemu-system-sparc - 1:8.1.3+ds-1ubuntu1
qemu-system-x86 - 1:8.1.3+ds-1ubuntu1
qemu-system-x86-xen - 1:8.1.3+ds-1ubuntu1
qemu-system-xen - 1:8.1.3+ds-1ubuntu1
qemu-user - 1:8.1.3+ds-1ubuntu1
qemu-user-binfmt - 1:8.1.3+ds-1ubuntu1
qemu-utils - 1:8.1.3+ds-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-23 20:15:00 UTC
2023-03-23 20:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034179
[https://ubuntu.com/security/notices/USN-6567-1]
CVE-2023-1544
CVE-2023-1605 on Ubuntu 26.04 LTS (resolute) - medium
Denial of Service in GitHub repository radareorg/radare2 prior to 5.8.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-23 19:15:00 UTC
CVE-2023-1605
CVE-2023-1668 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.
Update Instructions:
Run `sudo pro fix CVE-2023-1668` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openvswitch-common - 3.1.0-1ubuntu1
openvswitch-ipsec - 3.1.0-1ubuntu1
openvswitch-pki - 3.1.0-1ubuntu1
openvswitch-source - 3.1.0-1ubuntu1
openvswitch-switch - 3.1.0-1ubuntu1
openvswitch-switch-dpdk - 3.1.0-1ubuntu1
openvswitch-test - 3.1.0-1ubuntu1
openvswitch-testcontroller - 3.1.0-1ubuntu1
openvswitch-vtep - 3.1.0-1ubuntu1
python3-openvswitch - 3.1.0-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-10 22:15:00 UTC
2023-04-10 22:15:00 UTC
David Marchand
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034042
https://bugzilla.redhat.com/show_bug.cgi?id=2134873 (private)
[https://ubuntu.com/security/notices/USN-6068-1]
CVE-2023-1668
CVE-2023-1729 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in LibRaw. A heap-buffer-overflow in raw2image_ex() caused by a maliciously crafted file may lead to an application crash.
Update Instructions:
Run `sudo pro fix CVE-2023-1729` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libraw-bin - 0.20.2-2.1ubuntu1
libraw23t64 - 0.20.2-2.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 22:15:00 UTC
2023-05-15 22:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2188240
https://github.com/LibRaw/LibRaw/issues/557
[https://ubuntu.com/security/notices/USN-6137-1]
[https://ubuntu.com/security/notices/USN-7266-1]
CVE-2023-1729
CVE-2023-1894 on Ubuntu 26.04 LTS (resolute) - medium
A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-04 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035541
CVE-2023-1894
CVE-2023-1906 on Ubuntu 26.04 LTS (resolute) - low
A heap-based buffer overflow issue was discovered in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c. An attacker could pass specially crafted file to convert, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.
Update Instructions:
Run `sudo pro fix CVE-2023-1906` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.6ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-04-12 22:15:00 UTC
2023-04-12 22:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2185714
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034373
[https://ubuntu.com/security/notices/USN-6200-1]
CVE-2023-1906
CVE-2023-1932 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-07 10:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063540
CVE-2023-1932
CVE-2023-1973 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Undertow package. Using the FormAuthenticationMechanism, a malicious user could trigger a Denial of Service by sending crafted requests, leading the server to an OutofMemory error, exhausting the server's memory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-07 10:15:00 UTC
CVE-2023-1973
CVE-2023-1999 on Ubuntu 26.04 LTS (resolute) - medium
There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free.
Update Instructions:
Run `sudo pro fix CVE-2023-1999` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libsharpyuv0 - 1.2.4-0.1ubuntu1
libwebp7 - 1.2.4-0.1ubuntu1
libwebpdecoder3 - 1.2.4-0.1ubuntu1
libwebpdemux2 - 1.2.4-0.1ubuntu1
libwebpmux3 - 1.2.4-0.1ubuntu1
webp - 1.2.4-0.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-08
2023-05-08
Irvan Kurniawan
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035371
https://bugzilla.mozilla.org/show_bug.cgi?id=1819244 (not public)
[https://ubuntu.com/security/notices/USN-6078-1]
[https://ubuntu.com/security/notices/USN-6078-2]
CVE-2023-1999
CVE-2023-20569 on Ubuntu 26.04 LTS (resolute) - high
A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.
Update Instructions:
Run `sudo pro fix CVE-2023-20569` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
amd64-microcode - 3.20230808.1.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2023 Canonical Ltd.
2023-08-08 18:15:00 UTC
2023-08-08 18:15:00 UTC
Daniël Trujillo, Johannes Wikner, and Kaveh Razavi
[https://ubuntu.com/security/notices/USN-6319-1]
[https://ubuntu.com/security/notices/USN-6412-1]
[https://ubuntu.com/security/notices/USN-6415-1]
[https://ubuntu.com/security/notices/USN-6416-1]
[https://ubuntu.com/security/notices/USN-6416-2]
[https://ubuntu.com/security/notices/USN-6416-3]
[https://ubuntu.com/security/notices/USN-6445-1]
[https://ubuntu.com/security/notices/USN-6445-2]
[https://ubuntu.com/security/notices/USN-6466-1]
CVE-2023-20569
CVE-2023-20585 on Ubuntu 26.04 LTS (resolute) - medium
Insufficient checks of the RMP on host buffer access in IOMMU may allow an attacker with privileges and a compromised hypervisor to trigger an out of bounds condition without RMP checks, resulting in a potential loss of confidential guest integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-16 19:16:00 UTC
CVE-2023-20585
CVE-2023-20593 on Ubuntu 26.04 LTS (resolute) - high
An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.
Update Instructions:
Run `sudo pro fix CVE-2023-20593` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
amd64-microcode - 3.20230719.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2023 Canonical Ltd.
2023-07-24
2023-07-24
Tavis Ormandy of Google Information Security
[https://ubuntu.com/security/notices/USN-6244-1]
[https://ubuntu.com/security/notices/USN-6315-1]
[https://ubuntu.com/security/notices/USN-6316-1]
[https://ubuntu.com/security/notices/USN-6317-1]
[https://ubuntu.com/security/notices/USN-6318-1]
[https://ubuntu.com/security/notices/USN-6321-1]
[https://ubuntu.com/security/notices/USN-6324-1]
[https://ubuntu.com/security/notices/USN-6325-1]
[https://ubuntu.com/security/notices/USN-6328-1]
[https://ubuntu.com/security/notices/USN-6329-1]
[https://ubuntu.com/security/notices/USN-6330-1]
[https://ubuntu.com/security/notices/USN-6331-1]
[https://ubuntu.com/security/notices/USN-6332-1]
[https://ubuntu.com/security/notices/USN-6342-1]
[https://ubuntu.com/security/notices/USN-6346-1]
[https://ubuntu.com/security/notices/USN-6348-1]
[https://ubuntu.com/security/notices/USN-6342-2]
[https://ubuntu.com/security/notices/USN-6357-1]
[https://ubuntu.com/security/notices/USN-6385-1]
[https://ubuntu.com/security/notices/USN-6397-1]
[https://ubuntu.com/security/notices/USN-6532-1]
CVE-2023-20593
CVE-2023-20860 on Ubuntu 26.04 LTS (resolute) - medium
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-27 22:15:00 UTC
CVE-2023-20860
CVE-2023-20861 on Ubuntu 26.04 LTS (resolute) - medium
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-23 21:15:00 UTC
CVE-2023-20861
CVE-2023-20863 on Ubuntu 26.04 LTS (resolute) - medium
In spring framework versions prior to 5.2.24 release+, 5.3.27+ and 6.0.8+, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-13 20:15:00 UTC
CVE-2023-20863
CVE-2023-2142 on Ubuntu 26.04 LTS (resolute) - medium
In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-26 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088331
https://bugzilla.mozilla.org/show_bug.cgi?id=1825980
CVE-2023-2142
CVE-2023-21835 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Update Instructions:
Run `sudo pro fix CVE-2023-21835` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.18+10-0ubuntu1
openjdk-11-jdk - 11.0.18+10-0ubuntu1
openjdk-11-jdk-headless - 11.0.18+10-0ubuntu1
openjdk-11-jre - 11.0.18+10-0ubuntu1
openjdk-11-jre-headless - 11.0.18+10-0ubuntu1
openjdk-11-jre-zero - 11.0.18+10-0ubuntu1
openjdk-11-source - 11.0.18+10-0ubuntu1
No subscription required
openjdk-17-demo - 17.0.6+10-0ubuntu1
openjdk-17-jdk - 17.0.6+10-0ubuntu1
openjdk-17-jdk-headless - 17.0.6+10-0ubuntu1
openjdk-17-jre - 17.0.6+10-0ubuntu1
openjdk-17-jre-headless - 17.0.6+10-0ubuntu1
openjdk-17-jre-zero - 17.0.6+10-0ubuntu1
openjdk-17-source - 17.0.6+10-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-18 00:15:00 UTC
2023-01-18 00:15:00 UTC
Juraj Somorovsky, Marcel Maehren, Nurullah Erinola, and Robert Merget
[https://ubuntu.com/security/notices/USN-5897-1]
CVE-2023-21835
CVE-2023-21843 on Ubuntu 26.04 LTS (resolute) - low
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2023-21843` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-17-demo - 17.0.6+10-0ubuntu1
openjdk-17-jdk - 17.0.6+10-0ubuntu1
openjdk-17-jdk-headless - 17.0.6+10-0ubuntu1
openjdk-17-jre - 17.0.6+10-0ubuntu1
openjdk-17-jre-headless - 17.0.6+10-0ubuntu1
openjdk-17-jre-zero - 17.0.6+10-0ubuntu1
openjdk-17-source - 17.0.6+10-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-01-18 00:15:00 UTC
2023-01-18 00:15:00 UTC
Markus Loewe
[https://ubuntu.com/security/notices/USN-5897-1]
[https://ubuntu.com/security/notices/USN-5898-1]
CVE-2023-21843
CVE-2023-21884 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-18 00:15:00 UTC
Siqi Chen of Shanghai Jiao Tong University
CVE-2023-21884
CVE-2023-21886 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.42 and prior to 7.0.6. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-18 00:15:00 UTC
Exist (exist91240480) working with Trend Micro Zero Day Initiative
CVE-2023-21886
CVE-2023-21889 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-18 00:15:00 UTC
Aobo Wang and Kun Yang of Chaitin Security Research Lab
CVE-2023-21889
CVE-2023-21898 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: Applies to VirtualBox VMs running Windows 7 and later. CVSS 3.1 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-18 00:15:00 UTC
Aobo Wang and Kun Yang of Chaitin Security Research Lab
CVE-2023-21898
CVE-2023-21899 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: Applies to VirtualBox VMs running Windows 7 and later. CVSS 3.1 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-18 00:15:00 UTC
Aobo Wang and Kun Yang of Chaitin Security Research Lab
CVE-2023-21899
CVE-2023-21930 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
Update Instructions:
Run `sudo pro fix CVE-2023-21930` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.19+7~us1-0ubuntu1
openjdk-11-jdk - 11.0.19+7~us1-0ubuntu1
openjdk-11-jdk-headless - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre-headless - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre-zero - 11.0.19+7~us1-0ubuntu1
openjdk-11-source - 11.0.19+7~us1-0ubuntu1
No subscription required
openjdk-17-demo - 17.0.7+7~us1-0ubuntu1
openjdk-17-jdk - 17.0.7+7~us1-0ubuntu1
openjdk-17-jdk-headless - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre-headless - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre-zero - 17.0.7+7~us1-0ubuntu1
openjdk-17-source - 17.0.7+7~us1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-18 20:15:00 UTC
2023-04-18 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6077-1]
CVE-2023-21930
CVE-2023-21937 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2023-21937` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.19+7~us1-0ubuntu1
openjdk-11-jdk - 11.0.19+7~us1-0ubuntu1
openjdk-11-jdk-headless - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre-headless - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre-zero - 11.0.19+7~us1-0ubuntu1
openjdk-11-source - 11.0.19+7~us1-0ubuntu1
No subscription required
openjdk-17-demo - 17.0.7+7~us1-0ubuntu1
openjdk-17-jdk - 17.0.7+7~us1-0ubuntu1
openjdk-17-jdk-headless - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre-headless - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre-zero - 17.0.7+7~us1-0ubuntu1
openjdk-17-source - 17.0.7+7~us1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-18 20:15:00 UTC
2023-04-18 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6077-1]
CVE-2023-21937
CVE-2023-21938 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2023-21938` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.19+7~us1-0ubuntu1
openjdk-11-jdk - 11.0.19+7~us1-0ubuntu1
openjdk-11-jdk-headless - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre-headless - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre-zero - 11.0.19+7~us1-0ubuntu1
openjdk-11-source - 11.0.19+7~us1-0ubuntu1
No subscription required
openjdk-17-demo - 17.0.7+7~us1-0ubuntu1
openjdk-17-jdk - 17.0.7+7~us1-0ubuntu1
openjdk-17-jdk-headless - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre-headless - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre-zero - 17.0.7+7~us1-0ubuntu1
openjdk-17-source - 17.0.7+7~us1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-18 20:15:00 UTC
2023-04-18 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6077-1]
CVE-2023-21938
CVE-2023-21939 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2023-21939` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.19+7~us1-0ubuntu1
openjdk-11-jdk - 11.0.19+7~us1-0ubuntu1
openjdk-11-jdk-headless - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre-headless - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre-zero - 11.0.19+7~us1-0ubuntu1
openjdk-11-source - 11.0.19+7~us1-0ubuntu1
No subscription required
openjdk-17-demo - 17.0.7+7~us1-0ubuntu1
openjdk-17-jdk - 17.0.7+7~us1-0ubuntu1
openjdk-17-jdk-headless - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre-headless - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre-zero - 17.0.7+7~us1-0ubuntu1
openjdk-17-source - 17.0.7+7~us1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-18 20:15:00 UTC
2023-04-18 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6077-1]
CVE-2023-21939
CVE-2023-21954 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
Update Instructions:
Run `sudo pro fix CVE-2023-21954` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.19+7~us1-0ubuntu1
openjdk-11-jdk - 11.0.19+7~us1-0ubuntu1
openjdk-11-jdk-headless - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre-headless - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre-zero - 11.0.19+7~us1-0ubuntu1
openjdk-11-source - 11.0.19+7~us1-0ubuntu1
No subscription required
openjdk-17-demo - 17.0.7+7~us1-0ubuntu1
openjdk-17-jdk - 17.0.7+7~us1-0ubuntu1
openjdk-17-jdk-headless - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre-headless - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre-zero - 17.0.7+7~us1-0ubuntu1
openjdk-17-source - 17.0.7+7~us1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-18 20:15:00 UTC
2023-04-18 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6077-1]
CVE-2023-21954
CVE-2023-21967 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2023-21967` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.19+7~us1-0ubuntu1
openjdk-11-jdk - 11.0.19+7~us1-0ubuntu1
openjdk-11-jdk-headless - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre-headless - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre-zero - 11.0.19+7~us1-0ubuntu1
openjdk-11-source - 11.0.19+7~us1-0ubuntu1
No subscription required
openjdk-17-demo - 17.0.7+7~us1-0ubuntu1
openjdk-17-jdk - 17.0.7+7~us1-0ubuntu1
openjdk-17-jdk-headless - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre-headless - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre-zero - 17.0.7+7~us1-0ubuntu1
openjdk-17-source - 17.0.7+7~us1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-18 20:15:00 UTC
2023-04-18 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6077-1]
CVE-2023-21967
CVE-2023-21968 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2023-21968` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.19+7~us1-0ubuntu1
openjdk-11-jdk - 11.0.19+7~us1-0ubuntu1
openjdk-11-jdk-headless - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre-headless - 11.0.19+7~us1-0ubuntu1
openjdk-11-jre-zero - 11.0.19+7~us1-0ubuntu1
openjdk-11-source - 11.0.19+7~us1-0ubuntu1
No subscription required
openjdk-17-demo - 17.0.7+7~us1-0ubuntu1
openjdk-17-jdk - 17.0.7+7~us1-0ubuntu1
openjdk-17-jdk-headless - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre-headless - 17.0.7+7~us1-0ubuntu1
openjdk-17-jre-zero - 17.0.7+7~us1-0ubuntu1
openjdk-17-source - 17.0.7+7~us1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-18 20:15:00 UTC
2023-04-18 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6077-1]
CVE-2023-21968
CVE-2023-22006 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2023-22006` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.20+8-1ubuntu1
openjdk-11-jdk - 11.0.20+8-1ubuntu1
openjdk-11-jdk-headless - 11.0.20+8-1ubuntu1
openjdk-11-jre - 11.0.20+8-1ubuntu1
openjdk-11-jre-headless - 11.0.20+8-1ubuntu1
openjdk-11-jre-zero - 11.0.20+8-1ubuntu1
openjdk-11-source - 11.0.20+8-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-18 21:15:00 UTC
2023-07-18 21:15:00 UTC
Motoyasu Saburi
[https://ubuntu.com/security/notices/USN-6263-1]
[https://ubuntu.com/security/notices/USN-6272-1]
CVE-2023-22006
CVE-2023-22016 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.46 and Prior to 7.0.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.2 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-18 21:15:00 UTC
CVE-2023-22016
CVE-2023-22017 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.46 and Prior to 7.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: This vulnerability applies to Windows VMs only. CVSS 3.1 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-18 21:15:00 UTC
CVE-2023-22017
CVE-2023-22018 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.46 and Prior to 7.0.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via RDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-18 21:15:00 UTC
CVE-2023-22018
CVE-2023-22036 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Update Instructions:
Run `sudo pro fix CVE-2023-22036` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.20+8-1ubuntu1
openjdk-11-jdk - 11.0.20+8-1ubuntu1
openjdk-11-jdk-headless - 11.0.20+8-1ubuntu1
openjdk-11-jre - 11.0.20+8-1ubuntu1
openjdk-11-jre-headless - 11.0.20+8-1ubuntu1
openjdk-11-jre-zero - 11.0.20+8-1ubuntu1
openjdk-11-source - 11.0.20+8-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-18 21:15:00 UTC
2023-07-18 21:15:00 UTC
Eirik Bjørsnøs
[https://ubuntu.com/security/notices/USN-6263-1]
[https://ubuntu.com/security/notices/USN-6272-1]
CVE-2023-22036
CVE-2023-22041 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
Update Instructions:
Run `sudo pro fix CVE-2023-22041` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.20+8-1ubuntu1
openjdk-11-jdk - 11.0.20+8-1ubuntu1
openjdk-11-jdk-headless - 11.0.20+8-1ubuntu1
openjdk-11-jre - 11.0.20+8-1ubuntu1
openjdk-11-jre-headless - 11.0.20+8-1ubuntu1
openjdk-11-jre-zero - 11.0.20+8-1ubuntu1
openjdk-11-source - 11.0.20+8-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-18 21:15:00 UTC
2023-07-18 21:15:00 UTC
David Stancu
[https://ubuntu.com/security/notices/USN-6263-1]
[https://ubuntu.com/security/notices/USN-6272-1]
CVE-2023-22041
CVE-2023-22332 on Ubuntu 26.04 LTS (resolute) - medium
Information disclosure vulnerability exists in Pgpool-II 4.4.0 to 4.4.1 (4.4 series), 4.3.0 to 4.3.4 (4.3 series), 4.2.0 to 4.2.11 (4.2 series), 4.1.0 to 4.1.14 (4.1 series), 4.0.0 to 4.0.21 (4.0 series), All versions of 3.7 series, All versions of 3.6 series, All versions of 3.5 series, All versions of 3.4 series, and All versions of 3.3 series. A specific database user's authentication information may be obtained by another database user. As a result, the information stored in the database may be altered and/or database may be suspended by a remote attacker who successfully logged in the product with the obtained credentials.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-30 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030048
CVE-2023-22332
CVE-2023-22457 on Ubuntu 26.04 LTS (resolute) - medium
CKEditor Integration UI adds support for editing wiki pages using CKEditor. Prior to versions 1.64.3, the `CKEditor.HTMLConverter` document lacked a protection against Cross-Site Request Forgery (CSRF), allowing to execute macros with the rights of the current user. If a privileged user with programming rights was tricked into executing a GET request to this document with certain parameters (e.g., via an image with a corresponding URL embedded in a comment or via a redirect), this would allow arbitrary remote code execution and the attacker could gain rights, access private information or impact the availability of the wiki. The issue has been patched in the CKEditor Integration version 1.64.3. This has also been patched in the version of the CKEditor integration that is bundled starting with XWiki 14.6 RC1. There are no known workarounds for this other than upgrading the CKEditor integration to a fixed version.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-04 15:15:00 UTC
CVE-2023-22457
CVE-2023-22486 on Ubuntu 26.04 LTS (resolute) - medium
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-26 21:18:00 UTC
2023-01-26 21:18:00 UTC
[https://ubuntu.com/security/notices/USN-7319-1]
CVE-2023-22486
CVE-2023-22491 on Ubuntu 26.04 LTS (resolute) - medium
Gatsby is a free and open source framework based on React that helps developers build websites and apps. The gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the `gray-matter` npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized. The vulnerability is present in gatsby-transformer-remark when passing input in data mode (querying MarkdownRemark nodes via GraphQL). Injected JavaScript executes in the context of the build server. To exploit this vulnerability untrusted/unsanitized input would need to be sourced by or added into a file processed by gatsby-transformer-remark. A patch has been introduced in `gatsby-transformer-remark@5.25.1` and `gatsby-transformer-remark@6.3.2` which mitigates the issue by disabling the `gray-matter` JavaScript Frontmatter engine. As a workaround, if an older version of `gatsby-transformer-remark` must be used, input passed into the plugin should be sanitized ahead of processing. It is encouraged for projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-13 19:15:00 UTC
CVE-2023-22491
CVE-2023-22622 on Ubuntu 26.04 LTS (resolute) - medium
WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-05 02:15:00 UTC
CVE-2023-22622
CVE-2023-22652 on Ubuntu 26.04 LTS (resolute) - medium
A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in openSUSE libeconf leads to DoS via malformed config files. This issue affects libeconf: before 0.5.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-01 12:15:00 UTC
CVE-2023-22652
CVE-2023-22665 on Ubuntu 26.04 LTS (resolute) - medium
There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-25 07:15:00 UTC
CVE-2023-22665
CVE-2023-22792 on Ubuntu 26.04 LTS (resolute) - medium
A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1, <6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-09 20:15:00 UTC
CVE-2023-22792
CVE-2023-22794 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database with insufficient sanitization and be able to inject SQL outside of the comment.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-09 20:15:00 UTC
CVE-2023-22794
CVE-2023-22795 on Ubuntu 26.04 LTS (resolute) - medium
A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-09 20:15:00 UTC
CVE-2023-22795
CVE-2023-22796 on Ubuntu 26.04 LTS (resolute) - medium
A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-09 20:15:00 UTC
CVE-2023-22796
CVE-2023-22797 on Ubuntu 26.04 LTS (resolute) - medium
An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could allow an attacker to bypass with a carefully crafted URL resulting in an open redirect vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-09 20:15:00 UTC
CVE-2023-22797
CVE-2023-22799 on Ubuntu 26.04 LTS (resolute) - medium
A ReDoS based DoS vulnerability in the GlobalID <1.0.1 which could allow an attacker supplying a carefully crafted input can cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-09 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029851
CVE-2023-22799
CVE-2023-22899 on Ubuntu 26.04 LTS (resolute) - medium
Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-10 02:15:00 UTC
CVE-2023-22899
CVE-2023-22909 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-10 08:15:00 UTC
CVE-2023-22909
CVE-2023-22911 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-10 08:15:00 UTC
CVE-2023-22911
CVE-2023-2295 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in the libreswan library. This security issue occurs when an IKEv1 Aggressive Mode packet is received with only unacceptable crypto algorithms, and the response packet is not sent with a zero responder SPI. When a subsequent packet is received where the sender reuses the libreswan responder SPI as its own initiator SPI, the pluto daemon state machine crashes. No remote code execution is possible. This CVE exists because of a CVE-2023-30570 security regression for libreswan package in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-17 23:15:00 UTC
CVE-2023-2295
CVE-2023-23009 on Ubuntu 26.04 LTS (resolute) - medium
Libreswan 4.9 allows remote attackers to cause a denial of service (assert failure and daemon restart) via crafted TS payload with an incorrect selector length.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-21 16:15:00 UTC
CVE-2023-23009
CVE-2023-23082 on Ubuntu 26.04 LTS (resolute) - medium
A heap buffer overflow vulnerability in Kodi Home Theater Software up to 19.5 allows attackers to cause a denial of service due to an improper length of the value passed to the offset argument.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-03 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031048
CVE-2023-23082
CVE-2023-23088 on Ubuntu 26.04 LTS (resolute) - medium
Buffer OverFlow Vulnerability in Barenboim json-parser master and v1.1.0 fixed in v1.1.1 allows an attacker to execute arbitrary code via the json_value_parse function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-03 18:15:00 UTC
CVE-2023-23088
CVE-2023-23108 on Ubuntu 26.04 LTS (resolute) - medium
In crasm 1.8-3, invalid input validation, specific files passed to the command line application, can lead to a NULL pointer dereference in the function Xasc.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-27 14:15:00 UTC
CVE-2023-23108
CVE-2023-23109 on Ubuntu 26.04 LTS (resolute) - medium
In crasm 1.8-3, invalid input validation, specific files passed to the command line application, can lead to a divide by zero fault in the function opdiv.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-27 14:15:00 UTC
CVE-2023-23109
CVE-2023-23456 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-12 19:15:00 UTC
CVE-2023-23456
CVE-2023-23457 on Ubuntu 26.04 LTS (resolute) - medium
A Segmentation fault was found in UPX in PackLinuxElf64::invert_pt_dynamic() in p_lx_elf.cpp. An attacker with a crafted input file allows invalid memory address access that could lead to a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-01-12 19:15:00 UTC
CVE-2023-23457
CVE-2023-23913 on Ubuntu 26.04 LTS (resolute) - medium
There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-09 01:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033263
CVE-2023-23913
CVE-2023-23969 on Ubuntu 26.04 LTS (resolute) - medium
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
Update Instructions:
Run `sudo pro fix CVE-2023-23969` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:3.2.16-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-01 10:00:00 UTC
2023-02-01 10:00:00 UTC
Nick Pope
[https://ubuntu.com/security/notices/USN-5837-1]
[https://ubuntu.com/security/notices/USN-5837-2]
CVE-2023-23969
CVE-2023-24010 on Ubuntu 26.04 LTS (resolute) - medium
An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-09 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104239
CVE-2023-24010
CVE-2023-24473 on Ubuntu 26.04 LTS (resolute) - medium
An information disclosure vulnerability exists in the TGAInput::read_tga2_header functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted targa file can lead to a disclosure of sensitive information. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-30 16:15:00 UTC
CVE-2023-24473
CVE-2023-24535 on Ubuntu 26.04 LTS (resolute) - medium
Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-08 21:15:00 UTC
CVE-2023-24535
CVE-2023-24580 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.
Update Instructions:
Run `sudo pro fix CVE-2023-24580` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:3.2.18-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-14 09:00:00 UTC
2023-02-14 09:00:00 UTC
Jakob Ackermann
[https://ubuntu.com/security/notices/USN-5868-1]
CVE-2023-24580
CVE-2023-24607 on Ubuntu 26.04 LTS (resolute) - low
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-04-15 01:15:00 UTC
2023-04-15 01:15:00 UTC
[https://ubuntu.com/security/notices/USN-7780-1]
CVE-2023-24607
CVE-2023-24808 on Ubuntu 26.04 LTS (resolute) - medium
PDFio is a C library for reading and writing PDF files. In versions prior to 1.1.0 a denial of service (DOS) vulnerability exists in the pdfio parser. Crafted pdf files can cause the program to run at 100% utilization and never terminate. The pdf which causes this crash found in testing is about 28kb in size and was discovered via fuzzing. Anyone who uses this library either as a standalone binary or as a library can be DOSed when attempting to parse this type of file. Web servers or other automated processes which rely on this code to turn pdf submissions into plaintext can be DOSed when an attacker uploads the pdf. Please see the linked GHSA for an example pdf. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-07 01:15:00 UTC
CVE-2023-24808
CVE-2023-24809 on Ubuntu 26.04 LTS (resolute) - medium
NetHack is a single player dungeon exploration game. Starting with version 3.6.2 and prior to version 3.6.7, illegal input to the "C" (call) command can cause a buffer overflow and crash the NetHack process. This vulnerability may be a security issue for systems that have NetHack installed suid/sgid and for shared systems. For all systems, it may result in a process crash. This issue is resolved in NetHack 3.6.7. There are no known workarounds.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-17 20:15:00 UTC
CVE-2023-24809
CVE-2023-24816 on Ubuntu 26.04 LTS (resolute) - low
IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function `IPython.utils.terminal.set_term_title` be called on Windows in a Python environment where ctypes is not available. The dependency on `ctypes` in `IPython.utils._process_win32` prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool `set_term_title` could be called and hence introduce a vulnerability. Should an attacker get untrusted input to an instance of this function they would be able to inject shell commands as current process and limited to the scope of the current process. Users of ipython as a library are advised to upgrade. Users unable to upgrade should ensure that any calls to the `IPython.utils.terminal.set_term_title` function are done with trusted or filtered input.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-02-10 20:15:00 UTC
CVE-2023-24816
CVE-2023-24824 on Ubuntu 26.04 LTS (resolute) - medium
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-31 23:15:00 UTC
CVE-2023-24824
CVE-2023-24998 on Ubuntu 26.04 LTS (resolute) - medium
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-20 16:15:00 UTC
CVE-2023-24998
CVE-2023-25193 on Ubuntu 26.04 LTS (resolute) - low
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.
Update Instructions:
Run `sudo pro fix CVE-2023-25193` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.20+8-1ubuntu1
openjdk-11-jdk - 11.0.20+8-1ubuntu1
openjdk-11-jdk-headless - 11.0.20+8-1ubuntu1
openjdk-11-jre - 11.0.20+8-1ubuntu1
openjdk-11-jre-headless - 11.0.20+8-1ubuntu1
openjdk-11-jre-zero - 11.0.20+8-1ubuntu1
openjdk-11-source - 11.0.20+8-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-02-04 20:15:00 UTC
2023-02-04 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030612
[https://ubuntu.com/security/notices/USN-6263-1]
[https://ubuntu.com/security/notices/USN-6272-1]
[https://ubuntu.com/security/notices/USN-7251-1]
CVE-2023-25193
CVE-2023-25510 on Ubuntu 26.04 LTS (resolute) - low
NVIDIA CUDA Toolkit SDK for Linux and Windows contains a NULL pointer dereference in cuobjdump, where a local user running the tool against a malformed binary may cause a limited denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-04-22 03:15:00 UTC
CVE-2023-25510
CVE-2023-25511 on Ubuntu 26.04 LTS (resolute) - low
NVIDIA CUDA Toolkit for Linux and Windows contains a vulnerability in cuobjdump, where a division-by-zero error may enable a user to cause a crash, which may lead to a limited denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-04-22 03:15:00 UTC
CVE-2023-25511
CVE-2023-25512 on Ubuntu 26.04 LTS (resolute) - low
NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in cuobjdump, where an attacker may cause an out-of-bounds memory read by running cuobjdump on a malformed input file. A successful exploit of this vulnerability may lead to limited denial of service, code execution, and limited information disclosure.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-04-22 03:15:00 UTC
CVE-2023-25512
CVE-2023-25513 on Ubuntu 26.04 LTS (resolute) - low
NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in cuobjdump, where an attacker may cause an out-of-bounds read by tricking a user into running cuobjdump on a malformed input file. A successful exploit of this vulnerability may lead to limited denial of service, code execution, and limited information disclosure.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-04-22 03:15:00 UTC
CVE-2023-25513
CVE-2023-25514 on Ubuntu 26.04 LTS (resolute) - low
NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in cuobjdump, where an attacker may cause an out-of-bounds read by tricking a user into running cuobjdump on a malformed input file. A successful exploit of this vulnerability may lead to limited denial of service, code execution, and limited information disclosure.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-04-22 03:15:00 UTC
CVE-2023-25514
CVE-2023-25523 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in the nvdisasm binary file, where an attacker may cause a NULL pointer dereference by providing a user with a malformed ELF file. A successful exploit of this vulnerability may lead to a partial denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-04 00:15:00 UTC
CVE-2023-25523
CVE-2023-25690 on Ubuntu 26.04 LTS (resolute) - medium
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
Update Instructions:
Run `sudo pro fix CVE-2023-25690` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.55-1ubuntu2
apache2-bin - 2.4.55-1ubuntu2
apache2-data - 2.4.55-1ubuntu2
apache2-suexec-custom - 2.4.55-1ubuntu2
apache2-suexec-pristine - 2.4.55-1ubuntu2
apache2-utils - 2.4.55-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-07 16:15:00 UTC
2023-03-07 16:15:00 UTC
Lars Krapf
[https://ubuntu.com/security/notices/USN-5942-1]
[https://ubuntu.com/security/notices/USN-5942-2]
CVE-2023-25690
CVE-2023-25727 on Ubuntu 26.04 LTS (resolute) - medium
In phpMyAdmin before 4.9.11 and 5.x before 5.2.1, an authenticated user can trigger XSS by uploading a crafted .sql file through the drag-and-drop interface.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-13 06:15:00 UTC
CVE-2023-25727
CVE-2023-25825 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 are vulnerable to Cross-site Scripting. Log entries can be injected into the database logs, containing a malicious referrer field. This is unescaped when viewing the logs in the web ui. This issue is patched in version 1.36.33.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-25 01:15:00 UTC
Daniel Hofer
CVE-2023-25825
CVE-2023-2602 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to cause __real_pthread_create() to return an error, which can exhaust the process memory.
Update Instructions:
Run `sudo pro fix CVE-2023-2602` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libcap2 - 1:2.66-4ubuntu1
libcap2-bin - 1:2.66-4ubuntu1
libpam-cap - 1:2.66-4ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-05-15
2023-05-15
David Gstir
https://bugzilla.kernel.org/show_bug.cgi?id=217410
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036114
[https://ubuntu.com/security/notices/USN-6166-1]
CVE-2023-2602
CVE-2023-26032 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain SQL Injection via malicious JSON web token. The Username field of the JWT token was trusted when performing an SQL query to load the user. If an attacker could determine the HASH key used by ZoneMinder, they could generate a malicious JWT token and use it to execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-25 01:15:00 UTC
CVE-2023-26032
CVE-2023-26034 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the `filter[Query][terms][0][attr]` query string parameter of the `/zm/index.php` endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-25 01:15:00 UTC
CVE-2023-26034
CVE-2023-26035 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There is no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in versions 1.36.33 and 1.37.33.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-25 02:15:00 UTC
CVE-2023-26035
CVE-2023-26036 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via /web/index.php. By controlling $view, any local file ending in .php can be executed. This is supposed to be mitigated by calling detaintPath, however detaintPath does not properly sandbox the path. This can be exploited by constructing paths like "..././", which get replaced by "../". This issue is patched in versions 1.36.33 and 1.37.33.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-25 02:15:00 UTC
CVE-2023-26036
CVE-2023-26037 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an SQL Injection. The minTime and maxTime request parameters are not properly validated and could be used to execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-25 02:15:00 UTC
CVE-2023-26037
CVE-2023-26038 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via web/ajax/modal.php, where an arbitrary php file path can be passed in the request and loaded. This issue is patched in versions 1.36.33 and 1.37.33.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-25 02:15:00 UTC
Manfred Paul
CVE-2023-26038
CVE-2023-26039 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an OS Command Injection via daemonControl() in (/web/api/app/Controller/HostController.php). Any authenticated user can construct an api command to execute any shell command as the web user. This issue is patched in versions 1.36.33 and 1.37.33.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-25 02:15:00 UTC
Aymen Borgi
CVE-2023-26039
CVE-2023-26053 on Ubuntu 26.04 LTS (resolute) - medium
Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64 bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a `trusted-key` or `pgp` element in their dependency verification metadata file. The fix is to fail dependency verification if anything but a fingerprint is used in a trust element in dependency verification metadata. The problem is fixed in Gradle 8.0 and above. The problem is also patched in Gradle 6.9.4 and 7.6.1. As a workaround, using only full fingerprint IDs for the `trusted-key` or `pgp` element in the metadata is a protection against this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-02 04:15:00 UTC
CVE-2023-26053
CVE-2023-26081 on Ubuntu 26.04 LTS (resolute) - medium
In Epiphany (aka GNOME Web) through 43.0, untrusted web content can trick users into exfiltrating passwords, because autofill occurs in sandboxed contexts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-20 03:15:00 UTC
CVE-2023-26081
CVE-2023-26144 on Ubuntu 26.04 LTS (resolute) - medium
Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance. **Note:** It was not proven that this vulnerability can crash the process.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-20 05:15:00 UTC
CVE-2023-26144
CVE-2023-26242 on Ubuntu 26.04 LTS (resolute) - medium
afu_mmio_region_get_by_offset in drivers/fpga/dfl-afu-region.c in the Linux kernel through 6.1.12 has an integer overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-21 01:15:00 UTC
https://bugzilla.suse.com/show_bug.cgi?id=1208518
CVE-2023-26242
CVE-2023-26266 on Ubuntu 26.04 LTS (resolute) - medium
In AFL++ 4.05c, the CmpLog component uses the current working directory to resolve and execute unprefixed fuzzing targets, allowing code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-21 04:15:00 UTC
CVE-2023-26266
CVE-2023-26302 on Ubuntu 26.04 LTS (resolute) - medium
Denial of service could be caused to the command line interface of markdown-it-py, before v2.2.0, if an attacker was allowed to use invalid UTF-8 characters as input.
Update Instructions:
Run `sudo pro fix CVE-2023-26302` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-markdown-it - 2.1.0-4ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-22 23:15:00 UTC
Mark Esler
CVE-2023-26302
CVE-2023-26303 on Ubuntu 26.04 LTS (resolute) - medium
Denial of service could be caused to markdown-it-py, before v2.2.0, if an attacker was allowed to force null assertions with specially crafted input.
Update Instructions:
Run `sudo pro fix CVE-2023-26303` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-markdown-it - 2.1.0-4ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-02-23 00:15:00 UTC
Mark Esler
CVE-2023-26303
CVE-2023-26437 on Ubuntu 26.04 LTS (resolute) - medium
Denial of service vulnerability in PowerDNS Recursor allows authoritative servers to be marked unavailable. This issue affects Recursor: through 4.6.5, through 4.7.4, through 4.8.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-04 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033941
CVE-2023-26437
CVE-2023-26485 on Ubuntu 26.04 LTS (resolute) - medium
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with large numbers of `_` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.
### Impact
A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service.
### Proof of concept
```
$ ~/cmark-gfm$ python3 -c 'pad = "_" * 100000; print(pad + "." + pad,end="")' | time ./build/src/cmark-gfm --to plaintext
```
Increasing the number 10000 in the above commands causes the running time to increase quadratically.
### Patches
This vulnerability has been patched in 0.29.0.gfm.10.
### Note on cmark and cmark-gfm
XXX: TBD
[cmark-gfm](https://github.com/github/cmark-gfm) is a fork of [cmark](https://github.com/commonmark/cmark) that adds the GitHub Flavored Markdown extensions. The two codebases have diverged over time, but share a common core. These bugs affect both `cmark` and `cmark-gfm`.
### Credit
We would like to thank @gravypod for reporting this vulnerability.
### References
https://en.wikipedia.org/wiki/Time_complexity
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [github/cmark-gfm](https://github.com/github/cmark-gfm)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-31 23:15:00 UTC
2023-03-31 23:15:00 UTC
https://github.com/commonmark/cmark/issues/431
[https://ubuntu.com/security/notices/USN-7319-1]
CVE-2023-26485
CVE-2023-2650 on Ubuntu 26.04 LTS (resolute) - medium
Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow.
Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service.
An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods.
When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*).
With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms.
Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data.
Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low.
In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature.
The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication.
In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.
Update Instructions:
Run `sudo pro fix CVE-2023-2650` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.8-1ubuntu3
openssl - 3.0.8-1ubuntu3
openssl-provider-legacy - 3.0.8-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-30
2023-05-30
Matt Caswell
[https://ubuntu.com/security/notices/USN-6119-1]
[https://ubuntu.com/security/notices/USN-6188-1]
[https://ubuntu.com/security/notices/USN-6672-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2023-2650
CVE-2023-2662 on Ubuntu 26.04 LTS (resolute) - negligible
In Xpdf 4.04 (and earlier), a bad color space object in the input PDF file can cause a divide-by-zero.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2023 Canonical Ltd.
2023-05-11 21:15:00 UTC
CVE-2023-2662
CVE-2023-2663 on Ubuntu 26.04 LTS (resolute) - negligible
In Xpdf 4.04 (and earlier), a PDF object loop in the page label tree leads to infinite recursion and a stack overflow.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2023 Canonical Ltd.
2023-05-11 21:15:00 UTC
CVE-2023-2663
CVE-2023-2664 on Ubuntu 26.04 LTS (resolute) - negligible
In Xpdf 4.04 (and earlier), a PDF object loop in the embedded file tree leads to infinite recursion and a stack overflow.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2023 Canonical Ltd.
2023-05-11 21:15:00 UTC
CVE-2023-2664
CVE-2023-26793 on Ubuntu 26.04 LTS (resolute) - medium
libmodbus v3.1.10 has a heap-based buffer overflow vulnerability in read_io_status function in src/modbus.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-01 19:15:00 UTC
CVE-2023-26793
CVE-2023-26920 on Ubuntu 26.04 LTS (resolute) - medium
fast-xml-parser before 4.1.2 allows __proto__ for Prototype Pollution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-12 17:15:00 UTC
CVE-2023-26920
CVE-2023-27114 on Ubuntu 26.04 LTS (resolute) - medium
radare2 v5.8.3 was discovered to contain a segmentation fault via the component wasm_dis at p/wasm/wasm.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-10 02:15:00 UTC
CVE-2023-27114
CVE-2023-27115 on Ubuntu 26.04 LTS (resolute) - medium
WebAssembly v1.0.29 was discovered to contain a segmentation fault via the component wabt::cat_compute_size.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-10 02:15:00 UTC
CVE-2023-27115
CVE-2023-27117 on Ubuntu 26.04 LTS (resolute) - medium
WebAssembly v1.0.29 was discovered to contain a heap overflow via the component wabt::Node::operator.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-10 02:15:00 UTC
CVE-2023-27117
CVE-2023-27119 on Ubuntu 26.04 LTS (resolute) - medium
WebAssembly v1.0.29 was discovered to contain a segmentation fault via the component wabt::Decompiler::WrapChild.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-10 02:15:00 UTC
CVE-2023-27119
CVE-2023-27560 on Ubuntu 26.04 LTS (resolute) - medium
Math/PrimeField.php in phpseclib 3.x before 3.0.19 has an infinite loop with composite primefields.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-03 06:15:00 UTC
CVE-2023-27560
CVE-2023-27586 on Ubuntu 26.04 LTS (resolute) - medium
CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service. Version 2.7.0 disables CairoSVG's ability to access other files online by default.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-20 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033295
CVE-2023-27586
CVE-2023-27734 on Ubuntu 26.04 LTS (resolute) - medium
An issue found in Eteran edb-debugger v.1.3.0 allows a local attacker to cause a denial of service via the collect_symbols function in plugins/BinaryInfo/symbols.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-04 15:15:00 UTC
CVE-2023-27734
CVE-2023-27781 on Ubuntu 26.04 LTS (resolute) - medium
jpegoptim v1.5.2 was discovered to contain a heap overflow in the optimize function at jpegoptim.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-15 15:15:00 UTC
CVE-2023-27781
CVE-2023-2789 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in GNU cflow 1.7. It has been rated as problematic. This issue affects the function func_body/parse_variable_declaration of the file parser.c. The manipulation leads to denial of service. The exploit has been disclosed to the public and may be used. The identifier VDB-229373 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-18 13:15:00 UTC
CVE-2023-2789
CVE-2023-2794 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-10 11:15:00 UTC
2024-04-10 11:15:00 UTC
[https://ubuntu.com/security/notices/USN-7141-1]
CVE-2023-2794
CVE-2023-27985 on Ubuntu 26.04 LTS (resolute) - medium
emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification. It is fixed in 29.0.90.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-09 06:15:00 UTC
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60204
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032538
CVE-2023-27985
CVE-2023-27986 on Ubuntu 26.04 LTS (resolute) - medium
emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to Emacs Lisp code injections through a crafted mailto: URI with unescaped double-quote characters. It is fixed in 29.0.90.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-09 06:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032538
CVE-2023-27986
CVE-2023-28100 on Ubuntu 26.04 LTS (resolute) - medium
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4 contain a vulnerability similar to CVE-2017-5226, but using the `TIOCLINUX` ioctl command instead of `TIOCSTI`. If a Flatpak app is run on a Linux virtual console such as `/dev/tty1`, it can copy text from the virtual console and paste it into the command buffer, from which the command might be run after the Flatpak app has exited. Ordinary graphical terminal emulators like xterm, gnome-terminal and Konsole are unaffected. This vulnerability is specific to the Linux virtual consoles `/dev/tty1`, `/dev/tty2` and so on. A patch is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, don't run Flatpak on a Linux virtual console. Flatpak is primarily designed to be used in a Wayland or X11 graphical environment.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-16 16:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2063035
CVE-2023-28100
CVE-2023-28101 on Ubuntu 26.04 LTS (resolute) - medium
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4, if an attacker publishes a Flatpak app with elevated permissions, they can hide those permissions from users of the `flatpak(1)` command-line interface by setting other permissions to crafted values that contain non-printable control characters such as `ESC`. A fix is available in versions 1.10.8, 1.12.8, 1.14.4, and 1.15.4. As a workaround, use a GUI like GNOME Software rather than the command-line interface, or only install apps whose maintainers you trust.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-16 16:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2063034
CVE-2023-28101
CVE-2023-28117 on Ubuntu 26.04 LTS (resolute) - medium
Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application.
In order for these sensitive values to be leaked, the Sentry SDK configuration must have `sendDefaultPII` set to `True`; one must use a custom name for either `SESSION_COOKIE_NAME` or `CSRF_COOKIE_NAME` in one's Django settings; and one must not be configured in one's organization or project settings to use Sentry's data scrubbing features to account for the custom cookie names.
As of version 1.14.0, the Django integration of the `sentry-sdk` will detect the custom cookie names based on one's Django settings and will remove the values from the payload before sending the data to Sentry. As a workaround, use the SDK's filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events, this can be done with the `before_send` callback method and for performance related events (transactions) one can use the `before_send_transaction` callback method. Those who want to handle filtering of these values on the server-side can also use Sentry's advanced data scrubbing feature to account for the custom cookie names. Look for the `$http.cookies`, `$http.headers`, `$request.cookies`, or `$request.headers` fields to target with a scrubbing rule.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-22 20:15:00 UTC
CVE-2023-28117
CVE-2023-28120 on Ubuntu 26.04 LTS (resolute) - medium
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-09 01:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033262
CVE-2023-28120
CVE-2023-28154 on Ubuntu 26.04 LTS (resolute) - medium
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-13 01:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032904
CVE-2023-28154
CVE-2023-2828 on Ubuntu 26.04 LTS (resolute) - medium
Every `named` instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the `max-cache-size` statement in the configuration file; it defaults to 90% of the total amount of memory available on the host.
When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit.
It has been discovered that the effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded.
This issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.
Update Instructions:
Run `sudo pro fix CVE-2023-2828` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.18.12-1ubuntu2
bind9-dnsutils - 1:9.18.12-1ubuntu2
bind9-host - 1:9.18.12-1ubuntu2
bind9-libs - 1:9.18.12-1ubuntu2
bind9-utils - 1:9.18.12-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-21
2023-06-21
Shoham Danino, Anat Bremler-Barr, Yehuda Afek, and Yuval Shavitt
[https://ubuntu.com/security/notices/USN-6183-1]
[https://ubuntu.com/security/notices/USN-6183-2]
CVE-2023-2828
CVE-2023-28321 on Ubuntu 26.04 LTS (resolute) - low
An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`.
Update Instructions:
Run `sudo pro fix CVE-2023-28321` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
curl - 7.88.1-10ubuntu1
libcurl3t64-gnutls - 7.88.1-10ubuntu1
libcurl4t64 - 7.88.1-10ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-05-17 06:00:00 UTC
2023-05-17 06:00:00 UTC
Hiroki Kurosawa
[https://ubuntu.com/security/notices/USN-6237-1]
[https://ubuntu.com/security/notices/USN-6237-3]
CVE-2023-28321
CVE-2023-28322 on Ubuntu 26.04 LTS (resolute) - low
An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.
Update Instructions:
Run `sudo pro fix CVE-2023-28322` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
curl - 7.88.1-10ubuntu1
libcurl3t64-gnutls - 7.88.1-10ubuntu1
libcurl4t64 - 7.88.1-10ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-05-17 06:00:00 UTC
2023-05-17 06:00:00 UTC
Hiroki Kurosawa
[https://ubuntu.com/security/notices/USN-6237-1]
[https://ubuntu.com/security/notices/USN-6237-3]
CVE-2023-28322
CVE-2023-28339 on Ubuntu 26.04 LTS (resolute) - medium
OpenDoas through 6.8.2, when TIOCSTI is available, allows privilege escalation because of sharing a terminal with the original session. NOTE: TIOCSTI is unavailable in OpenBSD 6.0 and later, and can be made unavailable in the Linux kernel 6.2 and later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-14 19:15:00 UTC
CVE-2023-28339
CVE-2023-28362 on Ubuntu 26.04 LTS (resolute) - medium
The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-09 01:15:00 UTC
CVE-2023-28362
CVE-2023-28371 on Ubuntu 26.04 LTS (resolute) - medium
In Stellarium through 1.2, attackers can write to files that are typically unintended, such as ones with absolute pathnames or .. directory traversal.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-15 04:15:00 UTC
CVE-2023-28371
CVE-2023-28428 on Ubuntu 26.04 LTS (resolute) - medium
PDFio is a C library for reading and writing PDF files. In versions 1.1.0 and prior, a denial of service vulnerability exists in the pdfio parser. Crafted pdf files can cause the program to run at 100% utilization and never terminate. This is different from CVE-2023-24808. A patch for this issue is available in version 1.1.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-20 15:15:00 UTC
CVE-2023-28428
CVE-2023-28439 on Ubuntu 26.04 LTS (resolute) - medium
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-22 21:15:00 UTC
2023-03-22 21:15:00 UTC
CVE-2023-28439
CVE-2023-28486 on Ubuntu 26.04 LTS (resolute) - medium
Sudo before 1.9.13 does not escape control characters in log messages.
Update Instructions:
Run `sudo pro fix CVE-2023-28486` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnss-sudo - 1.9.13p1-1ubuntu2
sudo - 1.9.13p1-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-16 01:15:00 UTC
2023-03-16 01:15:00 UTC
Matthieu Barjole and Victor Cutillas
https://github.com/sudo-project/sudo/issues/254 (regression)
[https://ubuntu.com/security/notices/USN-6005-1]
[https://ubuntu.com/security/notices/USN-6005-2]
CVE-2023-28486
CVE-2023-28487 on Ubuntu 26.04 LTS (resolute) - medium
Sudo before 1.9.13 does not escape control characters in sudoreplay output.
Update Instructions:
Run `sudo pro fix CVE-2023-28487` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnss-sudo - 1.9.13p1-1ubuntu2
sudo - 1.9.13p1-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-16 01:15:00 UTC
2023-03-16 01:15:00 UTC
Matthieu Barjole and Victor Cutillas
[https://ubuntu.com/security/notices/USN-6005-1]
[https://ubuntu.com/security/notices/USN-6005-2]
CVE-2023-28487
CVE-2023-28617 on Ubuntu 26.04 LTS (resolute) - medium
org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-19 03:15:00 UTC
2023-03-19 03:15:00 UTC
Xi Lu
[https://ubuntu.com/security/notices/USN-6003-1]
[https://ubuntu.com/security/notices/USN-7027-1]
[https://ubuntu.com/security/notices/USN-7375-1]
CVE-2023-28617
CVE-2023-28628 on Ubuntu 26.04 LTS (resolute) - high
lambdaisland/uri is a pure Clojure/ClojureScript URI library. In versions prior to 1.14.120 `authority-regex` allows an attacker to send malicious URLs to be parsed by the `lambdaisland/uri` and return the wrong authority. This issue is similar to but distinct from CVE-2020-8910. The regex in question doesn't handle the backslash (`\`) character in the username correctly, leading to a wrong output. ex. a payload of `https://example.com\\@google.com` would return that the host is `google.com`, but the correct host should be `example.com`. Given that the library returns the wrong authority this may be abused to bypass host restrictions depending on how the library is used in an application. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
High
Copyright (C) 2023 Canonical Ltd.
2023-03-27 21:15:00 UTC
2023-03-27 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-8151-1]
CVE-2023-28628
CVE-2023-28708 on Ubuntu 26.04 LTS (resolute) - medium
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.
Update Instructions:
Run `sudo pro fix CVE-2023-28708` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtomcat9-java - 9.0.70-2ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-22 11:15:00 UTC
2023-03-22 11:15:00 UTC
[https://ubuntu.com/security/notices/USN-7106-1]
[https://ubuntu.com/security/notices/USN-7562-1]
CVE-2023-28708
CVE-2023-28709 on Ubuntu 26.04 LTS (resolute) - medium
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-22 11:15:00 UTC
CVE-2023-28709
CVE-2023-28755 on Ubuntu 26.04 LTS (resolute) - medium
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-31 04:15:00 UTC
2023-03-31 04:15:00 UTC
[https://ubuntu.com/security/notices/USN-6055-1]
[https://ubuntu.com/security/notices/USN-6055-2]
[https://ubuntu.com/security/notices/USN-6087-1]
[https://ubuntu.com/security/notices/USN-6181-1]
[https://ubuntu.com/security/notices/USN-6219-1]
[https://ubuntu.com/security/notices/USN-7735-1]
CVE-2023-28755
CVE-2023-28756 on Ubuntu 26.04 LTS (resolute) - medium
A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-31 04:15:00 UTC
2023-03-31 04:15:00 UTC
[https://ubuntu.com/security/notices/USN-6055-1]
[https://ubuntu.com/security/notices/USN-6055-2]
[https://ubuntu.com/security/notices/USN-6087-1]
[https://ubuntu.com/security/notices/USN-6181-1]
CVE-2023-28756
CVE-2023-28858 on Ubuntu 26.04 LTS (resolute) - medium
redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT, and 4.3.6, 4.4.3, and 4.5.3 were released (changing the behavior for pipeline operations); however, please see CVE-2023-28859 about addressing data leakage across AsyncIO connections in general.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-26 19:15:00 UTC
https://github.com/redis/redis-py/issues/2624
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033754
CVE-2023-28858
CVE-2023-28859 on Ubuntu 26.04 LTS (resolute) - medium
redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-26 19:15:00 UTC
https://github.com/redis/redis-py/issues/2665
CVE-2023-28859
CVE-2023-28882 on Ubuntu 26.04 LTS (resolute) - medium
Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-28 04:15:00 UTC
CVE-2023-28882
CVE-2023-28999 on Ubuntu 26.04 LTS (resolute) - medium
Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure and add new files. This issue is fixed in Nextcloud Desktop 3.8.0, Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known workarounds are available.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-04 13:15:00 UTC
CVE-2023-28999
CVE-2023-29141 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1.38.x before 1.38.6, and 1.39.x before 1.39.3. An auto-block can occur for an untrusted X-Forwarded-For header.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-03-31 19:15:00 UTC
https://phabricator.wikimedia.org/T285159
CVE-2023-29141
CVE-2023-29323 on Ubuntu 26.04 LTS (resolute) - medium
ascii_load_sockaddr in smtpd in OpenBSD before 7.1 errata 024 and 7.2 before errata 020, and OpenSMTPD Portable before 7.0.0-portable commit f748277, can abort upon a connection from a local, scoped IPv6 address.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-04 23:15:00 UTC
CVE-2023-29323
CVE-2023-29407 on Ubuntu 26.04 LTS (resolute) - medium
A maliciously-crafted image can cause excessive CPU consumption in decoding. A tiled image with a height of 0 and a very large width can cause excessive CPU consumption, despite the image size (width * height) appearing to be zero.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-02 20:15:00 UTC
CVE-2023-29407
CVE-2023-29408 on Ubuntu 26.04 LTS (resolute) - medium
The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-02 20:15:00 UTC
CVE-2023-29408
CVE-2023-29454 on Ubuntu 26.04 LTS (resolute) - medium
Stored or persistent cross-site scripting (XSS) is a type of XSS where the attacker first sends the payload to the web application, then the application saves the payload (e.g., in a database or server-side text files), and finally, the application unintentionally executes the payload for every victim visiting its web pages.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-13 10:15:00 UTC
CVE-2023-29454
CVE-2023-29456 on Ubuntu 26.04 LTS (resolute) - medium
URL validation scheme receives input from a user and then parses it to identify its various components. The validation scheme can ensure that all URL components comply with internet standards.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-13 10:15:00 UTC
CVE-2023-29456
CVE-2023-29457 on Ubuntu 26.04 LTS (resolute) - medium
Reflected XSS attacks occur when a malicious script is reflected off a web application to the victim's browser. The script can be activated through Action form fields, which can be sent as request to a website with a vulnerability that enables execution of malicious scripts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-13 10:15:00 UTC
CVE-2023-29457
CVE-2023-29458 on Ubuntu 26.04 LTS (resolute) - medium
Duktape is a 3rd-party embeddable JavaScript engine, with a focus on portability and compact footprint. When adding too many values in valstack JavaScript will crash. This issue occurs due to a bug in Duktape 2.6 which is a 3rd-party solution that we use.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-13 10:15:00 UTC
CVE-2023-29458
CVE-2023-29465 on Ubuntu 26.04 LTS (resolute) - medium
SageMath FlintQS 1.0 relies on pathnames under TMPDIR (typically world-writable), which (for example) allows a local user to overwrite files with the privileges of a different user (who is running FlintQS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-06 20:15:00 UTC
CVE-2023-29465
CVE-2023-29480 on Ubuntu 26.04 LTS (resolute) - medium
Ribose RNP before 0.16.3 sometimes lets secret keys remain unlocked after use.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-24 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034558
CVE-2023-29480
CVE-2023-29571 on Ubuntu 26.04 LTS (resolute) - medium
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via gc_sweep at src/mjs_gc.c. This vulnerability can lead to a Denial of Service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-12 15:15:00 UTC
CVE-2023-29571
CVE-2023-29580 on Ubuntu 26.04 LTS (resolute) - low
yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the component yasm_expr_create at /libyasm/expr.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-04-12 13:15:00 UTC
CVE-2023-29580
CVE-2023-30087 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjs_mk_string function in mjs.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-09 16:15:00 UTC
CVE-2023-30087
CVE-2023-30088 on Ubuntu 26.04 LTS (resolute) - medium
An issue found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjs_execute function in mjs.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-09 16:15:00 UTC
CVE-2023-30088
CVE-2023-30207 on Ubuntu 26.04 LTS (resolute) - medium
A divide by zero issue discovered in Kodi Home Theater Software 19.5 and earlier allows attackers to cause a denial of service via use of crafted mp3 file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-05 21:15:00 UTC
https://github.com/xbmc/xbmc/issues/22378
CVE-2023-30207
CVE-2023-30259 on Ubuntu 26.04 LTS (resolute) - medium
A Buffer Overflow vulnerability in importshp plugin in LibreCAD 2.2.0 allows attackers to obtain sensitive information via a crafted DBF file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-28 14:15:00 UTC
CVE-2023-30259
CVE-2023-30362 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in coap_send function in libcoap library 4.3.1-103-g52cfd56 fixed in 4.3.1-120-ge242200 allows attackers to obtain sensitive information via malformed pdu.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-23 12:15:00 UTC
CVE-2023-30362
CVE-2023-3044 on Ubuntu 26.04 LTS (resolute) - low
An excessively large PDF page size (found in fuzz testing, unlikely in normal PDF files) can result in a divide-by-zero in Xpdf's text extraction code. This is related to CVE-2022-30524, but the problem here is caused by a very large page size, rather than by a very large character coordinate.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-06-02 23:15:00 UTC
CVE-2023-3044
CVE-2023-30549 on Ubuntu 26.04 LTS (resolute) - medium
Apptainer is an open source container platform for Linux. There is an ext4 use-after-free flaw that is exploitable through versions of Apptainer < 1.1.0 and installations that include apptainer-suid < 1.1.8 on older operating systems where that CVE has not been patched. That includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the linux-5.10 package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04 focal. Use-after-free flaws in the kernel can be used to attack the kernel for denial of service and potentially for privilege escalation. Apptainer 1.1.8 includes a patch that by default disables mounting of extfs filesystem types in setuid-root mode, while continuing to allow mounting of extfs filesystems in non-setuid "rootless" mode using fuse2fs. Some workarounds are possible. Either do not install apptainer-suid (for versions 1.1.0 through 1.1.7) or set `allow setuid = no` in apptainer.conf. This requires having unprivileged user namespaces enabled and except for apptainer 1.1.x versions will disallow mounting of sif files, extfs files, and squashfs files in addition to other, less significant impacts. (Encrypted sif files are also not supported unprivileged in apptainer 1.1.x.). Alternatively, use the `limit containers` options in apptainer.conf/singularity.conf to limit sif files to trusted users, groups, and/or paths, and set `allow container extfs = no` to disallow mounting of extfs overlay files. The latter option by itself does not disallow mounting of extfs overlay partitions inside SIF files, so that's why the former options are also needed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-25 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035026
CVE-2023-30549
CVE-2023-30570 on Ubuntu 26.04 LTS (resolute) - medium
pluto in Libreswan before 4.11 allows a denial of service (responder SPI mishandling and daemon crash) via unauthenticated IKEv1 Aggressive Mode packets. The earliest affected version is 3.28.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-29 00:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035542
CVE-2023-30570
CVE-2023-30630 on Ubuntu 26.04 LTS (resolute) - low
Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible. NOTE: Some third parties have indicated the fix in 3.5 does not adequately address the vulnerability. The argument is that the proposed patch prevents dmidecode from writing to an existing file. However, there are multiple attack vectors that would not require overwriting an existing file that would provide the same level of unauthorized privilege escalation (e.g. creating a new file in /etc/cron.hourly).
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-04-13 16:15:00 UTC
CVE-2023-30630
CVE-2023-30801 on Ubuntu 26.04 LTS (resolute) - medium
All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-10 14:15:00 UTC
CVE-2023-30801
CVE-2023-31018 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA GPU Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause a NULL-pointer dereference, which may lead to denial of service.
Update Instructions:
Run `sudo pro fix CVE-2023-31018` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnvidia-cfg1-535-server - 535.129.03-0ubuntu1
libnvidia-common-535-server - 535.129.03-0ubuntu1
libnvidia-compute-535-server - 535.129.03-0ubuntu1
libnvidia-decode-535-server - 535.129.03-0ubuntu1
libnvidia-encode-535-server - 535.129.03-0ubuntu1
libnvidia-extra-535-server - 535.129.03-0ubuntu1
libnvidia-fbc1-535-server - 535.129.03-0ubuntu1
libnvidia-gl-535-server - 535.129.03-0ubuntu1
nvidia-compute-utils-535-server - 535.129.03-0ubuntu1
nvidia-dkms-535-server - 535.129.03-0ubuntu1
nvidia-dkms-535-server-open - 535.129.03-0ubuntu1
nvidia-driver-535-server - 535.129.03-0ubuntu1
nvidia-driver-535-server-open - 535.129.03-0ubuntu1
nvidia-headless-535-server - 535.129.03-0ubuntu1
nvidia-headless-535-server-open - 535.129.03-0ubuntu1
nvidia-headless-no-dkms-535-server - 535.129.03-0ubuntu1
nvidia-headless-no-dkms-535-server-open - 535.129.03-0ubuntu1
nvidia-kernel-common-535-server - 535.129.03-0ubuntu1
nvidia-kernel-source-535-server - 535.129.03-0ubuntu1
nvidia-kernel-source-535-server-open - 535.129.03-0ubuntu1
nvidia-utils-535-server - 535.129.03-0ubuntu1
xserver-xorg-video-nvidia-535-server - 535.129.03-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-02 19:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-535/+bug/2038514
CVE-2023-31018
CVE-2023-31022 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a NULL-pointer dereference may lead to denial of service.
Update Instructions:
Run `sudo pro fix CVE-2023-31022` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnvidia-cfg1-535-server - 535.129.03-0ubuntu1
libnvidia-common-535-server - 535.129.03-0ubuntu1
libnvidia-compute-535-server - 535.129.03-0ubuntu1
libnvidia-decode-535-server - 535.129.03-0ubuntu1
libnvidia-encode-535-server - 535.129.03-0ubuntu1
libnvidia-extra-535-server - 535.129.03-0ubuntu1
libnvidia-fbc1-535-server - 535.129.03-0ubuntu1
libnvidia-gl-535-server - 535.129.03-0ubuntu1
nvidia-compute-utils-535-server - 535.129.03-0ubuntu1
nvidia-dkms-535-server - 535.129.03-0ubuntu1
nvidia-dkms-535-server-open - 535.129.03-0ubuntu1
nvidia-driver-535-server - 535.129.03-0ubuntu1
nvidia-driver-535-server-open - 535.129.03-0ubuntu1
nvidia-headless-535-server - 535.129.03-0ubuntu1
nvidia-headless-535-server-open - 535.129.03-0ubuntu1
nvidia-headless-no-dkms-535-server - 535.129.03-0ubuntu1
nvidia-headless-no-dkms-535-server-open - 535.129.03-0ubuntu1
nvidia-kernel-common-535-server - 535.129.03-0ubuntu1
nvidia-kernel-source-535-server - 535.129.03-0ubuntu1
nvidia-kernel-source-535-server-open - 535.129.03-0ubuntu1
nvidia-utils-535-server - 535.129.03-0ubuntu1
xserver-xorg-video-nvidia-535-server - 535.129.03-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-02 19:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-535/+bug/2038514
CVE-2023-31022
CVE-2023-31038 on Ubuntu 26.04 LTS (resolute) - medium
SQL injection in Log4cxx when using the ODBC appender to send log messages to a database. No fields sent to the database were properly escaped for SQL injection. This has been the case since at least version 0.9.0 (released 2003-08-06). Note that Log4cxx is a C++ framework, so only C++ applications are affected. Before version 1.1.0, the ODBC appender was automatically part of Log4cxx if the library was found when compiling the library. As of version 1.1.0, this must be both explicitly enabled in order to be compiled in. Three preconditions must be met for this vulnerability to be possible: 1. Log4cxx compiled with ODBC support (before version 1.1.0, this was auto-detected at compile time) 2. ODBCAppender enabled for logging messages to, generally done via a config file 3. User input is logged at some point. If your application does not have user input, it is unlikely to be affected. Users are recommended to upgrade to version 1.1.0 which properly binds the parameters to the SQL statement, or migrate to the new DBAppender class which supports an ODBC connection in addition to other databases. Note that this fix does require a configuration file update, as the old configuration files will not configure properly. An example is shown below, and more information may be found in the Log4cxx documentation on the ODBCAppender. Example of old configuration snippet: <appender name="SqlODBCAppender" class="ODBCAppender"> <param name="sql" value="INSERT INTO logs (message) VALUES ('%m')" /> ... other params here ...</appender> The migrated configuration snippet with new ColumnMapping parameters: <appender name="SqlODBCAppender" class="ODBCAppender"> <param name="sql" value="INSERT INTO logs (message) VALUES (?)" /> <param name="ColumnMapping" value="message"/> ... other params here ...</appender>
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-08 09:15:00 UTC
CVE-2023-31038
CVE-2023-31081 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in drivers/media/test-drivers/vidtv/vidtv_bridge.c in the Linux kernel 6.2. There is a NULL pointer dereference in vidtv_mux_stop_thread. In vidtv_stop_streaming, after dvb->mux=NULL occurs, it executes vidtv_mux_stop_thread(dvb->mux).
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-04-24 06:15:00 UTC
Yu Hao
https://bugzilla.suse.com/show_bug.cgi?id=1210782
CVE-2023-31081
CVE-2023-31082 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel. Note: This has been disputed by 3rd parties as not a valid vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-04-24 06:15:00 UTC
Yu Hao
https://bugzilla.redhat.com/show_bug.cgi?id=2212938
https://bugzilla.suse.com/show_bug.cgi?id=1210781
CVE-2023-31082
CVE-2023-31493 on Ubuntu 26.04 LTS (resolute) - medium
RCE (Remote Code Execution) exists in ZoneMinder through 1.36.33 as an attacker can create a new .php log file in language folder, while executing a crafted payload and escalate privileges allowing execution of any commands on the remote system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-15 15:15:00 UTC
CVE-2023-31493
CVE-2023-31517 on Ubuntu 26.04 LTS (resolute) - medium
A memory leak in the component CConsole::Chain of Teeworlds v0.7.5 allows attackers to cause a Denial of Service (DoS) via opening a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-23 20:15:00 UTC
CVE-2023-31517
CVE-2023-31518 on Ubuntu 26.04 LTS (resolute) - medium
A heap use-after-free in the component CDataFileReader::GetItem of teeworlds v0.7.5 allows attackers to cause a Denial of Service (DoS) via a crafted map file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-23 20:15:00 UTC
CVE-2023-31518
CVE-2023-31582 on Ubuntu 26.04 LTS (resolute) - medium
jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-25 18:17:00 UTC
CVE-2023-31582
CVE-2023-31607 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the __libc_malloc component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6832-1]
CVE-2023-31607
CVE-2023-31608 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the artm_div_int component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6832-1]
CVE-2023-31608
CVE-2023-31609 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the dfe_unit_col_loci component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6832-1]
CVE-2023-31609
CVE-2023-31610 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the _IO_default_xsputn component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6832-1]
CVE-2023-31610
CVE-2023-31611 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the __libc_longjmp component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6832-1]
CVE-2023-31611
CVE-2023-31612 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the dfe_qexp_list component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6832-1]
CVE-2023-31612
CVE-2023-31613 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the __nss_database_lookup component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6832-1]
CVE-2023-31613
CVE-2023-31614 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the mp_box_deserialize_string function in openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6832-1]
CVE-2023-31614
CVE-2023-31615 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the chash_array component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6832-1]
CVE-2023-31615
CVE-2023-31616 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the bif_mod component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6832-1]
CVE-2023-31616
CVE-2023-31617 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the dk_set_delete component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6832-1]
CVE-2023-31617
CVE-2023-31618 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the sqlc_union_dt_wrap component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6832-1]
CVE-2023-31618
CVE-2023-31619 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the sch_name_to_object component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6832-1]
CVE-2023-31619
CVE-2023-31620 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the dv_compare component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6879-1]
CVE-2023-31620
CVE-2023-31621 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the kc_var_col component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
CVE-2023-31621
CVE-2023-31622 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the sqlc_make_policy_trig component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6879-1]
CVE-2023-31622
CVE-2023-31623 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the mp_box_copy component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6832-1]
CVE-2023-31623
CVE-2023-31624 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the sinv_check_exp component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-6879-1]
CVE-2023-31624
CVE-2023-31625 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the psiginfo component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036467
[https://ubuntu.com/security/notices/USN-6832-1]
CVE-2023-31625
CVE-2023-31626 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the gpf_notice component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036467
[https://ubuntu.com/security/notices/USN-6879-1]
CVE-2023-31626
CVE-2023-31627 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the strhash component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036467
[https://ubuntu.com/security/notices/USN-6879-1]
CVE-2023-31627
CVE-2023-31628 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the stricmp component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036467
[https://ubuntu.com/security/notices/USN-6832-1]
CVE-2023-31628
CVE-2023-31629 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the sqlo_union_scope component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036467
[https://ubuntu.com/security/notices/USN-6879-1]
CVE-2023-31629
CVE-2023-31630 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the sqlo_query_spec component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036467
[https://ubuntu.com/security/notices/USN-6879-1]
CVE-2023-31630
CVE-2023-31631 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the sqlo_preds_contradiction component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 15:15:00 UTC
2023-05-15 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036467
[https://ubuntu.com/security/notices/USN-6879-1]
CVE-2023-31631
CVE-2023-31655 on Ubuntu 26.04 LTS (resolute) - medium
redis v7.0.10 was discovered to contain a segmentation violation. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-18 20:15:00 UTC
CVE-2023-31655
CVE-2023-31723 on Ubuntu 26.04 LTS (resolute) - medium
yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the function expand_mmac_params at /nasm/nasm-pp.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-17 15:15:00 UTC
CVE-2023-31723
CVE-2023-31724 on Ubuntu 26.04 LTS (resolute) - medium
yasm 1.3.0.55.g101bc was discovered to contain a segmentation violation via the function do_directive at /nasm/nasm-pp.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-17 15:15:00 UTC
CVE-2023-31724
CVE-2023-31725 on Ubuntu 26.04 LTS (resolute) - medium
yasm 1.3.0.55.g101bc was discovered to contain a heap-use-after-free via the function expand_mmac_params at yasm/modules/preprocs/nasm/nasm-pp.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-17 15:15:00 UTC
CVE-2023-31725
CVE-2023-3195 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow issue was found in ImageMagick's coders/tiff.c. This flaw allows an attacker to trick the user into opening a specially crafted malicious tiff file, causing an application to crash, resulting in a denial of service.
Update Instructions:
Run `sudo pro fix CVE-2023-3195` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.6ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-16 20:15:00 UTC
2023-06-16 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6200-1]
CVE-2023-3195
CVE-2023-31979 on Ubuntu 26.04 LTS (resolute) - medium
Catdoc v0.95 was discovered to contain a global buffer overflow via the function process_file at /src/reader.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-09 14:15:00 UTC
CVE-2023-31979
CVE-2023-32076 on Ubuntu 26.04 LTS (resolute) - medium
in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification. In versions 1.4.0 and prior, among the files read is `.in_totorc` which is a hidden file in the directory in which in-toto is run. If an attacker controls the inputs to a supply chain step, they can mask their activities by also passing in an `.in_totorc` file that includes the necessary exclude patterns and settings. RC files are widely used in other systems and security issues have been discovered in their implementations as well. Maintainers found in their conversations with in-toto adopters that `in_totorc` is not their preferred way to configure in-toto. As none of the options supported in `in_totorc` is unique, and can be set elsewhere using API parameters or CLI arguments, the maintainers decided to drop support for `in_totorc`. in-toto's `user_settings` module has been dropped altogether in commit 3a21d84f40811b7d191fa7bd17265c1f99599afd. Users may also sandbox functionary code as a security measure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-10 18:15:00 UTC
CVE-2023-32076
CVE-2023-32082 on Ubuntu 26.04 LTS (resolute) - medium
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when `Keys` parameter is true, even if a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-11 20:15:00 UTC
CVE-2023-32082
CVE-2023-32181 on Ubuntu 26.04 LTS (resolute) - medium
A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in openSUSE libeconf allows for DoS via malformed configuration files. This issue affects libeconf: before 0.5.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-01 12:15:00 UTC
CVE-2023-32181
CVE-2023-32200 on Ubuntu 26.04 LTS (resolute) - medium
There are insufficient restrictions of called script functions in Apache Jena versions 4.8.0 and earlier. It allows a remote user to execute javascript via a SPARQL query. This issue affects Apache Jena: from 3.7.0 through 4.8.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-12 08:15:00 UTC
CVE-2023-32200
CVE-2023-3223 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-27 15:18:00 UTC
CVE-2023-3223
CVE-2023-3246 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been discovered in GitLab EE/CE affecting all versions starting before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1 which allows an attacker to block Sidekiq job processor.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-06 13:15:00 UTC
CVE-2023-3246
CVE-2023-32573 on Ubuntu 26.04 LTS (resolute) - medium
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-10 06:15:00 UTC
CVE-2023-32573
CVE-2023-32650 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability exists in the FST_BL_GEOM parsing maxhandle functionality of GTKWave 3.3.115, when compiled as a 32-bit binary. A specially crafted .fst file can lead to memory corruption. A victim would need to open a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-32650
CVE-2023-32721 on Ubuntu 26.04 LTS (resolute) - medium
A stored XSS has been found in the Zabbix web application in the Maps element if a URL field is set with spaces before URL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-12 07:15:00 UTC
CVE-2023-32721
CVE-2023-32731 on Ubuntu 26.04 LTS (resolute) - medium
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/33005
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-09 11:15:00 UTC
CVE-2023-32731
CVE-2023-32732 on Ubuntu 26.04 LTS (resolute) - medium
gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-09 11:15:00 UTC
CVE-2023-32732
CVE-2023-32762 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-28 23:15:00 UTC
2023-05-28 23:15:00 UTC
[https://ubuntu.com/security/notices/USN-7780-1]
CVE-2023-32762
CVE-2023-32763 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-28 23:15:00 UTC
CVE-2023-32763
CVE-2023-32784 on Ubuntu 26.04 LTS (resolute) - medium
In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-15 06:15:00 UTC
CVE-2023-32784
CVE-2023-33053 on Ubuntu 26.04 LTS (resolute) - low
Memory corruption in Kernel while parsing metadata.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-12-05 03:15:00 UTC
CVE-2023-33053
CVE-2023-3326 on Ubuntu 26.04 LTS (resolute) - low
pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket (tgt) from the Kerberos KDC (Key Distribution Center) over the network, as a way to verify the password. However, if a keytab is not provisioned on the system, pam_krb5 has no way to validate the response from the KDC, and essentially trusts the tgt provided over the network as being valid. In a non-default FreeBSD installation that leverages pam_krb5 for authentication and does not have a keytab provisioned, an attacker that is able to control both the password and the KDC responses can return a valid tgt, allowing authentication to occur for any user on the system.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-06-22 17:15:00 UTC
CVE-2023-3326
CVE-2023-33285 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-22 03:15:00 UTC
2023-05-22 03:15:00 UTC
[https://ubuntu.com/security/notices/USN-7780-1]
CVE-2023-33285
CVE-2023-33460 on Ubuntu 26.04 LTS (resolute) - low
There's a memory leak in yajl 2.1.0 with use of the yajl_tree_parse function, which will cause out-of-memory in server and cause crash.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-06-06 12:15:00 UTC
2023-06-06 12:15:00 UTC
https://github.com/lloyd/yajl/issues/250
[https://ubuntu.com/security/notices/USN-6233-1]
[https://ubuntu.com/security/notices/USN-6233-2]
CVE-2023-33460
CVE-2023-33466 on Ubuntu 26.04 LTS (resolute) - medium
Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment scenarios allows the attacker to overwrite the configuration, which can be exploited to trigger Remote Code Execution (RCE).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-29 15:15:00 UTC
CVE-2023-33466
CVE-2023-33551 on Ubuntu 26.04 LTS (resolute) - medium
Heap Buffer Overflow in the erofsfsck_dirent_iter function in fsck/main.c in erofs-utils v1.6 allows remote attackers to execute arbitrary code via a crafted erofs filesystem image.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-01 15:15:00 UTC
CVE-2023-33551
CVE-2023-33552 on Ubuntu 26.04 LTS (resolute) - medium
Heap Buffer Overflow in the erofs_read_one_data function at data.c in erofs-utils v1.6 allows remote attackers to execute arbitrary code via a crafted erofs filesystem image.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-01 15:15:00 UTC
CVE-2023-33552
CVE-2023-33953 on Ubuntu 26.04 LTS (resolute) - medium
gRPC contains a vulnerability in which hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DOS attacks:
- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser
The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client.
The unbounded memory buffering bugs:
- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse.
- gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-09 13:15:00 UTC
CVE-2023-33953
CVE-2023-3397 on Ubuntu 26.04 LTS (resolute) - medium
A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-01 20:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2217271
https://bugzilla.suse.com/show_bug.cgi?id=1212704
CVE-2023-3397
CVE-2023-3399 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been discovered in GitLab EE affecting all versions starting from 11.6 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. It was possible for an unauthorised project or group member to read the CI/CD variables using the custom project templates.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-06 13:15:00 UTC
CVE-2023-3399
CVE-2023-34053 on Ubuntu 26.04 LTS (resolute) - medium
In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true:
* the application uses Spring MVC or Spring WebFlux
* io.micrometer:micrometer-core is on the classpath
* an ObservationRegistry is configured in the application to record observations
Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-28 09:15:00 UTC
CVE-2023-34053
CVE-2023-34087 on Ubuntu 26.04 LTS (resolute) - medium
An improper array index validation vulnerability exists in the EVCD var len parsing functionality of GTKWave 3.3.115. A specially crafted .evcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-34087
CVE-2023-34095 on Ubuntu 26.04 LTS (resolute) - medium
cpdb-libs provides frontend and backend libraries for the Common Printing Dialog Backends (CPDB) project. In versions 1.0 through 2.0b4, cpdb-libs is vulnerable to buffer overflows via improper use of `scanf(3)`. cpdb-libs uses the `fscanf()` and `scanf()` functions to parse command lines and configuration files, dropping the read string components into fixed-length buffers, but does not limit the length of the strings to be read by `fscanf()` and `scanf()` causing buffer overflows when a string is longer than 1023 characters. A patch for this issue is available at commit f181bd1f14757c2ae0f17cc76dc20421a40f30b7. As all buffers have a length of 1024 characters, the patch limits the maximum string length to be read to 1023 by replacing all occurrences of `%s` with `%1023s` in all calls of the `fscanf()` and `scanf()` functions.
Update Instructions:
Run `sudo pro fix CVE-2023-34095` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
cpdb-libs-tools - 2.0~b4-0ubuntu4
libcpdb-frontend2t64 - 2.0~b4-0ubuntu4
libcpdb-libs-tools - 2.0~b4-0ubuntu4
libcpdb2t64 - 2.0~b4-0ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-14
2023-06-14
Seth Arnold
[https://ubuntu.com/security/notices/USN-6204-1]
CVE-2023-34095
CVE-2023-34151 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in ImageMagick. This security flaw occurs as an undefined behavior of casting double to size_t in svg, mvg and other coders (recurring bugs of CVE-2022-32546).
Update Instructions:
Run `sudo pro fix CVE-2023-34151` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.6ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-05-30 22:15:00 UTC
2023-05-30 22:15:00 UTC
https://github.com/ImageMagick/ImageMagick/issues/6341
[https://ubuntu.com/security/notices/USN-6200-1]
[https://ubuntu.com/security/notices/USN-6200-2]
[https://ubuntu.com/security/notices/USN-7440-1]
CVE-2023-34151
CVE-2023-34237 on Ubuntu 26.04 LTS (resolute) - medium
SABnzbd is an open source automated Usenet download tool. A design flaw was discovered in SABnzbd that could allow remote code execution. Manipulating the Parameters setting in the Notification Script functionality allows code execution with the privileges of the SABnzbd process. Exploiting the vulnerabilities requires access to the web interface. Remote exploitation is possible if users exposed their setup to the internet or other untrusted networks without setting a username/password. By default SABnzbd is only accessible from `localhost`, with no authentication required for the web interface. This issue has been patched in commits `e3a722` and `422b4f` which have been included in the 4.0.2 release. Users are advised to upgrade. Users unable to upgrade should ensure that a username and password have been set if their instance is web accessible.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-07 20:15:00 UTC
CVE-2023-34237
CVE-2023-3428 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow vulnerability was found in coders/tiff.c in ImageMagick. This issue may allow a local attacker to trick the user into opening a specially crafted file, resulting in an application crash and denial of service.
Update Instructions:
Run `sudo pro fix CVE-2023-3428` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7-common - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7.q16 - 8:6.9.11.60+dfsg-1.6ubuntu1
imagemagick-7.q16hdri - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-q16-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libimage-magick-q16hdri-perl - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7.q16-5 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagick++-7.q16hdri-5 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7-arch-config - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16-10-extra - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7-headers - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7.q16-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
libmagickwand-7.q16hdri-10 - 8:6.9.11.60+dfsg-1.6ubuntu1
perlmagick - 8:6.9.11.60+dfsg-1.6ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-29
2023-06-29
[https://ubuntu.com/security/notices/USN-6200-1]
CVE-2023-3428
CVE-2023-34320 on Ubuntu 26.04 LTS (resolute) - medium
Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412 where software, under certain circumstances, could deadlock a core due to the execution of either a load to device or non-cacheable memory, and either a store exclusive or register read of the Physical Address Register (PAR_EL1) in close proximity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-08 21:15:00 UTC
CVE-2023-34320
CVE-2023-34321 on Ubuntu 26.04 LTS (resolute) - medium
Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetic in the helpers can overflow and would then result in skipping the cache cleaning/invalidation. Therefore there is no guarantee when all the writes will reach the memory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-05 17:15:00 UTC
CVE-2023-34321
CVE-2023-34322 on Ubuntu 26.04 LTS (resolute) - medium
For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. Since Xen itself needs to be mapped when PV guests run, Xen and shadowed PV guests run directly the respective shadow page tables. For 64-bit PV guests this means running on the shadow of the guest root page table. In the course of dealing with shortage of memory in the shadow pool associated with a domain, shadows of page tables may be torn down. This tearing down may include the shadow root page table that the CPU in question is presently running on. While a precaution exists to supposedly prevent the tearing down of the underlying live page table, the time window covered by that precaution isn't large enough.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-05 17:15:00 UTC
CVE-2023-34322
CVE-2023-34323 on Ubuntu 26.04 LTS (resolute) - medium
When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C Xenstored are assuming that the quota cannot be negative and are using assert() to confirm it. This will lead to C Xenstored crash when tools are built without -DNDEBUG (this is the default).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-05 17:15:00 UTC
CVE-2023-34323
CVE-2023-34325 on Ubuntu 26.04 LTS (resolute) - medium
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] libfsimage contains parsing code for several filesystems, most of them based on grub-legacy code. libfsimage is used by pygrub to inspect guest disks. Pygrub runs as the same user as the toolstack (root in a privileged domain). At least one issue has been reported to the Xen Security Team that allows an attacker to trigger a stack buffer overflow in libfsimage. After further analysis the Xen Security Team is no longer confident in the suitability of libfsimage when run against guest controlled input with super user privileges. In order to not affect current deployments that rely on pygrub, patches are provided in the resolution section of the advisory that allow running pygrub in deprivileged mode. CVE-2023-4949 refers to the original issue in the upstream grub project ("An attacker with local access to a system (either through a disk or external drive) can present a modified XFS partition to grub-legacy in such a way to exploit a memory corruption in grub’s XFS file system implementation.") CVE-2023-34325 refers specifically to the vulnerabilities in Xen's copy of libfsimage, which is descended from a very old version of grub.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-05 17:15:00 UTC
CVE-2023-34325
CVE-2023-34326 on Ubuntu 26.04 LTS (resolute) - medium
The caching invalidation guidelines from the AMD-Vi specification (48882—Rev3.07-PUB—Oct 2022) are incorrect on some hardware, as devices will malfunction (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-05 17:15:00 UTC
CVE-2023-34326
CVE-2023-34327 on Ubuntu 26.04 LTS (resolute) - medium
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-05 17:15:00 UTC
CVE-2023-34327
CVE-2023-34328 on Ubuntu 26.04 LTS (resolute) - medium
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-05 17:15:00 UTC
CVE-2023-34328
CVE-2023-3436 on Ubuntu 26.04 LTS (resolute) - medium
Xpdf 4.04 will deadlock on a PDF object stream whose "Length" field is itself in another object stream.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-27 21:15:00 UTC
CVE-2023-3436
CVE-2023-34410 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-05 03:15:00 UTC
2023-06-05 03:15:00 UTC
[https://ubuntu.com/security/notices/USN-7780-1]
CVE-2023-34410
CVE-2023-34411 on Ubuntu 26.04 LTS (resolute) - medium
The xml-rs crate before 0.8.14 for Rust and Crab allows a denial of service (panic) via an invalid <! token (such as <!DOCTYPEs/%<!A nesting) in an XML document. The earliest affected version is 0.8.9.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-05 04:15:00 UTC
CVE-2023-34411
CVE-2023-34436 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write vulnerability exists in the LXT2 num_time_table_entries functionality of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-34436
CVE-2023-34453 on Ubuntu 26.04 LTS (resolute) - medium
snappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer overflow may occur in versions prior to 1.1.10.1, causing a fatal error. The function `shuffle(int[] input)` in the file `BitShuffle.java` receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function. Since the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a `java.lang.NegativeArraySizeException` exception will raise, which can crash the program. In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as `java.lang.ArrayIndexOutOfBoundsException`. The same issue exists also when using the `shuffle` functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue. Version 1.1.10.1 contains a patch for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-15 17:15:00 UTC
CVE-2023-34453
CVE-2023-34454 on Ubuntu 26.04 LTS (resolute) - medium
snappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer overflow may occur in versions prior to 1.1.10.1, causing an unrecoverable fatal error. The function `compress(char[] input)` in the file `Snappy.java` receives an array of characters and compresses it. It does so by multiplying the length by 2 and passing it to the `rawCompress` function. Since the length is not tested, the multiplication by two can cause an integer overflow and become negative. The rawCompress function then uses the received length and passes it to the natively compiled maxCompressedLength function, using the returned value to allocate a byte array. Since the maxCompressedLength function treats the length as an unsigned integer, it doesn’t care that it is negative, and it returns a valid value, which is casted to a signed integer by the Java engine. If the result is negative, a `java.lang.NegativeArraySizeException` exception will be raised while trying to allocate the array `buf`. On the other side, if the result is positive, the `buf` array will successfully be allocated, but its size might be too small to use for the compression, causing a fatal Access Violation error. The same issue exists also when using the `compress` functions that receive double, float, int, long and short, each using a different multiplier that may cause the same issue. The issue most likely won’t occur when using a byte array, since creating a byte array of size 0x80000000 (or any other negative value) is impossible in the first place. Version 1.1.10.1 contains a patch for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-15 17:15:00 UTC
CVE-2023-34454
CVE-2023-34455 on Ubuntu 26.04 LTS (resolute) - medium
snappy-java is a fast compressor/decompressor for Java. Due to use of an unchecked chunk length, an unrecoverable fatal error can occur in versions prior to 1.1.10.1. The code in the function hasNextChunk in the file SnappyInputStream.java checks if a given stream has more chunks to read. It does that by attempting to read 4 bytes. If it wasn’t possible to read the 4 bytes, the function returns false. Otherwise, if 4 bytes were available, the code treats them as the length of the next chunk. In the case that the `compressed` variable is null, a byte array is allocated with the size given by the input data. Since the code doesn’t test the legality of the `chunkSize` variable, it is possible to pass a negative number (such as 0xFFFFFFFF which is -1), which will cause the code to raise a `java.lang.NegativeArraySizeException` exception. A worse case would happen when passing a huge positive value (such as 0x7FFFFFFF), which would raise the fatal `java.lang.OutOfMemoryError` error. Version 1.1.10.1 contains a patch for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-15 18:15:00 UTC
CVE-2023-34455
CVE-2023-34457 on Ubuntu 26.04 LTS (resolute) - medium
MechanicalSoup is a Python library for automating interaction with websites. Starting in version 0.2.0 and prior to version 1.3.0, a malicious web server can read arbitrary files on the client using a `<input type="file" ...>` inside HTML form. All users of MechanicalSoup's form submission are affected, unless they took very specific (and manual) steps to reset HTML form field values. Version 1.3.0 contains a patch for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-05 20:15:00 UTC
CVE-2023-34457
CVE-2023-34462 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-22 23:15:00 UTC
2023-06-22 23:15:00 UTC
[https://ubuntu.com/security/notices/USN-6994-1]
CVE-2023-34462
CVE-2023-34478 on Ubuntu 26.04 LTS (resolute) - medium
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
Update Instructions:
Run `sudo pro fix CVE-2023-34478` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libshiro-java - 1.3.2-5ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-24 19:15:00 UTC
2023-07-24 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-7147-1]
CVE-2023-34478
CVE-2023-34611 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered mjson thru 1.4.1 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-14 14:15:00 UTC
CVE-2023-34611
CVE-2023-34623 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered jtidy thru r938 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-06-14 14:15:00 UTC
https://github.com/trajano/jtidy/issues/4
CVE-2023-34623
CVE-2023-34823 on Ubuntu 26.04 LTS (resolute) - low
fdkaac before 1.0.5 was discovered to contain a stack overflow in read_callback function in src/main.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-06-14 14:15:00 UTC
2023-06-14 14:15:00 UTC
https://github.com/nu774/fdkaac/issues/55
[https://ubuntu.com/security/notices/USN-7660-1]
CVE-2023-34823
CVE-2023-34824 on Ubuntu 26.04 LTS (resolute) - medium
fdkaac before 1.0.5 was discovered to contain a heap buffer overflow in caf_info function in caf_reader.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-14 14:15:00 UTC
2023-06-14 14:15:00 UTC
https://github.com/nu774/fdkaac/issues/55
[https://ubuntu.com/security/notices/USN-7660-1]
CVE-2023-34824
CVE-2023-34968 on Ubuntu 26.04 LTS (resolute) - medium
A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request to view the information that is part of the disclosed path.
Update Instructions:
Run `sudo pro fix CVE-2023-34968` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-19
2023-07-19
Ralph Boehme and Stefan Metzmacher
https://bugzilla.samba.org/show_bug.cgi?id=15388
[https://ubuntu.com/security/notices/USN-6238-1]
CVE-2023-34968
CVE-2023-35004 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability exists in the VZT longest_len value allocation functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35004
CVE-2023-35057 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability exists in the LXT2 lxt2_rd_trace value elements allocation functionality of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to memory corruption. A victim would need to open a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35057
CVE-2023-35128 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability exists in the fstReaderIterBlocks2 time_table tsec_nitems functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to memory corruption. A victim would need to open a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35128
CVE-2023-3550 on Ubuntu 26.04 LTS (resolute) - medium
Mediawiki v1.40.0 does not validate namespaces used in XML files. Therefore, if the instance administrator allows XML file uploads, a remote attacker with a low-privileged user account can use this exploit to become an administrator by sending a malicious link to the instance administrator.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-25 16:15:00 UTC
CVE-2023-3550
CVE-2023-35702 on Ubuntu 26.04 LTS (resolute) - medium
Multiple stack-based buffer overflow vulnerabilities exist in the FST LEB128 varint functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the fstReaderVarint32 function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35702
CVE-2023-35703 on Ubuntu 26.04 LTS (resolute) - medium
Multiple stack-based buffer overflow vulnerabilities exist in the FST LEB128 varint functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the fstReaderVarint64 function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35703
CVE-2023-35704 on Ubuntu 26.04 LTS (resolute) - medium
Multiple stack-based buffer overflow vulnerabilities exist in the FST LEB128 varint functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the fstReaderVarint32WithSkip function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35704
CVE-2023-35799 on Ubuntu 26.04 LTS (resolute) - medium
Stormshield Endpoint Security Evolution 2.0.0 through 2.3.2 has Insecure Permissions. An interactive user can use the SES Evolution agent to create arbitrary files with local system privileges.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-27 17:15:00 UTC
CVE-2023-35799
CVE-2023-35852 on Ubuntu 26.04 LTS (resolute) - medium
In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-19 04:15:00 UTC
CVE-2023-35852
CVE-2023-35853 on Ubuntu 26.04 LTS (resolute) - medium
In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-19 04:15:00 UTC
CVE-2023-35853
CVE-2023-35862 on Ubuntu 26.04 LTS (resolute) - medium
libcoap 4.3.1 contains a buffer over-read via the function coap_parse_oscore_conf_mem at coap_oscore.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-19 05:15:00 UTC
CVE-2023-35862
CVE-2023-35934 on Ubuntu 26.04 LTS (resolute) - medium
yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host. This vulnerable behavior is present in yt-dlp prior to 2023.07.06 and nightly 2023.07.06.185519. All native and external downloaders are affected, except for `curl` and `httpie` (version 3.1.0 or later). At the file download stage, all cookies are passed by yt-dlp to the file downloader as a `Cookie` header, thereby losing their scope. This also occurs in yt-dlp's info JSON output, which may be used by external tools. As a result, the downloader or external tool may indiscriminately send cookies with requests to domains or paths for which the cookies are not scoped. yt-dlp version 2023.07.06 and nightly 2023.07.06.185519 fix this issue by removing the `Cookie` header upon HTTP redirects; having native downloaders calculate the `Cookie` header from the cookiejar, utilizing external downloaders' built-in support for cookies instead of passing them as header arguments, disabling HTTP redirection if the external downloader does not have proper cookie support, processing cookies passed as HTTP headers to limit their scope, and having a separate field for cookies in the info dict storing more information about scoping. Some workarounds are available for those who are unable to upgrade. Avoid using cookies and user authentication methods. While extractors may set custom cookies, these usually do not contain sensitive information. Alternatively, avoid using `--load-info-json`. Or, if authentication is a must: verify the integrity of download links from unknown sources in browser (including redirects) before passing them to yt-dlp; use `curl` as external downloader, since it is not impacted; and/or avoid fragmented formats such as HLS/m3u8, DASH/mpd and ISM.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-06 20:15:00 UTC
CVE-2023-35934
CVE-2023-35936 on Ubuntu 26.04 LTS (resolute) - medium
Pandoc is a Haskell library for converting from one markup format to another, and a command-line tool that uses this library. Starting in version 1.13 and prior to version 3.1.4, Pandoc is susceptible to an arbitrary file write vulnerability, which can be triggered by providing a specially crafted image element in the input when generating files using the `--extract-media` option or outputting to PDF format. This vulnerability allows an attacker to create or overwrite arbitrary files on the system, depending on the privileges of the process running pandoc. It only affects systems that pass untrusted user input to pandoc and allow pandoc to be used to produce a PDF or with the `--extract-media` option. The fix is to unescape the percent-encoding prior to checking that the resource is not above the working directory, and prior to extracting the extension. Some code for checking that the path is below the working directory was flawed in a similar way and has also been fixed. Note that the `--sandbox` option, which only affects IO done by readers and writers themselves, does not block this vulnerability. The vulnerability is patched in pandoc 3.1.4. As a workaround, audit the pandoc command and disallow PDF output and the `--extract-media` option.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-05 21:15:00 UTC
CVE-2023-35936
CVE-2023-35946 on Ubuntu 26.04 LTS (resolute) - medium
Gradle is a build tool with a focus on build automation and support for multi-language development. When Gradle writes a dependency into its dependency cache, it uses the dependency's coordinates to compute a file location. With specially crafted dependency coordinates, Gradle can be made to write files into an unintended location. The file may be written outside the dependency cache or over another file in the dependency cache. This vulnerability could be used to poison the dependency cache or overwrite important files elsewhere on the filesystem where the Gradle process has write permissions. Exploiting this vulnerability requires an attacker to have control over a dependency repository used by the Gradle build or have the ability to modify the build's configuration. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Gradle will refuse to cache dependencies that have path traversal elements in their dependency coordinates. It is recommended that users upgrade to a patched version. If you are unable to upgrade to Gradle 7.6.2 or 8.2, `dependency verification` will make this vulnerability more difficult to exploit.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-30 21:15:00 UTC
CVE-2023-35946
CVE-2023-35947 on Ubuntu 26.04 LTS (resolute) - medium
Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions. For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read. To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name. Users are advised to upgrade. There are no known workarounds for this vulnerability.
### Impact
This is a path traversal vulnerability when Gradle deals with Tar archives, often referenced as TarSlip, a variant of ZipSlip.
* When unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions.
* For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read.
To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed. Gradle uses Tar archives for its [Build Cache](https://docs.gradle.org/current/userguide/build_cache.html). These archives are safe when created by Gradle. But if an attacker had control of a remote build cache server, they could inject malicious build cache entries that leverage this vulnerability. This attack vector could also be exploited if a man-in-the-middle can be performed between the remote cache and the build.
### Patches
A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name. It is recommended that users upgrade to a patched version.
### Workarounds
There is no workaround.
* If your build deals with Tar archives that you do not fully trust, you need to inspect them to confirm they do not attempt to leverage this vulnerability.
* If you use the Gradle remote build cache, make sure only trusted parties have write access to it and that connections to the remote cache are properly secured.
### References
* [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](https://cwe.mitre.org/data/definitions/22.html)
* [Gradle Build Cache](https://docs.gradle.org/current/userguide/build_cache.html)
* [ZipSlip](https://security.snyk.io/research/zip-slip-vulnerability)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-30 21:15:00 UTC
CVE-2023-35947
CVE-2023-35949 on Ubuntu 26.04 LTS (resolute) - medium
Multiple stack-based buffer overflow vulnerabilities exist in the readOFF.cpp functionality of libigl v2.4.0. A specially-crafted .off file can lead to a buffer overflow. An attacker can arbitrary code execution to trigger these vulnerabilities. This vulnerability exists within the code responsible for parsing geometric faces of an OFF file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 14:15:00 UTC
CVE-2023-35949
CVE-2023-35950 on Ubuntu 26.04 LTS (resolute) - medium
Multiple stack-based buffer overflow vulnerabilities exist in the readOFF.cpp functionality of libigl v2.4.0. A specially-crafted .off file can lead to a buffer overflow. An attacker can arbitrary code execution to trigger these vulnerabilities. This vulnerability exists within the code responsible for parsing the header of an OFF file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 14:15:00 UTC
CVE-2023-35950
CVE-2023-35951 on Ubuntu 26.04 LTS (resolute) - medium
Multiple stack-based buffer overflow vulnerabilities exist in the readOFF.cpp functionality of libigl v2.4.0. A specially-crafted .off file can lead to a buffer overflow. An attacker can arbitrary code execution to trigger these vulnerabilities. This vulnerability exists within the code responsible for parsing geometric vertices of an OFF file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 14:15:00 UTC
CVE-2023-35951
CVE-2023-35952 on Ubuntu 26.04 LTS (resolute) - medium
Multiple stack-based buffer overflow vulnerabilities exist in the readOFF.cpp functionality of libigl v2.4.0. A specially-crafted .off file can lead to a buffer overflow. An attacker can arbitrary code execution to trigger these vulnerabilities. This vulnerability exists within the code responsible for parsing comments within the geometric faces section within an OFF file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 14:15:00 UTC
CVE-2023-35952
CVE-2023-35953 on Ubuntu 26.04 LTS (resolute) - medium
Multiple stack-based buffer overflow vulnerabilities exist in the readOFF.cpp functionality of libigl v2.4.0. A specially-crafted .off file can lead to a buffer overflow. An attacker can arbitrary code execution to trigger these vulnerabilities. This vulnerability exists within the code responsible for parsing comments within the geometric vertices section within an OFF file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 14:15:00 UTC
CVE-2023-35953
CVE-2023-35955 on Ubuntu 26.04 LTS (resolute) - medium
Multiple heap-based buffer overflow vulnerabilities exist in the fstReaderIterBlocks2 VCDATA parsing functionality of GTKWave 3.3.115. A specially-crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the decompression function `LZ4_decompress_safe_partial`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35955
CVE-2023-35956 on Ubuntu 26.04 LTS (resolute) - medium
Multiple heap-based buffer overflow vulnerabilities exist in the fstReaderIterBlocks2 VCDATA parsing functionality of GTKWave 3.3.115. A specially-crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the decompression function `fastlz_decompress`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35956
CVE-2023-35957 on Ubuntu 26.04 LTS (resolute) - medium
Multiple heap-based buffer overflow vulnerabilities exist in the fstReaderIterBlocks2 VCDATA parsing functionality of GTKWave 3.3.115. A specially-crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the decompression function `uncompress`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35957
CVE-2023-35958 on Ubuntu 26.04 LTS (resolute) - medium
Multiple heap-based buffer overflow vulnerabilities exist in the fstReaderIterBlocks2 VCDATA parsing functionality of GTKWave 3.3.115. A specially-crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the copy function `fstFread`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35958
CVE-2023-35959 on Ubuntu 26.04 LTS (resolute) - medium
Multiple OS command injection vulnerabilities exist in the decompression functionality of GTKWave 3.3.115. A specially crafted wave file can lead to arbitrary command execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns `.ghw` decompression.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35959
CVE-2023-35960 on Ubuntu 26.04 LTS (resolute) - medium
Multiple OS command injection vulnerabilities exist in the decompression functionality of GTKWave 3.3.115. A specially crafted wave file can lead to arbitrary command execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns legacy decompression in `vcd_main`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35960
CVE-2023-35961 on Ubuntu 26.04 LTS (resolute) - medium
Multiple OS command injection vulnerabilities exist in the decompression functionality of GTKWave 3.3.115. A specially crafted wave file can lead to arbitrary command execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns decompression in `vcd_recorder_main`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35961
CVE-2023-35962 on Ubuntu 26.04 LTS (resolute) - medium
Multiple OS command injection vulnerabilities exist in the decompression functionality of GTKWave 3.3.115. A specially crafted wave file can lead to arbitrary command execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns decompression in the `vcd2vzt` utility.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35962
CVE-2023-35963 on Ubuntu 26.04 LTS (resolute) - medium
Multiple OS command injection vulnerabilities exist in the decompression functionality of GTKWave 3.3.115. A specially crafted wave file can lead to arbitrary command execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns decompression in the `vcd2lxt2` utility.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35963
CVE-2023-35964 on Ubuntu 26.04 LTS (resolute) - medium
Multiple OS command injection vulnerabilities exist in the decompression functionality of GTKWave 3.3.115. A specially crafted wave file can lead to arbitrary command execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns decompression in the `vcd2lxt` utility.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35964
CVE-2023-35969 on Ubuntu 26.04 LTS (resolute) - medium
Multiple heap-based buffer overflow vulnerabilities exist in the fstReaderIterBlocks2 chain_table parsing functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the chain_table of `FST_BL_VCDATA` and `FST_BL_VCDATA_DYN_ALIAS` section types.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35969
CVE-2023-35970 on Ubuntu 26.04 LTS (resolute) - medium
Multiple heap-based buffer overflow vulnerabilities exist in the fstReaderIterBlocks2 chain_table parsing functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the chain_table of the `FST_BL_VCDATA_DYN_ALIAS2` section type.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35970
CVE-2023-35989 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability exists in the LXT2 zlib block allocation functionality of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35989
CVE-2023-35992 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability exists in the FST fstReaderIterBlocks2 vesc allocation functionality of GTKWave 3.3.115, when compiled as a 32-bit binary. A specially crafted .fst file can lead to memory corruption. A victim would need to open a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35992
CVE-2023-35994 on Ubuntu 26.04 LTS (resolute) - medium
Multiple improper array index validation vulnerabilities exist in the fstReaderIterBlocks2 tdelta functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the tdelta initialization part.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35994
CVE-2023-35995 on Ubuntu 26.04 LTS (resolute) - medium
Multiple improper array index validation vulnerabilities exist in the fstReaderIterBlocks2 tdelta functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the tdelta indexing when signal_lens is 1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35995
CVE-2023-35996 on Ubuntu 26.04 LTS (resolute) - medium
Multiple improper array index validation vulnerabilities exist in the fstReaderIterBlocks2 tdelta functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the tdelta indexing when signal_lens is 0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35996
CVE-2023-35997 on Ubuntu 26.04 LTS (resolute) - medium
Multiple improper array index validation vulnerabilities exist in the fstReaderIterBlocks2 tdelta functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the tdelta indexing when signal_lens is 2 or more.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-35997
CVE-2023-36183 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in OpenImageIO v.2.4.12.0 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted file to the readimg function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-03 21:15:00 UTC
CVE-2023-36183
CVE-2023-36192 on Ubuntu 26.04 LTS (resolute) - medium
Sngrep v1.6.0 was discovered to contain a heap buffer overflow via the function capture_ws_check_packet at /src/capture.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-23 02:15:00 UTC
CVE-2023-36192
CVE-2023-36193 on Ubuntu 26.04 LTS (resolute) - medium
Gifsicle v1.9.3 was discovered to contain a heap buffer overflow via the ambiguity_error component at /src/clp.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-23 02:15:00 UTC
CVE-2023-36193
CVE-2023-36243 on Ubuntu 26.04 LTS (resolute) - medium
FLVMeta v1.2.1 was discovered to contain a buffer overflow via the xml_on_metadata_tag_only function at dump_xml.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-22 19:15:00 UTC
CVE-2023-36243
CVE-2023-36250 on Ubuntu 26.04 LTS (resolute) - medium
CSV Injection vulnerability in GNOME time tracker version 3.0.2, allows local attackers to execute arbitrary code via crafted .tsv file when creating a new record.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-14 17:15:00 UTC
CVE-2023-36250
CVE-2023-3635 on Ubuntu 26.04 LTS (resolute) - medium
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-12 19:15:00 UTC
CVE-2023-3635
CVE-2023-3637 on Ubuntu 26.04 LTS (resolute) - medium
An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-25 13:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2222270
CVE-2023-3637
CVE-2023-3640 on Ubuntu 26.04 LTS (resolute) - medium
A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-24 16:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2217523
https://bugzilla.suse.com/show_bug.cgi?id=1213271
CVE-2023-3640
CVE-2023-36464 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is an open source, pure-python PDF library. In affected versions an attacker may craft a PDF which leads to an infinite loop if `__parse_content_stream` is executed. That is, for example, the case if the user extracted text from such a PDF. This issue was introduced in pull request #969 and resolved in pull request #1828. Users are advised to upgrade. Users unable to upgrade may modify the line `while peek not in (b"\r", b"\n")` in `pypdf/generic/_data_structures.py` to `while peek not in (b"\r", b"\n", b"")`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-27 22:15:00 UTC
CVE-2023-36464
CVE-2023-36617 on Ubuntu 26.04 LTS (resolute) - medium
A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-29 13:15:00 UTC
2023-06-29 13:15:00 UTC
[https://ubuntu.com/security/notices/USN-6219-1]
[https://ubuntu.com/security/notices/USN-7747-1]
CVE-2023-36617
CVE-2023-36675 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, and 1.39.x before 1.39.4. BlockLogFormatter.php in BlockLogFormatter allows XSS in the partial blocks feature.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-26 01:15:00 UTC
CVE-2023-36675
CVE-2023-36746 on Ubuntu 26.04 LTS (resolute) - medium
Multiple heap-based buffer overflow vulnerabilities exist in the fstReaderIterBlocks2 fstWritex len functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to memory corruption. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the handling of `len` in `fstWritex` when parsing the time table.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-36746
CVE-2023-36747 on Ubuntu 26.04 LTS (resolute) - medium
Multiple heap-based buffer overflow vulnerabilities exist in the fstReaderIterBlocks2 fstWritex len functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to memory corruption. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the handling of `len` in `fstWritex` when `beg_time` does not match the start of the time table.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-36747
CVE-2023-36830 on Ubuntu 26.04 LTS (resolute) - medium
SQLFluff is a SQL linter. Prior to version 2.1.2, in environments where untrusted users have access to the config files, there is a potential security vulnerability where those users could use the `library_path` config value to allow arbitrary python code to be executed via macros. For many users who use SQLFluff in the context of an environment where all users already have fairly escalated privileges, this may not be an issue - however in larger user bases, or where SQLFluff is bundled into another tool where developers still wish to give users access to supply their own rule configuration, this may be an issue. The 2.1.2 release offers the ability for the `library_path` argument to be overwritten on the command line by using the `--library-path` option. This overrides any values provided in the config files and effectively prevents this route of attack for users which have access to the config file, but not to the scripts which call the SQLFluff CLI directly. A similar option is provided for the Python API, where users also have a greater ability to further customise or override configuration as necessary. Unless `library_path` is explicitly required, SQLFluff maintainers recommend using the option `--library-path none` when invoking SQLFluff which will disable the `library-path` option entirely regardless of the options set in the configuration file or via inline config directives. As a workaround, limiting access to - or otherwise validating configuration files before they are ingested by SQLFluff will provide a similar effect and does not require upgrade.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-06 16:15:00 UTC
CVE-2023-36830
CVE-2023-36861 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write vulnerability exists in the VZT LZMA_read_varint functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-36861
CVE-2023-36864 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability exists in the fstReaderIterBlocks2 temp_signal_value_buf allocation functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-36864
CVE-2023-36915 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the FST fstReaderIterBlocks2 chain_table allocation functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the allocation of the `chain_table` array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-36915
CVE-2023-36916 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the FST fstReaderIterBlocks2 chain_table allocation functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the allocation of the `chain_table_lengths` array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-36916
CVE-2023-37154 on Ubuntu 26.04 LTS (resolute) - medium
check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary command execution via ProxyCommand, LocalCommand, and PermitLocalCommand with \${IFS}. This has been categorized both as fixed in e8810de, and as intended behavior.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-09 06:15:00 UTC
CVE-2023-37154
CVE-2023-3724 on Ubuntu 26.04 LTS (resolute) - medium
If a TLS 1.3 client gets neither a PSK (pre shared key) extension nor a KSE (key share extension) when connecting to a malicious server, a default predictable buffer gets used for the IKM (Input Keying Material) value when generating the session master secret. Using a potentially known IKM value when generating the session master secret key compromises the key generated, allowing an eavesdropper to reconstruct it and potentially allowing access to or meddling with message contents in the session. This issue does not affect client validation of connected servers, nor expose private key information, but could result in an insecure TLS 1.3 session when not controlling both sides of the connection. wolfSSL recommends that TLS 1.3 client side users update the version of wolfSSL used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-17 22:15:00 UTC
CVE-2023-3724
CVE-2023-37282 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write vulnerability exists in the VZT LZMA_Read dmem extraction functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37282
CVE-2023-37300 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the CheckUserLog API in the CheckUser extension for MediaWiki through 1.39.3. There is incorrect access control for visibility of hidden users.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-30 17:15:00 UTC
CVE-2023-37300
CVE-2023-37301 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in SubmitEntityAction in Wikibase in MediaWiki through 1.39.3. Because it doesn't use EditEntity for undo and restore, the intended interaction with AbuseFilter does not occur.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-30 17:15:00 UTC
CVE-2023-37301
CVE-2023-37302 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate (from resources/wikibase/templates.js) for quotes (which can be in a title attribute).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-30 17:15:00 UTC
CVE-2023-37302
CVE-2023-37303 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In certain situations, an attempt to block a user fails after a temporary browser hang and a DBQueryDisconnectedError error message.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-30 17:15:00 UTC
CVE-2023-37303
CVE-2023-37304 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the DoubleWiki extension for MediaWiki through 1.39.3. includes/DoubleWiki.php allows XSS via the column alignment feature.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-30 17:15:00 UTC
CVE-2023-37304
CVE-2023-37305 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the ProofreadPage (aka Proofread Page) extension for MediaWiki through 1.39.3. In includes/Page/PageContentHandler.php and includes/Page/PageDisplayHandler.php, hidden users can be exposed via public interfaces.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-30 17:15:00 UTC
CVE-2023-37305
CVE-2023-37365 on Ubuntu 26.04 LTS (resolute) - medium
Hnswlib 0.7.0 has a double free in init_index when the M argument is a large integer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-06-30 19:15:00 UTC
CVE-2023-37365
CVE-2023-37369 on Ubuntu 26.04 LTS (resolute) - medium
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-20 07:15:00 UTC
CVE-2023-37369
CVE-2023-37378 on Ubuntu 26.04 LTS (resolute) - medium
Nullsoft Scriptable Install System (NSIS) before 3.09 mishandles access control for an uninstaller directory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-03 20:15:00 UTC
CVE-2023-37378
CVE-2023-37416 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the VCD parse_valuechange portdump functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write when triggered via the GUI's legacy VCD parsing code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37416
CVE-2023-37417 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the VCD parse_valuechange portdump functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write when triggered via the GUI's interactive VCD parsing code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37417
CVE-2023-37418 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the VCD parse_valuechange portdump functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write when triggered via the vcd2vzt conversion utility.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37418
CVE-2023-37419 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the VCD parse_valuechange portdump functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write when triggered via the vcd2lxt2 conversion utility.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37419
CVE-2023-37420 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the VCD parse_valuechange portdump functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write when triggered via the vcd2lxt conversion utility.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37420
CVE-2023-37442 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds read vulnerabilities exist in the VCD var definition section functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds read when triggered via the GUI's default VCD parsing code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37442
CVE-2023-37443 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds read vulnerabilities exist in the VCD var definition section functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds read when triggered via the GUI's legacy VCD parsing code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37443
CVE-2023-37444 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds read vulnerabilities exist in the VCD var definition section functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds read when triggered via the GUI's interactive VCD parsing code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37444
CVE-2023-37445 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds read vulnerabilities exist in the VCD var definition section functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write when triggered via the vcd2vzt conversion utility.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37445
CVE-2023-37446 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds read vulnerabilities exist in the VCD var definition section functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write when triggered via the vcd2lxt2 conversion utility.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37446
CVE-2023-37447 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds read vulnerabilities exist in the VCD var definition section functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write when triggered via the vcd2lxt conversion utility.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37447
CVE-2023-37457 on Ubuntu 26.04 LTS (resolute) - medium
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0; as well as certified-asterisk 18.9-cert5 and prior, the 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. By doing so this can overwrite memory or cause a crash. This is not externally exploitable, unless dialplan is explicitly written to update a header based on data from an outside source. If the 'update' functionality is not used the vulnerability does not occur. A patch is available at commit a1ca0268254374b515fa5992f01340f7717113fa.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-14 20:15:00 UTC
CVE-2023-37457
CVE-2023-37460 on Ubuntu 26.04 LTS (resolute) - medium
Plexus Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-25 20:15:00 UTC
CVE-2023-37460
CVE-2023-37464 on Ubuntu 26.04 LTS (resolute) - medium
OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-14 21:15:00 UTC
2023-07-14 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-6307-1]
CVE-2023-37464
CVE-2023-37543 on Ubuntu 26.04 LTS (resolute) - medium
Cacti before 1.2.6 allows IDOR (Insecure Direct Object Reference) for accessing any graph via a modified local_graph_id parameter to graph_xport.php. This is a different vulnerability than CVE-2019-16723.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-10 15:15:00 UTC
CVE-2023-37543
CVE-2023-37573 on Ubuntu 26.04 LTS (resolute) - medium
Multiple use-after-free vulnerabilities exist in the VCD get_vartoken realloc functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the use-after-free when triggered via the GUI's recoder (default) VCD parsing code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37573
CVE-2023-37574 on Ubuntu 26.04 LTS (resolute) - medium
Multiple use-after-free vulnerabilities exist in the VCD get_vartoken realloc functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the use-after-free when triggered via the GUI's legacy VCD parsing code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37574
CVE-2023-37575 on Ubuntu 26.04 LTS (resolute) - medium
Multiple use-after-free vulnerabilities exist in the VCD get_vartoken realloc functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the use-after-free when triggered via the GUI's interactive VCD parsing code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37575
CVE-2023-37576 on Ubuntu 26.04 LTS (resolute) - medium
Multiple use-after-free vulnerabilities exist in the VCD get_vartoken realloc functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the use-after-free when triggered via the vcd2vzt conversion utility.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37576
CVE-2023-37577 on Ubuntu 26.04 LTS (resolute) - medium
Multiple use-after-free vulnerabilities exist in the VCD get_vartoken realloc functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the use-after-free when triggered via the vcd2lxt2 conversion utility.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37577
CVE-2023-37578 on Ubuntu 26.04 LTS (resolute) - medium
Multiple use-after-free vulnerabilities exist in the VCD get_vartoken realloc functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the use-after-free when triggered via the vcd2lxt conversion utility.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37578
CVE-2023-3758 on Ubuntu 26.04 LTS (resolute) - medium
A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.
Update Instructions:
Run `sudo pro fix CVE-2023-3758` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libipa-hbac0t64 - 2.9.4-1.1ubuntu7
libnss-sss - 2.9.4-1.1ubuntu7
libpam-sss - 2.9.4-1.1ubuntu7
libsss-certmap0 - 2.9.4-1.1ubuntu7
libsss-idmap0 - 2.9.4-1.1ubuntu7
libsss-nss-idmap0 - 2.9.4-1.1ubuntu7
libsss-sudo - 2.9.4-1.1ubuntu7
python3-libipa-hbac - 2.9.4-1.1ubuntu7
python3-libsss-nss-idmap - 2.9.4-1.1ubuntu7
python3-sss - 2.9.4-1.1ubuntu7
sssd - 2.9.4-1.1ubuntu7
sssd-ad - 2.9.4-1.1ubuntu7
sssd-ad-common - 2.9.4-1.1ubuntu7
sssd-common - 2.9.4-1.1ubuntu7
sssd-dbus - 2.9.4-1.1ubuntu7
sssd-idp - 2.9.4-1.1ubuntu7
sssd-ipa - 2.9.4-1.1ubuntu7
sssd-kcm - 2.9.4-1.1ubuntu7
sssd-krb5 - 2.9.4-1.1ubuntu7
sssd-krb5-common - 2.9.4-1.1ubuntu7
sssd-ldap - 2.9.4-1.1ubuntu7
sssd-passkey - 2.9.4-1.1ubuntu7
sssd-proxy - 2.9.4-1.1ubuntu7
sssd-tools - 2.9.4-1.1ubuntu7
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-18 19:15:00 UTC
2024-04-18 19:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2223762
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070369
[https://ubuntu.com/security/notices/USN-6836-1]
CVE-2023-3758
CVE-2023-37732 on Ubuntu 26.04 LTS (resolute) - medium
Yasm v1.3.0.78 was found prone to NULL Pointer Dereference in /libyasm/intnum.c and /elf/elf.c, which allows the attacker to cause a denial of service via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-26 21:15:00 UTC
CVE-2023-37732
CVE-2023-37769 on Ubuntu 26.04 LTS (resolute) - medium
stress-test master commit e4c878 was discovered to contain a FPE vulnerability via the component combine_inner at /pixman-combine-float.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-17 20:15:00 UTC
https://gitlab.freedesktop.org/pixman/pixman/-/issues/76
CVE-2023-37769
CVE-2023-37770 on Ubuntu 26.04 LTS (resolute) - medium
faust commit ee39a19 was discovered to contain a stack overflow via the component boxppShared::print() at /boxes/ppbox.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-17 20:15:00 UTC
CVE-2023-37770
CVE-2023-37836 on Ubuntu 26.04 LTS (resolute) - medium
libjpeg commit db33a6e was discovered to contain a reachable assertion via BitMapHook::BitMapHook at bitmaphook.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-13 23:15:00 UTC
https://github.com/thorfdbg/libjpeg/issues/87#BUG1
CVE-2023-37836
CVE-2023-37837 on Ubuntu 26.04 LTS (resolute) - medium
libjpeg commit db33a6e was discovered to contain a heap buffer overflow via LineBitmapRequester::EncodeRegion at linebitmaprequester.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-13 23:15:00 UTC
https://github.com/thorfdbg/libjpeg/issues/87#BUG0
CVE-2023-37837
CVE-2023-37921 on Ubuntu 26.04 LTS (resolute) - medium
Multiple arbitrary write vulnerabilities exist in the VCD sorted bsearch functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the arbitrary write when triggered via the vcd2vzt conversion utility.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37921
CVE-2023-37922 on Ubuntu 26.04 LTS (resolute) - medium
Multiple arbitrary write vulnerabilities exist in the VCD sorted bsearch functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the arbitrary write when triggered via the vcd2lxt2 conversion utility.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37922
CVE-2023-37923 on Ubuntu 26.04 LTS (resolute) - medium
Multiple arbitrary write vulnerabilities exist in the VCD sorted bsearch functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the arbitrary write when triggered via the vcd2lxt conversion utility.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-37923
CVE-2023-38000 on Ubuntu 26.04 LTS (resolute) - medium
Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-13 10:15:00 UTC
CVE-2023-38000
CVE-2023-38037 on Ubuntu 26.04 LTS (resolute) - medium
ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions are defaulted to the user's current `umask` settings, meaning that it's possible for other users on the same system to read the contents of the temporary file. Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it. All users running an affected release should either upgrade or use one of the workarounds immediately.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-09 01:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051057
CVE-2023-38037
CVE-2023-38056 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any authenticated attacker with admin privileges local execution of Code. This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-24 09:15:00 UTC
CVE-2023-38056
CVE-2023-38057 on Ubuntu 26.04 LTS (resolute) - medium
An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject javascript code in free text answers. This allows a cross site scripting attack while reading the replies as authenticated agent. This issue affects OTRS Survey module from 7.0.X before 7.0.32, from 8.0.X before 8.0.13 and ((OTRS)) Community Edition Survey module from 6.0.X through 6.0.22.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-24 09:15:00 UTC
CVE-2023-38057
CVE-2023-38058 on Ubuntu 26.04 LTS (resolute) - medium
An improper privilege check in the OTRS ticket move action in the agent interface allows any attacker authenticated as an agent to perform a move of a ticket without the needed permission. This issue affects OTRS: from 8.0.X before 8.0.35.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-24 09:15:00 UTC
CVE-2023-38058
CVE-2023-38059 on Ubuntu 26.04 LTS (resolute) - medium
The loading of external images is not blocked, even if configured, if the attacker uses a protocol-relative URL in the payload. This can be used to retrieve the IP of the user. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-16 09:15:00 UTC
CVE-2023-38059
CVE-2023-38060 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation vulnerability in the ContentType parameter for attachments on TicketCreate or TicketUpdate operations of the OTRS Generic Interface modules allows any authenticated attacker to perform a host header injection for the ContentType header of the attachment. This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-24 09:15:00 UTC
CVE-2023-38060
CVE-2023-38197 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-13 02:15:00 UTC
CVE-2023-38197
CVE-2023-38199 on Ubuntu 26.04 LTS (resolute) - medium
coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka "Content-Type confusion" between the WAF and the backend application. This occurs when the web application relies on only the last Content-Type header. Other platforms may reject the additional Content-Type header or merge conflicting headers, leading to detection as a malformed header.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-13 03:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041109
CVE-2023-38199
CVE-2023-38252 on Ubuntu 26.04 LTS (resolute) - low
An out-of-bounds read flaw was found in w3m, in the Strnew_size function in Str.c. This issue may allow an attacker to cause a denial of service through a crafted HTML file.
Update Instructions:
Run `sudo pro fix CVE-2023-38252` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
w3m - 0.5.3+git20230121-2ubuntu1
w3m-img - 0.5.3+git20230121-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-07-14 18:15:00 UTC
https://github.com/tats/w3m/issues/270
https://bugzilla.redhat.com/show_bug.cgi?id=2222775
CVE-2023-38252
CVE-2023-38253 on Ubuntu 26.04 LTS (resolute) - low
An out-of-bounds read flaw was found in w3m, in the growbuf_to_Str function in indep.c. This issue may allow an attacker to cause a denial of service through a crafted HTML file.
Update Instructions:
Run `sudo pro fix CVE-2023-38253` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
w3m - 0.5.3+git20230121-2ubuntu1
w3m-img - 0.5.3+git20230121-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-07-14 18:15:00 UTC
https://github.com/tats/w3m/issues/271
https://bugzilla.redhat.com/show_bug.cgi?id=2222779
CVE-2023-38253
CVE-2023-38283 on Ubuntu 26.04 LTS (resolute) - medium
In OpenBGPD before 8.1, incorrect handling of BGP update data (length of path attributes) set by a potentially distant remote actor may cause the system to incorrectly reset a session. This is fixed in OpenBSD 7.3 errata 006.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-29 16:15:00 UTC
CVE-2023-38283
CVE-2023-38403 on Ubuntu 26.04 LTS (resolute) - medium
iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-17 21:15:00 UTC
2023-07-17 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-6431-1]
[https://ubuntu.com/security/notices/USN-6431-2]
[https://ubuntu.com/security/notices/USN-6431-3]
CVE-2023-38403
CVE-2023-38408 on Ubuntu 26.04 LTS (resolute) - medium
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
Update Instructions:
Run `sudo pro fix CVE-2023-38408` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openssh-client - 1:9.3p1-1ubuntu2
openssh-client-gssapi - 1:9.3p1-1ubuntu2
openssh-server - 1:9.3p1-1ubuntu2
openssh-server-gssapi - 1:9.3p1-1ubuntu2
openssh-sftp-server - 1:9.3p1-1ubuntu2
openssh-tests - 1:9.3p1-1ubuntu2
ssh - 1:9.3p1-1ubuntu2
ssh-askpass-gnome - 1:9.3p1-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-19
2023-07-19
[https://ubuntu.com/security/notices/USN-6242-1]
[https://ubuntu.com/security/notices/USN-6242-2]
CVE-2023-38408
CVE-2023-38546 on Ubuntu 26.04 LTS (resolute) - low
This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates an easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.
Update Instructions:
Run `sudo pro fix CVE-2023-38546` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
curl - 8.2.1-1ubuntu3.1
libcurl3t64-gnutls - 8.2.1-1ubuntu3.1
libcurl4t64 - 8.2.1-1ubuntu3.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-10-11 06:00:00 UTC
2023-10-11 06:00:00 UTC
w0x42 on hackerone
[https://ubuntu.com/security/notices/USN-6429-1]
[https://ubuntu.com/security/notices/USN-6429-2]
[https://ubuntu.com/security/notices/USN-6429-3]
CVE-2023-38546
CVE-2023-38583 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the LXT2 lxt2_rd_expand_integer_to_bits function of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-38583
CVE-2023-38618 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the VZT facgeometry parsing functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when allocating the `rows` array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-38618
CVE-2023-38619 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the VZT facgeometry parsing functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when allocating the `msb` array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-38619
CVE-2023-38620 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the VZT facgeometry parsing functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when allocating the `lsb` array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-38620
CVE-2023-38621 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the VZT facgeometry parsing functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when allocating the `flags` array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-38621
CVE-2023-38622 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the VZT facgeometry parsing functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when allocating the `len` array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-38622
CVE-2023-38623 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the VZT facgeometry parsing functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when allocating the `vindex_offset` array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-38623
CVE-2023-38648 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the VZT vzt_rd_get_facname decompression functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write performed by the prefix copy loop.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-38648
CVE-2023-38649 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the VZT vzt_rd_get_facname decompression functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write performed by the string copy loop.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-38649
CVE-2023-38650 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the VZT vzt_rd_block_vch_decode times parsing functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to memory corruption. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when num_time_ticks is not zero.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-38650
CVE-2023-38651 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the VZT vzt_rd_block_vch_decode times parsing functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to memory corruption. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when num_time_ticks is zero.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-38651
CVE-2023-38652 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the VZT vzt_rd_block_vch_decode dict parsing functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to memory corruption. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when num_time_ticks is not zero.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-38652
CVE-2023-38653 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the VZT vzt_rd_block_vch_decode dict parsing functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to memory corruption. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when num_time_ticks is zero.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-38653
CVE-2023-38657 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write vulnerability exists in the LXT2 zlib block decompression functionality of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-38657
CVE-2023-38667 on Ubuntu 26.04 LTS (resolute) - medium
Stack-based buffer over-read in function disasm in nasm 2.16 allows attackers to cause a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2023-38667
CVE-2023-38668 on Ubuntu 26.04 LTS (resolute) - medium
Stack-based buffer over-read in disasm in nasm 2.16 allows attackers to cause a denial of service (crash).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-22 19:16:00 UTC
CVE-2023-38668
CVE-2023-38697 on Ubuntu 26.04 LTS (resolute) - medium
protocol-http1 provides a low-level implementation of the HTTP/1 protocol. RFC 9112 Section 7.1 defined the format of chunk size, chunk data and chunk extension. The value of the Content-Length header should be a string of 0-9 digits, the chunk size should be a string of hex digits and should be split from chunk data using CRLF, and the chunk extension shouldn't contain any invisible character. However, Falcon has the following behaviors that disobey the corresponding RFCs: accepting Content-Length header values that have a `+` prefix, accepting Content-Length header values that are written in hexadecimal with a `0x` prefix, accepting `0x` and `+` prefixed chunk sizes, and accepting LF in chunk extensions. This behavior can lead to desync when forwarding through multiple HTTP parsers, potentially resulting in HTTP request smuggling and firewall bypassing. This issue is fixed in `protocol-http1` v0.15.1. There are no known workarounds.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-04 18:15:00 UTC
CVE-2023-38697
CVE-2023-38703 on Ubuntu 26.04 LTS (resolute) - medium
PJSIP is a free and open source multimedia communication library written in C with high level API in C, C++, Java, C#, and Python languages. SRTP is a higher level media transport which is stacked upon a lower level media transport such as UDP and ICE. Currently a higher level transport is not synchronized with its lower level transport, which may introduce a use-after-free issue. This vulnerability affects applications that have SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use an underlying media transport other than UDP. This vulnerability's impact may range from unexpected application termination to control flow hijack/memory corruption. The patch is available as a commit in the master branch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-06 14:15:00 UTC
CVE-2023-38703
CVE-2023-38709 on Ubuntu 26.04 LTS (resolute) - medium
Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.
Update Instructions:
Run `sudo pro fix CVE-2023-38709` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.58-1ubuntu8.1
apache2-bin - 2.4.58-1ubuntu8.1
apache2-data - 2.4.58-1ubuntu8.1
apache2-suexec-custom - 2.4.58-1ubuntu8.1
apache2-suexec-pristine - 2.4.58-1ubuntu8.1
apache2-utils - 2.4.58-1ubuntu8.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-04 20:15:00 UTC
2024-04-04 20:15:00 UTC
Orange Tsai
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068412
[https://ubuntu.com/security/notices/USN-6729-1]
[https://ubuntu.com/security/notices/USN-6729-2]
[https://ubuntu.com/security/notices/USN-6729-3]
CVE-2023-38709
CVE-2023-38710 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Libreswan before 4.12. When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH (3) and causes the pluto daemon to crash and restart. NOTE: the earliest affected version is 3.20.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-25 21:15:00 UTC
CVE-2023-38710
CVE-2023-38711 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Libreswan before 4.12. When an IKEv1 Quick Mode connection configured with ID_IPV4_ADDR or ID_IPV6_ADDR receives an IDcr payload with ID_FQDN, a NULL pointer dereference causes a crash and restart of the pluto daemon. NOTE: the earliest affected version is 4.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-25 21:15:00 UTC
CVE-2023-38711
CVE-2023-38712 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Libreswan 3.x and 4.x before 4.12. When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a NULL pointer dereference on the deleted state causes the pluto daemon to crash and restart.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-25 21:15:00 UTC
CVE-2023-38712
CVE-2023-38745 on Ubuntu 26.04 LTS (resolute) - medium
Pandoc before 3.1.6 allows arbitrary file write: this can be triggered by providing a crafted image element in the input when generating files via the --extract-media option or outputting to PDF format. This allows an attacker to create or overwrite arbitrary files, depending on the privileges of the process running Pandoc. It only affects systems that pass untrusted user input to Pandoc and allow Pandoc to be used to produce a PDF or with the --extract-media option. NOTE: this issue exists because of an incomplete fix for CVE-2023-35936 (failure to properly account for double encoded path names).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-07-25 04:15:00 UTC
CVE-2023-38745
CVE-2023-38851 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the xls_parseWorkBook function in xls.c:1018.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-15 17:15:00 UTC
CVE-2023-38851
CVE-2023-38852 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the unicode_decode_wcstombs function in xlstool.c:266.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-15 17:15:00 UTC
CVE-2023-38852
CVE-2023-38853 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the xls_parseWorkBook function in xls.c:1015.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-15 17:15:00 UTC
CVE-2023-38853
CVE-2023-38854 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the transcode_latin1_to_utf8 function in xlstool.c:296.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-15 17:15:00 UTC
CVE-2023-38854
CVE-2023-38855 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the get_string function in xlstool.c:395.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-15 17:15:00 UTC
CVE-2023-38855
CVE-2023-38856 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in libxls v.1.6.2 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted XLS file to the get_string function in xlstool.c:411.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-15 17:15:00 UTC
CVE-2023-38856
CVE-2023-38857 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in faad2 v.2.10.1 allows a remote attacker to execute arbitrary code and cause a denial of service via the stcoin function in mp4read.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-15 17:15:00 UTC
2023-08-15 17:15:00 UTC
https://github.com/knik0/faad2/issues/171
[https://ubuntu.com/security/notices/USN-6313-1]
CVE-2023-38857
CVE-2023-38858 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in faad2 v.2.10.1 allows a remote attacker to execute arbitrary code and cause a denial of service via the mp4info function in mp4read.c:1039.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-15 17:15:00 UTC
2023-08-15 17:15:00 UTC
https://github.com/knik0/faad2/issues/173
[https://ubuntu.com/security/notices/USN-6313-1]
CVE-2023-38858
CVE-2023-39039 on Ubuntu 26.04 LTS (resolute) - medium
An information leak in Camp Style Project Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-18 21:15:00 UTC
CVE-2023-39039
CVE-2023-39070 on Ubuntu 26.04 LTS (resolute) - medium
An issue in Cppcheck 2.12 dev allows a local attacker to execute arbitrary code via the removeContradiction parameter in token.cpp:1934.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-11 19:15:00 UTC
CVE-2023-39070
CVE-2023-3917 on Ubuntu 26.04 LTS (resolute) - medium
Denial of Service in pipelines affecting all versions of Gitlab EE and CE prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to cause pipelines to fail.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-29 07:15:00 UTC
CVE-2023-3917
CVE-2023-39234 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the VZT vzt_rd_process_block autosort functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write when looping over `lt->numrealfacs`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-39234
CVE-2023-39235 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the VZT vzt_rd_process_block autosort functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write when looping over `lt->num_time_ticks`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-39235
CVE-2023-39270 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the LXT2 facgeometry parsing functionality of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when allocating the `rows` array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-39270
CVE-2023-39271 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the LXT2 facgeometry parsing functionality of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when allocating the `msb` array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-39271
CVE-2023-39272 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the LXT2 facgeometry parsing functionality of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when allocating the `lsb` array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-39272
CVE-2023-39273 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the LXT2 facgeometry parsing functionality of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when allocating the `flags` array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-39273
CVE-2023-39274 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the LXT2 facgeometry parsing functionality of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when allocating the `len` array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-39274
CVE-2023-39275 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the LXT2 facgeometry parsing functionality of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when allocating the `value` array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-39275
CVE-2023-39316 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the LXT2 num_dict_entries functionality of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when allocating the `string_pointers` array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-39316
CVE-2023-39317 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer overflow vulnerabilities exist in the LXT2 num_dict_entries functionality of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer overflow when allocating the `string_lens` array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-39317
CVE-2023-39327 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in OpenJPEG. Maliciously constructed pictures can cause the program to enter a large loop and continuously print warning messages on the terminal.
Update Instructions:
Run `sudo pro fix CVE-2023-39327` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenjp2-7 - 2.5.0-2ubuntu1
libopenjp2-tools - 2.5.0-2ubuntu1
libopenjpip-dec-server - 2.5.0-2ubuntu1
libopenjpip-viewer - 2.5.0-2ubuntu1
libopenjpip7 - 2.5.0-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-13 03:15:00 UTC
2024-07-13 03:15:00 UTC
https://github.com/uclouvain/openjpeg/issues/1472
[https://ubuntu.com/security/notices/USN-7037-1]
[https://ubuntu.com/security/notices/USN-7623-1]
CVE-2023-39327
CVE-2023-39328 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in OpenJPEG similar to CVE-2019-6988. This flaw allows an attacker to bypass existing protections and cause an application crash through a maliciously crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-09 14:15:00 UTC
https://github.com/uclouvain/openjpeg/issues/1471
https://bugzilla.redhat.com/show_bug.cgi?id=2219236
CVE-2023-39328
CVE-2023-39329 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in OpenJPEG. A resource exhaustion can occur in the opj_t1_decode_cblks function in tcd.c through a crafted image file, causing a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-13 03:15:00 UTC
https://github.com/uclouvain/openjpeg/issues/1474
CVE-2023-39329
CVE-2023-39361 on Ubuntu 26.04 LTS (resolute) - high
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graph_view.php. Since guest users can access graph_view.php without authentication by default, if guest users are being utilized in an enabled state, there could be the potential for significant damage. Attackers may exploit this vulnerability, and there may be possibilities for actions such as the usurpation of administrative privileges or remote code execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2023-39361` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
cacti - 1.2.25+ds1-2
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2023 Canonical Ltd.
2023-09-05 21:15:00 UTC
2023-09-05 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-6720-1]
CVE-2023-39361
CVE-2023-39413 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer underflow vulnerabilities exist in the LXT2 lxt2_rd_iter_radix shift operation functionality of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to memory corruption. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer underflow when performing the left shift operation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-39413
CVE-2023-39414 on Ubuntu 26.04 LTS (resolute) - medium
Multiple integer underflow vulnerabilities exist in the LXT2 lxt2_rd_iter_radix shift operation functionality of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to memory corruption. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the integer underflow when performing the right shift operation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-39414
CVE-2023-39443 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the LXT2 parsing functionality of GTKWave 3.3.115. A specially-crafted .lxt2 file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write performed by the prefix copy loop.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-39443
CVE-2023-39444 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds write vulnerabilities exist in the LXT2 parsing functionality of GTKWave 3.3.115. A specially-crafted .lxt2 file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write performed by the string copy loop.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-08 15:15:00 UTC
CVE-2023-39444
CVE-2023-39616 on Ubuntu 26.04 LTS (resolute) - medium
AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid read memory access via the component assign_frame_buffer_p in av1/common/av1_common_int.h.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-29 17:15:00 UTC
CVE-2023-39616
CVE-2023-39741 on Ubuntu 26.04 LTS (resolute) - medium
lrzip v0.651 was discovered to contain a heap overflow via the libzpaq::PostProcessor::write(int) function at /libzpaq/libzpaq.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-17 19:15:00 UTC
CVE-2023-39741
CVE-2023-39743 on Ubuntu 26.04 LTS (resolute) - low
lrzip-next LZMA v23.01 was discovered to contain an access violation via the component /bz3_decode_block src/libbz3.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-08-17 19:15:00 UTC
CVE-2023-39743
CVE-2023-39950 on Ubuntu 26.04 LTS (resolute) - medium
efibootguard is a simple UEFI boot loader with support for safely switching between current and updated partition sets. Insufficient or missing validation and sanitization of input from untrustworthy bootloader environment files can cause crashes and probably also code injections into `bg_setenv`) or programs using `libebgenv`. This is triggered when the affected components try to modify a manipulated environment, in particular its user variables. Furthermore, `bg_printenv` may crash over invalid read accesses or report invalid results. Not affected by this issue is EFI Boot Guard's bootloader EFI binary. EFI Boot Guard release v0.15 contains required patches to sanitize and validate the bootloader environment prior to processing it in userspace. Its library and tools should be updated, so should programs statically linked against it. An update of the bootloader EFI executable is not required. The only way to prevent the issue with an unpatched EFI Boot Guard version is to avoid accesses to user variables, specifically modifications to them.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-14 21:15:00 UTC
CVE-2023-39950
CVE-2023-39968 on Ubuntu 26.04 LTS (resolute) - medium
jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit `29036259` which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-28 21:15:00 UTC
CVE-2023-39968
CVE-2023-39999 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-13 12:15:00 UTC
CVE-2023-39999
CVE-2023-4010 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-07-31 17:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2227726
https://bugzilla.suse.com/show_bug.cgi?id=1214030
CVE-2023-4010
CVE-2023-40170 on Ubuntu 26.04 LTS (resolute) - medium
jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-28 21:15:00 UTC
CVE-2023-40170
CVE-2023-40175 on Ubuntu 26.04 LTS (resolute) - medium
Puma is a Ruby/Rack web server built for parallelism. Prior to versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling. Severity of this issue is highly dependent on the nature of the web site using puma. This could be caused by either incorrect parsing of trailing fields in chunked transfer encoding bodies or by parsing of blank/zero-length Content-Length headers. Both issues have been addressed and this vulnerability has been fixed in versions 6.3.1 and 5.6.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2023-40175` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
puma - 5.6.5-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-18 22:15:00 UTC
2023-08-18 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050079
[https://ubuntu.com/security/notices/USN-6399-1]
[https://ubuntu.com/security/notices/USN-6682-1]
CVE-2023-40175
CVE-2023-40267 on Ubuntu 26.04 LTS (resolute) - medium
GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-11 07:15:00 UTC
2023-08-11 07:15:00 UTC
[https://ubuntu.com/security/notices/USN-6326-1]
CVE-2023-40267
CVE-2023-4039 on Ubuntu 26.04 LTS (resolute) - low
**DISPUTED** A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.
Update Instructions:
Run `sudo pro fix CVE-2023-4039` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
cpp-11 - 11.4.0-4ubuntu1
g++-11 - 11.4.0-4ubuntu1
g++-11-multilib - 11.4.0-4ubuntu1
gcc-11 - 11.4.0-4ubuntu1
gcc-11-base - 11.4.0-4ubuntu1
gcc-11-hppa64-linux-gnu - 11.4.0-4ubuntu1
gcc-11-locales - 11.4.0-4ubuntu1
gcc-11-multilib - 11.4.0-4ubuntu1
gcc-11-offload-amdgcn - 11.4.0-4ubuntu1
gcc-11-offload-nvptx - 11.4.0-4ubuntu1
gcc-11-source - 11.4.0-4ubuntu1
gcc-11-test-results - 11.4.0-4ubuntu1
gccgo-11 - 11.4.0-4ubuntu1
gccgo-11-multilib - 11.4.0-4ubuntu1
gdc-11 - 11.4.0-4ubuntu1
gdc-11-multilib - 11.4.0-4ubuntu1
gfortran-11 - 11.4.0-4ubuntu1
gfortran-11-multilib - 11.4.0-4ubuntu1
gnat-11 - 11.4.0-4ubuntu1
gobjc++-11 - 11.4.0-4ubuntu1
gobjc++-11-multilib - 11.4.0-4ubuntu1
gobjc-11 - 11.4.0-4ubuntu1
gobjc-11-multilib - 11.4.0-4ubuntu1
lib32asan6 - 11.4.0-4ubuntu1
lib32go19 - 11.4.0-4ubuntu1
lib32gphobos2 - 11.4.0-4ubuntu1
lib64asan6 - 11.4.0-4ubuntu1
lib64go19 - 11.4.0-4ubuntu1
lib64gphobos2 - 11.4.0-4ubuntu1
libasan6 - 11.4.0-4ubuntu1
libgnat-11 - 11.4.0-4ubuntu1
libgo19 - 11.4.0-4ubuntu1
libgphobos2 - 11.4.0-4ubuntu1
libstdc++-11-pic - 11.4.0-4ubuntu1
libtsan0 - 11.4.0-4ubuntu1
libx32asan6 - 11.4.0-4ubuntu1
libx32go19 - 11.4.0-4ubuntu1
libx32gphobos2 - 11.4.0-4ubuntu1
No subscription required
cpp-12 - 12.3.0-9ubuntu1
g++-12 - 12.3.0-9ubuntu1
g++-12-multilib - 12.3.0-9ubuntu1
gcc-12 - 12.3.0-9ubuntu1
gcc-12-base - 12.3.0-9ubuntu1
gcc-12-hppa64-linux-gnu - 12.3.0-9ubuntu1
gcc-12-locales - 12.3.0-9ubuntu1
gcc-12-multilib - 12.3.0-9ubuntu1
gcc-12-offload-amdgcn - 12.3.0-9ubuntu1
gcc-12-offload-nvptx - 12.3.0-9ubuntu1
gcc-12-source - 12.3.0-9ubuntu1
gcc-12-test-results - 12.3.0-9ubuntu1
gccgo-12 - 12.3.0-9ubuntu1
gccgo-12-multilib - 12.3.0-9ubuntu1
gdc-12 - 12.3.0-9ubuntu1
gdc-12-multilib - 12.3.0-9ubuntu1
gfortran-12 - 12.3.0-9ubuntu1
gfortran-12-multilib - 12.3.0-9ubuntu1
gm2-12 - 12.3.0-9ubuntu1
gnat-12 - 12.3.0-9ubuntu1
gobjc++-12 - 12.3.0-9ubuntu1
gobjc++-12-multilib - 12.3.0-9ubuntu1
gobjc-12 - 12.3.0-9ubuntu1
gobjc-12-multilib - 12.3.0-9ubuntu1
lib32go21 - 12.3.0-9ubuntu1
lib32gphobos3 - 12.3.0-9ubuntu1
lib64go21 - 12.3.0-9ubuntu1
lib64gphobos3 - 12.3.0-9ubuntu1
libgm2-17 - 12.3.0-9ubuntu1
libgnat-12 - 12.3.0-9ubuntu1
libgo21 - 12.3.0-9ubuntu1
libgphobos3 - 12.3.0-9ubuntu1
libstdc++-12-pic - 12.3.0-9ubuntu1
libx32go21 - 12.3.0-9ubuntu1
libx32gphobos3 - 12.3.0-9ubuntu1
No subscription required
cpp-13 - 13.2.0-4ubuntu1
cpp-13-aarch64-linux-gnu - 13.2.0-4ubuntu1
cpp-13-arm-linux-gnueabihf - 13.2.0-4ubuntu1
cpp-13-for-build - 13.2.0-4ubuntu1
cpp-13-for-host - 13.2.0-4ubuntu1
cpp-13-i686-linux-gnu - 13.2.0-4ubuntu1
cpp-13-powerpc64le-linux-gnu - 13.2.0-4ubuntu1
cpp-13-riscv64-linux-gnu - 13.2.0-4ubuntu1
cpp-13-s390x-linux-gnu - 13.2.0-4ubuntu1
cpp-13-x86-64-linux-gnu - 13.2.0-4ubuntu1
g++-13 - 13.2.0-4ubuntu1
g++-13-aarch64-linux-gnu - 13.2.0-4ubuntu1
g++-13-arm-linux-gnueabihf - 13.2.0-4ubuntu1
g++-13-for-build - 13.2.0-4ubuntu1
g++-13-for-host - 13.2.0-4ubuntu1
g++-13-i686-linux-gnu - 13.2.0-4ubuntu1
g++-13-multilib - 13.2.0-4ubuntu1
g++-13-powerpc64le-linux-gnu - 13.2.0-4ubuntu1
g++-13-riscv64-linux-gnu - 13.2.0-4ubuntu1
g++-13-s390x-linux-gnu - 13.2.0-4ubuntu1
g++-13-x86-64-linux-gnu - 13.2.0-4ubuntu1
gcc-13 - 13.2.0-4ubuntu1
gcc-13-aarch64-linux-gnu - 13.2.0-4ubuntu1
gcc-13-arm-linux-gnueabihf - 13.2.0-4ubuntu1
gcc-13-base - 13.2.0-4ubuntu1
gcc-13-for-build - 13.2.0-4ubuntu1
gcc-13-for-host - 13.2.0-4ubuntu1
gcc-13-hppa64-linux-gnu - 13.2.0-4ubuntu1
gcc-13-i686-linux-gnu - 13.2.0-4ubuntu1
gcc-13-locales - 13.2.0-4ubuntu1
gcc-13-multilib - 13.2.0-4ubuntu1
gcc-13-offload-amdgcn - 13.2.0-4ubuntu1
gcc-13-offload-nvptx - 13.2.0-4ubuntu1
gcc-13-powerpc64le-linux-gnu - 13.2.0-4ubuntu1
gcc-13-riscv64-linux-gnu - 13.2.0-4ubuntu1
gcc-13-s390x-linux-gnu - 13.2.0-4ubuntu1
gcc-13-source - 13.2.0-4ubuntu1
gcc-13-test-results - 13.2.0-4ubuntu1
gcc-13-x86-64-linux-gnu - 13.2.0-4ubuntu1
gccgo-13 - 13.2.0-4ubuntu1
gccgo-13-aarch64-linux-gnu - 13.2.0-4ubuntu1
gccgo-13-arm-linux-gnueabihf - 13.2.0-4ubuntu1
gccgo-13-for-build - 13.2.0-4ubuntu1
gccgo-13-for-host - 13.2.0-4ubuntu1
gccgo-13-i686-linux-gnu - 13.2.0-4ubuntu1
gccgo-13-multilib - 13.2.0-4ubuntu1
gccgo-13-powerpc64le-linux-gnu - 13.2.0-4ubuntu1
gccgo-13-riscv64-linux-gnu - 13.2.0-4ubuntu1
gccgo-13-s390x-linux-gnu - 13.2.0-4ubuntu1
gccgo-13-x86-64-linux-gnu - 13.2.0-4ubuntu1
gdc-13 - 13.2.0-4ubuntu1
gdc-13-aarch64-linux-gnu - 13.2.0-4ubuntu1
gdc-13-arm-linux-gnueabihf - 13.2.0-4ubuntu1
gdc-13-for-build - 13.2.0-4ubuntu1
gdc-13-for-host - 13.2.0-4ubuntu1
gdc-13-i686-linux-gnu - 13.2.0-4ubuntu1
gdc-13-multilib - 13.2.0-4ubuntu1
gdc-13-powerpc64le-linux-gnu - 13.2.0-4ubuntu1
gdc-13-riscv64-linux-gnu - 13.2.0-4ubuntu1
gdc-13-s390x-linux-gnu - 13.2.0-4ubuntu1
gdc-13-x86-64-linux-gnu - 13.2.0-4ubuntu1
gfortran-13 - 13.2.0-4ubuntu1
gfortran-13-aarch64-linux-gnu - 13.2.0-4ubuntu1
gfortran-13-arm-linux-gnueabihf - 13.2.0-4ubuntu1
gfortran-13-for-build - 13.2.0-4ubuntu1
gfortran-13-for-host - 13.2.0-4ubuntu1
gfortran-13-i686-linux-gnu - 13.2.0-4ubuntu1
gfortran-13-multilib - 13.2.0-4ubuntu1
gfortran-13-powerpc64le-linux-gnu - 13.2.0-4ubuntu1
gfortran-13-riscv64-linux-gnu - 13.2.0-4ubuntu1
gfortran-13-s390x-linux-gnu - 13.2.0-4ubuntu1
gfortran-13-x86-64-linux-gnu - 13.2.0-4ubuntu1
gm2-13 - 13.2.0-4ubuntu1
gm2-13-aarch64-linux-gnu - 13.2.0-4ubuntu1
gm2-13-arm-linux-gnueabihf - 13.2.0-4ubuntu1
gm2-13-for-build - 13.2.0-4ubuntu1
gm2-13-for-host - 13.2.0-4ubuntu1
gm2-13-i686-linux-gnu - 13.2.0-4ubuntu1
gm2-13-powerpc64le-linux-gnu - 13.2.0-4ubuntu1
gm2-13-riscv64-linux-gnu - 13.2.0-4ubuntu1
gm2-13-s390x-linux-gnu - 13.2.0-4ubuntu1
gm2-13-x86-64-linux-gnu - 13.2.0-4ubuntu1
gnat-13 - 13.2.0-4ubuntu1
gnat-13-aarch64-linux-gnu - 13.2.0-4ubuntu1
gnat-13-arm-linux-gnueabihf - 13.2.0-4ubuntu1
gnat-13-for-build - 13.2.0-4ubuntu1
gnat-13-for-host - 13.2.0-4ubuntu1
gnat-13-i686-linux-gnu - 13.2.0-4ubuntu1
gnat-13-powerpc64le-linux-gnu - 13.2.0-4ubuntu1
gnat-13-riscv64-linux-gnu - 13.2.0-4ubuntu1
gnat-13-s390x-linux-gnu - 13.2.0-4ubuntu1
gnat-13-x86-64-linux-gnu - 13.2.0-4ubuntu1
gobjc++-13 - 13.2.0-4ubuntu1
gobjc++-13-aarch64-linux-gnu - 13.2.0-4ubuntu1
gobjc++-13-arm-linux-gnueabihf - 13.2.0-4ubuntu1
gobjc++-13-for-build - 13.2.0-4ubuntu1
gobjc++-13-for-host - 13.2.0-4ubuntu1
gobjc++-13-i686-linux-gnu - 13.2.0-4ubuntu1
gobjc++-13-multilib - 13.2.0-4ubuntu1
gobjc++-13-powerpc64le-linux-gnu - 13.2.0-4ubuntu1
gobjc++-13-riscv64-linux-gnu - 13.2.0-4ubuntu1
gobjc++-13-s390x-linux-gnu - 13.2.0-4ubuntu1
gobjc++-13-x86-64-linux-gnu - 13.2.0-4ubuntu1
gobjc-13 - 13.2.0-4ubuntu1
gobjc-13-aarch64-linux-gnu - 13.2.0-4ubuntu1
gobjc-13-arm-linux-gnueabihf - 13.2.0-4ubuntu1
gobjc-13-for-build - 13.2.0-4ubuntu1
gobjc-13-for-host - 13.2.0-4ubuntu1
gobjc-13-i686-linux-gnu - 13.2.0-4ubuntu1
gobjc-13-multilib - 13.2.0-4ubuntu1
gobjc-13-powerpc64le-linux-gnu - 13.2.0-4ubuntu1
gobjc-13-riscv64-linux-gnu - 13.2.0-4ubuntu1
gobjc-13-s390x-linux-gnu - 13.2.0-4ubuntu1
gobjc-13-x86-64-linux-gnu - 13.2.0-4ubuntu1
lib32go22 - 13.2.0-4ubuntu1
lib32gphobos4 - 13.2.0-4ubuntu1
lib64go22 - 13.2.0-4ubuntu1
lib64gphobos4 - 13.2.0-4ubuntu1
libgm2-18 - 13.2.0-4ubuntu1
libgnat-13 - 13.2.0-4ubuntu1
libgo22 - 13.2.0-4ubuntu1
libgphobos4 - 13.2.0-4ubuntu1
libstdc++-13-pic - 13.2.0-4ubuntu1
libx32go22 - 13.2.0-4ubuntu1
libx32gphobos4 - 13.2.0-4ubuntu1
No subscription required
cpp-11-aarch64-linux-gnu - 21ubuntu2
cpp-11-arm-linux-gnueabi - 21ubuntu2
cpp-11-arm-linux-gnueabihf - 21ubuntu2
cpp-11-i686-linux-gnu - 21ubuntu2
cpp-11-powerpc-linux-gnu - 21ubuntu2
cpp-11-powerpc64le-linux-gnu - 21ubuntu2
cpp-11-s390x-linux-gnu - 21ubuntu2
cpp-11-x86-64-linux-gnu - 21ubuntu2
g++-11-aarch64-linux-gnu - 21ubuntu2
g++-11-arm-linux-gnueabi - 21ubuntu2
g++-11-arm-linux-gnueabihf - 21ubuntu2
g++-11-i686-linux-gnu - 21ubuntu2
g++-11-multilib-i686-linux-gnu - 21ubuntu2
g++-11-multilib-powerpc-linux-gnu - 21ubuntu2
g++-11-multilib-x86-64-linux-gnu - 21ubuntu2
g++-11-powerpc-linux-gnu - 21ubuntu2
g++-11-powerpc64le-linux-gnu - 21ubuntu2
g++-11-s390x-linux-gnu - 21ubuntu2
g++-11-x86-64-linux-gnu - 21ubuntu2
gcc-11-aarch64-linux-gnu - 21ubuntu2
gcc-11-aarch64-linux-gnu-base - 21ubuntu2
gcc-11-arm-linux-gnueabi - 21ubuntu2
gcc-11-arm-linux-gnueabi-base - 21ubuntu2
gcc-11-arm-linux-gnueabihf - 21ubuntu2
gcc-11-arm-linux-gnueabihf-base - 21ubuntu2
gcc-11-cross-base - 21ubuntu2
gcc-11-i686-linux-gnu - 21ubuntu2
gcc-11-i686-linux-gnu-base - 21ubuntu2
gcc-11-multilib-i686-linux-gnu - 21ubuntu2
gcc-11-multilib-powerpc-linux-gnu - 21ubuntu2
gcc-11-multilib-x86-64-linux-gnu - 21ubuntu2
gcc-11-powerpc-linux-gnu - 21ubuntu2
gcc-11-powerpc-linux-gnu-base - 21ubuntu2
gcc-11-powerpc64le-linux-gnu - 21ubuntu2
gcc-11-powerpc64le-linux-gnu-base - 21ubuntu2
gcc-11-s390x-linux-gnu - 21ubuntu2
gcc-11-s390x-linux-gnu-base - 21ubuntu2
gcc-11-x86-64-linux-gnu - 21ubuntu2
gcc-11-x86-64-linux-gnu-base - 21ubuntu2
gccgo-11-aarch64-linux-gnu - 21ubuntu2
gccgo-11-arm-linux-gnueabi - 21ubuntu2
gccgo-11-arm-linux-gnueabihf - 21ubuntu2
gccgo-11-i686-linux-gnu - 21ubuntu2
gccgo-11-multilib-i686-linux-gnu - 21ubuntu2
gccgo-11-multilib-powerpc-linux-gnu - 21ubuntu2
gccgo-11-multilib-x86-64-linux-gnu - 21ubuntu2
gccgo-11-powerpc-linux-gnu - 21ubuntu2
gccgo-11-powerpc64le-linux-gnu - 21ubuntu2
gccgo-11-s390x-linux-gnu - 21ubuntu2
gccgo-11-x86-64-linux-gnu - 21ubuntu2
gdc-11-aarch64-linux-gnu - 21ubuntu2
gdc-11-arm-linux-gnueabi - 21ubuntu2
gdc-11-arm-linux-gnueabihf - 21ubuntu2
gdc-11-i686-linux-gnu - 21ubuntu2
gdc-11-multilib-i686-linux-gnu - 21ubuntu2
gdc-11-multilib-powerpc-linux-gnu - 21ubuntu2
gdc-11-multilib-x86-64-linux-gnu - 21ubuntu2
gdc-11-powerpc-linux-gnu - 21ubuntu2
gdc-11-powerpc64le-linux-gnu - 21ubuntu2
gdc-11-s390x-linux-gnu - 21ubuntu2
gdc-11-x86-64-linux-gnu - 21ubuntu2
gfortran-11-aarch64-linux-gnu - 21ubuntu2
gfortran-11-arm-linux-gnueabi - 21ubuntu2
gfortran-11-arm-linux-gnueabihf - 21ubuntu2
gfortran-11-i686-linux-gnu - 21ubuntu2
gfortran-11-multilib-i686-linux-gnu - 21ubuntu2
gfortran-11-multilib-powerpc-linux-gnu - 21ubuntu2
gfortran-11-multilib-x86-64-linux-gnu - 21ubuntu2
gfortran-11-powerpc-linux-gnu - 21ubuntu2
gfortran-11-powerpc64le-linux-gnu - 21ubuntu2
gfortran-11-s390x-linux-gnu - 21ubuntu2
gfortran-11-x86-64-linux-gnu - 21ubuntu2
gnat-11-aarch64-linux-gnu - 21ubuntu2
gnat-11-arm-linux-gnueabi - 21ubuntu2
gnat-11-arm-linux-gnueabihf - 21ubuntu2
gnat-11-i686-linux-gnu - 21ubuntu2
gnat-11-powerpc-linux-gnu - 21ubuntu2
gnat-11-powerpc64le-linux-gnu - 21ubuntu2
gnat-11-s390x-linux-gnu - 21ubuntu2
gnat-11-x86-64-linux-gnu - 21ubuntu2
gobjc++-11-aarch64-linux-gnu - 21ubuntu2
gobjc++-11-arm-linux-gnueabi - 21ubuntu2
gobjc++-11-arm-linux-gnueabihf - 21ubuntu2
gobjc++-11-i686-linux-gnu - 21ubuntu2
gobjc++-11-multilib-i686-linux-gnu - 21ubuntu2
gobjc++-11-multilib-powerpc-linux-gnu - 21ubuntu2
gobjc++-11-multilib-x86-64-linux-gnu - 21ubuntu2
gobjc++-11-powerpc-linux-gnu - 21ubuntu2
gobjc++-11-powerpc64le-linux-gnu - 21ubuntu2
gobjc++-11-s390x-linux-gnu - 21ubuntu2
gobjc++-11-x86-64-linux-gnu - 21ubuntu2
gobjc-11-aarch64-linux-gnu - 21ubuntu2
gobjc-11-arm-linux-gnueabi - 21ubuntu2
gobjc-11-arm-linux-gnueabihf - 21ubuntu2
gobjc-11-i686-linux-gnu - 21ubuntu2
gobjc-11-multilib-i686-linux-gnu - 21ubuntu2
gobjc-11-multilib-powerpc-linux-gnu - 21ubuntu2
gobjc-11-multilib-x86-64-linux-gnu - 21ubuntu2
gobjc-11-powerpc-linux-gnu - 21ubuntu2
gobjc-11-powerpc64le-linux-gnu - 21ubuntu2
gobjc-11-s390x-linux-gnu - 21ubuntu2
gobjc-11-x86-64-linux-gnu - 21ubuntu2
lib32asan6-amd64-cross - 21ubuntu2
lib32go19-amd64-cross - 21ubuntu2
lib32gphobos2-amd64-cross - 21ubuntu2
lib64asan6-i386-cross - 21ubuntu2
lib64asan6-powerpc-cross - 21ubuntu2
lib64go19-i386-cross - 21ubuntu2
lib64go19-powerpc-cross - 21ubuntu2
lib64gphobos2-i386-cross - 21ubuntu2
lib64gphobos2-powerpc-cross - 21ubuntu2
libasan6-amd64-cross - 21ubuntu2
libasan6-arm64-cross - 21ubuntu2
libasan6-armel-cross - 21ubuntu2
libasan6-armhf-cross - 21ubuntu2
libasan6-i386-cross - 21ubuntu2
libasan6-powerpc-cross - 21ubuntu2
libasan6-ppc64el-cross - 21ubuntu2
libasan6-s390x-cross - 21ubuntu2
libgnat-11-amd64-cross - 21ubuntu2
libgnat-11-arm64-cross - 21ubuntu2
libgnat-11-armel-cross - 21ubuntu2
libgnat-11-armhf-cross - 21ubuntu2
libgnat-11-i386-cross - 21ubuntu2
libgnat-11-powerpc-cross - 21ubuntu2
libgnat-11-ppc64el-cross - 21ubuntu2
libgnat-11-s390x-cross - 21ubuntu2
libgo19-amd64-cross - 21ubuntu2
libgo19-arm64-cross - 21ubuntu2
libgo19-armel-cross - 21ubuntu2
libgo19-armhf-cross - 21ubuntu2
libgo19-i386-cross - 21ubuntu2
libgo19-powerpc-cross - 21ubuntu2
libgo19-ppc64el-cross - 21ubuntu2
libgo19-s390x-cross - 21ubuntu2
libgphobos2-amd64-cross - 21ubuntu2
libgphobos2-arm64-cross - 21ubuntu2
libgphobos2-armel-cross - 21ubuntu2
libgphobos2-armhf-cross - 21ubuntu2
libgphobos2-i386-cross - 21ubuntu2
libgphobos2-powerpc-cross - 21ubuntu2
libgphobos2-ppc64el-cross - 21ubuntu2
libgphobos2-s390x-cross - 21ubuntu2
libstdc++-11-pic-amd64-cross - 21ubuntu2
libstdc++-11-pic-arm64-cross - 21ubuntu2
libstdc++-11-pic-armel-cross - 21ubuntu2
libstdc++-11-pic-armhf-cross - 21ubuntu2
libstdc++-11-pic-i386-cross - 21ubuntu2
libstdc++-11-pic-powerpc-cross - 21ubuntu2
libstdc++-11-pic-ppc64el-cross - 21ubuntu2
libstdc++-11-pic-s390x-cross - 21ubuntu2
libtsan0-amd64-cross - 21ubuntu2
libtsan0-arm64-cross - 21ubuntu2
libtsan0-ppc64el-cross - 21ubuntu2
libx32asan6-amd64-cross - 21ubuntu2
libx32asan6-i386-cross - 21ubuntu2
libx32go19-amd64-cross - 21ubuntu2
libx32go19-i386-cross - 21ubuntu2
libx32gphobos2-amd64-cross - 21ubuntu2
libx32gphobos2-i386-cross - 21ubuntu2
No subscription required
cpp-12-aarch64-linux-gnu - 19ubuntu2
cpp-12-arm-linux-gnueabi - 19ubuntu2
cpp-12-arm-linux-gnueabihf - 19ubuntu2
cpp-12-i686-linux-gnu - 19ubuntu2
cpp-12-powerpc-linux-gnu - 19ubuntu2
cpp-12-powerpc64le-linux-gnu - 19ubuntu2
cpp-12-s390x-linux-gnu - 19ubuntu2
cpp-12-x86-64-linux-gnu - 19ubuntu2
g++-12-aarch64-linux-gnu - 19ubuntu2
g++-12-arm-linux-gnueabi - 19ubuntu2
g++-12-arm-linux-gnueabihf - 19ubuntu2
g++-12-i686-linux-gnu - 19ubuntu2
g++-12-multilib-i686-linux-gnu - 19ubuntu2
g++-12-multilib-powerpc-linux-gnu - 19ubuntu2
g++-12-multilib-x86-64-linux-gnu - 19ubuntu2
g++-12-powerpc-linux-gnu - 19ubuntu2
g++-12-powerpc64le-linux-gnu - 19ubuntu2
g++-12-s390x-linux-gnu - 19ubuntu2
g++-12-x86-64-linux-gnu - 19ubuntu2
gcc-12-aarch64-linux-gnu - 19ubuntu2
gcc-12-aarch64-linux-gnu-base - 19ubuntu2
gcc-12-arm-linux-gnueabi - 19ubuntu2
gcc-12-arm-linux-gnueabi-base - 19ubuntu2
gcc-12-arm-linux-gnueabihf - 19ubuntu2
gcc-12-arm-linux-gnueabihf-base - 19ubuntu2
gcc-12-cross-base - 19ubuntu2
gcc-12-i686-linux-gnu - 19ubuntu2
gcc-12-i686-linux-gnu-base - 19ubuntu2
gcc-12-multilib-i686-linux-gnu - 19ubuntu2
gcc-12-multilib-powerpc-linux-gnu - 19ubuntu2
gcc-12-multilib-x86-64-linux-gnu - 19ubuntu2
gcc-12-powerpc-linux-gnu - 19ubuntu2
gcc-12-powerpc-linux-gnu-base - 19ubuntu2
gcc-12-powerpc64le-linux-gnu - 19ubuntu2
gcc-12-powerpc64le-linux-gnu-base - 19ubuntu2
gcc-12-s390x-linux-gnu - 19ubuntu2
gcc-12-s390x-linux-gnu-base - 19ubuntu2
gcc-12-x86-64-linux-gnu - 19ubuntu2
gcc-12-x86-64-linux-gnu-base - 19ubuntu2
gccgo-12-aarch64-linux-gnu - 19ubuntu2
gccgo-12-arm-linux-gnueabi - 19ubuntu2
gccgo-12-arm-linux-gnueabihf - 19ubuntu2
gccgo-12-i686-linux-gnu - 19ubuntu2
gccgo-12-multilib-i686-linux-gnu - 19ubuntu2
gccgo-12-multilib-powerpc-linux-gnu - 19ubuntu2
gccgo-12-multilib-x86-64-linux-gnu - 19ubuntu2
gccgo-12-powerpc-linux-gnu - 19ubuntu2
gccgo-12-powerpc64le-linux-gnu - 19ubuntu2
gccgo-12-s390x-linux-gnu - 19ubuntu2
gccgo-12-x86-64-linux-gnu - 19ubuntu2
gdc-12-aarch64-linux-gnu - 19ubuntu2
gdc-12-arm-linux-gnueabi - 19ubuntu2
gdc-12-arm-linux-gnueabihf - 19ubuntu2
gdc-12-i686-linux-gnu - 19ubuntu2
gdc-12-multilib-i686-linux-gnu - 19ubuntu2
gdc-12-multilib-powerpc-linux-gnu - 19ubuntu2
gdc-12-multilib-x86-64-linux-gnu - 19ubuntu2
gdc-12-powerpc-linux-gnu - 19ubuntu2
gdc-12-powerpc64le-linux-gnu - 19ubuntu2
gdc-12-s390x-linux-gnu - 19ubuntu2
gdc-12-x86-64-linux-gnu - 19ubuntu2
gfortran-12-aarch64-linux-gnu - 19ubuntu2
gfortran-12-arm-linux-gnueabi - 19ubuntu2
gfortran-12-arm-linux-gnueabihf - 19ubuntu2
gfortran-12-i686-linux-gnu - 19ubuntu2
gfortran-12-multilib-i686-linux-gnu - 19ubuntu2
gfortran-12-multilib-powerpc-linux-gnu - 19ubuntu2
gfortran-12-multilib-x86-64-linux-gnu - 19ubuntu2
gfortran-12-powerpc-linux-gnu - 19ubuntu2
gfortran-12-powerpc64le-linux-gnu - 19ubuntu2
gfortran-12-s390x-linux-gnu - 19ubuntu2
gfortran-12-x86-64-linux-gnu - 19ubuntu2
gm2-12-aarch64-linux-gnu - 19ubuntu2
gm2-12-arm-linux-gnueabi - 19ubuntu2
gm2-12-arm-linux-gnueabihf - 19ubuntu2
gm2-12-i686-linux-gnu - 19ubuntu2
gm2-12-powerpc64le-linux-gnu - 19ubuntu2
gm2-12-s390x-linux-gnu - 19ubuntu2
gm2-12-x86-64-linux-gnu - 19ubuntu2
gnat-12-aarch64-linux-gnu - 19ubuntu2
gnat-12-arm-linux-gnueabi - 19ubuntu2
gnat-12-arm-linux-gnueabihf - 19ubuntu2
gnat-12-i686-linux-gnu - 19ubuntu2
gnat-12-powerpc-linux-gnu - 19ubuntu2
gnat-12-powerpc64le-linux-gnu - 19ubuntu2
gnat-12-s390x-linux-gnu - 19ubuntu2
gnat-12-x86-64-linux-gnu - 19ubuntu2
gobjc++-12-aarch64-linux-gnu - 19ubuntu2
gobjc++-12-arm-linux-gnueabi - 19ubuntu2
gobjc++-12-arm-linux-gnueabihf - 19ubuntu2
gobjc++-12-i686-linux-gnu - 19ubuntu2
gobjc++-12-multilib-i686-linux-gnu - 19ubuntu2
gobjc++-12-multilib-powerpc-linux-gnu - 19ubuntu2
gobjc++-12-multilib-x86-64-linux-gnu - 19ubuntu2
gobjc++-12-powerpc-linux-gnu - 19ubuntu2
gobjc++-12-powerpc64le-linux-gnu - 19ubuntu2
gobjc++-12-s390x-linux-gnu - 19ubuntu2
gobjc++-12-x86-64-linux-gnu - 19ubuntu2
gobjc-12-aarch64-linux-gnu - 19ubuntu2
gobjc-12-arm-linux-gnueabi - 19ubuntu2
gobjc-12-arm-linux-gnueabihf - 19ubuntu2
gobjc-12-i686-linux-gnu - 19ubuntu2
gobjc-12-multilib-i686-linux-gnu - 19ubuntu2
gobjc-12-multilib-powerpc-linux-gnu - 19ubuntu2
gobjc-12-multilib-x86-64-linux-gnu - 19ubuntu2
gobjc-12-powerpc-linux-gnu - 19ubuntu2
gobjc-12-powerpc64le-linux-gnu - 19ubuntu2
gobjc-12-s390x-linux-gnu - 19ubuntu2
gobjc-12-x86-64-linux-gnu - 19ubuntu2
lib32go21-amd64-cross - 19ubuntu2
lib32gphobos3-amd64-cross - 19ubuntu2
lib64go21-i386-cross - 19ubuntu2
lib64go21-powerpc-cross - 19ubuntu2
lib64gphobos3-i386-cross - 19ubuntu2
lib64gphobos3-powerpc-cross - 19ubuntu2
libgm2-17-amd64-cross - 19ubuntu2
libgm2-17-arm64-cross - 19ubuntu2
libgm2-17-armel-cross - 19ubuntu2
libgm2-17-armhf-cross - 19ubuntu2
libgm2-17-i386-cross - 19ubuntu2
libgm2-17-ppc64el-cross - 19ubuntu2
libgm2-17-s390x-cross - 19ubuntu2
libgnat-12-amd64-cross - 19ubuntu2
libgnat-12-arm64-cross - 19ubuntu2
libgnat-12-armel-cross - 19ubuntu2
libgnat-12-armhf-cross - 19ubuntu2
libgnat-12-i386-cross - 19ubuntu2
libgnat-12-powerpc-cross - 19ubuntu2
libgnat-12-ppc64el-cross - 19ubuntu2
libgnat-12-s390x-cross - 19ubuntu2
libgo21-amd64-cross - 19ubuntu2
libgo21-arm64-cross - 19ubuntu2
libgo21-armel-cross - 19ubuntu2
libgo21-armhf-cross - 19ubuntu2
libgo21-i386-cross - 19ubuntu2
libgo21-powerpc-cross - 19ubuntu2
libgo21-ppc64el-cross - 19ubuntu2
libgo21-s390x-cross - 19ubuntu2
libgphobos3-amd64-cross - 19ubuntu2
libgphobos3-arm64-cross - 19ubuntu2
libgphobos3-armel-cross - 19ubuntu2
libgphobos3-armhf-cross - 19ubuntu2
libgphobos3-i386-cross - 19ubuntu2
libgphobos3-powerpc-cross - 19ubuntu2
libgphobos3-ppc64el-cross - 19ubuntu2
libgphobos3-s390x-cross - 19ubuntu2
libstdc++-12-pic-amd64-cross - 19ubuntu2
libstdc++-12-pic-arm64-cross - 19ubuntu2
libstdc++-12-pic-armel-cross - 19ubuntu2
libstdc++-12-pic-armhf-cross - 19ubuntu2
libstdc++-12-pic-i386-cross - 19ubuntu2
libstdc++-12-pic-powerpc-cross - 19ubuntu2
libstdc++-12-pic-ppc64el-cross - 19ubuntu2
libstdc++-12-pic-s390x-cross - 19ubuntu2
libx32go21-amd64-cross - 19ubuntu2
libx32go21-i386-cross - 19ubuntu2
libx32gphobos3-amd64-cross - 19ubuntu2
libx32gphobos3-i386-cross - 19ubuntu2
No subscription required
cpp-13-alpha-linux-gnu - 14ubuntu4
cpp-13-arc-linux-gnu - 14ubuntu4
cpp-13-arm-linux-gnueabi - 14ubuntu4
cpp-13-hppa-linux-gnu - 14ubuntu4
cpp-13-loongarch64-linux-gnu - 14ubuntu4
cpp-13-m68k-linux-gnu - 14ubuntu4
cpp-13-powerpc64-linux-gnu - 14ubuntu4
cpp-13-sh4-linux-gnu - 14ubuntu4
cpp-13-sparc64-linux-gnu - 14ubuntu4
cpp-13-x86-64-linux-gnux32 - 14ubuntu4
g++-13-alpha-linux-gnu - 14ubuntu4
g++-13-arc-linux-gnu - 14ubuntu4
g++-13-arm-linux-gnueabi - 14ubuntu4
g++-13-hppa-linux-gnu - 14ubuntu4
g++-13-loongarch64-linux-gnu - 14ubuntu4
g++-13-m68k-linux-gnu - 14ubuntu4
g++-13-multilib-powerpc64-linux-gnu - 14ubuntu4
g++-13-multilib-sparc64-linux-gnu - 14ubuntu4
g++-13-multilib-x86-64-linux-gnux32 - 14ubuntu4
g++-13-powerpc64-linux-gnu - 14ubuntu4
g++-13-sh4-linux-gnu - 14ubuntu4
g++-13-sparc64-linux-gnu - 14ubuntu4
g++-13-x86-64-linux-gnux32 - 14ubuntu4
gcc-13-alpha-linux-gnu - 14ubuntu4
gcc-13-alpha-linux-gnu-base - 14ubuntu4
gcc-13-arc-linux-gnu - 14ubuntu4
gcc-13-arc-linux-gnu-base - 14ubuntu4
gcc-13-arm-linux-gnueabi - 14ubuntu4
gcc-13-arm-linux-gnueabi-base - 14ubuntu4
gcc-13-cross-base-ports - 14ubuntu4
gcc-13-hppa-linux-gnu - 14ubuntu4
gcc-13-hppa-linux-gnu-base - 14ubuntu4
gcc-13-loongarch64-linux-gnu - 14ubuntu4
gcc-13-loongarch64-linux-gnu-base - 14ubuntu4
gcc-13-m68k-linux-gnu - 14ubuntu4
gcc-13-m68k-linux-gnu-base - 14ubuntu4
gcc-13-multilib-powerpc64-linux-gnu - 14ubuntu4
gcc-13-multilib-sparc64-linux-gnu - 14ubuntu4
gcc-13-multilib-x86-64-linux-gnux32 - 14ubuntu4
gcc-13-powerpc64-linux-gnu - 14ubuntu4
gcc-13-powerpc64-linux-gnu-base - 14ubuntu4
gcc-13-sh4-linux-gnu - 14ubuntu4
gcc-13-sh4-linux-gnu-base - 14ubuntu4
gcc-13-sparc64-linux-gnu - 14ubuntu4
gcc-13-sparc64-linux-gnu-base - 14ubuntu4
gcc-13-x86-64-linux-gnux32 - 14ubuntu4
gcc-13-x86-64-linux-gnux32-base - 14ubuntu4
gccgo-13-alpha-linux-gnu - 14ubuntu4
gccgo-13-arm-linux-gnueabi - 14ubuntu4
gccgo-13-multilib-powerpc64-linux-gnu - 14ubuntu4
gccgo-13-multilib-sparc64-linux-gnu - 14ubuntu4
gccgo-13-multilib-x86-64-linux-gnux32 - 14ubuntu4
gccgo-13-powerpc64-linux-gnu - 14ubuntu4
gccgo-13-sparc64-linux-gnu - 14ubuntu4
gccgo-13-x86-64-linux-gnux32 - 14ubuntu4
gdc-13-arm-linux-gnueabi - 14ubuntu4
gdc-13-hppa-linux-gnu - 14ubuntu4
gdc-13-multilib-powerpc64-linux-gnu - 14ubuntu4
gdc-13-multilib-sparc64-linux-gnu - 14ubuntu4
gdc-13-multilib-x86-64-linux-gnux32 - 14ubuntu4
gdc-13-powerpc64-linux-gnu - 14ubuntu4
gdc-13-sparc64-linux-gnu - 14ubuntu4
gdc-13-x86-64-linux-gnux32 - 14ubuntu4
gfortran-13-alpha-linux-gnu - 14ubuntu4
gfortran-13-arc-linux-gnu - 14ubuntu4
gfortran-13-arm-linux-gnueabi - 14ubuntu4
gfortran-13-hppa-linux-gnu - 14ubuntu4
gfortran-13-loongarch64-linux-gnu - 14ubuntu4
gfortran-13-m68k-linux-gnu - 14ubuntu4
gfortran-13-multilib-powerpc64-linux-gnu - 14ubuntu4
gfortran-13-multilib-sparc64-linux-gnu - 14ubuntu4
gfortran-13-multilib-x86-64-linux-gnux32 - 14ubuntu4
gfortran-13-powerpc64-linux-gnu - 14ubuntu4
gfortran-13-sh4-linux-gnu - 14ubuntu4
gfortran-13-sparc64-linux-gnu - 14ubuntu4
gfortran-13-x86-64-linux-gnux32 - 14ubuntu4
gm2-13-alpha-linux-gnu - 14ubuntu4
gm2-13-arc-linux-gnu - 14ubuntu4
gm2-13-arm-linux-gnueabi - 14ubuntu4
gm2-13-hppa-linux-gnu - 14ubuntu4
gm2-13-m68k-linux-gnu - 14ubuntu4
gm2-13-sparc64-linux-gnu - 14ubuntu4
gm2-13-x86-64-linux-gnux32 - 14ubuntu4
gnat-13-alpha-linux-gnu - 14ubuntu4
gnat-13-arm-linux-gnueabi - 14ubuntu4
gnat-13-hppa-linux-gnu - 14ubuntu4
gnat-13-m68k-linux-gnu - 14ubuntu4
gnat-13-powerpc64-linux-gnu - 14ubuntu4
gnat-13-sh4-linux-gnu - 14ubuntu4
gnat-13-sparc64-linux-gnu - 14ubuntu4
gnat-13-x86-64-linux-gnux32 - 14ubuntu4
gobjc++-13-alpha-linux-gnu - 14ubuntu4
gobjc++-13-arc-linux-gnu - 14ubuntu4
gobjc++-13-arm-linux-gnueabi - 14ubuntu4
gobjc++-13-hppa-linux-gnu - 14ubuntu4
gobjc++-13-loongarch64-linux-gnu - 14ubuntu4
gobjc++-13-m68k-linux-gnu - 14ubuntu4
gobjc++-13-multilib-powerpc64-linux-gnu - 14ubuntu4
gobjc++-13-multilib-sparc64-linux-gnu - 14ubuntu4
gobjc++-13-multilib-x86-64-linux-gnux32 - 14ubuntu4
gobjc++-13-powerpc64-linux-gnu - 14ubuntu4
gobjc++-13-sh4-linux-gnu - 14ubuntu4
gobjc++-13-sparc64-linux-gnu - 14ubuntu4
gobjc++-13-x86-64-linux-gnux32 - 14ubuntu4
gobjc-13-alpha-linux-gnu - 14ubuntu4
gobjc-13-arc-linux-gnu - 14ubuntu4
gobjc-13-arm-linux-gnueabi - 14ubuntu4
gobjc-13-hppa-linux-gnu - 14ubuntu4
gobjc-13-loongarch64-linux-gnu - 14ubuntu4
gobjc-13-m68k-linux-gnu - 14ubuntu4
gobjc-13-multilib-powerpc64-linux-gnu - 14ubuntu4
gobjc-13-multilib-sparc64-linux-gnu - 14ubuntu4
gobjc-13-multilib-x86-64-linux-gnux32 - 14ubuntu4
gobjc-13-powerpc64-linux-gnu - 14ubuntu4
gobjc-13-sh4-linux-gnu - 14ubuntu4
gobjc-13-sparc64-linux-gnu - 14ubuntu4
gobjc-13-x86-64-linux-gnux32 - 14ubuntu4
lib32go22-ppc64-cross - 14ubuntu4
lib32go22-sparc64-cross - 14ubuntu4
lib32go22-x32-cross - 14ubuntu4
lib32gphobos4-ppc64-cross - 14ubuntu4
lib32gphobos4-sparc64-cross - 14ubuntu4
lib32gphobos4-x32-cross - 14ubuntu4
lib64go22-x32-cross - 14ubuntu4
lib64gphobos4-x32-cross - 14ubuntu4
libgm2-18-alpha-cross - 14ubuntu4
libgm2-18-arc-cross - 14ubuntu4
libgm2-18-armel-cross - 14ubuntu4
libgm2-18-hppa-cross - 14ubuntu4
libgm2-18-m68k-cross - 14ubuntu4
libgm2-18-sparc64-cross - 14ubuntu4
libgm2-18-x32-cross - 14ubuntu4
libgnat-13-alpha-cross - 14ubuntu4
libgnat-13-armel-cross - 14ubuntu4
libgnat-13-hppa-cross - 14ubuntu4
libgnat-13-m68k-cross - 14ubuntu4
libgnat-13-ppc64-cross - 14ubuntu4
libgnat-13-sh4-cross - 14ubuntu4
libgnat-13-sparc64-cross - 14ubuntu4
libgnat-13-x32-cross - 14ubuntu4
libgo22-alpha-cross - 14ubuntu4
libgo22-armel-cross - 14ubuntu4
libgo22-ppc64-cross - 14ubuntu4
libgo22-sparc64-cross - 14ubuntu4
libgo22-x32-cross - 14ubuntu4
libgphobos4-armel-cross - 14ubuntu4
libgphobos4-hppa-cross - 14ubuntu4
libgphobos4-ppc64-cross - 14ubuntu4
libgphobos4-sparc64-cross - 14ubuntu4
libgphobos4-x32-cross - 14ubuntu4
libstdc++-13-pic-alpha-cross - 14ubuntu4
libstdc++-13-pic-arc-cross - 14ubuntu4
libstdc++-13-pic-armel-cross - 14ubuntu4
libstdc++-13-pic-hppa-cross - 14ubuntu4
libstdc++-13-pic-loong64-cross - 14ubuntu4
libstdc++-13-pic-m68k-cross - 14ubuntu4
libstdc++-13-pic-ppc64-cross - 14ubuntu4
libstdc++-13-pic-sh4-cross - 14ubuntu4
libstdc++-13-pic-sparc64-cross - 14ubuntu4
libstdc++-13-pic-x32-cross - 14ubuntu4
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-09-12 15:00:00 UTC
2023-09-12 15:00:00 UTC
[https://ubuntu.com/security/notices/USN-7700-1]
CVE-2023-4039
CVE-2023-40458 on Ubuntu 26.04 LTS (resolute) - medium
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Sierra Wireless, Inc ALEOS could potentially allow a remote attacker to trigger a Denial of Service (DoS) condition for ACEManager without impairing other router functions. This condition is cleared by restarting the device.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-29 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059315
CVE-2023-40458
CVE-2023-40477 on Ubuntu 26.04 LTS (resolute) - medium
RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of recovery volumes. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21233.
Update Instructions:
Run `sudo pro fix CVE-2023-40477` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
rar - 2:6.23-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-25
2023-08-25
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/2046372
[https://ubuntu.com/security/notices/USN-6569-1]
[https://ubuntu.com/security/notices/USN-7349-1]
[https://ubuntu.com/security/notices/USN-7350-1]
CVE-2023-40477
CVE-2023-40546 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Shim when an error happened while creating a new ESL variable. If Shim fails to create the new variable, it tries to print an error message to the user; however, the number of parameters used by the logging function doesn't match the format string used by it, leading to a crash under certain circumstances.
Update Instructions:
Run `sudo pro fix CVE-2023-40546` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
shim-signed - 1.58
No subscription required
shim - 15.8-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-23
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/2051151
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/2051151
CVE-2023-40546
CVE-2023-40547 on Ubuntu 26.04 LTS (resolute) - medium
A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully.
Update Instructions:
Run `sudo pro fix CVE-2023-40547` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
shim-signed - 1.58
No subscription required
shim - 15.8-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-23
Bill Demirkapi
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/2051151
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/2051151
CVE-2023-40547
CVE-2023-40548 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase.
Update Instructions:
Run `sudo pro fix CVE-2023-40548` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
shim-signed - 1.58
No subscription required
shim - 15.8-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-23
Greg Kirkpatrick
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/2051151
CVE-2023-40548
CVE-2023-40549 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an attacker to load a crafted PE binary, triggering the issue and crashing Shim, resulting in a denial of service.
Update Instructions:
Run `sudo pro fix CVE-2023-40549` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
shim-signed - 1.58
No subscription required
shim - 15.8-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-23
Greg Kirkpatrick
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/2051151
CVE-2023-40549
CVE-2023-40550 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's boot phase.
Update Instructions:
Run `sudo pro fix CVE-2023-40550` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
shim-signed - 1.58
No subscription required
shim - 15.8-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-23
Greg Kirkpatrick
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/2051151
CVE-2023-40550
CVE-2023-40551 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase.
Update Instructions:
Run `sudo pro fix CVE-2023-40551` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
shim-signed - 1.58
No subscription required
shim - 15.8-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-23
Greg Kirkpatrick
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/2051151
CVE-2023-40551
CVE-2023-40587 on Ubuntu 26.04 LTS (resolute) - low
Pyramid is an open source Python web framework. A path traversal vulnerability in Pyramid versions 2.0.0 and 2.0.1 impacts users of Python 3.11 that are using a Pyramid static view with a full filesystem path and have an `index.html` file that is located exactly one directory above the location of the static view's file system path. No further path traversal exists, and the only file that could be disclosed accidentally is `index.html`. Pyramid version 2.0.2 rejects any path that contains a null-byte out of caution. While valid in directory/file names, we would strongly consider it a mistake to use null-bytes in naming files/directories. Secondly, Python 3.11 and 3.12 have fixed the underlying issue in `os.path.normpath` to no longer truncate on the first `0x00` found, returning the behavior to pre-3.11 Python, in an as of yet unreleased version. Fixes will be available in: Python 3.12.0rc2 and 3.11.5. Some workarounds are available. Use a version of Python 3 that is not affected, downgrade to Python 3.10 series temporarily, or wait until Python 3.11.5 is released and upgrade to the latest version of Python 3.11 series.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-08-25 21:15:00 UTC
CVE-2023-40587
CVE-2023-40619 on Ubuntu 26.04 LTS (resolute) - medium
phpPgAdmin 7.14.4 and earlier is vulnerable to deserialization of untrusted data which may lead to remote code execution because user-controlled data is directly passed to the PHP 'unserialize()' function in multiple places. An example is the functionality to manage tables in 'tables.php' where the 'ma[]' POST parameter is deserialized.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-20 18:15:00 UTC
CVE-2023-40619
CVE-2023-40826 on Ubuntu 26.04 LTS (resolute) - medium
An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the zippluginPath parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-28 22:15:00 UTC
CVE-2023-40826
CVE-2023-40827 on Ubuntu 26.04 LTS (resolute) - medium
An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the loadpluginPath parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-28 22:15:00 UTC
CVE-2023-40827
CVE-2023-40828 on Ubuntu 26.04 LTS (resolute) - medium
An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the expandIfZip method in the extract function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-28 22:15:00 UTC
CVE-2023-40828
CVE-2023-40889 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow exists in the qr_reader_match_centers function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-29 17:15:00 UTC
2023-08-29 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-7118-1]
CVE-2023-40889
CVE-2023-40890 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the lookup_sequence function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-29 17:15:00 UTC
2023-08-29 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-7118-1]
CVE-2023-40890
CVE-2023-4091 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.
Update Instructions:
Run `sudo pro fix CVE-2023-4091` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-10
2023-10-10
Sri Nagasubramanian
https://bugzilla.samba.org/show_bug.cgi?id=15439
[https://ubuntu.com/security/notices/USN-6425-1]
[https://ubuntu.com/security/notices/USN-6425-3]
CVE-2023-4091
CVE-2023-41038 on Ubuntu 26.04 LTS (resolute) - medium
Firebird is a relational database. Versions 4.0.0 through 4.0.3 and version 5.0 beta1 are vulnerable to a server crash when a user uses a specific form of SET BIND statement. Any non-privileged user with minimum access to a server may type a statement with a long `CHAR` length, which causes the server to crash due to stack corruption. Versions 4.0.4.2981 and 5.0.0.117 contain fixes for this issue. No known workarounds are available.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 15:15:00 UTC
CVE-2023-41038
CVE-2023-41040 on Ubuntu 26.04 LTS (resolute) - medium
GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has been addressed in version 3.1.37.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-30 22:15:00 UTC
CVE-2023-41040
CVE-2023-41080 on Ubuntu 26.04 LTS (resolute) - medium
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may also be affected. The vulnerability is limited to the ROOT (default) web application.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-25 21:15:00 UTC
2023-08-25 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-7106-1]
CVE-2023-41080
CVE-2023-41164 on Ubuntu 26.04 LTS (resolute) - medium
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Update Instructions:
Run `sudo pro fix CVE-2023-41164` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:4.2.4-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-04 11:00:00 UTC
2023-09-04 11:00:00 UTC
MProgrammer
[https://ubuntu.com/security/notices/USN-6378-1]
[https://ubuntu.com/security/notices/USN-6414-2]
CVE-2023-41164
CVE-2023-4154 on Ubuntu 26.04 LTS (resolute) - medium
A design flaw was found in Samba's DirSync control implementation, which exposes passwords and secrets in Active Directory to privileged users and Read-Only Domain Controllers (RODCs). This flaw allows RODCs and users possessing the GET_CHANGES right to access all attributes, including sensitive secrets and passwords. Even in a default setup, RODC DC accounts, which should only replicate some passwords, can gain access to all domain secrets, including the vital krbtgt, effectively eliminating the RODC / DC distinction. Furthermore, the vulnerability fails to account for error conditions (fail open), like out-of-memory situations, potentially granting access to secret attributes, even under low-privileged attacker influence.
Update Instructions:
Run `sudo pro fix CVE-2023-4154` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-10
2023-10-10
Andrew Bartlett
https://bugzilla.samba.org/show_bug.cgi?id=15424
[https://ubuntu.com/security/notices/USN-6425-1]
[https://ubuntu.com/security/notices/USN-6425-3]
CVE-2023-4154
CVE-2023-41633 on Ubuntu 26.04 LTS (resolute) - medium
Catdoc v0.95 was discovered to contain a NULL pointer dereference via the component xls2csv at src/fileutil.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-01 19:15:00 UTC
CVE-2023-41633
CVE-2023-41884 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source Closed-circuit television software application. In WWW/AJAX/watch.php, Line: 51 takes a few parameters in an SQL query without sanitizing them, which makes it vulnerable to SQL injection. This vulnerability is fixed in 1.36.34.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-12 20:15:00 UTC
CVE-2023-41884
CVE-2023-42118 on Ubuntu 26.04 LTS (resolute) - medium
Exim libspf2 Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Exim libspf2. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of SPF macros. When parsing SPF macros, the process does not properly validate user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-17578.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-03 03:15:00 UTC
https://github.com/shevek/libspf2/issues/45
https://bugs.exim.org/show_bug.cgi?id=3032
CVE-2023-42118
CVE-2023-42282 on Ubuntu 26.04 LTS (resolute) - medium
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Update Instructions:
Run `sudo pro fix CVE-2023-42282` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
node-ip - 2.0.0+~1.1.0-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-09
2024-02-09
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063535
[https://ubuntu.com/security/notices/USN-6643-1]
CVE-2023-42282
CVE-2023-42295 on Ubuntu 26.04 LTS (resolute) - medium
An issue in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to execute arbitrary code and cause a denial of service via the read_rle_image function of file bifs/unquantize.c
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-23 15:15:00 UTC
CVE-2023-42295
CVE-2023-4232 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_status_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_status_report().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-17 23:15:00 UTC
2024-04-17 23:15:00 UTC
Mitch Zakocs
https://bugzilla.redhat.com/show_bug.cgi?id=2255394
https://bugzilla.suse.com/show_bug.cgi?id=1218293
[https://ubuntu.com/security/notices/USN-7151-1]
CVE-2023-4232
CVE-2023-4233 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the sms_decode_address_field() function during the SMS PDU decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-17 23:15:00 UTC
2024-04-17 23:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2255396
[https://ubuntu.com/security/notices/USN-7141-1]
CVE-2023-4233
CVE-2023-4235 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver_report().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-17 23:15:00 UTC
2024-04-17 23:15:00 UTC
Mitch Zakocs
https://bugzilla.redhat.com/show_bug.cgi?id=2255402
[https://ubuntu.com/security/notices/USN-7151-1]
CVE-2023-4235
CVE-2023-42363 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.
Update Instructions:
Run `sudo pro fix CVE-2023-42363` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
busybox - 1:1.36.1-6ubuntu4
busybox-initramfs - 1:1.36.1-6ubuntu4
busybox-static - 1:1.36.1-6ubuntu4
busybox-syslogd - 1:1.36.1-6ubuntu4
udhcpc - 1:1.36.1-6ubuntu4
udhcpd - 1:1.36.1-6ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-27 22:15:00 UTC
2023-11-27 22:15:00 UTC
https://bugs.busybox.net/show_bug.cgi?id=15865
[https://ubuntu.com/security/notices/USN-6961-1]
CVE-2023-42363
CVE-2023-42364 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.
Update Instructions:
Run `sudo pro fix CVE-2023-42364` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
busybox - 1:1.36.1-6ubuntu4
busybox-initramfs - 1:1.36.1-6ubuntu4
busybox-static - 1:1.36.1-6ubuntu4
busybox-syslogd - 1:1.36.1-6ubuntu4
udhcpc - 1:1.36.1-6ubuntu4
udhcpd - 1:1.36.1-6ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-27 23:15:00 UTC
2023-11-27 23:15:00 UTC
https://bugs.busybox.net/show_bug.cgi?id=15868
https://bugs.busybox.net/show_bug.cgi?id=15871 (bug for CVE-2023-42365)
[https://ubuntu.com/security/notices/USN-6961-1]
CVE-2023-42364
CVE-2023-42365 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.
Update Instructions:
Run `sudo pro fix CVE-2023-42365` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
busybox - 1:1.36.1-6ubuntu4
busybox-initramfs - 1:1.36.1-6ubuntu4
busybox-static - 1:1.36.1-6ubuntu4
busybox-syslogd - 1:1.36.1-6ubuntu4
udhcpc - 1:1.36.1-6ubuntu4
udhcpd - 1:1.36.1-6ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-27 23:15:00 UTC
2023-11-27 23:15:00 UTC
https://bugs.busybox.net/show_bug.cgi?id=15871
https://bugs.busybox.net/show_bug.cgi?id=15868 (bug for CVE-2023-42364)
[https://ubuntu.com/security/notices/USN-6961-1]
CVE-2023-42365
CVE-2023-42366 on Ubuntu 26.04 LTS (resolute) - medium
A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-27 23:15:00 UTC
https://bugs.busybox.net/show_bug.cgi?id=15874
CVE-2023-42366
CVE-2023-4237 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-04 15:15:00 UTC
CVE-2023-4237
CVE-2023-42445 on Ubuntu 26.04 LTS (resolute) - medium
Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files it generated or were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle. In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that have XML external entities.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-06 14:15:00 UTC
CVE-2023-42445
CVE-2023-42459 on Ubuntu 26.04 LTS (resolute) - medium
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). In affected versions specific DATA submessages can be sent to a discovery locator which may trigger a free error. This can remotely crash any Fast-DDS process. The call to free() could potentially leave the pointer in the attackers control which could lead to a double free. This issue has been addressed in versions 2.12.0, 2.11.3, 2.10.3, and 2.6.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-16 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054163
CVE-2023-42459
CVE-2023-42503 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing. This issue affects Apache Commons Compress: from 1.22 before 1.24.0. Users are recommended to upgrade to version 1.24.0, which fixes the issue. A third party can create a malformed TAR file by manipulating file modification times headers, which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption. In version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue # COMPRESS-612 [1]). The format for the PAX extended headers carrying this data consists of two numbers separated by a period [2], indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header values. Parsing of these numbers uses the BigDecimal [3] class from the JDK which has a publicly known algorithmic complexity issue when doing operations on large numbers, causing denial of service (see issue # JDK-6560193 [4]). A third party can manipulate file time headers in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as “9e9999999”) within a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a denial of service via exhaustion of CPU resources. This issue is similar to CVE-2012-2098 [5].
[1]: https://issues.apache.org/jira/browse/COMPRESS-612
[2]: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05
[3]: https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html
[4]: https://bugs.openjdk.org/browse/JDK-6560193
[5]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098
Only applications using CompressorStreamFactory class (with auto-detection of file types), TarArchiveInputStream and TarFile classes to parse TAR files are impacted. Since this code was introduced in v1.22, only that version and later versions are impacted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-14 08:15:00 UTC
CVE-2023-42503
CVE-2023-4255 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write issue has been discovered in the backspace handling of the checkType() function in etc.c within the W3M application. This vulnerability is triggered by supplying a specially crafted HTML file to the w3m binary. Exploitation of this flaw could lead to application crashes, resulting in a denial of service condition.
Update Instructions:
Run `sudo pro fix CVE-2023-4255` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
w3m - 0.5.3+git20230121-2ubuntu1
w3m-img - 0.5.3+git20230121-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-02
2024-01-02
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059265
https://github.com/tats/w3m/issues/268
[https://ubuntu.com/security/notices/USN-6580-1]
CVE-2023-4255
CVE-2023-42669 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Samba's "rpcecho" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the "rpcecho" service operates with only one worker in the main RPC task, allowing calls to the "rpcecho" server to be blocked for a specified time, causing service disruptions. This disruption is triggered by a "sleep()" call in the "dcesrv_echo_TestSleep()" function under specific conditions. Authenticated users or attackers can exploit this vulnerability to make calls to the "rpcecho" server, requesting it to block for a specified duration, effectively disrupting most services and leading to a complete denial of service on the AD DC. The DoS affects all other services as "rpcecho" runs in the main RPC task.
Update Instructions:
Run `sudo pro fix CVE-2023-42669` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ctdb - 2:4.22.3+dfsg-4ubuntu2
libnss-winbind - 2:4.22.3+dfsg-4ubuntu2
libpam-winbind - 2:4.22.3+dfsg-4ubuntu2
libsmbclient0 - 2:4.22.3+dfsg-4ubuntu2
libwbclient0 - 2:4.22.3+dfsg-4ubuntu2
python3-samba - 2:4.22.3+dfsg-4ubuntu2
registry-tools - 2:4.22.3+dfsg-4ubuntu2
samba - 2:4.22.3+dfsg-4ubuntu2
samba-ad-dc - 2:4.22.3+dfsg-4ubuntu2
samba-ad-provision - 2:4.22.3+dfsg-4ubuntu2
samba-common - 2:4.22.3+dfsg-4ubuntu2
samba-common-bin - 2:4.22.3+dfsg-4ubuntu2
samba-dsdb-modules - 2:4.22.3+dfsg-4ubuntu2
samba-libs - 2:4.22.3+dfsg-4ubuntu2
samba-testsuite - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-ceph - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-glusterfs - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules - 2:4.22.3+dfsg-4ubuntu2
samba-vfs-modules-extra - 2:4.22.3+dfsg-4ubuntu2
smbclient - 2:4.22.3+dfsg-4ubuntu2
winbind - 2:4.22.3+dfsg-4ubuntu2
ldb-tools - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libldb2 - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
python3-ldb - 2:2.11.0+samba4.22.3+dfsg-4ubuntu2
libtalloc2 - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
python3-talloc - 2:2.4.3+samba4.22.3+dfsg-4ubuntu2
libtdb1 - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
python3-tdb - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
tdb-tools - 2:1.4.13+samba4.22.3+dfsg-4ubuntu2
libtevent0t64 - 2:0.16.2+samba4.22.3+dfsg-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-10
2023-10-10
Andrew Bartlett
https://bugzilla.samba.org/show_bug.cgi?id=15474
[https://ubuntu.com/security/notices/USN-6425-1]
[https://ubuntu.com/security/notices/USN-6425-3]
CVE-2023-42669
CVE-2023-42795 on Ubuntu 26.04 LTS (resolute) - medium
Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2023-42795` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtomcat9-java - 9.0.70-2ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-10 18:15:00 UTC
2023-10-10 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-7106-1]
[https://ubuntu.com/security/notices/USN-7562-1]
CVE-2023-42795
CVE-2023-43114 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-18 07:15:00 UTC
CVE-2023-43114
CVE-2023-4322 on Ubuntu 26.04 LTS (resolute) - medium
Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-08-14 16:15:00 UTC
CVE-2023-4322
CVE-2023-43281 on Ubuntu 26.04 LTS (resolute) - medium
Double Free vulnerability in Nothings Stb Image.h v.2.28 allows a remote attacker to cause a denial of service via a crafted file to the stbi_load_gif_main function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-25 18:17:00 UTC
CVE-2023-43281
CVE-2023-43361 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in Vorbis-tools v.1.4.2 allows a local attacker to execute arbitrary code and cause a denial of service during the conversion of wav files to ogg files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-02 21:15:00 UTC
CVE-2023-43361
CVE-2023-43641 on Ubuntu 26.04 LTS (resolute) - medium
libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.
Update Instructions:
Run `sudo pro fix CVE-2023-43641` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libcue2 - 2.2.1-4ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-09 17:00:00 UTC
2023-10-09 17:00:00 UTC
Kevin Backhouse
[https://ubuntu.com/security/notices/USN-6423-1]
[https://ubuntu.com/security/notices/USN-6423-2]
CVE-2023-43641
CVE-2023-43642 on Ubuntu 26.04 LTS (resolute) - medium
snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-25 20:15:00 UTC
Jan Werner, Mukul Khullar and Bharadwaj Machiraju
CVE-2023-43642
CVE-2023-43643 on Ubuntu 26.04 LTS (resolute) - medium
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. This issue has been patched in AntiSamy 1.7.4 and later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-09 14:15:00 UTC
CVE-2023-43643
CVE-2023-43646 on Ubuntu 26.04 LTS (resolute) - medium
get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (redos) vulnerability which may lead to a denial of service when parsing malicious input. This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input: '\t'.repeat(54773) + '\t/function/i'. This issue has been addressed in commit `f934b228b` which has been included in releases from 2.0.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-27 15:19:00 UTC
CVE-2023-43646
CVE-2023-43665 on Ubuntu 26.04 LTS (resolute) - medium
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
Update Instructions:
Run `sudo pro fix CVE-2023-43665` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:4.2.4-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-04 15:00:00 UTC
2023-10-04 15:00:00 UTC
Wenchao Li
[https://ubuntu.com/security/notices/USN-6414-1]
[https://ubuntu.com/security/notices/USN-6414-2]
CVE-2023-43665
CVE-2023-43786 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.
Update Instructions:
Run `sudo pro fix CVE-2023-43786` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libx11-6 - 2:1.8.6-1ubuntu1
libx11-data - 2:1.8.6-1ubuntu1
libx11-xcb1 - 2:1.8.6-1ubuntu1
No subscription required
libxpm4 - 1:3.5.12-1.1ubuntu1
xpmutils - 1:3.5.12-1.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-03
2023-10-03
Yair Mizrahi
[https://ubuntu.com/security/notices/USN-6407-1]
[https://ubuntu.com/security/notices/USN-6408-1]
[https://ubuntu.com/security/notices/USN-6407-2]
[https://ubuntu.com/security/notices/USN-6408-2]
CVE-2023-43786
CVE-2023-43787 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.
Update Instructions:
Run `sudo pro fix CVE-2023-43787` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libx11-6 - 2:1.8.6-1ubuntu1
libx11-data - 2:1.8.6-1ubuntu1
libx11-xcb1 - 2:1.8.6-1ubuntu1
No subscription required
libxpm4 - 1:3.5.12-1.1ubuntu1
xpmutils - 1:3.5.12-1.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-03
2023-10-03
Yair Mizrahi
[https://ubuntu.com/security/notices/USN-6407-1]
[https://ubuntu.com/security/notices/USN-6408-1]
[https://ubuntu.com/security/notices/USN-6407-2]
[https://ubuntu.com/security/notices/USN-6408-2]
CVE-2023-43787
CVE-2023-43788 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in libXpm due to a boundary condition within the XpmCreateXpmImageFromBuffer() function. This flaw allows a local attacker to trigger an out-of-bounds read error and read the contents of memory on the system.
Update Instructions:
Run `sudo pro fix CVE-2023-43788` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libxpm4 - 1:3.5.12-1.1ubuntu1
xpmutils - 1:3.5.12-1.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-03
2023-10-03
Alan Coopersmith
[https://ubuntu.com/security/notices/USN-6408-1]
[https://ubuntu.com/security/notices/USN-6408-2]
CVE-2023-43788
CVE-2023-43789 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in libXpm where a vulnerability exists due to a boundary condition, a local user can trigger an out-of-bounds read error and read contents of memory on the system.
Update Instructions:
Run `sudo pro fix CVE-2023-43789` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libxpm4 - 1:3.5.12-1.1ubuntu1
xpmutils - 1:3.5.12-1.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-03
2023-10-03
Alan Coopersmith
[https://ubuntu.com/security/notices/USN-6408-1]
[https://ubuntu.com/security/notices/USN-6408-2]
CVE-2023-43789
CVE-2023-4380 on Ubuntu 26.04 LTS (resolute) - medium
A logic flaw exists in Ansible Automation platform. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-04 15:15:00 UTC
CVE-2023-4380
CVE-2023-43898 on Ubuntu 26.04 LTS (resolute) - medium
Nothings stb 2.28 was discovered to contain a Null Pointer Dereference via the function stbi__convert_format. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted pic file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-03 21:15:00 UTC
CVE-2023-43898
CVE-2023-4408 on Ubuntu 26.04 LTS (resolute) - medium
The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
Update Instructions:
Run `sudo pro fix CVE-2023-4408` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.18.24-0ubuntu1
bind9-dnsutils - 1:9.18.24-0ubuntu1
bind9-host - 1:9.18.24-0ubuntu1
bind9-libs - 1:9.18.24-0ubuntu1
bind9-utils - 1:9.18.24-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-13
2024-02-13
Shoham Danino, Anat Bremler-Barr, Yehuda Afek, Yuval Shavitt
[https://ubuntu.com/security/notices/USN-6633-1]
[https://ubuntu.com/security/notices/USN-6642-1]
CVE-2023-4408
CVE-2023-44270 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-29 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053282
CVE-2023-44270
CVE-2023-44387 on Ubuntu 26.04 LTS (resolute) - medium
Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to files having too much permissions given that symlinks usually are world readable and writeable. While it is unlikely this results in a direct vulnerability for the impacted build, it may open up attack vectors depending on where build artifacts end up being copied to or un-archived. In versions 7.6.3, 8.4 and above, Gradle will now properly use the permissions of the file pointed at by the symlink to set permissions of the copied or archived file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-05 18:15:00 UTC
CVE-2023-44387
CVE-2023-44428 on Ubuntu 26.04 LTS (resolute) - medium
MuseScore CAP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MuseScore. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CAP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20769.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-03 03:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070860
CVE-2023-44428
CVE-2023-44429 on Ubuntu 26.04 LTS (resolute) - medium
GStreamer AV1 Codec Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of AV1 encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22226.
Update Instructions:
Run `sudo pro fix CVE-2023-44429` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-gst-plugins-bad-1.0 - 1.22.4-1ubuntu2
gstreamer1.0-opencv - 1.22.4-1ubuntu2
gstreamer1.0-plugins-bad - 1.22.4-1ubuntu2
gstreamer1.0-plugins-bad-apps - 1.22.4-1ubuntu2
libgstreamer-opencv1.0-0 - 1.22.4-1ubuntu2
libgstreamer-plugins-bad1.0-0 - 1.22.4-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-17
2023-11-17
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056102
[https://ubuntu.com/security/notices/USN-6526-1]
CVE-2023-44429
CVE-2023-44431 on Ubuntu 26.04 LTS (resolute) - medium
BlueZ Audio Profile AVRCP Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19909.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-03 03:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077687
CVE-2023-44431
CVE-2023-44483 on Ubuntu 26.04 LTS (resolute) - medium
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-20 10:15:00 UTC
CVE-2023-44483
CVE-2023-44488 on Ubuntu 26.04 LTS (resolute) - medium
VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding.
Update Instructions:
Run `sudo pro fix CVE-2023-44488` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libvpx9 - 1.12.0-1ubuntu2
vpx-tools - 1.12.0-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-02
2023-10-02
[https://ubuntu.com/security/notices/USN-6403-1]
[https://ubuntu.com/security/notices/USN-6403-2]
[https://ubuntu.com/security/notices/USN-6403-3]
CVE-2023-44488
CVE-2023-44690 on Ubuntu 26.04 LTS (resolute) - medium
Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via /mycli/config.py
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-19 22:15:00 UTC
CVE-2023-44690
CVE-2023-4504 on Ubuntu 26.04 LTS (resolute) - medium
Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.
Update Instructions:
Run `sudo pro fix CVE-2023-4504` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
cups - 2.4.6-0ubuntu2
cups-bsd - 2.4.6-0ubuntu2
cups-client - 2.4.6-0ubuntu2
cups-common - 2.4.6-0ubuntu2
cups-core-drivers - 2.4.6-0ubuntu2
cups-daemon - 2.4.6-0ubuntu2
cups-ipp-utils - 2.4.6-0ubuntu2
cups-ppdc - 2.4.6-0ubuntu2
cups-server-common - 2.4.6-0ubuntu2
libcups2t64 - 2.4.6-0ubuntu2
libcupsimage2t64 - 2.4.6-0ubuntu2
No subscription required
libppd-tests - 2:2.0~rc1-0ubuntu4
libppd-utils - 2:2.0~rc1-0ubuntu4
libppd2 - 2:2.0~rc1-0ubuntu4
libppd2-common - 2:2.0~rc1-0ubuntu4
ppdc - 2:2.0~rc1-0ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-20 12:00:00 UTC
2023-09-20 12:00:00 UTC
zenofex and WanderingGlitch
[https://ubuntu.com/security/notices/USN-6391-1]
[https://ubuntu.com/security/notices/USN-6392-1]
[https://ubuntu.com/security/notices/USN-6391-2]
CVE-2023-4504
CVE-2023-45195 on Ubuntu 26.04 LTS (resolute) - medium
Adminer and AdminerEvo are vulnerable to SSRF via database connection fields. This could allow an unauthenticated remote attacker to enumerate or access systems the attacker would not otherwise have access to. Adminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-24 22:15:00 UTC
CVE-2023-45195
CVE-2023-45311 on Ubuntu 26.04 LTS (resolute) - medium
fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary. NOTE: some sources feel that this means that no version is affected any longer, because the URL is not controlled by an adversary.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-06 21:15:00 UTC
CVE-2023-45311
CVE-2023-45359 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the Vector Skin component for MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-toc-toggle-button-label is not escaped, but should be, because the line param can have markup.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-09 06:15:00 UTC
CVE-2023-45359
CVE-2023-45360 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is XSS in youhavenewmessagesmanyusers and youhavenewmessages i18n messages. This is related to MediaWiki:Youhavenewmessagesfromusers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-03 05:15:00 UTC
CVE-2023-45360
CVE-2023-45361 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in VectorComponentUserLinks.php in the Vector Skin component in MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-intro-page MalformedTitleException is uncaught if it is not a valid title, leading to incorrect web pages.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-09 06:15:00 UTC
CVE-2023-45361
CVE-2023-45362 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in DifferenceEngine.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. diff-multi-sameuser (aka "X intermediate revisions by the same user not shown") ignores username suppression. This is an information leak.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-03 05:15:00 UTC
CVE-2023-45362
CVE-2023-45363 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in ApiPageSet.php in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It allows attackers to cause a denial of service (unbounded loop and RequestTimeoutException) when querying pages redirected to other variants with redirects and converttitles set.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-09 05:15:00 UTC
CVE-2023-45363
CVE-2023-45364 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in includes/page/Article.php in MediaWiki 1.36.x through 1.39.x before 1.39.5 and 1.40.x before 1.40.1. Deleted revision existence is leaked due to incorrect permissions being checked. This reveals that a given revision ID belonged to the given page title, and its timestamp, both of which are not supposed to be public information.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-09 05:15:00 UTC
CVE-2023-45364
CVE-2023-4540 on Ubuntu 26.04 LTS (resolute) - medium
Improper Handling of Exceptional Conditions vulnerability in Daurnimator lua-http library allows Excessive Allocation and a denial of service (DoS) attack to be executed by sending a properly crafted request to the server. Such a request causes the program to enter an infinite loop. This issue affects lua-http: all versions before commit ddab283.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-05 08:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051511
CVE-2023-4540
CVE-2023-45648 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
Update Instructions:
Run `sudo pro fix CVE-2023-45648` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtomcat9-java - 9.0.70-2ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-10 19:15:00 UTC
2023-10-10 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-7106-1]
[https://ubuntu.com/security/notices/USN-7562-1]
CVE-2023-45648
CVE-2023-45661 on Ubuntu 26.04 LTS (resolute) - medium
stb_image is a single file MIT licensed library for processing images. A crafted image file may trigger out of bounds memcpy read in `stbi__gif_load_next`. This happens because two_back points to a memory address lower than the start of the buffer out. This issue may be used to leak internal memory allocation information.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-21 00:15:00 UTC
CVE-2023-45661
CVE-2023-45662 on Ubuntu 26.04 LTS (resolute) - medium
stb_image is a single file MIT licensed library for processing images. When `stbi_set_flip_vertically_on_load` is set to `TRUE` and `req_comp` is set to a number that doesn’t match the real number of components per pixel, the library attempts to flip the image vertically. A crafted image file can trigger `memcpy` out-of-bounds read because `bytes_per_pixel` used to calculate `bytes_per_row` doesn’t match the real image array dimensions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-21 00:15:00 UTC
CVE-2023-45662
CVE-2023-45663 on Ubuntu 26.04 LTS (resolute) - medium
stb_image is a single file MIT licensed library for processing images. The stbi__getn function reads a specified number of bytes from context (typically a file) into the specified buffer. In case the file stream points to the end, it returns zero. There are two places where its return value is not checked: In the `stbi__hdr_load` function and in the `stbi__tga_load` function. The latter of the two is likely more exploitable as an attacker may also control the size of an uninitialized buffer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-21 00:15:00 UTC
CVE-2023-45663
CVE-2023-45664 on Ubuntu 26.04 LTS (resolute) - medium
stb_image is a single file MIT licensed library for processing images. A crafted image file can trigger `stbi__load_gif_main_outofmem` attempt to double-free the out variable. This happens in `stbi__load_gif_main` because when the `layers * stride` value is zero the behavior is implementation defined, but common that realloc frees the old memory and returns null pointer. Since it attempts to double-free the memory a few lines below the first “free”, the issue can be potentially exploited only in a multi-threaded environment. In the worst case this may lead to code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-21 00:15:00 UTC
CVE-2023-45664
CVE-2023-45666 on Ubuntu 26.04 LTS (resolute) - medium
stb_image is a single file MIT licensed library for processing images. It may look like `stbi__load_gif_main` doesn’t give guarantees about the content of output value `*delays` upon failure. Although it sets `*delays` to zero at the beginning, it doesn’t do it in case the image is not recognized as GIF and a call to `stbi__load_gif_main_outofmem` only frees possibly allocated memory in `*delays` without resetting it to zero. Thus it would be fair to say the caller of `stbi__load_gif_main` is responsible to free the allocated memory in `*delays` only if `stbi__load_gif_main` returns a non null value. However at the same time the function may return null value, but fail to free the memory in `*delays` if internally `stbi__convert_format` is called and fails. Thus the issue may lead to a memory leak if the caller chooses to free `delays` only when `stbi__load_gif_main` didn’t fail or to a double-free if the `delays` is always freed
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-21 00:15:00 UTC
CVE-2023-45666
CVE-2023-45667 on Ubuntu 26.04 LTS (resolute) - medium
stb_image is a single file MIT licensed library for processing images. If `stbi__load_gif_main` in `stbi_load_gif_from_memory` fails it returns a null pointer and may keep the `z` variable uninitialized. In case the caller also sets the flip vertically flag, it continues and calls `stbi__vertical_flip_slices` with the null pointer result value and the uninitialized `z` value. This may result in a program crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-21 00:15:00 UTC
CVE-2023-45667
CVE-2023-45675 on Ubuntu 26.04 LTS (resolute) - medium
stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that if the len read in `start_decoder` is `-1` and `len + 1` becomes 0 when passed to `setup_malloc`. The `setup_malloc` behaves differently when `f->alloc.alloc_buffer` is pre-allocated. Instead of returning `NULL` as in `malloc` case it shifts the pre-allocated buffer by zero and returns the currently available memory block. This issue may lead to code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-21 00:15:00 UTC
CVE-2023-45675
CVE-2023-45676 on Ubuntu 26.04 LTS (resolute) - medium
stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[i] = get8_packet(f);`. The root cause is an integer overflow in `setup_malloc`. A sufficiently large value in the variable `sz` overflows with `sz+7` in and the negative value passes the maximum available memory buffer check. This issue may lead to code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-21 00:15:00 UTC
CVE-2023-45676
CVE-2023-45677 on Ubuntu 26.04 LTS (resolute) - medium
stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that if `len` read in `start_decoder` is a negative number and `setup_malloc` successfully allocates memory in that case, but memory write is done with a negative index `len`. Similarly if len is INT_MAX the integer overflow len+1 happens in `f->vendor = (char*)setup_malloc(f, sizeof(char) * (len+1));` and `f->comment_list[i] = (char*)setup_malloc(f, sizeof(char) * (len+1));`. This issue may lead to code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-21 00:15:00 UTC
CVE-2023-45677
CVE-2023-45678 on Ubuntu 26.04 LTS (resolute) - medium
stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of buffer write in `start_decoder` because at maximum `m->submaps` can be 16 but `submap_floor` and `submap_residue` are declared as arrays of 15 elements. This issue may lead to code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-21 00:15:00 UTC
CVE-2023-45678
CVE-2023-45679 on Ubuntu 26.04 LTS (resolute) - medium
stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, but some of the pointers in `f->comment_list` are left initialized and later `setup_free` is called on these pointers in `vorbis_deinit`. This issue may lead to code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-21 00:15:00 UTC
CVE-2023-45679
CVE-2023-45680 on Ubuntu 26.04 LTS (resolute) - medium
stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, the `f->comment_list` is set to `NULL`, but `f->comment_list_length` is not reset. Later in `vorbis_deinit` it tries to dereference the `NULL` pointer. This issue may lead to denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-21 00:15:00 UTC
CVE-2023-45680
CVE-2023-45681 on Ubuntu 26.04 LTS (resolute) - medium
stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory write past an allocated heap buffer in `start_decoder`. The root cause is a potential integer overflow in `sizeof(char*) * (f->comment_list_length)` which may make `setup_malloc` allocate less memory than required. Since there is another integer overflow an attacker may overflow it too to force `setup_malloc` to return 0 and make the exploit more reliable. This issue may lead to code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-21 00:15:00 UTC
CVE-2023-45681
CVE-2023-45682 on Ubuntu 26.04 LTS (resolute) - medium
stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds read in `DECODE` macro when `var` is negative. As it can be seen in the definition of `DECODE_RAW` a negative `var` is a valid value. This issue may be used to leak internal memory allocation information.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-21 00:15:00 UTC
CVE-2023-45682
CVE-2023-45684 on Ubuntu 26.04 LTS (resolute) - medium
Northern.tech CFEngine Enterprise before 3.21.3 allows SQL Injection. The fixed versions are 3.18.6 and 3.21.3. The earliest affected version is 3.6.0. The issue is in the Mission Portal login page in the CFEngine hub.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-14 15:15:00 UTC
CVE-2023-45684
CVE-2023-45802 on Ubuntu 26.04 LTS (resolute) - medium
When a HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2023-45802` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.58-1ubuntu1
apache2-bin - 2.4.58-1ubuntu1
apache2-data - 2.4.58-1ubuntu1
apache2-suexec-custom - 2.4.58-1ubuntu1
apache2-suexec-pristine - 2.4.58-1ubuntu1
apache2-utils - 2.4.58-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-23 07:15:00 UTC
2023-10-23 07:15:00 UTC
Will Dormann and David Warren
[https://ubuntu.com/security/notices/USN-6506-1]
CVE-2023-45802
CVE-2023-45805 on Ubuntu 26.04 LTS (resolute) - medium
pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious `pdm.lock` file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another project. A project `foo` can be targeted by creating the project `foo-2` and uploading the file `foo-2-2.tar.gz` to pypi.org. PyPI will see this as project `foo-2` version `2`, while PDM will see this as project `foo` version `2-2`. The version must only be `parseable as a version` and the filename must be a prefix of the project name, but it's not verified to match the version being installed. Version `2-2` is also not a valid normalized version per PEP 440. Matching the project name exactly (not just prefix) would fix the issue. When installing dependencies with PDM, what's actually installed could differ from what's listed in `pyproject.toml` (including arbitrary code execution on install). It could also be used for downgrade attacks by only changing the version. This issue has been addressed in commit `6853e2642df` which is included in release version `2.9.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-20 19:15:00 UTC
CVE-2023-45805
CVE-2023-45857 on Ubuntu 26.04 LTS (resolute) - medium
An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-08 21:15:00 UTC
https://github.com/axios/axios/issues/6006
CVE-2023-45857
CVE-2023-45872 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Qt before 6.2.11 and 6.3.x through 6.6.x before 6.6.1. When a QML image refers to an image whose content is not known yet, there is an assumption that it is an SVG document, leading to a denial of service (application crash) if it is not actually an SVG document.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-09 06:15:00 UTC
CVE-2023-45872
CVE-2023-45927 on Ubuntu 26.04 LTS (resolute) - low
S-Lang 2.3.2 was discovered to contain an arithmetic exception via the function tt_sprintf().
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-03-27 04:15:00 UTC
CVE-2023-45927
CVE-2023-45929 on Ubuntu 26.04 LTS (resolute) - low
S-Lang 2.3.2 was discovered to contain a segmentation fault via the function fixup_tgetstr().
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-03-27 04:15:00 UTC
CVE-2023-45929
CVE-2023-46009 on Ubuntu 26.04 LTS (resolute) - low
gifsicle-1.94 was found to have a floating point exception (FPE) vulnerability via resize_stream at src/xform.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-10-18 16:15:00 UTC
CVE-2023-46009
CVE-2023-46118 on Ubuntu 26.04 LTS (resolute) - medium
RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable to denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish very large messages over the HTTP API and cause the target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.
Update Instructions:
Run `sudo pro fix CVE-2023-46118` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
rabbitmq-server - 3.12.1-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-25 18:17:00 UTC
2023-10-25 18:17:00 UTC
[https://ubuntu.com/security/notices/USN-6501-1]
CVE-2023-46118
CVE-2023-46120 on Ubuntu 26.04 LTS (resolute) - medium
The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer. This vulnerability was patched in version 5.18.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-25 18:17:00 UTC
CVE-2023-46120
CVE-2023-46121 on Ubuntu 26.04 LTS (resolute) - medium
yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Generic extractor (or only pass trusted sites with trusted content) and take caution when using `--no-check-certificate`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-15 00:15:00 UTC
CVE-2023-46121
CVE-2023-46137 on Ubuntu 26.04 LTS (resolute) - medium
Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a patch for this issue.
Update Instructions:
Run `sudo pro fix CVE-2023-46137` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-twisted - 22.4.0-4ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-25 21:15:00 UTC
2023-10-25 21:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054913
[https://ubuntu.com/security/notices/USN-6575-1]
CVE-2023-46137
CVE-2023-46250 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions 3.7.0 through 3.16.4 can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations. The issue was fixed in version 3.17.0. As a workaround, apply the patch manually by modifying `pypdf/generic/_data_structures.py`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-31 16:15:00 UTC
CVE-2023-46250
CVE-2023-46277 on Ubuntu 26.04 LTS (resolute) - high
please (aka pleaser) through 0.5.4 allows privilege escalation through the TIOCSTI and/or TIOCLINUX ioctl. (If both TIOCSTI and TIOCLINUX are disabled, this cannot be exploited.)
Ubuntu 26.04 LTS
High
Copyright (C) 2023 Canonical Ltd.
2023-10-20 05:15:00 UTC
https://gitlab.com/edneville/please/-/issues/13
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054289
CVE-2023-46277
CVE-2023-46287 on Ubuntu 26.04 LTS (resolute) - medium
XSS exists in NagVis before 1.9.38 via the select function in share/server/core/functions/html.php.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-20 14:15:00 UTC
CVE-2023-46287
CVE-2023-46303 on Ubuntu 26.04 LTS (resolute) - medium
link_to_local_path in ebooks/conversion/plugins/html_input.py in calibre before 6.19.0 can, by default, add resources outside of the document root.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-22 18:15:00 UTC
CVE-2023-46303
CVE-2023-46331 on Ubuntu 26.04 LTS (resolute) - medium
WebAssembly wabt 1.0.33 has an Out-of-Bound Memory Read in DataSegment::IsValidRange(), which leads to a segmentation fault.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-23 17:15:00 UTC
CVE-2023-46331
CVE-2023-46332 on Ubuntu 26.04 LTS (resolute) - medium
WebAssembly wabt 1.0.33 contains an Out-of-Bound Memory Write in DataSegment::Drop(), which leads to a segmentation fault.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-23 16:15:00 UTC
CVE-2023-46332
CVE-2023-46345 on Ubuntu 26.04 LTS (resolute) - medium
Catdoc v0.95 was discovered to contain a NULL pointer dereference via the component xls2csv at src/xlsparse.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-26 00:15:00 UTC
CVE-2023-46345
CVE-2023-46361 on Ubuntu 26.04 LTS (resolute) - low
Artifex Software jbig2dec v0.20 was discovered to contain a SEGV vulnerability via jbig2_error at /jbig2dec/jbig2.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-10-31 06:15:00 UTC
Zeng Yunxiang and Song Jiaxuan
https://bugs.ghostscript.com/show_bug.cgi?id=707308 (dupe)
https://bugs.ghostscript.com/show_bug.cgi?id=705041 (similar issue)
CVE-2023-46361
CVE-2023-46362 on Ubuntu 26.04 LTS (resolute) - medium
jbig2enc v0.28 was discovered to contain a heap-use-after-free via jbig2enc_auto_threshold_using_hash in src/jbig2enc.cc.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-08 21:15:00 UTC
https://github.com/agl/jbig2enc/issues/84
CVE-2023-46362
CVE-2023-46363 on Ubuntu 26.04 LTS (resolute) - low
jbig2enc v0.28 was discovered to contain a SEGV via jbig2_add_page in src/jbig2enc.cc:512.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-11-08 21:15:00 UTC
https://github.com/agl/jbig2enc/issues/85
CVE-2023-46363
CVE-2023-4639 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-17 11:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063539
CVE-2023-4639
CVE-2023-46490 on Ubuntu 26.04 LTS (resolute) - medium
SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in the managers.php function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-27 22:15:00 UTC
CVE-2023-46490
CVE-2023-46569 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read in radare2 v.5.8.9 and before exists in the print_insn32_fpu function of libr/arch/p/nds32/nds32-dis.h.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-28 02:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054908
CVE-2023-46569
CVE-2023-46570 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read in radare2 v.5.8.9 and before exists in the print_insn32 function of libr/arch/p/nds32/nds32-dis.h.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-28 02:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054908
CVE-2023-46570
CVE-2023-46589 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
Update Instructions:
Run `sudo pro fix CVE-2023-46589` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtomcat9-java - 9.0.70-2ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-28 16:15:00 UTC
2023-11-28 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057082
[https://ubuntu.com/security/notices/USN-7032-1]
CVE-2023-46589
CVE-2023-46724 on Ubuntu 26.04 LTS (resolute) - medium
Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.
Update Instructions:
Run `sudo pro fix CVE-2023-46724` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
squid - 6.1-2ubuntu2
squid-cgi - 6.1-2ubuntu2
squid-common - 6.1-2ubuntu2
squid-openssl - 6.1-2ubuntu2
squid-purge - 6.1-2ubuntu2
squidclient - 6.1-2ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-01 20:15:00 UTC
2023-11-01 20:15:00 UTC
Joshua Rogers
https://bugs.launchpad.net/ubuntu/+source/squid/+bug/2041837
[https://ubuntu.com/security/notices/USN-6500-1]
CVE-2023-46724
CVE-2023-46749 on Ubuntu 26.04 LTS (resolute) - medium
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting. Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).
Update Instructions:
Run `sudo pro fix CVE-2023-46749` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libshiro-java - 1.3.2-5ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-15 10:15:00 UTC
2024-01-15 10:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060754
[https://ubuntu.com/security/notices/USN-7147-1]
CVE-2023-46749
CVE-2023-46750 on Ubuntu 26.04 LTS (resolute) - medium
URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro. Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.
Update Instructions:
Run `sudo pro fix CVE-2023-46750` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libshiro-java - 1.3.2-5ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-14 09:15:00 UTC
2023-12-14 09:15:00 UTC
[https://ubuntu.com/security/notices/USN-7147-1]
CVE-2023-46750
CVE-2023-46753 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute.
Update Instructions:
Run `sudo pro fix CVE-2023-46753` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
frr - 8.4.4-1.1ubuntu2
frr-pythontools - 8.4.4-1.1ubuntu2
frr-rpki-rtrlib - 8.4.4-1.1ubuntu2
frr-snmp - 8.4.4-1.1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-26 05:15:00 UTC
2023-10-26 05:15:00 UTC
[https://ubuntu.com/security/notices/USN-6481-1]
[https://ubuntu.com/security/notices/USN-6482-1]
[https://ubuntu.com/security/notices/USN-6807-1]
CVE-2023-46753
CVE-2023-46835 on Ubuntu 26.04 LTS (resolute) - medium
The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU. On systems without RAM above the 512GB boundary amd_iommu_quarantine_init() will setup page tables for the scratch page with 4 levels, while the IOMMU will be configured to use 3 levels only, resulting in the last page table directory (PDE) effectively becoming a page table entry (PTE), and hence a device in quarantine mode gaining write access to the page destined to be a PDE. Due to this page table level mismatch, the sink page the device gets read/write access to is no longer cleared between device assignment, possibly leading to data leaks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-05 17:15:00 UTC
CVE-2023-46835
CVE-2023-46836 on Ubuntu 26.04 LTS (resolute) - medium
The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown (XPTI) deliberately left interrupts enabled on two entry paths; one unconditionally, and one conditionally on whether XPTI was active. As BTC/SRSO and Meltdown affect different CPU vendors, the mitigations are not active together by default. Therefore, there is a race condition whereby a malicious PV guest can bypass BTC/SRSO protections and launch a BTC/SRSO attack against Xen.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-05 17:15:00 UTC
CVE-2023-46836
CVE-2023-46837 on Ubuntu 26.04 LTS (resolute) - medium
Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalidation. Therefore there is no guarantee when all the writes will reach the memory. This undefined behavior was meant to be addressed by XSA-437, but the approach was not sufficient.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-05 17:15:00 UTC
CVE-2023-46837
CVE-2023-46839 on Ubuntu 26.04 LTS (resolute) - medium
PCI devices can make use of a functionality called phantom functions, that when enabled allows the device to generate requests using the IDs of functions that are otherwise unpopulated. This allows a device to extend the number of outstanding requests. Such phantom functions need an IOMMU context setup, but failure to setup the context is not fatal when the device is assigned. Not failing device assignment when such failure happens can lead to the primary device being assigned to a guest, while some of the phantom functions are assigned to a different domain.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 11:15:00 UTC
CVE-2023-46839
CVE-2023-46840 on Ubuntu 26.04 LTS (resolute) - medium
Incorrect placement of a preprocessor directive in source code results in logic that doesn't operate as intended when support for HVM guests is compiled out of Xen.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 11:15:00 UTC
CVE-2023-46840
CVE-2023-46841 on Ubuntu 26.04 LTS (resolute) - medium
Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so called "shadow stacks", holding little more than return addresses. Shadow stacks aren't writable by normal instructions, and upon function returns their contents are used to check for possible manipulation of a return address coming from the traditional stack. In particular certain memory accesses need intercepting by Xen. In various cases the necessary emulation involves kind of replaying of the instruction. Such replaying typically involves filling and then invoking of a stub. Such a replayed instruction may raise an exception, which is expected and dealt with accordingly. Unfortunately the interaction of both of the above wasn't right: Recovery involves removal of a call frame from the (traditional) stack. The counterpart of this operation for the shadow stack was missing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 11:15:00 UTC
CVE-2023-46841
CVE-2023-46842 on Ubuntu 26.04 LTS (resolute) - medium
Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the range 32-bit code would be able to set them to. When processing of hypercalls takes a considerable amount of time, the hypervisor may choose to invoke a hypercall continuation. Doing so involves putting (perhaps updated) hypercall arguments in respective registers. For guests not running in 64-bit mode this further involves a certain amount of translation of the values. Unfortunately internal sanity checking of these translated values assumes high halves of registers to always be clear when invoking a hypercall. When this is found not to be the case, it triggers a consistency check in the hypervisor and causes a crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-16 14:15:00 UTC
CVE-2023-46842
CVE-2023-46846 on Ubuntu 26.04 LTS (resolute) - medium
SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems.
Update Instructions:
Run `sudo pro fix CVE-2023-46846` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
squid - 6.1-2ubuntu2
squid-cgi - 6.1-2ubuntu2
squid-common - 6.1-2ubuntu2
squid-openssl - 6.1-2ubuntu2
squid-purge - 6.1-2ubuntu2
squidclient - 6.1-2ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-03 08:15:00 UTC
2023-11-03 08:15:00 UTC
Keran Mu and Jianjun Chen
https://bugs.launchpad.net/ubuntu/+source/squid/+bug/2041837
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054537
[https://ubuntu.com/security/notices/USN-6500-1]
CVE-2023-46846
CVE-2023-46894 on Ubuntu 26.04 LTS (resolute) - medium
An issue discovered in esptool 4.6.2 allows attackers to view sensitive information via weak cryptographic algorithm.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-09 16:15:00 UTC
CVE-2023-46894
CVE-2023-4692 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved.
Update Instructions:
Run `sudo pro fix CVE-2023-4692` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
grub-efi-amd64 - 2.12~rc1-10ubuntu4
grub-efi-amd64-bin - 2.12~rc1-10ubuntu4
grub-efi-amd64-unsigned - 2.12~rc1-10ubuntu4
grub-efi-arm64 - 2.12~rc1-10ubuntu4
grub-efi-arm64-bin - 2.12~rc1-10ubuntu4
grub-efi-arm64-unsigned - 2.12~rc1-10ubuntu4
No subscription required
grub-efi-amd64-signed - 1.197
grub-efi-arm64-signed - 1.197
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-03
2023-10-03
[https://ubuntu.com/security/notices/USN-6410-1]
CVE-2023-4692
CVE-2023-4693 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read flaw was found on grub2's NTFS filesystem driver. This issue may allow a physically present attacker to present a specially crafted NTFS file system image to read arbitrary memory locations. A successful attack allows sensitive data cached in memory or EFI variable values to be leaked, presenting a high Confidentiality risk.
Update Instructions:
Run `sudo pro fix CVE-2023-4693` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
grub-efi-amd64-signed - 1.199
grub-efi-arm64-signed - 1.199
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-03
2023-10-03
[https://ubuntu.com/security/notices/USN-6410-1]
CVE-2023-4693
CVE-2023-46998 on Ubuntu 26.04 LTS (resolute) - medium
Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 through 6.0 allows a remote attacker to execute arbitrary code via a crafted payload to alert(), confirm(), prompt() functions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-07 05:15:00 UTC
CVE-2023-46998
CVE-2023-47016 on Ubuntu 26.04 LTS (resolute) - medium
radare2 5.8.9 has an out-of-bounds read in r_bin_object_set_items in libr/bin/bobj.c, causing a crash in r_read_le32 in libr/include/r_endian.h.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-22 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056930
CVE-2023-47016
CVE-2023-47038 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.
Update Instructions:
Run `sudo pro fix CVE-2023-47038` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libperl5.40 - 5.36.0-10ubuntu1
perl - 5.36.0-10ubuntu1
perl-base - 5.36.0-10ubuntu1
perl-debug - 5.36.0-10ubuntu1
perl-modules-5.40 - 5.36.0-10ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-25 17:00:00 UTC
2023-11-25 17:00:00 UTC
Nathan Mills
[https://ubuntu.com/security/notices/USN-6517-1]
CVE-2023-47038
CVE-2023-47212 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow vulnerability exists in the comment functionality of stb_vorbis.c v1.22. A specially crafted .ogg file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-01 16:15:00 UTC
CVE-2023-47212
CVE-2023-47430 on Ubuntu 26.04 LTS (resolute) - medium
Stack-buffer-overflow vulnerability in ReadyMedia (MiniDLNA) v1.3.3 allows attackers to cause a denial of service via the SendContainer() function at tivo_commands.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-25 22:37:00 UTC
CVE-2023-47430
CVE-2023-4759 on Ubuntu 26.04 LTS (resolute) - negligible
Arbitrary File Overwrite in Eclipse JGit <= 6.6.0. In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem. This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command. The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration. Setting git configuration option core.symlinks = false before checking out avoids the problem. The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from 5.13.3.202401111512-r. The JGit maintainers would like to thank RyotaK for finding and reporting this issue.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2023 Canonical Ltd.
2023-09-12 10:15:00 UTC
CVE-2023-4759
CVE-2023-4771 on Ubuntu 26.04 LTS (resolute) - medium
A Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An attacker could send malicious javascript code through the /ckeditor/samples/old/ajax.html file and retrieve an authorized user's information.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-16 14:15:00 UTC
CVE-2023-4771
CVE-2023-4785 on Ubuntu 26.04 LTS (resolute) - medium
Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++, Python, and Ruby are affected, but gRPC Java and Go are NOT affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-13 17:15:00 UTC
CVE-2023-4785
CVE-2023-47992 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability in FreeImageIO.cpp::_MemoryReadProc in FreeImage 3.18.0 allows attackers to obtain sensitive information, cause denial-of-service attacks and/or run arbitrary code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-09 23:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060691
CVE-2023-47992
CVE-2023-47993 on Ubuntu 26.04 LTS (resolute) - medium
A Buffer out-of-bound read vulnerability in Exif.cpp::ReadInt32 in FreeImage 3.18.0 allows attackers to cause a denial-of-service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-09 23:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060691
CVE-2023-47993
CVE-2023-47994 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability in LoadPixelDataRLE4 function in PluginBMP.cpp in FreeImage 3.18.0 allows attackers to obtain sensitive information, cause a denial of service and/or run arbitrary code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-09 23:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060691
CVE-2023-47994
CVE-2023-47995 on Ubuntu 26.04 LTS (resolute) - medium
Memory Allocation with Excessive Size Value discovered in BitmapAccess.cpp::FreeImage_AllocateBitmap in FreeImage 3.18.0 allows attackers to cause a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-09 23:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060862
CVE-2023-47995
CVE-2023-47996 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability in Exif.cpp::jpeg_read_exif_dir in FreeImage 3.18.0 allows attackers to obtain information and cause a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-09 23:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060691
CVE-2023-47996
CVE-2023-47997 on Ubuntu 26.04 LTS (resolute) - medium
An issue discovered in BitmapAccess.cpp::FreeImage_AllocateBitmap in FreeImage 3.18.0 leads to an infinite loop and allows attackers to cause a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-10 00:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060691
CVE-2023-47997
CVE-2023-48052 on Ubuntu 26.04 LTS (resolute) - medium
Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-16 18:15:00 UTC
CVE-2023-48052
CVE-2023-4806 on Ubuntu 26.04 LTS (resolute) - low
A flaw has been identified in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.
Update Instructions:
Run `sudo pro fix CVE-2023-4806` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
glibc-source - 2.38-1ubuntu5
libc-bin - 2.38-1ubuntu5
libc6 - 2.38-1ubuntu5
libc6-amd64 - 2.38-1ubuntu5
libc6-i386 - 2.38-1ubuntu5
libc6-x32 - 2.38-1ubuntu5
locales - 2.38-1ubuntu5
locales-all - 2.38-1ubuntu5
nscd - 2.38-1ubuntu5
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-09-18 17:15:00 UTC
2023-09-18 17:15:00 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=30843
[https://ubuntu.com/security/notices/USN-6541-1]
[https://ubuntu.com/security/notices/USN-6541-2]
CVE-2023-4806
CVE-2023-48104 on Ubuntu 26.04 LTS (resolute) - medium
Alinto SOGo before 5.9.1 is vulnerable to HTML Injection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-16 01:15:00 UTC
CVE-2023-48104
CVE-2023-48733 on Ubuntu 26.04 LTS (resolute) - medium
An insecure default to allow UEFI Shell in EDK2 was left enabled in Ubuntu's EDK2. This allows an OS-resident attacker to bypass Secure Boot.
Update Instructions:
Run `sudo pro fix CVE-2023-48733` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
efi-shell-aa64 - 2023.11-7
efi-shell-arm - 2023.11-7
efi-shell-ia32 - 2023.11-7
efi-shell-loongarch64 - 2023.11-7
efi-shell-riscv64 - 2023.11-7
efi-shell-x64 - 2023.11-7
ovmf - 2023.11-7
ovmf-ia32 - 2023.11-7
ovmf-inteltdx - 2023.11-7
qemu-efi-aarch64 - 2023.11-7
qemu-efi-arm - 2023.11-7
qemu-efi-loongarch64 - 2023.11-7
qemu-efi-riscv64 - 2023.11-7
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-14
2024-02-14
Mate Kukri
https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/2040139
https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2040137
[https://ubuntu.com/security/notices/USN-6638-1]
CVE-2023-48733
CVE-2023-48795 on Ubuntu 26.04 LTS (resolute) - medium
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.
Update Instructions:
Run `sudo pro fix CVE-2023-48795` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openssh-client - 1:9.6p1-3ubuntu1
openssh-client-gssapi - 1:9.6p1-3ubuntu1
openssh-server - 1:9.6p1-3ubuntu1
openssh-server-gssapi - 1:9.6p1-3ubuntu1
openssh-sftp-server - 1:9.6p1-3ubuntu1
openssh-tests - 1:9.6p1-3ubuntu1
ssh - 1:9.6p1-3ubuntu1
ssh-askpass-gnome - 1:9.6p1-3ubuntu1
No subscription required
python3-paramiko - 2.12.0-2ubuntu4
No subscription required
python3-asyncssh - 2.10.1-2ubuntu1
No subscription required
filezilla - 3.66.4-1
filezilla-common - 3.66.4-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-18 15:00:00 UTC
2023-12-18 15:00:00 UTC
Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk
https://github.com/golang/go/issues/64784
https://github.com/paramiko/paramiko/issues/2337
https://github.com/libssh2/libssh2/issues/1290
[https://ubuntu.com/security/notices/USN-6560-1]
[https://ubuntu.com/security/notices/USN-6561-1]
[https://ubuntu.com/security/notices/USN-6560-2]
[https://ubuntu.com/security/notices/USN-6585-1]
[https://ubuntu.com/security/notices/USN-6589-1]
[https://ubuntu.com/security/notices/USN-6598-1]
[https://ubuntu.com/security/notices/USN-6738-1]
[https://ubuntu.com/security/notices/USN-7051-1]
[https://ubuntu.com/security/notices/USN-7297-1]
[https://ubuntu.com/security/notices/USN-7292-1]
CVE-2023-48795
CVE-2023-48945 on Ubuntu 26.04 LTS (resolute) - medium
A stack overflow in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-29 20:15:00 UTC
2023-11-29 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6879-1]
CVE-2023-48945
CVE-2023-48946 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the box_mpy function of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-29 20:15:00 UTC
2023-11-29 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6879-1]
CVE-2023-48946
CVE-2023-48947 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the cha_cmp function of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-29 20:15:00 UTC
2023-11-29 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6879-1]
CVE-2023-48947
CVE-2023-48948 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the box_div function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-29 20:15:00 UTC
CVE-2023-48948
CVE-2023-48949 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the box_add function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-29 20:15:00 UTC
CVE-2023-48949
CVE-2023-48950 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the box_col_len function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-29 20:15:00 UTC
2023-11-29 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6879-1]
CVE-2023-48950
CVE-2023-48951 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the box_equal function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-29 20:15:00 UTC
2023-11-29 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6879-1]
CVE-2023-48951
CVE-2023-48952 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the box_deserialize_reusing function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-29 20:15:00 UTC
CVE-2023-48952
CVE-2023-49080 on Ubuntu 26.04 LTS (resolute) - medium
The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. Unhandled errors in API requests coming from an authenticated user include traceback information, which can include path information. There is no known mechanism by which to trigger these errors without authentication, so the paths revealed are not considered particularly sensitive, given that the requesting user has arbitrary execution permissions already in the same environment. A fix has been introduced in commit `0056c3aa52` which no longer includes traceback information in JSON error responses. For compatibility, the traceback field is present, but always empty. This commit has been included in version 2.11.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-04 21:15:00 UTC
CVE-2023-49080
CVE-2023-49284 on Ubuntu 26.04 LTS (resolute) - medium
fish is a smart and user-friendly command line shell for macOS, Linux, and the rest of the family. fish shell uses certain Unicode non-characters internally for marking wildcards and expansions. It will incorrectly allow these markers to be read on command substitution output, rather than transforming them into a safe internal representation. While this may cause unexpected behavior with direct input (for example, echo \UFDD2HOME has the same output as echo $HOME), this may become a minor security problem if the output is being fed from an external program into a command substitution where this output may not be expected. This design flaw was introduced in very early versions of fish, predating the version control system, and is thought to be present in every version of fish released in the last 15 years or more, although with different characters. Code execution does not appear to be possible, but denial of service (through large brace expansion) or information disclosure (such as variable expansion) is potentially possible under certain circumstances. fish shell 3.6.2 has been released to correct this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-05 00:15:00 UTC
CVE-2023-49284
CVE-2023-49287 on Ubuntu 26.04 LTS (resolute) - medium
TinyDir is a lightweight C directory and file reader. Buffer overflows in the `tinydir_file_open()` function. This vulnerability has been patched in version 1.2.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-04 06:15:00 UTC
CVE-2023-49287
CVE-2023-49294 on Ubuntu 26.04 LTS (resolute) - medium
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the `live_dangerously` is not enabled. This allows arbitrary files to be read. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-14 20:15:00 UTC
CVE-2023-49294
CVE-2023-49298 on Ubuntu 26.04 LTS (resolute) - medium
OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.
Update Instructions:
Run `sudo pro fix CVE-2023-49298` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnvpair3linux - 2.2.2-0ubuntu2
libpam-zfs - 2.2.2-0ubuntu2
libuutil3linux - 2.2.2-0ubuntu2
libzfs6linux - 2.2.2-0ubuntu2
libzfsbootenv1linux - 2.2.2-0ubuntu2
libzpool6linux - 2.2.2-0ubuntu2
python3-pyzfs - 2.2.2-0ubuntu2
zfs-dkms - 2.2.2-0ubuntu2
zfs-dracut - 2.2.2-0ubuntu2
zfs-initramfs - 2.2.2-0ubuntu2
zfs-test - 2.2.2-0ubuntu2
zfs-zed - 2.2.2-0ubuntu2
zfsutils-linux - 2.2.2-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-24 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056752
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275308
https://github.com/openzfs/zfs/issues/15526
https://bugs.launchpad.net/ubuntu/+source/zfs-linux/+bug/2044657
CVE-2023-49298
CVE-2023-49342 on Ubuntu 26.04 LTS (resolute) - medium
Temporary data passed between application components by Budgie Extras Clockworks applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-14
2023-12-14
https://bugs.launchpad.net/ubuntu/+source/budgie-extras/+bug/2044373
[https://ubuntu.com/security/notices/USN-6556-1]
CVE-2023-49342
CVE-2023-49343 on Ubuntu 26.04 LTS (resolute) - medium
Temporary data passed between application components by Budgie Extras Dropby applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-14
2023-12-14
https://bugs.launchpad.net/ubuntu/+source/budgie-extras/+bug/2044373
[https://ubuntu.com/security/notices/USN-6556-1]
CVE-2023-49343
CVE-2023-49344 on Ubuntu 26.04 LTS (resolute) - medium
Temporary data passed between application components by Budgie Extras Window Shuffler applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-14
2023-12-14
Matthias Gerstner
https://bugs.launchpad.net/ubuntu/+source/budgie-extras/+bug/2044373
[https://ubuntu.com/security/notices/USN-6556-1]
CVE-2023-49344
CVE-2023-49345 on Ubuntu 26.04 LTS (resolute) - medium
Temporary data passed between application components by Budgie Extras Takeabreak applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-14
2023-12-14
Matthias Gerstner
https://bugs.launchpad.net/ubuntu/+source/budgie-extras/+bug/2044373
[https://ubuntu.com/security/notices/USN-6556-1]
CVE-2023-49345
CVE-2023-49346 on Ubuntu 26.04 LTS (resolute) - medium
Temporary data passed between application components by Budgie Extras WeatherShow applet could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may pre-create and control this file to present false information to users or deny access to the application and panel.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-14
2023-12-14
Matthias Gerstner
https://bugs.launchpad.net/ubuntu/+source/budgie-extras/+bug/2044373
[https://ubuntu.com/security/notices/USN-6556-1]
CVE-2023-49346
CVE-2023-49347 on Ubuntu 26.04 LTS (resolute) - medium
Temporary data passed between application components by Budgie Extras Windows Previews could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may read private information from windows, present false information to users, or deny access to the application.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-14
2023-12-14
Matthias Gerstner
https://bugs.launchpad.net/ubuntu/+source/budgie-extras/+bug/2044373
[https://ubuntu.com/security/notices/USN-6556-1]
CVE-2023-49347
CVE-2023-49549 on Ubuntu 26.04 LTS (resolute) - medium
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_getretvalpos function in the msj.c file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-02 23:15:00 UTC
https://github.com/cesanta/mjs/issues/251
CVE-2023-49549
CVE-2023-49550 on Ubuntu 26.04 LTS (resolute) - medium
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs+0x4ec508 component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-02 23:15:00 UTC
https://github.com/cesanta/mjs/issues/252
CVE-2023-49550
CVE-2023-49551 on Ubuntu 26.04 LTS (resolute) - medium
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_parse function in the msj.c file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-02 23:15:00 UTC
https://github.com/cesanta/mjs/issues/257
CVE-2023-49551
CVE-2023-49552 on Ubuntu 26.04 LTS (resolute) - medium
An Out of Bounds Write in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_op_json_stringify function in the msj.c file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-02 23:15:00 UTC
https://github.com/cesanta/mjs/issues/256
CVE-2023-49552
CVE-2023-49553 on Ubuntu 26.04 LTS (resolute) - medium
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_destroy function in the msj.c file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-02 23:15:00 UTC
https://github.com/cesanta/mjs/issues/253
CVE-2023-49553
CVE-2023-49554 on Ubuntu 26.04 LTS (resolute) - medium
Use After Free vulnerability in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the do_directive function in the modules/preprocs/nasm/nasm-pp.c component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-03 00:15:00 UTC
https://github.com/yasm/yasm/issues/249
CVE-2023-49554
CVE-2023-49555 on Ubuntu 26.04 LTS (resolute) - medium
An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the expand_smacro function in the modules/preprocs/nasm/nasm-pp.c component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-03 00:15:00 UTC
https://github.com/yasm/yasm/issues/248
CVE-2023-49555
CVE-2023-49556 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the expr_delete_term function in the libyasm/expr.c component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-03 00:15:00 UTC
https://github.com/yasm/yasm/issues/250
CVE-2023-49556
CVE-2023-49557 on Ubuntu 26.04 LTS (resolute) - medium
An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the yasm_section_bcs_first function in the libyasm/section.c component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-03 00:15:00 UTC
https://github.com/yasm/yasm/issues/253
CVE-2023-49557
CVE-2023-49558 on Ubuntu 26.04 LTS (resolute) - medium
An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the expand_mmac_params function in the modules/preprocs/nasm/nasm-pp.c component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-03 00:15:00 UTC
https://github.com/yasm/yasm/issues/252
CVE-2023-49558
CVE-2023-49600 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write vulnerability exists in the PlyFile ply_cast_ascii functionality of libigl v2.5.0. A specially crafted .ply file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 14:15:00 UTC
CVE-2023-49600
CVE-2023-49606 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2023-49606` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
tinyproxy - 1.11.2-1
tinyproxy-bin - 1.11.2-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-01 16:15:00 UTC
2024-05-01 16:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/2074351
[https://ubuntu.com/security/notices/USN-7190-1]
CVE-2023-49606
CVE-2023-49735 on Ubuntu 26.04 LTS (resolute) - medium
** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the 'tiles-test' application shipped with Tiles. This issue affects Apache Tiles from version 2 onwards. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-30 22:15:00 UTC
Joseph Beeton of Contrast Security
CVE-2023-49735
CVE-2023-49786 on Ubuntu 26.04 LTS (resolute) - medium
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1; as well as certified-asterisk prior to 18.9-cert6; Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP. Commit d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is part of versions 18.20.1, 20.5.1, 21.0.1, and 18.9-cert6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-14 20:15:00 UTC
CVE-2023-49786
CVE-2023-49936 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. A NULL pointer dereference leads to denial of service. The fixed versions are 22.05.11, 23.02.7, and 23.11.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-14 05:15:00 UTC
CVE-2023-49936
CVE-2023-50290 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance. Users are able to specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties. Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host, unlike Java system properties which are set per-Java-process. The Solr Metrics API is protected by the "metrics-read" permission. Therefore, Solr Clouds with Authorization setup will only be vulnerable via users with the "metrics-read" permission. This issue affects Apache Solr: from 9.0.0 before 9.3.0. Users are recommended to upgrade to version 9.3.0 or later, in which environment variables are not published via the Metrics API.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-15 10:15:00 UTC
CVE-2023-50290
CVE-2023-50291 on Ubuntu 26.04 LTS (resolute) - medium
Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey", that do not contain "password", thus their values were published via the "/admin/info/properties" endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI. This /admin/info/properties endpoint is protected under the "config-read" permission. Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission. Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue. A single option now controls hiding Java system property for all endpoints, "-Dsolr.hiddenSysProps". By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password". Users who cannot upgrade can also use the following Java system property to fix the issue: '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-09 18:15:00 UTC
CVE-2023-50291
CVE-2023-50387 on Ubuntu 26.04 LTS (resolute) - medium
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
Update Instructions:
Run `sudo pro fix CVE-2023-50387` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.18.24-0ubuntu1
bind9-dnsutils - 1:9.18.24-0ubuntu1
bind9-host - 1:9.18.24-0ubuntu1
bind9-libs - 1:9.18.24-0ubuntu1
bind9-utils - 1:9.18.24-0ubuntu1
No subscription required
libunbound8 - 1.19.1-1ubuntu1
python3-unbound - 1.19.1-1ubuntu1
unbound - 1.19.1-1ubuntu1
unbound-anchor - 1.19.1-1ubuntu1
unbound-host - 1.19.1-1ubuntu1
No subscription required
dnsmasq - 2.90-1
dnsmasq-base - 2.90-1
dnsmasq-base-lua - 2.90-1
dnsmasq-utils - 2.90-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-13
2024-02-13
Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner
[https://ubuntu.com/security/notices/USN-6633-1]
[https://ubuntu.com/security/notices/USN-6642-1]
[https://ubuntu.com/security/notices/USN-6657-1]
[https://ubuntu.com/security/notices/USN-6665-1]
[https://ubuntu.com/security/notices/USN-6723-1]
[https://ubuntu.com/security/notices/USN-6657-2]
CVE-2023-50387
CVE-2023-50447 on Ubuntu 26.04 LTS (resolute) - medium
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
Update Instructions:
Run `sudo pro fix CVE-2023-50447` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-pil - 10.2.0-1
python3-pil.imagetk - 10.2.0-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-19 20:15:00 UTC
2024-01-19 20:15:00 UTC
Duarte Santos
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061172
[https://ubuntu.com/security/notices/USN-6618-1]
[https://ubuntu.com/security/notices/USN-8135-1]
CVE-2023-50447
CVE-2023-50572 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the component GroovyEngine.execute of jline-groovy v3.24.1 allows attackers to cause an OOM (OutofMemory) error.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-29 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059726
https://github.com/jline/jline3/issues/909
CVE-2023-50572
CVE-2023-50671 on Ubuntu 26.04 LTS (resolute) - medium
In exiftags 1.01, nikon_prop1 in nikon.c has a heap-based buffer overflow (write of size 28) because snprintf can write to an unexpected address.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-11 17:15:00 UTC
CVE-2023-50671
CVE-2023-50716 on Ubuntu 26.04 LTS (resolute) - medium
eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7, an invalid DATA_FRAG Submessage causes a bad-free error, and the Fast-DDS process can be remotely terminated. If an invalid Data_Frag packet is sent, the `Inline_qos, SerializedPayload` member of object `ch` will attempt to release memory without initialization, resulting in a 'bad-free' error. Versions 2.13.0, 2.12.2, 2.11.3, 2.10.2, and 2.6.7 fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-06 18:15:00 UTC
CVE-2023-50716
CVE-2023-5072 on Ubuntu 26.04 LTS (resolute) - medium
Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-12 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053882
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053883
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053884
CVE-2023-5072
CVE-2023-50781 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-05 21:15:00 UTC
CVE-2023-50781
CVE-2023-50868 on Ubuntu 26.04 LTS (resolute) - medium
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
Update Instructions:
Run `sudo pro fix CVE-2023-50868` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.18.24-0ubuntu1
bind9-dnsutils - 1:9.18.24-0ubuntu1
bind9-host - 1:9.18.24-0ubuntu1
bind9-libs - 1:9.18.24-0ubuntu1
bind9-utils - 1:9.18.24-0ubuntu1
No subscription required
libunbound8 - 1.19.1-1ubuntu1
python3-unbound - 1.19.1-1ubuntu1
unbound - 1.19.1-1ubuntu1
unbound-anchor - 1.19.1-1ubuntu1
unbound-host - 1.19.1-1ubuntu1
No subscription required
dnsmasq - 2.90-1
dnsmasq-base - 2.90-1
dnsmasq-base-lua - 2.90-1
dnsmasq-utils - 2.90-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-13
2024-02-13
[https://ubuntu.com/security/notices/USN-6633-1]
[https://ubuntu.com/security/notices/USN-6642-1]
[https://ubuntu.com/security/notices/USN-6657-1]
[https://ubuntu.com/security/notices/USN-6665-1]
[https://ubuntu.com/security/notices/USN-6723-1]
[https://ubuntu.com/security/notices/USN-6657-2]
CVE-2023-50868
CVE-2023-5088 on Ubuntu 26.04 LTS (resolute) - medium
A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot.
Update Instructions:
Run `sudo pro fix CVE-2023-5088` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:8.1.3+ds-1ubuntu1
qemu-block-supplemental - 1:8.1.3+ds-1ubuntu1
qemu-guest-agent - 1:8.1.3+ds-1ubuntu1
qemu-system - 1:8.1.3+ds-1ubuntu1
qemu-system-arm - 1:8.1.3+ds-1ubuntu1
qemu-system-common - 1:8.1.3+ds-1ubuntu1
qemu-system-data - 1:8.1.3+ds-1ubuntu1
qemu-system-gui - 1:8.1.3+ds-1ubuntu1
qemu-system-mips - 1:8.1.3+ds-1ubuntu1
qemu-system-misc - 1:8.1.3+ds-1ubuntu1
qemu-system-modules-opengl - 1:8.1.3+ds-1ubuntu1
qemu-system-modules-spice - 1:8.1.3+ds-1ubuntu1
qemu-system-ppc - 1:8.1.3+ds-1ubuntu1
qemu-system-riscv - 1:8.1.3+ds-1ubuntu1
qemu-system-s390x - 1:8.1.3+ds-1ubuntu1
qemu-system-sparc - 1:8.1.3+ds-1ubuntu1
qemu-system-x86 - 1:8.1.3+ds-1ubuntu1
qemu-system-x86-xen - 1:8.1.3+ds-1ubuntu1
qemu-system-xen - 1:8.1.3+ds-1ubuntu1
qemu-user - 1:8.1.3+ds-1ubuntu1
qemu-user-binfmt - 1:8.1.3+ds-1ubuntu1
qemu-utils - 1:8.1.3+ds-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-03 14:15:00 UTC
2023-11-03 14:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2247283
[https://ubuntu.com/security/notices/USN-6567-1]
CVE-2023-5088
CVE-2023-50966 on Ubuntu 26.04 LTS (resolute) - medium
erlang-jose (aka JOSE for Erlang and Elixir) through 1.11.6 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value in a JOSE header.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-19 15:15:00 UTC
CVE-2023-50966
CVE-2023-50967 on Ubuntu 26.04 LTS (resolute) - medium
latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 16:15:00 UTC
CVE-2023-50967
CVE-2023-50979 on Ubuntu 26.04 LTS (resolute) - medium
Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side channel during decryption with PKCS#1 v1.5 padding.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-18 04:15:00 UTC
https://github.com/weidai11/cryptopp/issues/1247
CVE-2023-50979
CVE-2023-50980 on Ubuntu 26.04 LTS (resolute) - medium
gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to cause a denial of service (application crash) via DER public-key data for an F(2^m) curve, if the degree of each term in the polynomial is not strictly decreasing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-18 04:15:00 UTC
https://github.com/weidai11/cryptopp/issues/1248
CVE-2023-50980
CVE-2023-50981 on Ubuntu 26.04 LTS (resolute) - medium
ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to cause a denial of service (infinite loop) via crafted DER public-key data associated with squared odd numbers, such as the square of 268995137513890432434389773128616504853.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-18 04:15:00 UTC
https://github.com/weidai11/cryptopp/issues/1249
CVE-2023-50981
CVE-2023-51074 on Ubuntu 26.04 LTS (resolute) - medium
json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-27 21:15:00 UTC
CVE-2023-51074
CVE-2023-51107 on Ubuntu 26.04 LTS (resolute) - medium
A floating point exception (divide-by-zero) vulnerability was discovered in Artifex MuPDF 1.23.4 in function compute_color() of jquant2.c. NOTE: this is disputed by the supplier because there was not reasonable evidence to determine the existence of a vulnerability or identify the affected product.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-26 15:15:00 UTC
CVE-2023-51107
CVE-2023-5115 on Ubuntu 26.04 LTS (resolute) - medium
An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-18 14:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2233810
CVE-2023-5115
CVE-2023-51257 on Ubuntu 26.04 LTS (resolute) - medium
An invalid memory write issue in Jasper-Software Jasper v.4.1.1 and before allows a local attacker to execute arbitrary code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-16 02:15:00 UTC
CVE-2023-51257
CVE-2023-51258 on Ubuntu 26.04 LTS (resolute) - low
A memory leak issue discovered in YASM v.1.3.0 allows a local attacker to cause a denial of service via the new_Token function in the modules/preprocs/nasm/nasm-pp:1512.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-01-18 21:15:00 UTC
CVE-2023-51258
CVE-2023-51385 on Ubuntu 26.04 LTS (resolute) - medium
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
Update Instructions:
Run `sudo pro fix CVE-2023-51385` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openssh-client - 1:9.6p1-3ubuntu1
openssh-client-gssapi - 1:9.6p1-3ubuntu1
openssh-server - 1:9.6p1-3ubuntu1
openssh-server-gssapi - 1:9.6p1-3ubuntu1
openssh-sftp-server - 1:9.6p1-3ubuntu1
openssh-tests - 1:9.6p1-3ubuntu1
ssh - 1:9.6p1-3ubuntu1
ssh-askpass-gnome - 1:9.6p1-3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-20
2023-12-20
[https://ubuntu.com/security/notices/USN-6565-1]
[https://ubuntu.com/security/notices/USN-6560-2]
[https://ubuntu.com/security/notices/USN-6560-3]
CVE-2023-51385
CVE-2023-51441 on Ubuntu 26.04 LTS (resolute) - medium
** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF. This issue affects Apache Axis: through 1.3. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied. The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-06 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060169
CVE-2023-51441
CVE-2023-5156 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.
Update Instructions:
Run `sudo pro fix CVE-2023-5156` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
glibc-source - 2.38-1ubuntu5
libc-bin - 2.38-1ubuntu5
libc6 - 2.38-1ubuntu5
libc6-amd64 - 2.38-1ubuntu5
libc6-i386 - 2.38-1ubuntu5
libc6-x32 - 2.38-1ubuntu5
locales - 2.38-1ubuntu5
locales-all - 2.38-1ubuntu5
nscd - 2.38-1ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-25 16:15:00 UTC
2023-09-25 16:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2240541
https://sourceware.org/bugzilla/show_bug.cgi?id=30884
[https://ubuntu.com/security/notices/USN-6541-1]
[https://ubuntu.com/security/notices/USN-6541-2]
CVE-2023-5156
CVE-2023-51580 on Ubuntu 26.04 LTS (resolute) - medium
BlueZ Audio Profile AVRCP avrcp_parse_attribute_list Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20852.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-03 03:16:00 UTC
CVE-2023-51580
CVE-2023-51589 on Ubuntu 26.04 LTS (resolute) - medium
BlueZ Audio Profile AVRCP parse_media_element Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20853.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-03 03:16:00 UTC
CVE-2023-51589
CVE-2023-51592 on Ubuntu 26.04 LTS (resolute) - medium
BlueZ Audio Profile AVRCP parse_media_folder Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20854.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-03 03:16:00 UTC
CVE-2023-51592
CVE-2023-51594 on Ubuntu 26.04 LTS (resolute) - medium
BlueZ OBEX Library Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device. The specific flaw exists within the handling of OBEX protocol parameters. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20937.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-03 03:16:00 UTC
CVE-2023-51594
CVE-2023-51596 on Ubuntu 26.04 LTS (resolute) - medium
BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device. The specific flaw exists within the handling of the Phone Book Access profile. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20939.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-03 03:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074419
CVE-2023-51596
CVE-2023-51766 on Ubuntu 26.04 LTS (resolute) - medium
Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports <LF>.<CR><LF> but some other popular e-mail servers do not.
Update Instructions:
Run `sudo pro fix CVE-2023-51766` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
exim4 - 4.97-3
exim4-base - 4.97-3
exim4-config - 4.97-3
exim4-daemon-heavy - 4.97-3
exim4-daemon-light - 4.97-3
eximon4 - 4.97-3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-24 06:15:00 UTC
2023-12-24 06:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059387
https://bugs.exim.org/show_bug.cgi?id=3063
[https://ubuntu.com/security/notices/USN-6611-1]
CVE-2023-51766
CVE-2023-51774 on Ubuntu 26.04 LTS (resolute) - medium
The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-29 01:42:00 UTC
https://github.com/nov/json-jwt/issues/113
CVE-2023-51774
CVE-2023-51775 on Ubuntu 26.04 LTS (resolute) - medium
The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-29 01:42:00 UTC
https://bitbucket.org/b_c/jose4j/issues/212
CVE-2023-51775
CVE-2023-51847 on Ubuntu 26.04 LTS (resolute) - medium
An issue in obgm and Libcoap v.a3ed466 allows a remote attacker to cause a denial of service via the coap_context_t function in the src/coap_threadsafe.c:297:3 component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-06 22:15:00 UTC
CVE-2023-51847
CVE-2023-5189 on Ubuntu 26.04 LTS (resolute) - medium
A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-14 23:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2234387
CVE-2023-5189
CVE-2023-5215 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libnbd. A server can reply with a block size larger than 2^63 (the NBD spec states the size is a 64-bit unsigned value). This issue could lead to an application crash or other unintended behavior for NBD clients that don't treat the return value of the nbd_get_size() function correctly.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-09-28 14:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2241041
CVE-2023-5215
CVE-2023-52160 on Ubuntu 26.04 LTS (resolute) - medium
The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-22 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064061
CVE-2023-52160
CVE-2023-52356 on Ubuntu 26.04 LTS (resolute) - medium
A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.
Update Instructions:
Run `sudo pro fix CVE-2023-52356` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtiff-opengl - 4.5.1+git230720-4ubuntu1
libtiff-tools - 4.5.1+git230720-4ubuntu1
libtiff6 - 4.5.1+git230720-4ubuntu1
libtiffxx6 - 4.5.1+git230720-4ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-25 20:15:00 UTC
2024-01-25 20:15:00 UTC
https://gitlab.com/libtiff/libtiff/-/issues/622
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061524
https://bugzilla.redhat.com/show_bug.cgi?id=2251344
[https://ubuntu.com/security/notices/USN-6644-1]
[https://ubuntu.com/security/notices/USN-6644-2]
CVE-2023-52356
CVE-2023-52389 on Ubuntu 26.04 LTS (resolute) - medium
UTF32Encoding.cpp in POCO has a Poco::UTF32Encoding integer overflow and resultant stack buffer overflow because Poco::UTF32Encoding::convert() and Poco::UTF32::queryConvert() may return a negative integer if a UTF-32 byte sequence evaluates to a value of 0x80000000 or higher. This is fixed in 1.11.8p2, 1.12.5p2, and 1.13.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-27 03:15:00 UTC
CVE-2023-52389
CVE-2023-52424 on Ubuntu 26.04 LTS (resolute) - medium
The IEEE 802.11 standard sometimes enables an adversary to trick a victim into connecting to an unintended or untrusted network with Home WEP, Home WPA3 SAE-loop, Enterprise 802.1X/EAP, Mesh AMPE, or FILS, aka an "SSID Confusion" issue. This occurs because the SSID is not always used to derive the pairwise master key or session keys, and because there is not a protected exchange of an SSID during a 4-way handshake.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-17 21:15:00 UTC
CVE-2023-52424
CVE-2023-52425 on Ubuntu 26.04 LTS (resolute) - medium
libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.
Update Instructions:
Run `sudo pro fix CVE-2023-52425` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.6.0-1
libexpat1 - 2.6.0-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-04 20:15:00 UTC
2024-02-04 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063238
[https://ubuntu.com/security/notices/USN-6694-1]
CVE-2023-52425
CVE-2023-52426 on Ubuntu 26.04 LTS (resolute) - medium
libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.
Update Instructions:
Run `sudo pro fix CVE-2023-52426` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.6.0-1
libexpat1 - 2.6.0-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-04 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063240
CVE-2023-52426
CVE-2023-52879 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
tracing: Have trace_event_file have ref counters
The following can crash the kernel:
 # cd /sys/kernel/tracing
 # echo 'p:sched schedule' > kprobe_events
 # exec 5>>events/kprobes/sched/enable
 # > kprobe_events
 # exec 5>&-
The above commands:
 1. Change directory to the tracefs directory
 2. Create a kprobe event (doesn't matter what one)
 3. Open bash file descriptor 5 on the enable file of the kprobe event
 4. Delete the kprobe event (removes the files too)
 5. Close the bash file descriptor 5
The above causes a crash!
 BUG: kernel NULL pointer dereference, address: 0000000000000028
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: 0000 [#1] PREEMPT SMP PTI
 CPU: 6 PID: 877 Comm: bash Not tainted 6.5.0-rc4-test-00008-g2c6b6b1029d4-dirty #186
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
 RIP: 0010:tracing_release_file_tr+0xc/0x50
What happens here is that the kprobe event creates a trace_event_file "file" descriptor that represents the file in tracefs to the event. It maintains state of the event (is it enabled for the given instance?). Opening the "enable" file gets a reference to the event "file" descriptor via the open file descriptor. When the kprobe event is deleted, the file is also deleted from the tracefs system which also frees the event "file" descriptor.
But as the tracefs file is still opened by user space, it will not be totally removed until the final dput() is called on it. But this is not true with the event "file" descriptor that is already freed. If the user does a write to or simply closes the file descriptor it will reference the event "file" descriptor that was just freed, causing a use-after-free bug.
To solve this, add a ref count to the event "file" descriptor as well as a new flag called "FREED". The "file" will not be freed until the last reference is released. But the FREE flag will be set when the event is removed to prevent any more modifications to that event from happening, even if there's still a reference to the event "file" descriptor.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-21 16:15:00 UTC
CVE-2023-52879
CVE-2023-53041 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Perform lockless command completion in abort path
While adding and removing the controller, the following call trace was observed:
WARNING: CPU: 3 PID: 623596 at kernel/dma/mapping.c:532 dma_free_attrs+0x33/0x50
CPU: 3 PID: 623596 Comm: sh Kdump: loaded Not tainted 5.14.0-96.el9.x86_64 #1
RIP: 0010:dma_free_attrs+0x33/0x50
Call Trace:
 qla2x00_async_sns_sp_done+0x107/0x1b0 [qla2xxx]
 qla2x00_abort_srb+0x8e/0x250 [qla2xxx]
 ? ql_dbg+0x70/0x100 [qla2xxx]
 __qla2x00_abort_all_cmds+0x108/0x190 [qla2xxx]
 qla2x00_abort_all_cmds+0x24/0x70 [qla2xxx]
 qla2x00_abort_isp_cleanup+0x305/0x3e0 [qla2xxx]
 qla2x00_remove_one+0x364/0x400 [qla2xxx]
 pci_device_remove+0x36/0xa0
 __device_release_driver+0x17a/0x230
 device_release_driver+0x24/0x30
 pci_stop_bus_device+0x68/0x90
 pci_stop_and_remove_bus_device_locked+0x16/0x30
 remove_store+0x75/0x90
 kernfs_fop_write_iter+0x11c/0x1b0
 new_sync_write+0x11f/0x1b0
 vfs_write+0x1eb/0x280
 ksys_write+0x5f/0xe0
 do_syscall_64+0x5c/0x80
 ? do_user_addr_fault+0x1d8/0x680
 ? do_syscall_64+0x69/0x80
 ? exc_page_fault+0x62/0x140
 ? asm_exc_page_fault+0x8/0x30
 entry_SYSCALL_64_after_hwframe+0x44/0xae
The command was completed in the abort path during driver unload with a lock held, causing the warning in abort path. Hence complete the command without any lock held.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-02 16:15:00 UTC
2025-05-02 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-8163-1]
[https://ubuntu.com/security/notices/USN-8163-2]
CVE-2023-53041
CVE-2023-5363 on Ubuntu 26.04 LTS (resolute) - medium
Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers.
Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes.
When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.
For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse.
Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical.
Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall.
The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary.
OpenSSL 3.1 and 3.0 are vulnerable to this issue.
Update Instructions:
Run `sudo pro fix CVE-2023-5363` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.10-1ubuntu2.1
openssl - 3.0.10-1ubuntu2.1
openssl-provider-legacy - 3.0.10-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-24
2023-10-24
Tony Battersby
[https://ubuntu.com/security/notices/USN-6450-1]
CVE-2023-5363
CVE-2023-53642 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
x86: fix clear_user_rep_good() exception handling annotation
This code no longer exists in mainline, because it was removed in commit d2c95f9d6802 ("x86: don't use REP_GOOD or ERMS for user memory clearing") upstream.
However, rather than backport the full range of x86 memory clearing and copying cleanups, fix the exception table annotation placement for the final 'rep movsb' in clear_user_rep_good(): rather than pointing at the actual instruction that did the user space access, it pointed to the register move just before it.
That made sense from a code flow standpoint, but not from an actual usage standpoint: it means that if user access takes an exception, the exception handler won't actually find the instruction in the exception tables.
As a result, rather than fixing it up and returning -EFAULT, it would then turn it into a kernel oops report instead, something like:
 BUG: unable to handle page fault for address: 0000000020081000
 #PF: supervisor write access in kernel mode
 #PF: error_code(0x0002) - not-present page
 ...
 RIP: 0010:clear_user_rep_good+0x1c/0x30 arch/x86/lib/clear_page_64.S:147
 ...
 Call Trace:
  __clear_user arch/x86/include/asm/uaccess_64.h:103 [inline]
  clear_user arch/x86/include/asm/uaccess_64.h:124 [inline]
  iov_iter_zero+0x709/0x1290 lib/iov_iter.c:800
  iomap_dio_hole_iter fs/iomap/direct-io.c:389 [inline]
  iomap_dio_iter fs/iomap/direct-io.c:440 [inline]
  __iomap_dio_rw+0xe3d/0x1cd0 fs/iomap/direct-io.c:601
  iomap_dio_rw+0x40/0xa0 fs/iomap/direct-io.c:689
  ext4_dio_read_iter fs/ext4/file.c:94 [inline]
  ext4_file_read_iter+0x4be/0x690 fs/ext4/file.c:145
  call_read_iter include/linux/fs.h:2183 [inline]
  do_iter_readv_writev+0x2e0/0x3b0 fs/read_write.c:733
  do_iter_read+0x2f2/0x750 fs/read_write.c:796
  vfs_readv+0xe5/0x150 fs/read_write.c:916
  do_preadv+0x1b6/0x270 fs/read_write.c:1008
  __do_sys_preadv2 fs/read_write.c:1070 [inline]
  __se_sys_preadv2 fs/read_write.c:1061 [inline]
  __x64_sys_preadv2+0xef/0x150 fs/read_write.c:1061
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
which then looks like a filesystem bug rather than the incorrect exception annotation that it is.
[ The alternative to this one-liner fix is to take the upstream series that cleans this all up:
    68674f94ffc9 ("x86: don't use REP_GOOD or ERMS for small memory copies")
    20f3337d350c ("x86: don't use REP_GOOD or ERMS for small memory clearing")
    adfcf4231b8c ("x86: don't use REP_GOOD or ERMS for user memory copies")
  * d2c95f9d6802 ("x86: don't use REP_GOOD or ERMS for user memory clearing")
    3639a535587d ("x86: move stac/clac from user copy routines into callers")
    577e6a7fd50d ("x86: inline the 'rep movs' in user copies for the FSRM case")
    8c9b6a88b7e2 ("x86: improve on the non-rep 'clear_user' function")
    427fda2c8a49 ("x86: improve on the non-rep 'copy_user' function")
  * e046fe5a36a9 ("x86: set FSRS automatically on AMD CPUs that have FSRM")
    e1f2750edc4a ("x86: remove 'zerorest' argument from __copy_user_nocache()")
    034ff37d3407 ("x86: rewrite '__copy_user_nocache' function")
  with either the whole series or at a minimum the two marked commits being needed to fix this issue ]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-07 16:15:00 UTC
CVE-2023-53642
CVE-2023-5366 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses.
Update Instructions:
Run `sudo pro fix CVE-2023-5366` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openvswitch-common - 3.3.0~git20240118.e802fe7-3ubuntu1
openvswitch-ipsec - 3.3.0~git20240118.e802fe7-3ubuntu1
openvswitch-pki - 3.3.0~git20240118.e802fe7-3ubuntu1
openvswitch-source - 3.3.0~git20240118.e802fe7-3ubuntu1
openvswitch-switch - 3.3.0~git20240118.e802fe7-3ubuntu1
openvswitch-switch-dpdk - 3.3.0~git20240118.e802fe7-3ubuntu1
openvswitch-test - 3.3.0~git20240118.e802fe7-3ubuntu1
openvswitch-testcontroller - 3.3.0~git20240118.e802fe7-3ubuntu1
openvswitch-vtep - 3.3.0~git20240118.e802fe7-3ubuntu1
python3-openvswitch - 3.3.0~git20240118.e802fe7-3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-06 18:15:00 UTC
2023-10-06 18:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2006347
https://bugzilla.redhat.com/show_bug.cgi?id=2005408 (private)
[https://ubuntu.com/security/notices/USN-6514-1]
[https://ubuntu.com/security/notices/USN-6690-1]
CVE-2023-5366
CVE-2023-5367 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service.
Update Instructions:
Run `sudo pro fix CVE-2023-5367` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.7-3ubuntu2.1
xorg-server-source - 2:21.1.7-3ubuntu2.1
xserver-common - 2:21.1.7-3ubuntu2.1
xserver-xephyr - 2:21.1.7-3ubuntu2.1
xserver-xorg-core - 2:21.1.7-3ubuntu2.1
xserver-xorg-legacy - 2:21.1.7-3ubuntu2.1
xvfb - 2:21.1.7-3ubuntu2.1
No subscription required
xwayland - 2:23.2.0-1ubuntu0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-25 00:00:00 UTC
2023-10-25 00:00:00 UTC
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
[https://ubuntu.com/security/notices/USN-6453-1]
[https://ubuntu.com/security/notices/USN-6453-2]
CVE-2023-5367
CVE-2023-5379 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue could allow a malicious user to repeatedly send requests that exceed the max-header-size, causing a Denial of Service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-12 22:15:00 UTC
CVE-2023-5379
CVE-2023-5380 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed followed by another window being destroyed.
Update Instructions:
Run `sudo pro fix CVE-2023-5380` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.7-3ubuntu2.1
xorg-server-source - 2:21.1.7-3ubuntu2.1
xserver-common - 2:21.1.7-3ubuntu2.1
xserver-xephyr - 2:21.1.7-3ubuntu2.1
xserver-xorg-core - 2:21.1.7-3ubuntu2.1
xserver-xorg-legacy - 2:21.1.7-3ubuntu2.1
xvfb - 2:21.1.7-3ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-25 00:00:00 UTC
2023-10-25 00:00:00 UTC
Sri working with Trend Micro Zero Day Initiative
[https://ubuntu.com/security/notices/USN-6453-1]
[https://ubuntu.com/security/notices/USN-6453-2]
CVE-2023-5380
CVE-2023-53900 on Ubuntu 26.04 LTS (resolute) - medium
Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through improper file upload filtering.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-16 18:16:00 UTC
CVE-2023-53900
CVE-2023-53959 on Ubuntu 26.04 LTS (resolute) - medium
FileZilla Client 3.63.1 contains a DLL hijacking vulnerability that allows attackers to execute malicious code by placing a crafted TextShaping.dll in the application directory. Attackers can generate a reverse shell payload using msfvenom and replace the missing DLL to achieve remote code execution when the application launches.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-19 21:15:00 UTC
CVE-2023-53959
CVE-2023-54105 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
can: isotp: check CAN address family in isotp_bind()
Add missing check to block non-AF_CAN binds.
Syzbot created some code which matched the right sockaddr struct size but used AF_XDP (0x2C) instead of AF_CAN (0x1D) in the address family field:
bind$xdp(r2, &(0x7f0000000540)={0x2c, 0x0, r4, 0x0, r2}, 0x10)
                                ^^^^
This has no functional impact but the userspace should be notified about the wrong address family field content.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-24 13:16:00 UTC
CVE-2023-54105
CVE-2023-54187 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix potential corruption when moving a directory
F2FS has the same issue in ext4_rename causing crash revealed by xfstests/generic/707.
See also commit 0813299c586b ("ext4: Fix possible corruption when moving a directory")
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-30 13:16:00 UTC
CVE-2023-54187
CVE-2023-54190 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
leds: led-core: Fix refcount leak in of_led_get()
class_find_device_by_of_node() calls class_find_device(), it will take the reference, use the put_device() to drop the reference when not need anymore.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-30 13:16:00 UTC
CVE-2023-54190
CVE-2023-5421 on Ubuntu 26.04 LTS (resolute) - low
An attacker who is logged into OTRS as a user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediately after the data is saved. The issue only occurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-10-16 09:15:00 UTC
CVE-2023-5421
CVE-2023-5422 on Ubuntu 26.04 LTS (resolute) - medium
The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication. As the SSL_get_verify_result() function is not used, the certificate is always trusted and it cannot be ensured that the certificate satisfies all necessary security requirements. This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-10-16 09:15:00 UTC
CVE-2023-5422
CVE-2023-54324 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
dm: fix a race condition in retrieve_deps
There's a race condition in the multipath target when retrieve_deps races with multipath_message calling dm_get_device and dm_put_device. retrieve_deps walks the list of open devices without holding any lock but multipath may add or remove devices to the list while it is running. The end result may be memory corruption or use-after-free memory access.
See this description of a UAF with multipath_message(): https://listman.redhat.com/archives/dm-devel/2022-October/052373.html
Fix this bug by introducing a new rw semaphore "devices_lock". We grab devices_lock for read in retrieve_deps and we grab it for write in dm_get_device and dm_put_device.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-30 13:16:00 UTC
CVE-2023-54324
CVE-2023-54342 on Ubuntu 26.04 LTS (resolute) - medium
Eclipse Equinox OSGi versions 3.8 through 3.18 contain a remote code execution vulnerability in the console interface that allows unauthenticated attackers to execute arbitrary code by exploiting the fork command functionality. Attackers can establish a telnet connection to the OSGi console, perform a telnet handshake, and send fork commands to download and execute malicious Java code, establishing a reverse shell connection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 12:16:00 UTC
CVE-2023-54342
CVE-2023-54344 on Ubuntu 26.04 LTS (resolute) - medium
Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the console interface. Attackers can connect to the OSGi console port and send base64-encoded bash commands wrapped in fork directives to achieve code execution and establish reverse shell connections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 12:16:00 UTC
CVE-2023-54344
CVE-2023-5455 on Ubuntu 26.04 LTS (resolute) - medium
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-10 13:15:00 UTC
CVE-2023-5455
CVE-2023-5574 on Ubuntu 26.04 LTS (resolute) - low
A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue occurs in Xvfb with a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode). If the pointer is warped from a screen 1 to a screen 0, a use-after-free issue may be triggered during shutdown or reset of the Xvfb server, allowing for possible escalation of privileges or denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-10-25 00:00:00 UTC
Sri working with Trend Micro Zero Day Initiative
CVE-2023-5574
CVE-2023-5616 on Ubuntu 26.04 LTS (resolute) - medium
In Ubuntu, gnome-control-center did not properly reflect SSH remote login status when the system was configured to use systemd socket activation for openssh-server. This could unknowingly leave the local machine exposed to remote SSH access contrary to expectation of the user.
Update Instructions:
Run `sudo pro fix CVE-2023-5616` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnome-control-center - 1:45.0-1ubuntu4
gnome-control-center-data - 1:45.0-1ubuntu4
gnome-control-center-faces - 1:45.0-1ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-13 00:00:00 UTC
2023-12-13 00:00:00 UTC
Zygmunt Krynicki
https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/2039577
[https://ubuntu.com/security/notices/USN-6554-1]
CVE-2023-5616
CVE-2023-5678 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow.
Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.
While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters.
Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q.
An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.
DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().
Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application.
The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2023-5678` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.10-1ubuntu4
openssl - 3.0.10-1ubuntu4
openssl-provider-legacy - 3.0.10-1ubuntu4
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-11-06 16:15:00 UTC
2023-11-06 16:15:00 UTC
David Benjamin
[https://ubuntu.com/security/notices/USN-6622-1]
[https://ubuntu.com/security/notices/USN-6632-1]
[https://ubuntu.com/security/notices/USN-6709-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2023-5678
CVE-2023-5685 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-22 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065847
CVE-2023-5685
CVE-2023-5686 on Ubuntu 26.04 LTS (resolute) - low
Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-10-20 17:15:00 UTC
CVE-2023-5686
CVE-2023-5764 on Ubuntu 26.04 LTS (resolute) - medium
A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-12 22:15:00 UTC
2023-12-12 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057427
[https://ubuntu.com/security/notices/USN-6846-1]
CVE-2023-5764
CVE-2023-5824 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Squid. The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response header beyond the configured maximum size, causing a stall or crash of the worker process when a large header is retrieved from the disk cache, resulting in a denial of service.
Update Instructions:
Run `sudo pro fix CVE-2023-5824` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
squid - 6.5-1ubuntu1
squid-cgi - 6.5-1ubuntu1
squid-common - 6.5-1ubuntu1
squid-openssl - 6.5-1ubuntu1
squid-purge - 6.5-1ubuntu1
squidclient - 6.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-03 08:15:00 UTC
2023-11-03 08:15:00 UTC
elisehdy
Joshua Rogers of Opera Software and by The Measurement Factory
https://bugs.launchpad.net/ubuntu/+source/squid/+bug/2041837
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054537
https://bugs.launchpad.net/ubuntu/+source/squid/+bug/2060880 (regression)
[https://ubuntu.com/security/notices/USN-6728-1]
[https://ubuntu.com/security/notices/USN-6728-2]
[https://ubuntu.com/security/notices/USN-6728-3]
CVE-2023-5824
CVE-2023-6129 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions.
Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences.
The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions.
The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service.
The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue.
Update Instructions:
Run `sudo pro fix CVE-2023-6129` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.10-1ubuntu4
openssl - 3.0.10-1ubuntu4
openssl-provider-legacy - 3.0.10-1ubuntu4
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-01-09 17:15:00 UTC
2024-01-09 17:15:00 UTC
Sverker Eriksson
[https://ubuntu.com/security/notices/USN-6622-1]
CVE-2023-6129
CVE-2023-6228 on Ubuntu 26.04 LTS (resolute) - low
An issue was found in the tiffcp utility distributed by the libtiff package where a crafted TIFF file on processing may cause a heap-based buffer overflow, leading to an application crash.
Update Instructions:
Run `sudo pro fix CVE-2023-6228` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtiff-opengl - 4.5.1+git230720-4ubuntu1
libtiff-tools - 4.5.1+git230720-4ubuntu1
libtiff6 - 4.5.1+git230720-4ubuntu1
libtiffxx6 - 4.5.1+git230720-4ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-12-18 14:15:00 UTC
2023-12-18 14:15:00 UTC
https://gitlab.com/libtiff/libtiff/-/issues/606
[https://ubuntu.com/security/notices/USN-6644-1]
[https://ubuntu.com/security/notices/USN-6644-2]
CVE-2023-6228
CVE-2023-6237 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: Checking excessively long invalid RSA public keys may take a long time. Impact summary: Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may lead to a Denial of Service. When function EVP_PKEY_public_check() is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is an overly large prime, then this computation would take a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function EVP_PKEY_public_check() is not called from other OpenSSL functions however it is called from the OpenSSL pkey command line application. For that reason that application is also vulnerable if used with the '-pubin' and '-check' options on untrusted data. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2023-6237` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.10-1ubuntu4
openssl - 3.0.10-1ubuntu4
openssl-provider-legacy - 3.0.10-1ubuntu4
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-01-15
2024-01-15
[https://ubuntu.com/security/notices/USN-6622-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2023-6237
CVE-2023-6238 on Ubuntu 26.04 LTS (resolute) - low
A buffer overflow vulnerability was found in the NVM Express (NVMe) driver in the Linux kernel. Only a privileged user could specify a small meta buffer and let the device perform larger Direct Memory Access (DMA) into the same buffer, overwriting unrelated kernel memory, causing random kernel crashes and memory corruption.
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-11-21 21:15:00 UTC
Vincent Fu
https://bugzilla.redhat.com/show_bug.cgi?id=2250834
https://bugzilla.suse.com/show_bug.cgi?id=1217384
CVE-2023-6238
CVE-2023-6240 on Ubuntu 26.04 LTS (resolute) - medium
A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-04 14:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2250843
https://bugzilla.suse.com/show_bug.cgi?id=1219556
CVE-2023-6240
CVE-2023-6298 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic was found in Apryse iText 8.0.2. This vulnerability affects the function main of the file PdfDocument.java. The manipulation leads to improper validation of array index. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier of this vulnerability is VDB-246124. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. A statement published afterwards explains that the exception is not a vulnerability and the identified CWEs might not apply to the software.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-26 23:15:00 UTC
CVE-2023-6298
CVE-2023-6299 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, has been found in Apryse iText 8.0.1. This issue affects some unknown processing of the file PdfDocument.java of the component Reference Table Handler. The manipulation leads to memory leak. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 8.0.2 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-246125 was assigned to this vulnerability. NOTE: The vendor was contacted early about this vulnerability. The fix was introduced in the iText 8.0.2 release on October 25th 2023, prior to the disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-11-26 23:15:00 UTC
CVE-2023-6299
CVE-2023-6377 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in xorg-server. Querying or changing XKB button actions such as moving from a touchpad to a mouse can result in out-of-bounds memory reads and writes. This may allow local privilege escalation or possible remote code execution in cases where X11 forwarding is involved.
Update Instructions:
Run `sudo pro fix CVE-2023-6377` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.10-1ubuntu1
xorg-server-source - 2:21.1.10-1ubuntu1
xserver-common - 2:21.1.10-1ubuntu1
xserver-xephyr - 2:21.1.10-1ubuntu1
xserver-xorg-core - 2:21.1.10-1ubuntu1
xserver-xorg-legacy - 2:21.1.10-1ubuntu1
xvfb - 2:21.1.10-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-13 00:00:00 UTC
2023-12-13 00:00:00 UTC
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
[https://ubuntu.com/security/notices/USN-6555-1]
[https://ubuntu.com/security/notices/USN-6555-2]
CVE-2023-6377
CVE-2023-6478 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in xorg-server. A specially crafted request to RRChangeProviderProperty or RRChangeOutputProperty can trigger an integer overflow which may lead to a disclosure of sensitive information.
Update Instructions:
Run `sudo pro fix CVE-2023-6478` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.10-1ubuntu1
xorg-server-source - 2:21.1.10-1ubuntu1
xserver-common - 2:21.1.10-1ubuntu1
xserver-xephyr - 2:21.1.10-1ubuntu1
xserver-xorg-core - 2:21.1.10-1ubuntu1
xserver-xorg-legacy - 2:21.1.10-1ubuntu1
xvfb - 2:21.1.10-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-13 00:00:00 UTC
2023-12-13 00:00:00 UTC
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
[https://ubuntu.com/security/notices/USN-6555-1]
[https://ubuntu.com/security/notices/USN-6555-2]
[https://ubuntu.com/security/notices/USN-6587-5]
CVE-2023-6478
CVE-2023-6601 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-06 17:15:00 UTC
CVE-2023-6601
CVE-2023-6602 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in FFmpeg's TTY Demuxer. This vulnerability allows possible data exfiltration via improper parsing of non-TTY-compliant input files in HLS playlists.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-31 15:15:00 UTC
CVE-2023-6602
CVE-2023-6603 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in FFmpeg's HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-31 15:15:00 UTC
2024-12-31 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-7830-1]
[https://ubuntu.com/security/notices/USN-7890-1]
CVE-2023-6603
CVE-2023-6604 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-06 17:15:00 UTC
CVE-2023-6604
CVE-2023-6605 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-06 17:15:00 UTC
2025-01-06 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-7830-1]
CVE-2023-6605
CVE-2023-6681 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a denial of service attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-12 14:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2260843
CVE-2023-6681
CVE-2023-6816 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.
Update Instructions:
Run `sudo pro fix CVE-2023-6816` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.11-1ubuntu1
xorg-server-source - 2:21.1.11-1ubuntu1
xserver-common - 2:21.1.11-1ubuntu1
xserver-xephyr - 2:21.1.11-1ubuntu1
xserver-xorg-core - 2:21.1.11-1ubuntu1
xserver-xorg-legacy - 2:21.1.11-1ubuntu1
xvfb - 2:21.1.11-1ubuntu1
No subscription required
xwayland - 2:23.2.4-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-16 00:00:00 UTC
2024-01-16 00:00:00 UTC
Jan-Niklas Sohn
[https://ubuntu.com/security/notices/USN-6587-1]
[https://ubuntu.com/security/notices/USN-6587-2]
[https://ubuntu.com/security/notices/USN-6587-5]
CVE-2023-6816
CVE-2023-6917 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been identified in the Performance Co-Pilot (PCP) package, stemming from the mixed privilege levels utilized by systemd services associated with PCP. While certain services operate within the confines of limited PCP user/group privileges, others are granted full root privileges. This disparity in privilege levels poses a risk when privileged root processes interact with directories or directory trees owned by unprivileged PCP users. Specifically, this vulnerability may lead to the compromise of PCP user isolation and facilitate local PCP-to-root exploits, particularly through symlink attacks. These vulnerabilities underscore the importance of maintaining robust privilege separation mechanisms within PCP to mitigate the potential for unauthorized privilege escalation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-28 15:15:00 UTC
CVE-2023-6917
CVE-2023-7008 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.
Update Instructions:
Run `sudo pro fix CVE-2023-7008` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnss-myhostname - 255.2-3ubuntu1
libnss-mymachines - 255.2-3ubuntu1
libnss-resolve - 255.2-3ubuntu1
libnss-systemd - 255.2-3ubuntu1
libpam-systemd - 255.2-3ubuntu1
libsystemd-shared - 255.2-3ubuntu1
libsystemd0 - 255.2-3ubuntu1
libudev1 - 255.2-3ubuntu1
systemd - 255.2-3ubuntu1
systemd-boot - 255.2-3ubuntu1
systemd-boot-efi - 255.2-3ubuntu1
systemd-boot-tools - 255.2-3ubuntu1
systemd-container - 255.2-3ubuntu1
systemd-coredump - 255.2-3ubuntu1
systemd-cryptsetup - 255.2-3ubuntu1
systemd-homed - 255.2-3ubuntu1
systemd-journal-remote - 255.2-3ubuntu1
systemd-oomd - 255.2-3ubuntu1
systemd-repart - 255.2-3ubuntu1
systemd-resolved - 255.2-3ubuntu1
systemd-standalone-shutdown - 255.2-3ubuntu1
systemd-standalone-sysusers - 255.2-3ubuntu1
systemd-standalone-tmpfiles - 255.2-3ubuntu1
systemd-sysv - 255.2-3ubuntu1
systemd-tests - 255.2-3ubuntu1
systemd-timesyncd - 255.2-3ubuntu1
systemd-ukify - 255.2-3ubuntu1
systemd-userdbd - 255.2-3ubuntu1
udev - 255.2-3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2023 Canonical Ltd.
2023-12-23 13:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2222672
https://github.com/systemd/systemd/issues/15158 (older)
https://github.com/systemd/systemd/issues/25676 (newer)
CVE-2023-7008
CVE-2023-7152 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-29 05:15:00 UTC
CVE-2023-7152
CVE-2023-7158 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in MicroPython up to 1.21.0. It has been classified as critical. Affected is the function slice_indices of the file objslice.c. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.22.0 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-249180.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2023 Canonical Ltd.
2023-12-29 07:15:00 UTC
CVE-2023-7158
CVE-2023-7216 on Ubuntu 26.04 LTS (resolute) - medium
A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which allows files to be written in arbitrary directories through symlinks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-05 15:15:00 UTC
CVE-2023-7216
CVE-2024-0072 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA toolkit for all platforms contains a vulnerability in cuobjdump and nvdisasm where an attacker may cause a crash by tricking a user into reading a malformed ELF file. A successful exploit of this vulnerability may lead to a partial denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-05 18:15:00 UTC
CVE-2024-0072
CVE-2024-0076 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA toolkit for all platforms contains a vulnerability in cuobjdump and nvdisasm where an attacker may cause a crash by tricking a user into reading a malformed ELF file. A successful exploit of this vulnerability may lead to a partial denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-05 18:15:00 UTC
CVE-2024-0076
CVE-2024-0090 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA GPU driver for Windows and Linux contains a vulnerability where a user can cause an out-of-bounds write. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
Update Instructions:
Run `sudo pro fix CVE-2024-0090` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnvidia-cfg1-535-server - 535.183.01-0ubuntu5
libnvidia-common-535-server - 535.183.01-0ubuntu5
libnvidia-compute-535-server - 535.183.01-0ubuntu5
libnvidia-decode-535-server - 535.183.01-0ubuntu5
libnvidia-encode-535-server - 535.183.01-0ubuntu5
libnvidia-extra-535-server - 535.183.01-0ubuntu5
libnvidia-fbc1-535-server - 535.183.01-0ubuntu5
libnvidia-gl-535-server - 535.183.01-0ubuntu5
nvidia-compute-utils-535-server - 535.183.01-0ubuntu5
nvidia-dkms-535-server - 535.183.01-0ubuntu5
nvidia-dkms-535-server-open - 535.183.01-0ubuntu5
nvidia-driver-535-server - 535.183.01-0ubuntu5
nvidia-driver-535-server-open - 535.183.01-0ubuntu5
nvidia-headless-535-server - 535.183.01-0ubuntu5
nvidia-headless-535-server-open - 535.183.01-0ubuntu5
nvidia-headless-no-dkms-535-server - 535.183.01-0ubuntu5
nvidia-headless-no-dkms-535-server-open - 535.183.01-0ubuntu5
nvidia-kernel-common-535-server - 535.183.01-0ubuntu5
nvidia-kernel-source-535-server - 535.183.01-0ubuntu5
nvidia-kernel-source-535-server-open - 535.183.01-0ubuntu5
nvidia-utils-535-server - 535.183.01-0ubuntu5
xserver-xorg-video-nvidia-535-server - 535.183.01-0ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-13 22:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-535-server/+bug/2066367
https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-470/+bug/2067598
CVE-2024-0090
CVE-2024-0091 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability where a user can cause an untrusted pointer dereference by executing a driver API. A successful exploit of this vulnerability might lead to denial of service, information disclosure, and data tampering.
Update Instructions:
Run `sudo pro fix CVE-2024-0091` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnvidia-cfg1-535-server - 535.183.01-0ubuntu5
libnvidia-common-535-server - 535.183.01-0ubuntu5
libnvidia-compute-535-server - 535.183.01-0ubuntu5
libnvidia-decode-535-server - 535.183.01-0ubuntu5
libnvidia-encode-535-server - 535.183.01-0ubuntu5
libnvidia-extra-535-server - 535.183.01-0ubuntu5
libnvidia-fbc1-535-server - 535.183.01-0ubuntu5
libnvidia-gl-535-server - 535.183.01-0ubuntu5
nvidia-compute-utils-535-server - 535.183.01-0ubuntu5
nvidia-dkms-535-server - 535.183.01-0ubuntu5
nvidia-dkms-535-server-open - 535.183.01-0ubuntu5
nvidia-driver-535-server - 535.183.01-0ubuntu5
nvidia-driver-535-server-open - 535.183.01-0ubuntu5
nvidia-headless-535-server - 535.183.01-0ubuntu5
nvidia-headless-535-server-open - 535.183.01-0ubuntu5
nvidia-headless-no-dkms-535-server - 535.183.01-0ubuntu5
nvidia-headless-no-dkms-535-server-open - 535.183.01-0ubuntu5
nvidia-kernel-common-535-server - 535.183.01-0ubuntu5
nvidia-kernel-source-535-server - 535.183.01-0ubuntu5
nvidia-kernel-source-535-server-open - 535.183.01-0ubuntu5
nvidia-utils-535-server - 535.183.01-0ubuntu5
xserver-xorg-video-nvidia-535-server - 535.183.01-0ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-13 22:15:00 UTC
CVE-2024-0091
CVE-2024-0092 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA GPU Driver for Windows and Linux contains a vulnerability where an improper check or improper handling of exception conditions might lead to denial of service.
Update Instructions:
Run `sudo pro fix CVE-2024-0092` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnvidia-cfg1-535-server - 535.183.01-0ubuntu5
libnvidia-common-535-server - 535.183.01-0ubuntu5
libnvidia-compute-535-server - 535.183.01-0ubuntu5
libnvidia-decode-535-server - 535.183.01-0ubuntu5
libnvidia-encode-535-server - 535.183.01-0ubuntu5
libnvidia-extra-535-server - 535.183.01-0ubuntu5
libnvidia-fbc1-535-server - 535.183.01-0ubuntu5
libnvidia-gl-535-server - 535.183.01-0ubuntu5
nvidia-compute-utils-535-server - 535.183.01-0ubuntu5
nvidia-dkms-535-server - 535.183.01-0ubuntu5
nvidia-dkms-535-server-open - 535.183.01-0ubuntu5
nvidia-driver-535-server - 535.183.01-0ubuntu5
nvidia-driver-535-server-open - 535.183.01-0ubuntu5
nvidia-headless-535-server - 535.183.01-0ubuntu5
nvidia-headless-535-server-open - 535.183.01-0ubuntu5
nvidia-headless-no-dkms-535-server - 535.183.01-0ubuntu5
nvidia-headless-no-dkms-535-server-open - 535.183.01-0ubuntu5
nvidia-kernel-common-535-server - 535.183.01-0ubuntu5
nvidia-kernel-source-535-server - 535.183.01-0ubuntu5
nvidia-kernel-source-535-server-open - 535.183.01-0ubuntu5
nvidia-utils-535-server - 535.183.01-0ubuntu5
xserver-xorg-video-nvidia-535-server - 535.183.01-0ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-13 22:15:00 UTC
CVE-2024-0092
CVE-2024-0102 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvdisasm, where an attacker can cause an out-of-bounds read issue by deceiving a user into reading a malformed ELF file. A successful exploit of this vulnerability might lead to denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-08 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076164
CVE-2024-0102
CVE-2024-0109 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit contains a vulnerability in command `cuobjdump` where a user may cause a crash by passing in a malformed ELF file. A successful exploit of this vulnerability may cause an out of bounds read in the unprivileged process memory which could lead to a limited denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-31 09:15:00 UTC
CVE-2024-0109
CVE-2024-0110 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit contains a vulnerability in command `cuobjdump` where a user may cause an out-of-bound write by passing in a malformed ELF file. A successful exploit of this vulnerability may lead to code execution or denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-31 09:15:00 UTC
CVE-2024-0110
CVE-2024-0111 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit contains a vulnerability in command 'cuobjdump' where a user may cause a crash or produce incorrect output by passing a malformed ELF file. A successful exploit of this vulnerability may lead to a limited denial of service or data tampering.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-31 09:15:00 UTC
CVE-2024-0111
CVE-2024-0123 on Ubuntu 26.04 LTS (resolute) - low
NVIDIA CUDA toolkit for Windows and Linux contains a vulnerability in the nvdisasm command line tool where an attacker may cause an improper validation in input issue by tricking the user into running nvdisasm on a malicious ELF file. A successful exploit of this vulnerability may lead to denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-10-03 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084054
CVE-2024-0123
CVE-2024-0124 on Ubuntu 26.04 LTS (resolute) - low
NVIDIA CUDA Toolkit for Windows and Linux contains a vulnerability in the nvdisasm command line tool, where a user can cause nvdisasm to read freed memory by running it on a malformed ELF file. A successful exploit of this vulnerability might lead to a limited denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-10-03 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084054
CVE-2024-0124
CVE-2024-0125 on Ubuntu 26.04 LTS (resolute) - low
NVIDIA CUDA Toolkit for Windows and Linux contains a vulnerability in the nvdisasm command line tool, where a user can cause a NULL pointer dereference by running nvdisasm on a malformed ELF file. A successful exploit of this vulnerability might lead to a limited denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-10-03 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084054
CVE-2024-0125
CVE-2024-0126 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability which could allow a privileged attacker to escalate permissions. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
Update Instructions:
Run `sudo pro fix CVE-2024-0126` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnvidia-cfg1-535-server - 535.216.03-0ubuntu1
libnvidia-common-535-server - 535.216.03-0ubuntu1
libnvidia-compute-535-server - 535.216.03-0ubuntu1
libnvidia-decode-535-server - 535.216.03-0ubuntu1
libnvidia-encode-535-server - 535.216.03-0ubuntu1
libnvidia-extra-535-server - 535.216.03-0ubuntu1
libnvidia-fbc1-535-server - 535.216.03-0ubuntu1
libnvidia-gl-535-server - 535.216.03-0ubuntu1
nvidia-compute-utils-535-server - 535.216.03-0ubuntu1
nvidia-dkms-535-server - 535.216.03-0ubuntu1
nvidia-dkms-535-server-open - 535.216.03-0ubuntu1
nvidia-driver-535-server - 535.216.03-0ubuntu1
nvidia-driver-535-server-open - 535.216.03-0ubuntu1
nvidia-headless-535-server - 535.216.03-0ubuntu1
nvidia-headless-535-server-open - 535.216.03-0ubuntu1
nvidia-headless-no-dkms-535-server - 535.216.03-0ubuntu1
nvidia-headless-no-dkms-535-server-open - 535.216.03-0ubuntu1
nvidia-kernel-common-535-server - 535.216.03-0ubuntu1
nvidia-kernel-source-535-server - 535.216.03-0ubuntu1
nvidia-kernel-source-535-server-open - 535.216.03-0ubuntu1
nvidia-utils-535-server - 535.216.03-0ubuntu1
xserver-xorg-video-nvidia-535-server - 535.216.03-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-26 08:15:00 UTC
CVE-2024-0126
CVE-2024-0131 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA GPU kernel driver for Windows and Linux contains a vulnerability where a potential user-mode attacker could read a buffer with an incorrect length. A successful exploit of this vulnerability might lead to denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-02 01:15:00 UTC
Xiaochen Zou
CVE-2024-0131
CVE-2024-0147 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA GPU display driver for Windows and Linux contains a vulnerability where referencing memory after it has been freed can lead to denial of service or data tampering.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-28 04:15:00 UTC
CVE-2024-0147
CVE-2024-0149 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA GPU Display Driver for Linux contains a vulnerability which could allow an attacker unauthorized access to files. A successful exploit of this vulnerability might lead to limited information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-28 04:15:00 UTC
CVE-2024-0149
CVE-2024-0150 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA GPU display driver for Windows and Linux contains a vulnerability where data is written past the end or before the beginning of a buffer. A successful exploit of this vulnerability might lead to information disclosure, denial of service, or data tampering.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-28 04:15:00 UTC
CVE-2024-0150
CVE-2024-0217 on Ubuntu 26.04 LTS (resolute) - low
A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted. As a result, some memory access could occur on memory regions that were previously freed. Once freed, a memory region can be reused for other allocations and any previously stored data in this memory region is considered lost.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-01-03 17:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2256624
CVE-2024-0217
CVE-2024-0229 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.
Update Instructions:
Run `sudo pro fix CVE-2024-0229` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.11-1ubuntu1
xorg-server-source - 2:21.1.11-1ubuntu1
xserver-common - 2:21.1.11-1ubuntu1
xserver-xephyr - 2:21.1.11-1ubuntu1
xserver-xorg-core - 2:21.1.11-1ubuntu1
xserver-xorg-legacy - 2:21.1.11-1ubuntu1
xvfb - 2:21.1.11-1ubuntu1
No subscription required
xwayland - 2:23.2.4-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-16 00:00:00 UTC
2024-01-16 00:00:00 UTC
Jan-Niklas Sohn
[https://ubuntu.com/security/notices/USN-6587-1]
[https://ubuntu.com/security/notices/USN-6587-2]
[https://ubuntu.com/security/notices/USN-6587-5]
CVE-2024-0229
CVE-2024-0408 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.
Update Instructions:
Run `sudo pro fix CVE-2024-0408` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.11-1ubuntu1
xorg-server-source - 2:21.1.11-1ubuntu1
xserver-common - 2:21.1.11-1ubuntu1
xserver-xephyr - 2:21.1.11-1ubuntu1
xserver-xorg-core - 2:21.1.11-1ubuntu1
xserver-xorg-legacy - 2:21.1.11-1ubuntu1
xvfb - 2:21.1.11-1ubuntu1
No subscription required
xwayland - 2:23.2.4-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-16 00:00:00 UTC
2024-01-16 00:00:00 UTC
Olivier Fourdan and Donn Seeley
[https://ubuntu.com/security/notices/USN-6587-1]
[https://ubuntu.com/security/notices/USN-6587-2]
[https://ubuntu.com/security/notices/USN-6587-5]
CVE-2024-0408
CVE-2024-0409 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.
Update Instructions:
Run `sudo pro fix CVE-2024-0409` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.11-1ubuntu1
xorg-server-source - 2:21.1.11-1ubuntu1
xserver-common - 2:21.1.11-1ubuntu1
xserver-xephyr - 2:21.1.11-1ubuntu1
xserver-xorg-core - 2:21.1.11-1ubuntu1
xserver-xorg-legacy - 2:21.1.11-1ubuntu1
xvfb - 2:21.1.11-1ubuntu1
No subscription required
xwayland - 2:23.2.4-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-16 00:00:00 UTC
2024-01-16 00:00:00 UTC
Olivier Fourdan
[https://ubuntu.com/security/notices/USN-6587-1]
[https://ubuntu.com/security/notices/USN-6587-2]
CVE-2024-0409
CVE-2024-0553 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.
Update Instructions:
Run `sudo pro fix CVE-2024-0553` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.3-1ubuntu1
libgnutls-dane0t64 - 3.8.3-1ubuntu1
libgnutls-openssl27t64 - 3.8.3-1ubuntu1
libgnutls30t64 - 3.8.3-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-16 12:15:00 UTC
2024-01-16 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061046
https://gitlab.com/gnutls/gnutls/-/issues/1522
https://bugzilla.redhat.com/show_bug.cgi?id=2258412
[https://ubuntu.com/security/notices/USN-6593-1]
CVE-2024-0553
CVE-2024-0564 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is "max page sharing=256", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's "max page share". Through these operations, the attacker can leak the victim's page.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-01-30 15:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2258514
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680513
https://bugzilla.suse.com/show_bug.cgi?id=1219054
CVE-2024-0564
CVE-2024-0690 on Ubuntu 26.04 LTS (resolute) - medium
An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-06 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061156
https://bugzilla.redhat.com/show_bug.cgi?id=2259013
CVE-2024-0690
CVE-2024-0727 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack. Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-0727` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.0.10-1ubuntu4
openssl - 3.0.10-1ubuntu4
openssl-provider-legacy - 3.0.10-1ubuntu4
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-01-26 09:15:00 UTC
2024-01-26 09:15:00 UTC
Bahaa Naamneh
[https://ubuntu.com/security/notices/USN-6622-1]
[https://ubuntu.com/security/notices/USN-6632-1]
[https://ubuntu.com/security/notices/USN-6709-1]
[https://ubuntu.com/security/notices/USN-7018-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2024-0727
CVE-2024-0760 on Ubuntu 26.04 LTS (resolute) - medium
A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1.
Update Instructions:
Run `sudo pro fix CVE-2024-0760` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.18.28-0ubuntu1
bind9-dnsutils - 1:9.18.28-0ubuntu1
bind9-host - 1:9.18.28-0ubuntu1
bind9-libs - 1:9.18.28-0ubuntu1
bind9-utils - 1:9.18.28-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-23
2024-07-23
[https://ubuntu.com/security/notices/USN-6909-1]
CVE-2024-0760
CVE-2024-0901 on Ubuntu 26.04 LTS (resolute) - medium
Remotely executed SEGV and out of bounds read allows malicious packet sender to crash or cause an out of bounds read via sending a malformed packet with the correct length.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-25 23:15:00 UTC
https://github.com/wolfSSL/wolfssl/issues/7089
CVE-2024-0901
CVE-2024-0914 on Ubuntu 26.04 LTS (resolute) - medium
A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-31 05:15:00 UTC
CVE-2024-0914
CVE-2024-0962 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in obgm libcoap 4.3.4. It has been rated as critical. Affected by this issue is the function get_split_entry of the file src/coap_oscore.c of the component Configuration File Handler. The manipulation leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. VDB-252206 is the identifier assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-27 13:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061704
CVE-2024-0962
CVE-2024-10026 on Ubuntu 26.04 LTS (resolute) - medium
A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-30 20:15:00 UTC
CVE-2024-10026
CVE-2024-1019 on Ubuntu 26.04 LTS (resolute) - medium
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. Integrators and users are advised to upgrade to 3.0.12. The ModSecurity v2 release line is not affected by this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-30 16:15:00 UTC
CVE-2024-1019
CVE-2024-10573 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.
Update Instructions:
Run `sudo pro fix CVE-2024-10573` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmpg123-0t64 - 1.32.8-1
libout123-0t64 - 1.32.8-1
libsyn123-0t64 - 1.32.8-1
mpg123 - 1.32.8-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-30
2024-10-30
https://mpg123.org/bugs/322
[https://ubuntu.com/security/notices/USN-7092-1]
[https://ubuntu.com/security/notices/USN-7092-2]
CVE-2024-10573
CVE-2024-10603 on Ubuntu 26.04 LTS (resolute) - medium
Weaknesses in the generation of TCP/UDP source ports and some other header values in Google's gVisor allowed them to be predicted by an external attacker in some circumstances.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-30 20:15:00 UTC
CVE-2024-10603
CVE-2024-1062 on Ubuntu 26.04 LTS (resolute) - medium
A heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-12 13:15:00 UTC
CVE-2024-1062
CVE-2024-10838 on Ubuntu 26.04 LTS (resolute) - medium
An integer underflow during deserialization may allow any unauthenticated user to read out of bounds heap memory. This may result into secret data or pointers revealing the layout of the address space to be included into a deserialized data structure, which may potentially lead to thread crashes or cause denial of service conditions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-12 13:15:00 UTC
CVE-2024-10838
CVE-2024-11029 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the FreeIPA API audit, where it sends the whole FreeIPA command line to journalctl. As a consequence, during the FreeIPA installation process, it inadvertently leaks the administrative user credentials, including the administrator password, to the journal database. In the worst-case scenario, where the journal log is centralized, users with access to it can have improper access to the FreeIPA administrator credentials.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-15 13:15:00 UTC
CVE-2024-11029
CVE-2024-11053 on Ubuntu 26.04 LTS (resolute) - low
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
Update Instructions:
Run `sudo pro fix CVE-2024-11053` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
curl - 8.11.1-1ubuntu1
libcurl3t64-gnutls - 8.11.1-1ubuntu1
libcurl4t64 - 8.11.1-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-12-11
2024-12-11
Harry Sintonen
[https://ubuntu.com/security/notices/USN-7162-1]
CVE-2024-11053
CVE-2024-11079 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-11-12 00:15:00 UTC
CVE-2024-11079
CVE-2024-11187 on Ubuntu 26.04 LTS (resolute) - medium
It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1.
Update Instructions:
Run `sudo pro fix CVE-2024-11187` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.20.0-2ubuntu4
bind9-dnsutils - 1:9.20.0-2ubuntu4
bind9-host - 1:9.20.0-2ubuntu4
bind9-libs - 1:9.20.0-2ubuntu4
bind9-utils - 1:9.20.0-2ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-29
2025-01-29
Toshifumi Sakaguchi
[https://ubuntu.com/security/notices/USN-7241-1]
CVE-2024-11187
CVE-2024-11218 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in `podman build` and `buildah.` This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and directories on the host.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-22 05:15:00 UTC
CVE-2024-11218
CVE-2024-1135 on Ubuntu 26.04 LTS (resolute) - medium
Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-16 00:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069126
CVE-2024-1135
CVE-2024-11407 on Ubuntu 26.04 LTS (resolute) - medium
There exists a denial of service through Data corruption in gRPC-C++ - gRPC-C++ servers with transmit zero copy enabled through the channel arg GRPC_ARG_TCP_TX_ZEROCOPY_ENABLED can experience data corruption issues. The data sent by the application may be corrupted before transmission over the network thus leading the receiver to receive an incorrect set of bytes causing RPC requests to fail. We recommend upgrading past commit e9046b2bbebc0cb7f5dc42008f807f6c7e98e791
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-26 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088806
CVE-2024-11407
CVE-2024-1141 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled.
Update Instructions:
Run `sudo pro fix CVE-2024-1141` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-glance-store - 4.6.1-0ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-01 15:15:00 UTC
2024-02-01 15:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2258836
https://bugs.launchpad.net/glance-store/+bug/2047688
[https://ubuntu.com/security/notices/USN-6630-1]
CVE-2024-1141
CVE-2024-11831 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-10 16:15:00 UTC
CVE-2024-11831
CVE-2024-11858 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Radare2, which contains a command injection vulnerability caused by insufficient input validation when handling Pebble Application files. Maliciously crafted inputs can inject shell commands during command parsing, leading to unintended behavior during file processing
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-15 14:15:00 UTC
CVE-2024-11858
CVE-2024-12243 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.
Update Instructions:
Run `sudo pro fix CVE-2024-12243` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.9-2ubuntu1
libgnutls-dane0t64 - 3.8.9-2ubuntu1
libgnutls-openssl27t64 - 3.8.9-2ubuntu1
libgnutls30t64 - 3.8.9-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-10 16:15:00 UTC
2025-02-10 16:15:00 UTC
Bing Shi
https://gitlab.com/gnutls/gnutls/-/issues/1553
https://bugzilla.redhat.com/show_bug.cgi?id=2344615
https://gitlab.com/gnutls/libtasn1/-/issues/52
[https://ubuntu.com/security/notices/USN-7281-1]
CVE-2024-12243
CVE-2024-12368 on Ubuntu 26.04 LTS (resolute) - medium
Improper access control in the auth_oauth module of Odoo Community 15.0 and Odoo Enterprise 15.0 allows an internal user to export the OAuth tokens of other users.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-25 18:15:00 UTC
CVE-2024-12368
CVE-2024-12705 on Ubuntu 26.04 LTS (resolute) - medium
Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1.
Update Instructions:
Run `sudo pro fix CVE-2024-12705` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.20.0-2ubuntu4
bind9-dnsutils - 1:9.20.0-2ubuntu4
bind9-host - 1:9.20.0-2ubuntu4
bind9-libs - 1:9.20.0-2ubuntu4
bind9-utils - 1:9.20.0-2ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-29
2025-01-29
Jean-François Billaud
[https://ubuntu.com/security/notices/USN-7241-1]
CVE-2024-12705
CVE-2024-12905 on Ubuntu 26.04 LTS (resolute) - medium
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-27 17:15:00 UTC
CVE-2024-12905
CVE-2024-13176 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-13176` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.4.1-1ubuntu1
openssl - 3.4.1-1ubuntu1
openssl-provider-legacy - 3.4.1-1ubuntu1
No subscription required
efi-shell-aa64 - 2025.02-8ubuntu3
efi-shell-arm - 2025.02-8ubuntu3
efi-shell-ia32 - 2025.02-8ubuntu3
efi-shell-loongarch64 - 2025.02-8ubuntu3
efi-shell-riscv64 - 2025.02-8ubuntu3
efi-shell-x64 - 2025.02-8ubuntu3
ovmf - 2025.02-8ubuntu3
ovmf-ia32 - 2025.02-8ubuntu3
ovmf-inteltdx - 2025.02-8ubuntu3
qemu-efi-aarch64 - 2025.02-8ubuntu3
qemu-efi-arm - 2025.02-8ubuntu3
qemu-efi-loongarch64 - 2025.02-8ubuntu3
qemu-efi-riscv64 - 2025.02-8ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-01-20 14:15:00 UTC
2025-01-20 14:15:00 UTC
George Pantelakis and Alicja Kario
[https://ubuntu.com/security/notices/USN-7264-1]
[https://ubuntu.com/security/notices/USN-7278-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2024-13176
CVE-2024-1347 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker through a crafted email address may be able to bypass domain based restrictions on an instance or a group.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-25 11:15:00 UTC
CVE-2024-1347
CVE-2024-13939 on Ubuntu 26.04 LTS (resolute) - medium
String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string. As stated in the documentation: "If the lengths of the strings are different, because equals returns false right away the size of the secret string may be leaked (but not its contents)." This is similar to CVE-2020-36829
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-28 03:15:00 UTC
CVE-2024-13939
CVE-2024-13978 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as problematic. Affected by this vulnerability is the function t2p_read_tiff_init of the file tools/tiff2pdf.c of the component fax2ps. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. The patch is named 2ebfffb0e8836bfb1cd7d85c059cd285c59761a4. It is recommended to apply a patch to fix this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-13978` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtiff-opengl - 4.7.0-3ubuntu2
libtiff-tools - 4.7.0-3ubuntu2
libtiff6 - 4.7.0-3ubuntu2
libtiffxx6 - 4.7.0-3ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-01 22:15:00 UTC
CVE-2024-13978
CVE-2024-1433 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, was found in KDE Plasma Workspace up to 5.93.0. This affects the function EventPluginsManager::enabledPlugins of the file components/calendar/eventpluginsmanager.cpp of the component Theme File Handler. The manipulation of the argument pluginId leads to path traversal. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The patch is named 6cdf42916369ebf4ad5bd876c4dfa0170d7b2f01. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-253407. NOTE: This requires write access to user's home or the installation of third party global themes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-11 23:15:00 UTC
CVE-2024-1433
CVE-2024-1441 on Ubuntu 26.04 LTS (resolute) - medium
An off-by-one error flaw was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `names` array. This issue can be reproduced by sending specially crafted data to the libvirt daemon, allowing an unprivileged client to perform a denial of service attack by causing the libvirt daemon to crash.
Update Instructions:
Run `sudo pro fix CVE-2024-1441` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnss-libvirt - 10.0.0-2ubuntu8.1
libvirt-clients - 10.0.0-2ubuntu8.1
libvirt-clients-qemu - 10.0.0-2ubuntu8.1
libvirt-common - 10.0.0-2ubuntu8.1
libvirt-daemon - 10.0.0-2ubuntu8.1
libvirt-daemon-common - 10.0.0-2ubuntu8.1
libvirt-daemon-config-network - 10.0.0-2ubuntu8.1
libvirt-daemon-config-nwfilter - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-interface - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-lxc - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-network - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-nodedev - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-nwfilter - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-qemu - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-secret - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-disk - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-gluster - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-iscsi - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-iscsi-direct - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-logical - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-mpath - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-rbd - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-scsi - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-zfs - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-vbox - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-xen - 10.0.0-2ubuntu8.1
libvirt-daemon-lock - 10.0.0-2ubuntu8.1
libvirt-daemon-log - 10.0.0-2ubuntu8.1
libvirt-daemon-plugin-lockd - 10.0.0-2ubuntu8.1
libvirt-daemon-plugin-sanlock - 10.0.0-2ubuntu8.1
libvirt-daemon-system - 10.0.0-2ubuntu8.1
libvirt-daemon-system-systemd - 10.0.0-2ubuntu8.1
libvirt-daemon-system-sysv - 10.0.0-2ubuntu8.1
libvirt-l10n - 10.0.0-2ubuntu8.1
libvirt-login-shell - 10.0.0-2ubuntu8.1
libvirt-sanlock - 10.0.0-2ubuntu8.1
libvirt-ssh-proxy - 10.0.0-2ubuntu8.1
libvirt-wireshark - 10.0.0-2ubuntu8.1
libvirt0 - 10.0.0-2ubuntu8.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-11 14:15:00 UTC
2024-03-11 14:15:00 UTC
Alexander Kuznetsov
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066058
https://bugzilla.redhat.com/show_bug.cgi?id=2263841
[https://ubuntu.com/security/notices/USN-6734-1]
[https://ubuntu.com/security/notices/USN-6734-2]
CVE-2024-1441
CVE-2024-1459 on Ubuntu 26.04 LTS (resolute) - medium
A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-12 21:15:00 UTC
Robb Gatica
https://bugzilla.redhat.com/show_bug.cgi?id=2259475
CVE-2024-1459
CVE-2024-1481 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in FreeIPA. This issue may allow a remote attacker to craft a HTTP request with parameters that can be interpreted as command arguments to kinit on the FreeIPA server, which can lead to a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-10 21:15:00 UTC
CVE-2024-1481
CVE-2024-1543 on Ubuntu 26.04 LTS (resolute) - medium
The side-channel protected T-Table implementation in wolfSSL up to version 5.6.5 protects against a side-channel attacker with cache-line resolution. In a controlled environment such as Intel SGX, an attacker can gain a per instruction sub-cache-line resolution allowing them to break the cache-line-level protection. For details on the attack refer to: https://doi.org/10.46586/tches.v2024.i1.457-500
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-29 23:15:00 UTC
CVE-2024-1543
CVE-2024-1544 on Ubuntu 26.04 LTS (resolute) - medium
Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits (a digit having e.g. a size of 8 byte) of r by the upper digit of n and then decrements q_e in a loop until it has the correct size. Observing the number of times q_e is decremented through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. For SECP160R1, e.g., we find a bias of 15 bits.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-27 19:15:00 UTC
CVE-2024-1544
CVE-2024-1545 on Ubuntu 26.04 LTS (resolute) - medium
Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the RsaKey structure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-29 23:15:00 UTC
CVE-2024-1545
CVE-2024-1635 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by RemotingServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-19 22:15:00 UTC
CVE-2024-1635
CVE-2024-1737 on Ubuntu 26.04 LTS (resolute) - medium
Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1.
Update Instructions:
Run `sudo pro fix CVE-2024-1737` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.18.28-0ubuntu1
bind9-dnsutils - 1:9.18.28-0ubuntu1
bind9-host - 1:9.18.28-0ubuntu1
bind9-libs - 1:9.18.28-0ubuntu1
bind9-utils - 1:9.18.28-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-23
2024-07-23
Toshifumi Sakaguchi
[https://ubuntu.com/security/notices/USN-6909-1]
[https://ubuntu.com/security/notices/USN-6909-2]
[https://ubuntu.com/security/notices/USN-6909-3]
CVE-2024-1737
CVE-2024-1753 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-18 15:15:00 UTC
CVE-2024-1753
CVE-2024-1975 on Ubuntu 26.04 LTS (resolute) - medium
If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1.
Update Instructions:
Run `sudo pro fix CVE-2024-1975` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.18.28-0ubuntu1
bind9-dnsutils - 1:9.18.28-0ubuntu1
bind9-host - 1:9.18.28-0ubuntu1
bind9-libs - 1:9.18.28-0ubuntu1
bind9-utils - 1:9.18.28-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-23
2024-07-23
[https://ubuntu.com/security/notices/USN-6909-1]
[https://ubuntu.com/security/notices/USN-6909-2]
[https://ubuntu.com/security/notices/USN-6909-3]
CVE-2024-1975
CVE-2024-20505 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in the PDF parsing module of Clam AntiVirus (ClamAV) versions 1.4.0, 1.3.2 and prior versions, all 1.2.x versions, 1.0.6 and prior versions, all 0.105.x versions, all 0.104.x versions, and 0.103.11 and all prior versions could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to an out of bounds read. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. An exploit could allow the attacker to terminate the scanning process.
Update Instructions:
Run `sudo pro fix CVE-2024-20505` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
clamav - 1.3.1+dfsg-5ubuntu2
clamav-base - 1.3.1+dfsg-5ubuntu2
clamav-daemon - 1.3.1+dfsg-5ubuntu2
clamav-freshclam - 1.3.1+dfsg-5ubuntu2
clamav-milter - 1.3.1+dfsg-5ubuntu2
clamav-testfiles - 1.3.1+dfsg-5ubuntu2
clamdscan - 1.3.1+dfsg-5ubuntu2
libclamav12 - 1.3.1+dfsg-5ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-04 22:15:00 UTC
2024-09-04 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-7011-1]
[https://ubuntu.com/security/notices/USN-7011-2]
CVE-2024-20505
CVE-2024-20506 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in the ClamD service module of Clam AntiVirus (ClamAV) versions 1.4.0, 1.3.2 and prior versions, all 1.2.x versions, 1.0.6 and prior versions, all 0.105.x versions, all 0.104.x versions, and 0.103.11 and all prior versions could allow an authenticated, local attacker to corrupt critical system files. The vulnerability is due to allowing the ClamD process to write to its logfile while privileged without checking if the logfile has been replaced with a symbolic link. An attacker could exploit this vulnerability if they replace the ClamD log file with a symlink to a critical system file and then find a way to restart the ClamD process. An exploit could allow the attacker to corrupt a critical system file by appending ClamD log messages after restart.
Update Instructions:
Run `sudo pro fix CVE-2024-20506` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
clamav - 1.3.1+dfsg-5ubuntu2
clamav-base - 1.3.1+dfsg-5ubuntu2
clamav-daemon - 1.3.1+dfsg-5ubuntu2
clamav-freshclam - 1.3.1+dfsg-5ubuntu2
clamav-milter - 1.3.1+dfsg-5ubuntu2
clamav-testfiles - 1.3.1+dfsg-5ubuntu2
clamdscan - 1.3.1+dfsg-5ubuntu2
libclamav12 - 1.3.1+dfsg-5ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-04 22:15:00 UTC
2024-09-04 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-7011-1]
[https://ubuntu.com/security/notices/USN-7011-2]
CVE-2024-20506
CVE-2024-20922 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM Enterprise Edition: 20.3.12 and 21.3.8. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 2.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-16 22:15:00 UTC
CVE-2024-20922
CVE-2024-20923 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM Enterprise Edition: 20.3.12 and 21.3.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-17 02:15:00 UTC
CVE-2024-20923
CVE-2024-20925 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM Enterprise Edition: 20.3.12 and 21.3.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-17 02:15:00 UTC
CVE-2024-20925
CVE-2024-21090 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 8.3.0 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-16 22:15:00 UTC
CVE-2024-21090
CVE-2024-21103 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.16. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: This vulnerability applies to Linux hosts only. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-16 22:15:00 UTC
CVE-2024-21103
CVE-2024-21141 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.20. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-16 23:15:00 UTC
CVE-2024-21141
CVE-2024-21161 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.20. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: This vulnerability applies to Linux hosts only. CVSS 3.1 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-16 23:15:00 UTC
CVE-2024-21161
CVE-2024-21164 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 2.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-16 23:15:00 UTC
CVE-2024-21164
CVE-2024-21170 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 8.4.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-16 23:15:00 UTC
CVE-2024-21170
CVE-2024-21208 on Ubuntu 26.04 LTS (resolute) - low
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Update Instructions:
Run `sudo pro fix CVE-2024-21208` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-8-demo - 8u432-ga~us1-0ubuntu1
openjdk-8-jdk - 8u432-ga~us1-0ubuntu1
openjdk-8-jdk-headless - 8u432-ga~us1-0ubuntu1
openjdk-8-jre - 8u432-ga~us1-0ubuntu1
openjdk-8-jre-headless - 8u432-ga~us1-0ubuntu1
openjdk-8-jre-zero - 8u432-ga~us1-0ubuntu1
openjdk-8-source - 8u432-ga~us1-0ubuntu1
No subscription required
openjdk-11-demo - 11.0.26~3ea-1ubuntu1
openjdk-11-jdk - 11.0.26~3ea-1ubuntu1
openjdk-11-jdk-headless - 11.0.26~3ea-1ubuntu1
openjdk-11-jre - 11.0.26~3ea-1ubuntu1
openjdk-11-jre-headless - 11.0.26~3ea-1ubuntu1
openjdk-11-jre-zero - 11.0.26~3ea-1ubuntu1
openjdk-11-source - 11.0.26~3ea-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-10-15 20:15:00 UTC
2024-10-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7096-1]
[https://ubuntu.com/security/notices/USN-7097-1]
[https://ubuntu.com/security/notices/USN-7099-1]
[https://ubuntu.com/security/notices/USN-7098-1]
[https://ubuntu.com/security/notices/USN-7124-1]
[https://ubuntu.com/security/notices/USN-7338-1]
[https://ubuntu.com/security/notices/USN-7339-1]
CVE-2024-21208
CVE-2024-21210 on Ubuntu 26.04 LTS (resolute) - low
Vulnerability in Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4 and 23. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2024-21210` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-8-demo - 8u432-ga~us1-0ubuntu1
openjdk-8-jdk - 8u432-ga~us1-0ubuntu1
openjdk-8-jdk-headless - 8u432-ga~us1-0ubuntu1
openjdk-8-jre - 8u432-ga~us1-0ubuntu1
openjdk-8-jre-headless - 8u432-ga~us1-0ubuntu1
openjdk-8-jre-zero - 8u432-ga~us1-0ubuntu1
openjdk-8-source - 8u432-ga~us1-0ubuntu1
No subscription required
openjdk-11-demo - 11.0.26~3ea-1ubuntu1
openjdk-11-jdk - 11.0.26~3ea-1ubuntu1
openjdk-11-jdk-headless - 11.0.26~3ea-1ubuntu1
openjdk-11-jre - 11.0.26~3ea-1ubuntu1
openjdk-11-jre-headless - 11.0.26~3ea-1ubuntu1
openjdk-11-jre-zero - 11.0.26~3ea-1ubuntu1
openjdk-11-source - 11.0.26~3ea-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-10-15 20:15:00 UTC
2024-10-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7096-1]
[https://ubuntu.com/security/notices/USN-7097-1]
[https://ubuntu.com/security/notices/USN-7099-1]
[https://ubuntu.com/security/notices/USN-7098-1]
[https://ubuntu.com/security/notices/USN-7124-1]
[https://ubuntu.com/security/notices/USN-7338-1]
[https://ubuntu.com/security/notices/USN-7339-1]
CVE-2024-21210
CVE-2024-21217 on Ubuntu 26.04 LTS (resolute) - low
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Update Instructions:
Run `sudo pro fix CVE-2024-21217` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-8-demo - 8u432-ga~us1-0ubuntu1
openjdk-8-jdk - 8u432-ga~us1-0ubuntu1
openjdk-8-jdk-headless - 8u432-ga~us1-0ubuntu1
openjdk-8-jre - 8u432-ga~us1-0ubuntu1
openjdk-8-jre-headless - 8u432-ga~us1-0ubuntu1
openjdk-8-jre-zero - 8u432-ga~us1-0ubuntu1
openjdk-8-source - 8u432-ga~us1-0ubuntu1
No subscription required
openjdk-11-demo - 11.0.26~3ea-1ubuntu1
openjdk-11-jdk - 11.0.26~3ea-1ubuntu1
openjdk-11-jdk-headless - 11.0.26~3ea-1ubuntu1
openjdk-11-jre - 11.0.26~3ea-1ubuntu1
openjdk-11-jre-headless - 11.0.26~3ea-1ubuntu1
openjdk-11-jre-zero - 11.0.26~3ea-1ubuntu1
openjdk-11-source - 11.0.26~3ea-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-10-15 20:15:00 UTC
2024-10-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7096-1]
[https://ubuntu.com/security/notices/USN-7097-1]
[https://ubuntu.com/security/notices/USN-7099-1]
[https://ubuntu.com/security/notices/USN-7098-1]
[https://ubuntu.com/security/notices/USN-7124-1]
[https://ubuntu.com/security/notices/USN-7338-1]
[https://ubuntu.com/security/notices/USN-7339-1]
CVE-2024-21217
CVE-2024-21235 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2024-21235` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-8-demo - 8u432-ga~us1-0ubuntu1
openjdk-8-jdk - 8u432-ga~us1-0ubuntu1
openjdk-8-jdk-headless - 8u432-ga~us1-0ubuntu1
openjdk-8-jre - 8u432-ga~us1-0ubuntu1
openjdk-8-jre-headless - 8u432-ga~us1-0ubuntu1
openjdk-8-jre-zero - 8u432-ga~us1-0ubuntu1
openjdk-8-source - 8u432-ga~us1-0ubuntu1
No subscription required
openjdk-11-demo - 11.0.26~3ea-1ubuntu1
openjdk-11-jdk - 11.0.26~3ea-1ubuntu1
openjdk-11-jdk-headless - 11.0.26~3ea-1ubuntu1
openjdk-11-jre - 11.0.26~3ea-1ubuntu1
openjdk-11-jre-headless - 11.0.26~3ea-1ubuntu1
openjdk-11-jre-zero - 11.0.26~3ea-1ubuntu1
openjdk-11-source - 11.0.26~3ea-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-15 20:15:00 UTC
2024-10-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7096-1]
[https://ubuntu.com/security/notices/USN-7097-1]
[https://ubuntu.com/security/notices/USN-7099-1]
[https://ubuntu.com/security/notices/USN-7098-1]
[https://ubuntu.com/security/notices/USN-7124-1]
[https://ubuntu.com/security/notices/USN-7338-1]
[https://ubuntu.com/security/notices/USN-7339-1]
CVE-2024-21235
CVE-2024-21248 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.22 and prior to 7.1.2. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-15 20:15:00 UTC
CVE-2024-21248
CVE-2024-21253 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.22. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 2.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-15 20:15:00 UTC
CVE-2024-21253
CVE-2024-21259 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.22 and prior to 7.1.2. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-15 20:15:00 UTC
CVE-2024-21259
CVE-2024-21263 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.22 and prior to 7.1.2. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-15 20:15:00 UTC
CVE-2024-21263
CVE-2024-21273 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.22 and prior to 7.1.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-15 20:15:00 UTC
CVE-2024-21273
CVE-2024-21501 on Ubuntu 26.04 LTS (resolute) - medium
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-24 05:15:00 UTC
CVE-2024-21501
CVE-2024-21503 on Ubuntu 26.04 LTS (resolute) - medium
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-19 05:15:00 UTC
CVE-2024-21503
CVE-2024-21535 on Ubuntu 26.04 LTS (resolute) - medium
Versions of the package markdown-to-jsx before 7.4.0 are vulnerable to Cross-site Scripting (XSS) via the src property due to improper input sanitization. An attacker can execute arbitrary code by injecting a malicious iframe element in the markdown.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-15 05:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085375
CVE-2024-21535
CVE-2024-21633 on Ubuntu 26.04 LTS (resolute) - medium
Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their resource names which can be manipulated by attacker to place files at desired location on the system Apktool runs on. Affected environments are those in which an attacker may write/overwrite any file that user has write access, and either user name is known or cwd is under user folder. Commit d348c43b24a9de350ff6e5bd610545a10c1fc712 contains a patch for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-03 17:15:00 UTC
CVE-2024-21633
CVE-2024-21742 on Ubuntu 26.04 LTS (resolute) - medium
Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message. This can be exploited by an attacker to add unintended headers to MIME messages.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-27 17:15:00 UTC
CVE-2024-21742
CVE-2024-21885 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in X.Org server. In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. This can trigger a heap buffer overflow condition, which may lead to an application crash or remote code execution in SSH X11 forwarding environments.
Update Instructions:
Run `sudo pro fix CVE-2024-21885` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.11-1ubuntu1
xorg-server-source - 2:21.1.11-1ubuntu1
xserver-common - 2:21.1.11-1ubuntu1
xserver-xephyr - 2:21.1.11-1ubuntu1
xserver-xorg-core - 2:21.1.11-1ubuntu1
xserver-xorg-legacy - 2:21.1.11-1ubuntu1
xvfb - 2:21.1.11-1ubuntu1
No subscription required
xwayland - 2:23.2.4-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-16 00:00:00 UTC
2024-01-16 00:00:00 UTC
Jan-Niklas Sohn
[https://ubuntu.com/security/notices/USN-6587-1]
[https://ubuntu.com/security/notices/USN-6587-2]
[https://ubuntu.com/security/notices/USN-6587-5]
CVE-2024-21885
CVE-2024-21886 on Ubuntu 26.04 LTS (resolute) - medium
A heap buffer overflow flaw was found in the DisableDevice function in the X.Org server. This issue may lead to an application crash or, in some circumstances, remote code execution in SSH X11 forwarding environments.
Update Instructions:
Run `sudo pro fix CVE-2024-21886` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.11-1ubuntu1
xorg-server-source - 2:21.1.11-1ubuntu1
xserver-common - 2:21.1.11-1ubuntu1
xserver-xephyr - 2:21.1.11-1ubuntu1
xserver-xorg-core - 2:21.1.11-1ubuntu1
xserver-xorg-legacy - 2:21.1.11-1ubuntu1
xvfb - 2:21.1.11-1ubuntu1
No subscription required
xwayland - 2:23.2.4-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-16 00:00:00 UTC
2024-01-16 00:00:00 UTC
Jan-Niklas Sohn
[https://ubuntu.com/security/notices/USN-6587-1]
[https://ubuntu.com/security/notices/USN-6587-2]
[https://ubuntu.com/security/notices/USN-6587-5]
CVE-2024-21886
CVE-2024-21890 on Ubuntu 26.04 LTS (resolute) - medium
The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: `--allow-fs-read=/home/node/.ssh/*.pub` will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-20 02:15:00 UTC
CVE-2024-21890
CVE-2024-21953 on Ubuntu 26.04 LTS (resolute) - medium
Improper input validation in IOMMU could allow a malicious hypervisor to reconfigure IOMMU registers resulting in loss of guest data integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 20:16:00 UTC
CVE-2024-21953
CVE-2024-2199 on Ubuntu 26.04 LTS (resolute) - medium
A denial of service vulnerability was found in 389-ds-base ldap server. This issue may allow an authenticated user to cause a server crash while modifying `userPassword` using malformed input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 12:15:00 UTC
CVE-2024-2199
CVE-2024-22114 on Ubuntu 26.04 LTS (resolute) - medium
User with no permission to any of the Hosts can access and view host count & other statistics through System Information Widget in Global View Dashboard.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-12 13:38:00 UTC
CVE-2024-22114
CVE-2024-22116 on Ubuntu 26.04 LTS (resolute) - medium
An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user ability to execute arbitrary code via the Ping script, thereby compromising infrastructure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-12 13:38:00 UTC
CVE-2024-22116
CVE-2024-22119 on Ubuntu 26.04 LTS (resolute) - medium
The cause of vulnerability is improper validation of form input field “Name” on Graph page in Items section.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-09 09:15:00 UTC
CVE-2024-22119
CVE-2024-22120 on Ubuntu 26.04 LTS (resolute) - medium
Zabbix server can perform command execution for configured scripts. After a command is executed, an audit entry is added to "Audit Log". Because the "clientip" field is not sanitized, it is possible to inject SQL into "clientip" and exploit time-based blind SQL injection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-17 10:15:00 UTC
CVE-2024-22120
CVE-2024-22121 on Ubuntu 26.04 LTS (resolute) - medium
A non-admin user can change or remove important features within the Zabbix Agent application, thus impacting the integrity and availability of the application.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-12 13:38:00 UTC
CVE-2024-22121
CVE-2024-22122 on Ubuntu 26.04 LTS (resolute) - medium
Zabbix allows SMS notifications to be configured. AT command injection occurs on "Zabbix Server" because there is no validation of the "Number" field on the Web side nor on the Zabbix server side. An attacker can run a test of SMS providing a specially crafted phone number and execute additional AT commands on the modem.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-12 13:38:00 UTC
CVE-2024-22122
CVE-2024-22123 on Ubuntu 26.04 LTS (resolute) - medium
Setting SMS media allows a GSM modem file to be set. Later this file is used as a Linux device. But because everything is a file on Linux, it is possible to set another file, e.g. a log file, and zabbix_server will try to communicate with it as a modem. As a result, the log file will be broken with AT commands and a small part of the log file content will be leaked to the UI.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-12 13:38:00 UTC
CVE-2024-22123
CVE-2024-22181 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write vulnerability exists in the readNODE functionality of libigl v2.5.0. A specially crafted .node file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 14:15:00 UTC
CVE-2024-22181
CVE-2024-22190 on Ubuntu 26.04 LTS (resolute) - medium
GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-11 02:15:00 UTC
CVE-2024-22190
CVE-2024-22243 on Ubuntu 26.04 LTS (resolute) - medium
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect https://cwe.mitre.org/data/definitions/601.html attack or to an SSRF attack if the URL is used after passing validation checks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-23 05:15:00 UTC
CVE-2024-22243
CVE-2024-22258 on Ubuntu 26.04 LTS (resolute) - medium
Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An application is not vulnerable when a Public Client uses PKCE for the Authorization Code Grant.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 04:15:00 UTC
CVE-2024-22258
CVE-2024-22259 on Ubuntu 26.04 LTS (resolute) - medium
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect https://cwe.mitre.org/data/definitions/601.html attack or to an SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243, but with different input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-16 05:15:00 UTC
CVE-2024-22259
CVE-2024-22262 on Ubuntu 26.04 LTS (resolute) - medium
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect https://cwe.mitre.org/data/definitions/601.html attack or to an SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243, but with different input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-16 06:15:00 UTC
CVE-2024-22262
CVE-2024-2236 on Ubuntu 26.04 LTS (resolute) - low
A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-03-06 22:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2268268
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065683
https://dev.gnupg.org/T7136
CVE-2024-2236
CVE-2024-22423 on Ubuntu 26.04 LTS (resolute) - medium
yt-dlp is a youtube-dl fork with additional features and fixes. The patch that addressed CVE-2023-40581 attempted to prevent RCE when using `--exec` with `%q` by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment variables. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11. yt-dlp version 2024.04.09 fixes this issue by properly escaping `%`. It replaces them with `%%cd:~,%`, a variable that expands to nothing, leaving only the leading percent. It is recommended to upgrade yt-dlp to version 2024.04.09 as soon as possible. Also, always be careful when using `--exec`, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous. For Windows users who are not able to upgrade, avoid using any output template expansion in `--exec` other than `{}` (filepath); if expansion in `--exec` is needed, verify the fields you are using do not contain `"`, `|` or `&`; and/or instead of using `--exec`, write the info json and load the fields from it instead.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-09 18:15:00 UTC
CVE-2024-22423
CVE-2024-22513 on Ubuntu 26.04 LTS (resolute) - medium
djangorestframework-simplejwt version 5.3.1 and before is vulnerable to information disclosure. A user can access web application resources even after their account has been disabled due to missing user validation checks via the for_user method.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-16 07:15:00 UTC
CVE-2024-22513
CVE-2024-22640 on Ubuntu 26.04 LTS (resolute) - medium
TCPDF version <=6.6.5 is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted HTML page with a crafted color.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-19 16:15:00 UTC
CVE-2024-22640
CVE-2024-22641 on Ubuntu 26.04 LTS (resolute) - medium
TCPDF version 6.6.5 and before is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted SVG file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 21:16:00 UTC
CVE-2024-22641
CVE-2024-22653 on Ubuntu 26.04 LTS (resolute) - medium
yasm commit 9defefae was discovered to contain a NULL pointer dereference via the yasm_section_bcs_append function at section.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-29 15:15:00 UTC
CVE-2024-22653
CVE-2024-22871 on Ubuntu 26.04 LTS (resolute) - medium
An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an attacker to cause a denial of service (DoS) via the clojure.core$partial$fn__5920 function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-29 02:15:00 UTC
CVE-2024-22871
CVE-2024-23185 on Ubuntu 26.04 LTS (resolute) - medium
Very large headers can cause resource exhaustion when parsing message. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to message-header-parser, it starts building up "full_value" buffer out of the smaller chunks. The full_value buffer has no size limit, so large headers can cause large memory usage. It doesn't matter whether it's a single long header line, or a single header split into multiple lines. This bug exists in all Dovecot versions. Incoming mails typically have some size limits set by MTA, so even largest possible header size may still fit into Dovecot's vsz_limit. So attackers probably can't DoS a victim user this way. A user could APPEND larger mails though, allowing them to DoS themselves (although maybe cause some memory issues for the backend in general). One can implement restrictions on headers on MTA component preceding Dovecot. No publicly available exploits are known.
Update Instructions:
Run `sudo pro fix CVE-2024-23185` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
dovecot-auth-lua - 1:2.3.21.1+dfsg1-1ubuntu1
dovecot-core - 1:2.3.21.1+dfsg1-1ubuntu1
dovecot-flatcurve - 1:2.3.21.1+dfsg1-1ubuntu1
dovecot-gssapi - 1:2.3.21.1+dfsg1-1ubuntu1
dovecot-imapd - 1:2.3.21.1+dfsg1-1ubuntu1
dovecot-ldap - 1:2.3.21.1+dfsg1-1ubuntu1
dovecot-lmtpd - 1:2.3.21.1+dfsg1-1ubuntu1
dovecot-managesieved - 1:2.3.21.1+dfsg1-1ubuntu1
dovecot-mysql - 1:2.3.21.1+dfsg1-1ubuntu1
dovecot-pgsql - 1:2.3.21.1+dfsg1-1ubuntu1
dovecot-pop3d - 1:2.3.21.1+dfsg1-1ubuntu1
dovecot-sieve - 1:2.3.21.1+dfsg1-1ubuntu1
dovecot-solr - 1:2.3.21.1+dfsg1-1ubuntu1
dovecot-sqlite - 1:2.3.21.1+dfsg1-1ubuntu1
dovecot-submissiond - 1:2.3.21.1+dfsg1-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-24
2024-08-24
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078877
[https://ubuntu.com/security/notices/USN-6982-1]
[https://ubuntu.com/security/notices/USN-7013-1]
CVE-2024-23185
CVE-2024-23301 on Ubuntu 26.04 LTS (resolute) - medium
Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable initrd when using GRUB_RESCUE=y. This allows local attackers to gain access to system secrets otherwise only readable by root.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-12 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060747
CVE-2024-23301
CVE-2024-23334 on Ubuntu 26.04 LTS (resolute) - medium
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-29 23:15:00 UTC
2024-01-29 23:15:00 UTC
sayun
[https://ubuntu.com/security/notices/USN-6991-1]
CVE-2024-23334
CVE-2024-23342 on Ubuntu 26.04 LTS (resolute) - medium
The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-23 00:15:00 UTC
CVE-2024-23342
CVE-2024-23635 on Ubuntu 26.04 LTS (resolute) - medium
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. Patched in AntiSamy 1.7.5 and later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-02 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1062846
CVE-2024-23635
CVE-2024-23638 on Ubuntu 26.04 LTS (resolute) - medium
Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client Manager reports. Squid older than 5.0.5 have not been tested and should be assumed to be vulnerable. All Squid-5.x up to and including 5.9 are vulnerable. All Squid-6.x up to and including 6.5 are vulnerable. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. As a workaround, prevent access to Cache Manager using Squid's main access control: `http_access deny manager`.
Update Instructions:
Run `sudo pro fix CVE-2024-23638` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
squid - 6.6-1ubuntu1
squid-cgi - 6.6-1ubuntu1
squid-common - 6.6-1ubuntu1
squid-openssl - 6.6-1ubuntu1
squid-purge - 6.6-1ubuntu1
squidclient - 6.6-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-24 00:15:00 UTC
2024-01-24 00:15:00 UTC
Joshua Rogers
[https://ubuntu.com/security/notices/USN-6728-1]
CVE-2024-23638
CVE-2024-23672 on Ubuntu 26.04 LTS (resolute) - medium
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Update Instructions:
Run `sudo pro fix CVE-2024-23672` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtomcat9-java - 9.0.70-2ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-13 16:15:00 UTC
2024-03-13 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-7106-1]
[https://ubuntu.com/security/notices/USN-7562-1]
CVE-2024-23672
CVE-2024-23790 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-29 10:15:00 UTC
CVE-2024-23790
CVE-2024-23791 on Ubuntu 26.04 LTS (resolute) - medium
Insertion of debug information into log file during building the elasticsearch index allows reading of sensitive information from articles. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-29 10:15:00 UTC
CVE-2024-23791
CVE-2024-23792 on Ubuntu 26.04 LTS (resolute) - medium
When adding attachments to ticket comments, another user can add attachments as well impersonating the original user. The attack requires a logged-in other user to know the UUID. While the legitimate user completes the comment, the malicious user can add more files to the comment. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-01-29 10:15:00 UTC
CVE-2024-23792
CVE-2024-23793 on Ubuntu 26.04 LTS (resolute) - medium
The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. This issue permits authenticated agents or customer users to upload potentially harmful files to directories accessible by the web server, potentially leading to the execution of local code like Perl scripts. This issue affects OTRS: from 7.0.X through 7.0.49, 8.0.X, 2023.X, from 2024.X through 2024.3.2; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-06 19:15:00 UTC
CVE-2024-23793
CVE-2024-23835 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.3, excessive memory use during pgsql parsing could lead to OOM-related crashes. This vulnerability is patched in 7.0.3. As workaround, users can disable the pgsql app layer parser.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-26 16:27:00 UTC
CVE-2024-23835
CVE-2024-23836 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to versions 6.0.16 and 7.0.3, an attacker can craft traffic to cause Suricata to use far more CPU and memory for processing the traffic than needed, which can lead to extreme slow downs and denial of service. This vulnerability is patched in 6.0.16 or 7.0.3. Workarounds include disabling the affected protocol app-layer parser in the yaml; reducing the `stream.reassembly.depth` value also helps reduce the severity of the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-26 16:27:00 UTC
CVE-2024-23836
CVE-2024-23839 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.3, specially crafted traffic can cause a heap use after free if the ruleset uses the http.request_header or http.response_header keyword. The vulnerability has been patched in 7.0.3. To work around the vulnerability, avoid the http.request_header and http.response_header keywords.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-26 16:27:00 UTC
CVE-2024-23839
CVE-2024-23947 on Ubuntu 26.04 LTS (resolute) - medium
Multiple improper array index validation vulnerabilities exist in the readMSH functionality of libigl v2.5.0. A specially crafted .msh file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the `igl::MshLoader::parse_nodes` function while handling a `binary` `.msh` file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 14:15:00 UTC
CVE-2024-23947
CVE-2024-23948 on Ubuntu 26.04 LTS (resolute) - medium
Multiple improper array index validation vulnerabilities exist in the readMSH functionality of libigl v2.5.0. A specially crafted .msh file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the `igl::MshLoader::parse_nodes` function while handling an `ascii` `.msh` file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 14:15:00 UTC
CVE-2024-23948
CVE-2024-23949 on Ubuntu 26.04 LTS (resolute) - medium
Multiple improper array index validation vulnerabilities exist in the readMSH functionality of libigl v2.5.0. A specially crafted .msh file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the `igl::MshLoader::parse_node_field` function while handling an `ascii` `.msh` file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 14:15:00 UTC
CVE-2024-23949
CVE-2024-23950 on Ubuntu 26.04 LTS (resolute) - medium
Multiple improper array index validation vulnerabilities exist in the readMSH functionality of libigl v2.5.0. A specially crafted .msh file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the `igl::MshLoader::parse_element_field` function while handling a `binary` `.msh` file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 14:15:00 UTC
CVE-2024-23950
CVE-2024-23951 on Ubuntu 26.04 LTS (resolute) - medium
Multiple improper array index validation vulnerabilities exist in the readMSH functionality of libigl v2.5.0. A specially crafted .msh file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the `igl::MshLoader::parse_element_field` function while handling an `ascii` `.msh` file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 14:15:00 UTC
CVE-2024-23951
CVE-2024-2398 on Ubuntu 26.04 LTS (resolute) - medium
When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.
Update Instructions:
Run `sudo pro fix CVE-2024-2398` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
curl - 8.5.0-2ubuntu10.1
libcurl3t64-gnutls - 8.5.0-2ubuntu10.1
libcurl4t64 - 8.5.0-2ubuntu10.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-27 07:00:00 UTC
2024-03-27 07:00:00 UTC
w0x42 on hackerone
[https://ubuntu.com/security/notices/USN-6718-1]
[https://ubuntu.com/security/notices/USN-6718-2]
[https://ubuntu.com/security/notices/USN-6718-3]
CVE-2024-2398
CVE-2024-24258 on Ubuntu 26.04 LTS (resolute) - medium
freeglut 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddSubMenu function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-05 18:15:00 UTC
2024-02-05 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-7870-1]
CVE-2024-24258
CVE-2024-24259 on Ubuntu 26.04 LTS (resolute) - medium
freeglut through 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddMenuEntry function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-05 18:15:00 UTC
2024-02-05 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-7870-1]
CVE-2024-24259
CVE-2024-2434 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-25 11:15:00 UTC
CVE-2024-2434
CVE-2024-24549 on Ubuntu 26.04 LTS (resolute) - medium
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Update Instructions:
Run `sudo pro fix CVE-2024-24549` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtomcat9-java - 9.0.70-2ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-13 16:15:00 UTC
2024-03-13 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-7562-1]
CVE-2024-24549
CVE-2024-24568 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.3, the rules inspecting HTTP2 headers can get bypassed by crafted traffic. The vulnerability has been patched in 7.0.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-26 16:27:00 UTC
CVE-2024-24568
CVE-2024-24583 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds read vulnerabilities exist in the readMSH functionality of libigl v2.5.0. A specially crafted .msh file can lead to an out-of-bounds read. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the `readMSH` function while processing `MshLoader::ELEMENT_TRI` elements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 14:15:00 UTC
CVE-2024-24583
CVE-2024-24584 on Ubuntu 26.04 LTS (resolute) - medium
Multiple out-of-bounds read vulnerabilities exist in the readMSH functionality of libigl v2.5.0. A specially crafted .msh file can lead to an out-of-bounds read. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the `readMSH` function while processing `MshLoader::ELEMENT_TET` elements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 14:15:00 UTC
CVE-2024-24584
CVE-2024-2467 on Ubuntu 26.04 LTS (resolute) - medium
A timing-based side-channel flaw exists in the perl-Crypt-OpenSSL-RSA package, which could be sufficient to recover plaintext across a network in a Bleichenbacher-style attack. To achieve successful decryption, an attacker would have to be able to send a large number of trial messages. The vulnerability affects the legacy PKCS#1v1.5 RSA encryption padding mode.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-25 17:15:00 UTC
Hubert Kario
https://github.com/toddr/Crypt-OpenSSL-RSA/issues/42
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066969
CVE-2024-2467
CVE-2024-24684 on Ubuntu 26.04 LTS (resolute) - medium
Multiple stack-based buffer overflow vulnerabilities exist in the readOFF functionality of libigl v2.5.0. A specially crafted .off file can lead to stack-based buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the header parsing occurring while processing an `.off` file via the `readOFF` function. We can see above that at [0] a stack-based buffer called `comment` is defined with a hardcoded size of `1000 bytes`. The call to `fscanf` at [1] is unsafe and if the first line of the header of the `.off` files is longer than 1000 bytes it will overflow the `header` buffer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 14:15:00 UTC
CVE-2024-24684
CVE-2024-24685 on Ubuntu 26.04 LTS (resolute) - medium
Multiple stack-based buffer overflow vulnerabilities exist in the readOFF functionality of libigl v2.5.0. A specially crafted .off file can lead to stack-based buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the parsing of comments within the vertex section of an `.off` file processed via the `readOFF` function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 14:15:00 UTC
CVE-2024-24685
CVE-2024-24686 on Ubuntu 26.04 LTS (resolute) - medium
Multiple stack-based buffer overflow vulnerabilities exist in the readOFF functionality of libigl v2.5.0. A specially crafted .off file can lead to stack-based buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the parsing of comments within the faces section of an `.off` file processed via the `readOFF` function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 14:15:00 UTC
CVE-2024-24686
CVE-2024-24750 on Ubuntu 26.04 LTS (resolute) - medium
Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body (or consuming it very slowly) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-16 22:15:00 UTC
CVE-2024-24750
CVE-2024-24758 on Ubuntu 26.04 LTS (resolute) - medium
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-16 22:15:00 UTC
CVE-2024-24758
CVE-2024-24786 on Ubuntu 26.04 LTS (resolute) - medium
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
Update Instructions:
Run `sudo pro fix CVE-2024-24786` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
google-guest-agent - 20240213.00-0ubuntu4
No subscription required
google-osconfig-agent - 20240320.00-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-05 23:15:00 UTC
2024-03-05 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065684
[https://ubuntu.com/security/notices/USN-6746-1]
[https://ubuntu.com/security/notices/USN-6746-2]
CVE-2024-24786
CVE-2024-24792 on Ubuntu 26.04 LTS (resolute) - medium
Parsing a corrupt or malicious image with invalid color indices can cause a panic.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-27 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074426
CVE-2024-24792
CVE-2024-24795 on Ubuntu 26.04 LTS (resolute) - medium
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-24795` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.58-1ubuntu8.1
apache2-bin - 2.4.58-1ubuntu8.1
apache2-data - 2.4.58-1ubuntu8.1
apache2-suexec-custom - 2.4.58-1ubuntu8.1
apache2-suexec-pristine - 2.4.58-1ubuntu8.1
apache2-utils - 2.4.58-1ubuntu8.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-04 20:15:00 UTC
2024-04-04 20:15:00 UTC
Keran Mu and Jianjun Chen
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068412
[https://ubuntu.com/security/notices/USN-6729-1]
[https://ubuntu.com/security/notices/USN-6729-2]
[https://ubuntu.com/security/notices/USN-6729-3]
CVE-2024-24795
CVE-2024-24815 on Ubuntu 26.04 LTS (resolute) - medium
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to `script` and `style` elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-07 16:15:00 UTC
2024-02-07 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063536
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063537
CVE-2024-24815
CVE-2024-24816 on Ubuntu 26.04 LTS (resolute) - medium
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the `preview` feature. All integrators that use these samples in the production code can be affected. The vulnerability allows an attacker to execute JavaScript code by abusing the misconfigured preview feature. It affects all users using the CKEditor4 at version < 4.24.0-lts with affected samples used in a production environment. A fix is available in version 4.24.0-lts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-07 17:15:00 UTC
2024-02-07 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063536
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063537
CVE-2024-24816
CVE-2024-24864 on Ubuntu 26.04 LTS (resolute) - negligible
A race condition was found in the Linux kernel's media/dvb-core in dvbdmx_write() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2024 Canonical Ltd.
2024-02-05 08:15:00 UTC
https://bugzilla.suse.com/show_bug.cgi?id=1219624
https://bugzilla.openanolis.cn/show_bug.cgi?id=8178
CVE-2024-24864
CVE-2024-24891 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in openEuler kernel on Linux allows Resource Leak Exposure. This vulnerability is associated with program files https://gitee.Com/openeuler/kernel/blob/openEuler-1.0-LTS/drivers/staging/gmjstcm/tcm.C. This issue affects kernel: from 4.19.90-2109.1.0.0108 before 4.19.90-2403.4.0.0244.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-15 12:15:00 UTC
https://gitee.com/openeuler/kernel/pulls/2810/
CVE-2024-24891
CVE-2024-24898 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in openEuler kernel on Linux allows Resource Leak Exposure. This vulnerability is associated with program files https://gitee.Com/openeuler/kernel/blob/openEuler-1.0-LTS/drivers/staging/gmjstcm/tcm.C. This issue affects kernel: from 4.19.90-2109.1.0.0108 before 4.19.90-2403.4.0.0244.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-15 12:15:00 UTC
https://gitee.com/openeuler/kernel/pulls/2810
CVE-2024-24898
CVE-2024-2494 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the g_new0 function results in a crash due to the negative length being treated as a huge positive number. This flaw allows a local, unprivileged user to perform a denial of service attack by causing the libvirt daemon to crash.
Update Instructions:
Run `sudo pro fix CVE-2024-2494` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnss-libvirt - 10.0.0-2ubuntu8.1
libvirt-clients - 10.0.0-2ubuntu8.1
libvirt-clients-qemu - 10.0.0-2ubuntu8.1
libvirt-common - 10.0.0-2ubuntu8.1
libvirt-daemon - 10.0.0-2ubuntu8.1
libvirt-daemon-common - 10.0.0-2ubuntu8.1
libvirt-daemon-config-network - 10.0.0-2ubuntu8.1
libvirt-daemon-config-nwfilter - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-interface - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-lxc - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-network - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-nodedev - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-nwfilter - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-qemu - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-secret - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-disk - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-gluster - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-iscsi - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-iscsi-direct - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-logical - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-mpath - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-rbd - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-scsi - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-storage-zfs - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-vbox - 10.0.0-2ubuntu8.1
libvirt-daemon-driver-xen - 10.0.0-2ubuntu8.1
libvirt-daemon-lock - 10.0.0-2ubuntu8.1
libvirt-daemon-log - 10.0.0-2ubuntu8.1
libvirt-daemon-plugin-lockd - 10.0.0-2ubuntu8.1
libvirt-daemon-plugin-sanlock - 10.0.0-2ubuntu8.1
libvirt-daemon-system - 10.0.0-2ubuntu8.1
libvirt-daemon-system-systemd - 10.0.0-2ubuntu8.1
libvirt-daemon-system-sysv - 10.0.0-2ubuntu8.1
libvirt-l10n - 10.0.0-2ubuntu8.1
libvirt-login-shell - 10.0.0-2ubuntu8.1
libvirt-sanlock - 10.0.0-2ubuntu8.1
libvirt-ssh-proxy - 10.0.0-2ubuntu8.1
libvirt-wireshark - 10.0.0-2ubuntu8.1
libvirt0 - 10.0.0-2ubuntu8.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 12:00:00 UTC
2024-03-20 12:00:00 UTC
[https://ubuntu.com/security/notices/USN-6734-1]
[https://ubuntu.com/security/notices/USN-6734-2]
CVE-2024-2494
CVE-2024-2511 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions. Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service. This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-2511` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.2.2-1ubuntu1
openssl - 3.2.2-1ubuntu1
openssl-provider-legacy - 3.2.2-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-04-08 14:15:00 UTC
2024-04-08 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068658
[https://ubuntu.com/security/notices/USN-6937-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2024-2511
CVE-2024-25110 on Ubuntu 26.04 LTS (resolute) - medium
The UAMQP is a general purpose C library for AMQP 1.0. During a call to open_get_offered_capabilities, a memory allocation may fail causing a use-after-free issue and if a client called it during connection communication it may cause a remote code execution. Users are advised to update the submodule with commit `30865c9c`. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-12 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064051
CVE-2024-25110
CVE-2024-25111 on Ubuntu 26.04 LTS (resolute) - medium
Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. There is no workaround for this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-25111` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
squid - 6.6-1ubuntu4
squid-cgi - 6.6-1ubuntu4
squid-common - 6.6-1ubuntu4
squid-openssl - 6.6-1ubuntu4
squid-purge - 6.6-1ubuntu4
squidclient - 6.6-1ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-06 19:15:00 UTC
2024-03-06 19:15:00 UTC
Joshua Rogers
[https://ubuntu.com/security/notices/USN-6728-1]
CVE-2024-25111
CVE-2024-25176 on Ubuntu 26.04 LTS (resolute) - medium
LuaJIT through 2.1 and OpenResty luajit2 before v2.1-20240626 have a stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-07 17:15:00 UTC
CVE-2024-25176
CVE-2024-25177 on Ubuntu 26.04 LTS (resolute) - medium
LuaJIT through 2.1 and OpenResty luajit2 before v2.1-20240314 have an unsinking of IR_FSTORE for NULL metatable, which leads to Denial of Service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-07 17:15:00 UTC
CVE-2024-25177
CVE-2024-25178 on Ubuntu 26.04 LTS (resolute) - medium
LuaJIT through 2.1 and OpenResty luajit2 before v2.1-20240314 have an out-of-bounds read in the stack-overflow handler in lj_state.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-07 17:15:00 UTC
CVE-2024-25178
CVE-2024-25189 on Ubuntu 26.04 LTS (resolute) - medium
libjwt 1.15.3 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-08 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063534
CVE-2024-25189
CVE-2024-25385 on Ubuntu 26.04 LTS (resolute) - medium
An issue in flvmeta v.1.2.2 allows a local attacker to cause a denial of service via the flvmeta/src/flv.c:375:21 function in flv_close.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-22 19:15:00 UTC
CVE-2024-25385
CVE-2024-25442 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the HuginBase::PanoramaMemento::loadPTScript function of Hugin v2022.0.0 allows attackers to cause a heap buffer overflow via parsing a crafted image.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-09 15:15:00 UTC
https://bugs.launchpad.net/hugin/+bug/2025032
CVE-2024-25442
CVE-2024-25443 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the HuginBase::ImageVariable<double>::linkWith function of Hugin v2022.0.0 allows attackers to cause a heap-use-after-free via parsing a crafted image.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-09 15:15:00 UTC
https://bugs.launchpad.net/hugin/+bug/2025035
CVE-2024-25443
CVE-2024-25445 on Ubuntu 26.04 LTS (resolute) - medium
Improper handling of values in HuginBase::PTools::Transform::transform of Hugin 2022.0.0 leads to an assertion failure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-09 15:15:00 UTC
https://bugs.launchpad.net/hugin/+bug/2025038
CVE-2024-25445
CVE-2024-25446 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the HuginBase::PTools::setDestImage function of Hugin v2022.0.0 allows attackers to cause a heap buffer overflow via parsing a crafted image.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-09 15:15:00 UTC
https://bugs.launchpad.net/hugin/+bug/2025037
CVE-2024-25446
CVE-2024-25448 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the imlib_free_image_and_decache function of imlib2 v1.9.1 allows attackers to cause a heap buffer overflow via parsing a crafted image.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-09 15:15:00 UTC
CVE-2024-25448
CVE-2024-25450 on Ubuntu 26.04 LTS (resolute) - medium
imlib2 v1.9.1 was discovered to mishandle memory allocation in the function init_imlib_fonts().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-09 15:15:00 UTC
CVE-2024-25450
CVE-2024-25580 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-27 03:15:00 UTC
2024-03-27 03:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064052
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064053
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064054
[https://ubuntu.com/security/notices/USN-7923-1]
CVE-2024-25580
CVE-2024-25590 on Ubuntu 26.04 LTS (resolute) - medium
An attacker can publish a zone containing specific Resource Record Sets. Repeatedly processing and caching results for these sets can lead to a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-03 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083285
CVE-2024-25590
CVE-2024-25620 on Ubuntu 26.04 LTS (resolute) - medium
Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name. This issue has been resolved in Helm v3.14.1. Users unable to upgrade should check all charts used by Helm for path changes in their name as found in the `Chart.yaml` file. This includes dependencies.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-15 00:15:00 UTC
CVE-2024-25620
CVE-2024-25638 on Ubuntu 26.04 LTS (resolute) - low
dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-07-22 14:15:00 UTC
CVE-2024-25638
CVE-2024-25710 on Ubuntu 26.04 LTS (resolute) - medium
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-19 09:15:00 UTC
CVE-2024-25710
CVE-2024-25740 on Ubuntu 26.04 LTS (resolute) - medium
A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-12 03:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2263881
https://bugzilla.suse.com/show_bug.cgi?id=1219830
CVE-2024-25740
CVE-2024-25743 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel through 6.9, an untrusted hypervisor can inject virtual interrupts 0 and 14 at any point in time and can trigger the SIGFPE signal handler in userspace applications. This affects AMD SEV-SNP and AMD SEV-ES.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-15 18:15:00 UTC
Supraja Sridhara, Benedict Schlüter, Mark Kuhne, Andrin Bertschi, and Shweta Shinde
https://bugzilla.redhat.com/show_bug.cgi?id=2270836
https://bugzilla.suse.com/show_bug.cgi?id=1223307
CVE-2024-25743
CVE-2024-25768 on Ubuntu 26.04 LTS (resolute) - medium
OpenDMARC 1.4.2 contains a null pointer dereference vulnerability in /OpenDMARC/libopendmarc/opendmarc_policy.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-26 18:15:00 UTC
CVE-2024-25768
CVE-2024-25885 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the getcolor function in utils.py of xhtml2pdf v0.2.13 allows attackers to cause a Regular expression Denial of Service (ReDOS) via supplying a crafted string.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-08 18:15:00 UTC
CVE-2024-25885
CVE-2024-26134 on Ubuntu 26.04 LTS (resolute) - medium
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-19 23:15:00 UTC
CVE-2024-26134
CVE-2024-26142 on Ubuntu 26.04 LTS (resolute) - medium
Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-27 16:15:00 UTC
CVE-2024-26142
CVE-2024-26143 on Ubuntu 26.04 LTS (resolute) - medium
Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-27 16:15:00 UTC
CVE-2024-26143
CVE-2024-26144 on Ubuntu 26.04 LTS (resolute) - medium
Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-27 16:15:00 UTC
CVE-2024-26144
CVE-2024-26147 on Ubuntu 26.04 LTS (resolute) - medium
Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an `index.yaml` file or a plugin's `plugin.yaml` file were missing all metadata a panic would occur in Helm. In the Helm SDK, this is found when using the `LoadIndexFile` or `DownloadIndexFile` functions in the `repo` package or the `LoadDir` function in the `plugin` package. For the Helm client this impacts functions around adding a repository and all Helm functions if a malicious plugin is added as Helm inspects all known plugins on each invocation. This issue has been resolved in Helm v3.14.2. If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem. If using Helm SDK versions prior to 3.14.2, calls to affected functions can use `recover` to catch the panic.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-21 23:15:00 UTC
CVE-2024-26147
CVE-2024-26308 on Ubuntu 26.04 LTS (resolute) - medium
Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-19 09:15:00 UTC
CVE-2024-26308
CVE-2024-26369 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the HistoryQosPolicy component of FastDDS v2.12.x, v2.11.x, v2.10.x, and v2.6.x leads to a SIGABRT (signal abort) upon receiving DataWriter's data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-19 06:15:00 UTC
CVE-2024-26369
CVE-2024-26458 on Ubuntu 26.04 LTS (resolute) - negligible
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.
Update Instructions:
Run `sudo pro fix CVE-2024-26458` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
krb5-admin-server - 1.21.3-4ubuntu2
krb5-gss-samples - 1.21.3-4ubuntu2
krb5-k5tls - 1.21.3-4ubuntu2
krb5-kdc - 1.21.3-4ubuntu2
krb5-kdc-ldap - 1.21.3-4ubuntu2
krb5-kpropd - 1.21.3-4ubuntu2
krb5-locales - 1.21.3-4ubuntu2
krb5-multidev - 1.21.3-4ubuntu2
krb5-otp - 1.21.3-4ubuntu2
krb5-pkinit - 1.21.3-4ubuntu2
krb5-user - 1.21.3-4ubuntu2
libgssapi-krb5-2 - 1.21.3-4ubuntu2
libgssrpc4t64 - 1.21.3-4ubuntu2
libk5crypto3 - 1.21.3-4ubuntu2
libkadm5clnt-mit12 - 1.21.3-4ubuntu2
libkadm5srv-mit12 - 1.21.3-4ubuntu2
libkdb5-10t64 - 1.21.3-4ubuntu2
libkrad0 - 1.21.3-4ubuntu2
libkrb5-3 - 1.21.3-4ubuntu2
libkrb5support0 - 1.21.3-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2024 Canonical Ltd.
2024-02-29 01:44:00 UTC
2024-02-29 01:44:00 UTC
[https://ubuntu.com/security/notices/USN-7314-1]
CVE-2024-26458
CVE-2024-26461 on Ubuntu 26.04 LTS (resolute) - low
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.
Update Instructions:
Run `sudo pro fix CVE-2024-26461` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
krb5-admin-server - 1.21.3-4ubuntu2
krb5-gss-samples - 1.21.3-4ubuntu2
krb5-k5tls - 1.21.3-4ubuntu2
krb5-kdc - 1.21.3-4ubuntu2
krb5-kdc-ldap - 1.21.3-4ubuntu2
krb5-kpropd - 1.21.3-4ubuntu2
krb5-locales - 1.21.3-4ubuntu2
krb5-multidev - 1.21.3-4ubuntu2
krb5-otp - 1.21.3-4ubuntu2
krb5-pkinit - 1.21.3-4ubuntu2
krb5-user - 1.21.3-4ubuntu2
libgssapi-krb5-2 - 1.21.3-4ubuntu2
libgssrpc4t64 - 1.21.3-4ubuntu2
libk5crypto3 - 1.21.3-4ubuntu2
libkadm5clnt-mit12 - 1.21.3-4ubuntu2
libkadm5srv-mit12 - 1.21.3-4ubuntu2
libkdb5-10t64 - 1.21.3-4ubuntu2
libkrad0 - 1.21.3-4ubuntu2
libkrb5-3 - 1.21.3-4ubuntu2
libkrb5support0 - 1.21.3-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-02-29 01:44:00 UTC
2024-02-29 01:44:00 UTC
[https://ubuntu.com/security/notices/USN-7314-1]
CVE-2024-26461
CVE-2024-26475 on Ubuntu 26.04 LTS (resolute) - medium
An issue in radareorg radare2 v.0.9.7 through v.5.8.6 and fixed in v.5.8.8 allows a local attacker to cause a denial of service via the grub_sfs_read_extent function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-14 22:15:00 UTC
CVE-2024-26475
CVE-2024-2698 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in FreeIPA in how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets. Fixing this mistake required adding a special case for the check_allowed_to_delegate() function: If the target service argument is NULL, then it means the KDC is probing for general constrained delegation rules and not checking a specific S4U2Proxy request. In FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to match the changes from upstream MIT Kerberos 1.20. However, a mistake results in this mechanism applying in cases where the target service argument is set AND where it is unset. This results in S4U2Proxy requests being accepted regardless of whether or not there is a matching service delegation rule.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-12 08:15:00 UTC
CVE-2024-2698
CVE-2024-27082 on Ubuntu 26.04 LTS (resolute) - medium
Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 are vulnerable to stored cross-site scripting, a type of cross-site scripting where malicious scripts are permanently stored on a target server and served to users who access a particular page. Version 1.2.27 contains a patch for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-14 15:11:00 UTC
CVE-2024-27082
CVE-2024-27088 on Ubuntu 26.04 LTS (resolute) - medium
es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into `function#copy` or `function#toStringTokens` may cause the script to stall. The vulnerability is patched in v0.10.63.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-26 17:15:00 UTC
CVE-2024-27088
CVE-2024-27099 on Ubuntu 26.04 LTS (resolute) - medium
The uAMQP is a C library for AMQP 1.0 communication to Azure Cloud Services. Processing an incorrect `AMQP_VALUE` failed state may cause a double free problem. This may cause an RCE. Update submodule with commit 2ca42b6e4e098af2d17e487814a91d05f6ae4987.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-02-27 19:04:00 UTC
CVE-2024-27099
CVE-2024-27281 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-14 15:11:00 UTC
2024-05-14 15:11:00 UTC
ooooooo_q
[https://ubuntu.com/security/notices/USN-6838-1]
[https://ubuntu.com/security/notices/USN-6838-2]
CVE-2024-27281
CVE-2024-27282 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-14 15:11:00 UTC
2024-05-14 15:11:00 UTC
sp2ip
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069968
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069969
[https://ubuntu.com/security/notices/USN-6838-1]
[https://ubuntu.com/security/notices/USN-7734-1]
CVE-2024-27282
CVE-2024-27305 on Ubuntu 26.04 LTS (resolute) - medium
aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggled/spoofed e-mails with fake sender addresses, allowing advanced phishing attacks. This issue also exists in other SMTP software like Postfix. With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-12 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066820
CVE-2024-27305
CVE-2024-27316 on Ubuntu 26.04 LTS (resolute) - medium
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
Update Instructions:
Run `sudo pro fix CVE-2024-27316` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.58-1ubuntu8.1
apache2-bin - 2.4.58-1ubuntu8.1
apache2-data - 2.4.58-1ubuntu8.1
apache2-suexec-custom - 2.4.58-1ubuntu8.1
apache2-suexec-pristine - 2.4.58-1ubuntu8.1
apache2-utils - 2.4.58-1ubuntu8.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-27
2024-03-27
Bartek Nowotarski
[https://ubuntu.com/security/notices/USN-6729-1]
[https://ubuntu.com/security/notices/USN-6729-2]
[https://ubuntu.com/security/notices/USN-6729-3]
CVE-2024-27316
CVE-2024-27351 on Ubuntu 26.04 LTS (resolute) - medium
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
Update Instructions:
Run `sudo pro fix CVE-2024-27351` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:4.2.11-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-04 09:00:00 UTC
2024-03-04 09:00:00 UTC
Seokchan Yoon
[https://ubuntu.com/security/notices/USN-6674-1]
[https://ubuntu.com/security/notices/USN-6674-2]
CVE-2024-27351
CVE-2024-27628 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in DCMTK v.3.6.8 allows an attacker to execute arbitrary code via the EctEnhancedCT method component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-28 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074483
CVE-2024-27628
CVE-2024-27629 on Ubuntu 26.04 LTS (resolute) - medium
An issue in dc2niix before v.1.0.20240202 allows a local attacker to execute arbitrary code via the generated file name is not properly escaped and injected into a system call when certain types of compression are used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-28 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074534
CVE-2024-27629
CVE-2024-27758 on Ubuntu 26.04 LTS (resolute) - medium
In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-12 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066879
CVE-2024-27758
CVE-2024-27851 on Ubuntu 26.04 LTS (resolute) - medium
The issue was addressed with improved bounds checks. This issue is fixed in Safari 17.5, iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, tvOS 17.5, visionOS 1.2, watchOS 10.5. Processing maliciously crafted web content may lead to arbitrary code execution.
Update Instructions:
Run `sudo pro fix CVE-2024-27851` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-javascriptcoregtk-4.1 - 2.46.0-2
gir1.2-javascriptcoregtk-6.0 - 2.46.0-2
gir1.2-webkit-6.0 - 2.46.0-2
gir1.2-webkit2-4.1 - 2.46.0-2
libjavascriptcoregtk-4.0-bin - 2.46.0-2
libjavascriptcoregtk-4.1-0 - 2.46.0-2
libjavascriptcoregtk-6.0-1 - 2.46.0-2
libjavascriptcoregtk-bin - 2.46.0-2
libwebkit2gtk-4.1-0 - 2.46.0-2
libwebkitgtk-6.0-4 - 2.46.0-2
webkit2gtk-driver - 2.46.0-2
webkitgtk-webdriver - 2.46.0-2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-10 21:15:00 UTC
CVE-2024-27851
CVE-2024-28054 on Ubuntu 26.04 LTS (resolute) - medium
Amavis before 2.12.3 and 2.13.x before 2.13.1, in part because of its use of MIME-tools, has an Interpretation Conflict (relative to some mail user agents) when there are multiple boundary parameters in a MIME email message. Consequently, there can be an incorrect check for banned files or malware.
Update Instructions:
Run `sudo pro fix CVE-2024-28054` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
amavisd-new - 1:2.13.0-6ubuntu1
amavisd-new-postfix - 1:2.13.0-6ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-18 17:15:00 UTC
2024-03-18 17:15:00 UTC
https://gitlab.com/amavis/amavis/-/issues/112
[https://ubuntu.com/security/notices/USN-6790-1]
CVE-2024-28054
CVE-2024-28085 on Ubuntu 26.04 LTS (resolute) - medium
wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.
Update Instructions:
Run `sudo pro fix CVE-2024-28085` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bsdextrautils - 2.41-4ubuntu4
eject - 2.41-4ubuntu4
fdisk - 2.41-4ubuntu4
lastlog2 - 2.41-4ubuntu4
libblkid1 - 2.41-4ubuntu4
libfdisk1 - 2.41-4ubuntu4
liblastlog2-2 - 2.41-4ubuntu4
libmount1 - 2.41-4ubuntu4
libpam-lastlog2 - 2.41-4ubuntu4
libsmartcols1 - 2.41-4ubuntu4
libuuid1 - 2.41-4ubuntu4
mount - 2.41-4ubuntu4
rfkill - 2.41-4ubuntu4
util-linux - 2.41-4ubuntu4
util-linux-extra - 2.41-4ubuntu4
util-linux-locales - 2.41-4ubuntu4
uuid-runtime - 2.41-4ubuntu4
bsdutils - 1:2.41-4ubuntu4
login - 1:4.16.0-2+really2.41-4ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-27
2024-03-27
Skyler Ferrante
[https://ubuntu.com/security/notices/USN-6719-1]
[https://ubuntu.com/security/notices/USN-6719-2]
CVE-2024-28085
CVE-2024-28102 on Ubuntu 26.04 LTS (resolute) - medium
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-21 02:52:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065688
CVE-2024-28102
CVE-2024-28103 on Ubuntu 26.04 LTS (resolute) - medium
Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-04 20:15:00 UTC
CVE-2024-28103
CVE-2024-28130 on Ubuntu 26.04 LTS (resolute) - medium
An incorrect type conversion vulnerability exists in the DVPSSoftcopyVOI_PList::createFromImage functionality of OFFIS DCMTK 3.6.8. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-23 15:15:00 UTC
2024-04-23 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-7010-1]
CVE-2024-28130
CVE-2024-28168 on Ubuntu 26.04 LTS (resolute) - medium
Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP. This issue affects Apache XML Graphics FOP: 2.9. Users are recommended to upgrade to version 2.10, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-09 12:15:00 UTC
CVE-2024-28168
CVE-2024-28184 on Ubuntu 26.04 LTS (resolute) - medium
WeasyPrint helps web developers to create PDF documents. Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if `url_fetcher` is configured to prevent access to files and URLs. This vulnerability has been patched in version 61.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-09 01:15:00 UTC
CVE-2024-28184
CVE-2024-28188 on Ubuntu 26.04 LTS (resolute) - medium
Jupyter Scheduler is a collection of extensions for programming jobs to run now or run on a schedule. The list of conda environments of `jupyter-scheduler` users may be exposed, potentially revealing information about projects that a specific user may be working on. This vulnerability has been patched in version(s) 1.1.6, 1.2.1, 1.8.2 and 2.5.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-23 12:15:00 UTC
CVE-2024-28188
CVE-2024-28231 on Ubuntu 26.04 LTS (resolute) - medium
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.14.0, 2.13.4, 2.12.3, 2.10.4, and 2.6.8, manipulated DATA Submessage can cause a heap overflow error in the Fast-DDS process, causing the process to be terminated remotely. Additionally, the payload_size in the DATA Submessage packet is declared as uint32_t. When a negative number, such as -1, is input into this variable, it results in an Integer Overflow (for example, -1 gets converted to 0xFFFFFFFF). This eventually leads to a heap-buffer-overflow, causing the program to terminate. Versions 2.14.0, 2.13.4, 2.12.3, 2.10.4, and 2.6.8 contain a fix for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067393
CVE-2024-28231
CVE-2024-28233 on Ubuntu 26.04 LTS (resolute) - medium
JupyterHub is an open source multi-user server for Jupyter notebooks. By tricking a user into visiting a malicious subdomain, the attacker can achieve an XSS directly affecting the former's session. More precisely, in the context of JupyterHub, this XSS could achieve full access to JupyterHub API and user's single-user server. The affected configurations are single-origin JupyterHub deployments and JupyterHub deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server. This vulnerability is fixed in 4.1.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-27 19:15:00 UTC
CVE-2024-28233
CVE-2024-2824 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Matthias-Wandel jhead 3.08 and classified as critical. This issue affects the function PrintFormatNumber of the file exif.c. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257711.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-22 18:15:00 UTC
CVE-2024-2824
CVE-2024-28285 on Ubuntu 26.04 LTS (resolute) - medium
A Fault Injection vulnerability in the SymmetricDecrypt function in cryptopp/elgamal.h of Cryptopp Crypto++ 8.9, allows an attacker to co-reside in the same system with a victim process to disclose information and escalate privileges.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-14 15:14:00 UTC
CVE-2024-28285
CVE-2024-2829 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.5 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. A crafted wildcard filter in FileFinder may lead to a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-25 11:15:00 UTC
CVE-2024-2829
CVE-2024-28397 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-20 17:15:00 UTC
CVE-2024-28397
CVE-2024-28562 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to execute arbitrary code via the Imf_2_2::copyIntoFrameBuffer() component when reading images in EXR format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28562
CVE-2024-28563 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the Imf_2_2::DwaCompressor::Classifier::Classifier() function when reading images in EXR format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28563
CVE-2024-28564 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the Imf_2_2::CharPtrIO::readChars() function when reading images in EXR format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28564
CVE-2024-28565 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the psdParser::ReadImageData() function when reading images in PSD format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28565
CVE-2024-28566 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to execute arbitrary code via the AssignPixel() function when reading images in TIFF format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28566
CVE-2024-28567 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the FreeImage_CreateICCProfile() function when reading images in TIFF format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28567
CVE-2024-28568 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the read_iptc_profile() function when reading images in TIFF format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28568
CVE-2024-28569 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to execute arbitrary code via the Imf_2_2::Xdr::read() function when reading images in EXR format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28569
CVE-2024-28570 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the processMakerNote() function when reading images in JPEG format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28570
CVE-2024-28571 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the fill_input_buffer() function when reading images in JPEG format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28571
CVE-2024-28572 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the FreeImage_SetTagValue() function when reading images in JPEG format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28572
CVE-2024-28573 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the jpeg_read_exif_profile() function when reading images in JPEG format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28573
CVE-2024-28574 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the opj_j2k_copy_default_tcp_and_create_tcd() function when reading images in J2K format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28574
CVE-2024-28575 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the opj_j2k_read_mct() function when reading images in J2K format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28575
CVE-2024-28576 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the opj_j2k_tcp_destroy() function when reading images in J2K format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28576
CVE-2024-28577 on Ubuntu 26.04 LTS (resolute) - medium
Null Pointer Dereference vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the jpeg_read_exif_profile_raw() function when reading images in JPEG format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28577
CVE-2024-28578 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to execute arbitrary code via the Load() function when reading images in RAS format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28578
CVE-2024-28579 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the FreeImage_Unload() function when reading images in HDR format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28579
CVE-2024-28580 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to execute arbitrary code via the ReadData() function when reading images in RAS format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28580
CVE-2024-28581 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to execute arbitrary code via the _assignPixel<>() function when reading images in TARGA format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28581
CVE-2024-28582 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to execute arbitrary code via the rgbe_RGBEToFloat() function when reading images in HDR format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28582
CVE-2024-28583 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to execute arbitrary code via the readLine() function when reading images in XPM format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28583
CVE-2024-28584 on Ubuntu 26.04 LTS (resolute) - medium
Null Pointer Dereference vulnerability in open source FreeImage v.3.19.0 [r1909] allows a local attacker to cause a denial of service (DoS) via the J2KImageToFIBITMAP() function when reading images in J2K format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-20 06:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068461
CVE-2024-28584
CVE-2024-28718 on Ubuntu 26.04 LTS (resolute) - medium
An issue in OpenStack magnum yoga-eom version allows a remote attacker to execute arbitrary code via the cert_manager.py. component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-12 13:15:00 UTC
https://bugs.launchpad.net/magnum/+bug/2047690
CVE-2024-28718
CVE-2024-28757 on Ubuntu 26.04 LTS (resolute) - medium
libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-10
2024-03-10
https://github.com/libexpat/libexpat/issues/839
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065868
https://bugzilla.redhat.com/show_bug.cgi?id=2268766
[https://ubuntu.com/security/notices/USN-6694-1]
CVE-2024-28757
CVE-2024-2880 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 in which a user with `admin_group_member` custom role permission could ban group members.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-11 07:15:00 UTC
CVE-2024-2880
CVE-2024-28820 on Ubuntu 26.04 LTS (resolute) - medium
Buffer overflow in the extract_openvpn_cr function in openvpn-cr.c in openvpn-auth-ldap (aka the Three Rings Auth-LDAP plugin for OpenVPN) 2.0.4 allows attackers with a valid LDAP username and who can control the challenge/response password field to pass a string with more than 14 colons into this field and cause a buffer overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-27 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074425
CVE-2024-28820
CVE-2024-28870 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community. When parsing an overly long SSH banner, Suricata can use excessive CPU resources, as well as cause excessive logging volume in alert records. This issue has been patched in versions 6.0.17 and 7.0.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-03 22:15:00 UTC
CVE-2024-28870
CVE-2024-28956 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
Update Instructions:
Run `sudo pro fix CVE-2024-28956` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
intel-microcode - 3.20250512.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-13 21:15:00 UTC
2025-05-13 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105172
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105193
[https://ubuntu.com/security/notices/USN-7535-1]
CVE-2024-28956
CVE-2024-29025 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacker can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.
Update Instructions:
Run `sudo pro fix CVE-2024-29025` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnetty-java - 4.1.48-10
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-25 20:15:00 UTC
2024-03-25 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7284-1]
CVE-2024-29025
CVE-2024-29038 on Ubuntu 26.04 LTS (resolute) - medium
tpm2-tools is the source repository for the Trusted Platform Module (TPM2.0) tools. A malicious attacker can generate arbitrary quote data which is not detected by `tpm2 checkquote`. This issue was patched in version 5.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-28 14:15:00 UTC
CVE-2024-29038
CVE-2024-29039 on Ubuntu 26.04 LTS (resolute) - medium
tpm2 is the source repository for the Trusted Platform Module (TPM2.0) tools. This vulnerability allows attackers to manipulate tpm2_checkquote outputs by altering the TPML_PCR_SELECTION in the PCR input file. As a result, digest values are incorrectly mapped to PCR slots and banks, providing a misleading picture of the TPM state. This issue has been patched in version 5.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-28 16:15:00 UTC
CVE-2024-29039
CVE-2024-29040 on Ubuntu 26.04 LTS (resolute) - medium
This repository hosts source code implementing the Trusted Computing Group's (TCG) TPM2 Software Stack (TSS). The JSON Quote Info returned by Fapi_Quote has to be deserialized by Fapi_VerifyQuote to the TPM Structure `TPMS_ATTEST`. For the field `TPM2_GENERATED magic` of this structure any number can be used in the JSON structure. The verifier can receive a state which does not represent the actual, possibly malicious state of the device under test. The malicious device might get access to data it shouldn't, or can use services it shouldn't be able to. This issue has been patched in version 4.1.0.
Update Instructions:
Run `sudo pro fix CVE-2024-29040` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtss2-esys-3.0.2-0t64 - 4.1.0-1ubuntu1
libtss2-fapi1t64 - 4.1.0-1ubuntu1
libtss2-mu-4.0.1-0t64 - 4.1.0-1ubuntu1
libtss2-policy0t64 - 4.1.0-1ubuntu1
libtss2-rc0t64 - 4.1.0-1ubuntu1
libtss2-sys1t64 - 4.1.0-1ubuntu1
libtss2-tcti-cmd0t64 - 4.1.0-1ubuntu1
libtss2-tcti-i2c-ftdi0 - 4.1.0-1ubuntu1
libtss2-tcti-i2c-helper0 - 4.1.0-1ubuntu1
libtss2-tcti-libtpms0t64 - 4.1.0-1ubuntu1
libtss2-tcti-mssim0t64 - 4.1.0-1ubuntu1
libtss2-tcti-pcap0t64 - 4.1.0-1ubuntu1
libtss2-tcti-spi-ftdi0 - 4.1.0-1ubuntu1
libtss2-tcti-spi-helper0t64 - 4.1.0-1ubuntu1
libtss2-tcti-spi-ltt2go0 - 4.1.0-1ubuntu1
libtss2-tcti-spidev0 - 4.1.0-1ubuntu1
libtss2-tcti-swtpm0t64 - 4.1.0-1ubuntu1
libtss2-tctildr0t64 - 4.1.0-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-30
2024-04-30
[https://ubuntu.com/security/notices/USN-6796-1]
CVE-2024-29040
CVE-2024-29195 on Ubuntu 26.04 LTS (resolute) - medium
The azure-c-shared-utility is a C library for AMQP/MQTT communication to Azure Cloud Services. This library may be used by the Azure IoT C SDK for communication between IoT Hub and IoT Hub devices. An attacker can cause an integer wraparound or under-allocation or heap buffer overflow due to vulnerabilities in parameter checking mechanism, by exploiting the buffer length parameter in Azure C SDK, which may lead to remote code execution. Requirements for RCE are 1. Compromised Azure account allowing malformed payloads to be sent to the device via IoT Hub service, 2. By passing IoT hub service max message payload limit of 128KB, and 3. Ability to overwrite code space with remote code. Fixed in commit https://github.com/Azure/azure-c-shared-utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-26 03:15:00 UTC
CVE-2024-29195
CVE-2024-29371 on Ubuntu 26.04 LTS (resolute) - medium
In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-17 16:16:00 UTC
CVE-2024-29371
CVE-2024-29415 on Ubuntu 26.04 LTS (resolute) - medium
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-27 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072121
CVE-2024-29415
CVE-2024-29421 on Ubuntu 26.04 LTS (resolute) - medium
xmedcon 0.23.0 and fixed in v.0.24.0 is vulnerable to Buffer Overflow via libs/dicom/basic.c which allows an attacker to execute arbitrary code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-22 18:15:00 UTC
CVE-2024-29421
CVE-2024-2961 on Ubuntu 26.04 LTS (resolute) - medium
The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.
Update Instructions:
Run `sudo pro fix CVE-2024-2961` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
glibc-source - 2.39-0ubuntu8.1
libc-bin - 2.39-0ubuntu8.1
libc6 - 2.39-0ubuntu8.1
libc6-amd64 - 2.39-0ubuntu8.1
libc6-i386 - 2.39-0ubuntu8.1
libc6-x32 - 2.39-0ubuntu8.1
locales - 2.39-0ubuntu8.1
locales-all - 2.39-0ubuntu8.1
nscd - 2.39-0ubuntu8.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-17
2024-04-17
Charles Fol
[https://ubuntu.com/security/notices/USN-6737-1]
[https://ubuntu.com/security/notices/USN-6737-2]
[https://ubuntu.com/security/notices/USN-6762-1]
CVE-2024-2961
CVE-2024-29645 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in radarorg radare2 v.5.8.8 allows an attacker to execute arbitrary code via the parse_die function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-02 15:15:00 UTC
CVE-2024-29645
CVE-2024-29646 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in radarorg radare2 v.5.8.8 allows an attacker to execute arbitrary code via the name, type, or group fields.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-17 22:15:00 UTC
CVE-2024-29646
CVE-2024-2971 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by negative object number in indirect reference in the input PDF file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-26 22:15:00 UTC
CVE-2024-2971
CVE-2024-29864 on Ubuntu 26.04 LTS (resolute) - medium
Distrobox before 1.7.0.1 allows attackers to execute arbitrary code via command injection into exported executables.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-21 04:15:00 UTC
CVE-2024-29864
CVE-2024-29895 on Ubuntu 26.04 LTS (resolute) - medium
Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary command on the server when `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when `register_argc_argv` option of PHP is `On`. And this option is `On` by default in many environments such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-14 15:17:00 UTC
CVE-2024-29895
CVE-2024-30161 on Ubuntu 26.04 LTS (resolute) - medium
In Qt 6.5.4, 6.5.5, and 6.6.2, QNetworkReply header data might be accessed via a dangling pointer in Qt for WebAssembly (wasm). (Earlier and later versions are unaffected.)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-24 01:15:00 UTC
CVE-2024-30161
CVE-2024-3019 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in PCP. The default pmproxy configuration exposes the Redis server backend to the local network, allowing remote command execution with the privileges of the Redis user. This issue can only be exploited when pmproxy is running. By default, pmproxy is not running and needs to be started manually. The pmproxy service is usually started from the 'Metrics settings' page of the Cockpit web interface. This flaw affects PCP versions 4.3.4 and newer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-28 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068112
CVE-2024-3019
CVE-2024-30202 on Ubuntu 26.04 LTS (resolute) - medium
In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-25 15:15:00 UTC
2024-03-25 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067630
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067663
[https://ubuntu.com/security/notices/USN-7375-1]
CVE-2024-30202
CVE-2024-30203 on Ubuntu 26.04 LTS (resolute) - medium
In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-25 15:15:00 UTC
2024-03-25 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067630
[https://ubuntu.com/security/notices/USN-7027-1]
CVE-2024-30203
CVE-2024-30204 on Ubuntu 26.04 LTS (resolute) - medium
In Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-25 15:15:00 UTC
2024-03-25 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067630
[https://ubuntu.com/security/notices/USN-7027-1]
CVE-2024-30204
CVE-2024-30205 on Ubuntu 26.04 LTS (resolute) - medium
In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-25 15:15:00 UTC
2024-03-25 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067630
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067663
[https://ubuntu.com/security/notices/USN-7027-1]
[https://ubuntu.com/security/notices/USN-7375-1]
CVE-2024-30205
CVE-2024-30268 on Ubuntu 26.04 LTS (resolute) - medium
Cacti provides an operational monitoring and fault management framework. A reflected cross-site scripting vulnerability on the 1.3.x DEV branch allows attackers to obtain cookies of administrator and other users and fake their login using obtained cookies. This issue is fixed in commit a38b9046e9772612fda847b46308f9391a49891e.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-14 15:22:00 UTC
CVE-2024-30268
CVE-2024-3049 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Booth, a cluster ticket manager. If a specially-crafted hash is passed to gcry_md_get_algo_dlen(), it may allow an invalid HMAC to be accepted by the Booth server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-06 06:15:00 UTC
CVE-2024-3049
CVE-2024-30896 on Ubuntu 26.04 LTS (resolute) - medium
InfluxDB OSS 2.x through 2.7.11 stores the administrative operator token under the default organization which allows authorized users with read access to the authorization resource of the default organization to retrieve the operator token. InfluxDB OSS 1.x, Enterprise, Cloud, Cloud Dedicated and Clustered are not affected. NOTE: The researcher states that InfluxDB allows allAccess administrators to retrieve all raw tokens via an "influx auth ls" command. The supplier indicates that the organizations feature is operating as intended and that users may choose to add users to non-default organizations. A future release of InfluxDB 2.x will remove the ability to retrieve tokens from the API. The supplier has stated that InfluxDB 2.8.0 has addressed this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-21 11:15:00 UTC
CVE-2024-30896
CVE-2024-30916 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in eProsima FastDDS v.2.14.0 and before, allows a local attacker to cause a denial of service (DoS) and obtain sensitive information via a crafted max_samples parameter in DurabilityService QoS component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-11 06:15:00 UTC
CVE-2024-30916
CVE-2024-30917 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in eProsima FastDDS v.2.14.0 and before, allows a local attacker to cause a denial of service (DoS) and obtain sensitive information via a crafted history_depth parameter in DurabilityService QoS component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-11 06:15:00 UTC
CVE-2024-30917
CVE-2024-31031 on Ubuntu 26.04 LTS (resolute) - medium
An issue in `coap_pdu.c` in libcoap 4.3.4 allows attackers to cause undefined behavior via a sequence of messages leading to unsigned integer overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-17 19:15:00 UTC
CVE-2024-31031
CVE-2024-31080 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.
Update Instructions:
Run `sudo pro fix CVE-2024-31080` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.12-1ubuntu1
xorg-server-source - 2:21.1.12-1ubuntu1
xserver-common - 2:21.1.12-1ubuntu1
xserver-xephyr - 2:21.1.12-1ubuntu1
xserver-xorg-core - 2:21.1.12-1ubuntu1
xserver-xorg-legacy - 2:21.1.12-1ubuntu1
xvfb - 2:21.1.12-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-04 00:00:00 UTC
2024-03-04 00:00:00 UTC
[https://ubuntu.com/security/notices/USN-6721-1]
CVE-2024-31080
CVE-2024-31081 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.
Update Instructions:
Run `sudo pro fix CVE-2024-31081` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.12-1ubuntu1
xorg-server-source - 2:21.1.12-1ubuntu1
xserver-common - 2:21.1.12-1ubuntu1
xserver-xephyr - 2:21.1.12-1ubuntu1
xserver-xorg-core - 2:21.1.12-1ubuntu1
xserver-xorg-legacy - 2:21.1.12-1ubuntu1
xvfb - 2:21.1.12-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-04 00:00:00 UTC
2024-03-04 00:00:00 UTC
[https://ubuntu.com/security/notices/USN-6721-1]
CVE-2024-31081
CVE-2024-31082 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer over-read vulnerability was found in the X.org server's ProcAppleDRICreatePixmap() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.
Update Instructions:
Run `sudo pro fix CVE-2024-31082` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.12-1ubuntu1
xorg-server-source - 2:21.1.12-1ubuntu1
xserver-common - 2:21.1.12-1ubuntu1
xserver-xephyr - 2:21.1.12-1ubuntu1
xserver-xorg-core - 2:21.1.12-1ubuntu1
xserver-xorg-legacy - 2:21.1.12-1ubuntu1
xvfb - 2:21.1.12-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-04 00:00:00 UTC
2024-03-04 00:00:00 UTC
[https://ubuntu.com/security/notices/USN-6721-1]
CVE-2024-31082
CVE-2024-31083 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently, ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.
Update Instructions:
Run `sudo pro fix CVE-2024-31083` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.12-1ubuntu1
xorg-server-source - 2:21.1.12-1ubuntu1
xserver-common - 2:21.1.12-1ubuntu1
xserver-xephyr - 2:21.1.12-1ubuntu1
xserver-xorg-core - 2:21.1.12-1ubuntu1
xserver-xorg-legacy - 2:21.1.12-1ubuntu1
xvfb - 2:21.1.12-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-03-04 00:00:00 UTC
2024-03-04 00:00:00 UTC
https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/2060354
[https://ubuntu.com/security/notices/USN-6721-1]
[https://ubuntu.com/security/notices/USN-6721-2]
CVE-2024-31083
CVE-2024-31142 on Ubuntu 26.04 LTS (resolute) - medium
Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-16 14:15:00 UTC
CVE-2024-31142
CVE-2024-31143 on Ubuntu 26.04 LTS (resolute) - medium
An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-18 14:15:00 UTC
CVE-2024-31143
CVE-2024-31144 on Ubuntu 26.04 LTS (resolute) - medium
For a brief summary of Xapi terminology, see: https://xapi-project.github.io/xen-api/overview.html#object-model-overview Xapi contains functionality to backup and restore metadata about Virtual Machines and Storage Repositories (SRs). The metadata itself is stored in a Virtual Disk Image (VDI) inside an SR. This is used for two purposes; a general backup of metadata (e.g. to recover from a host failure if the filer is still good), and Portable SRs (e.g. using an external hard drive to move VMs to another host). Metadata is only restored as an explicit administrator action, but occurs in cases where the host has no information about the SR, and must locate the metadata VDI in order to retrieve the metadata. The metadata VDI is located by searching (in UUID alphanumeric order) each VDI, mounting it, and seeing if there is a suitable metadata file present. The first matching VDI is deemed to be the metadata VDI, and is restored from. In the general case, the content of VDIs are controlled by the VM owner, and should not be trusted by the host administrator. A malicious guest can manipulate its disk to appear to be a metadata backup. A guest cannot choose the UUIDs of its VDIs, but a guest with one disk has a 50% chance of sorting ahead of the legitimate metadata backup. A guest with two disks has a 75% chance, etc.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-14 21:15:00 UTC
CVE-2024-31144
CVE-2024-31145 on Ubuntu 26.04 LTS (resolute) - medium
Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuously accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting in such mappings to potentially remain in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-25 11:15:00 UTC
CVE-2024-31145
CVE-2024-31146 on Ubuntu 26.04 LTS (resolute) - medium
When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to: PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86); INTx lines.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-25 11:15:00 UTC
CVE-2024-31146
CVE-2024-3119 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow vulnerability exists in all versions of sngrep since v0.4.2, due to improper handling of 'Call-ID' and 'X-Call-ID' SIP headers. The functions sip_get_callid and sip_get_xcallid in sip.c use the strncpy function to copy header contents into fixed-size buffers without checking the data length. This flaw allows remote attackers to execute arbitrary code or cause a denial of service (DoS) through specially crafted SIP messages.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-10 00:15:00 UTC
CVE-2024-3119
CVE-2024-3120 on Ubuntu 26.04 LTS (resolute) - medium
A stack-buffer overflow vulnerability exists in all versions of sngrep since v1.4.1. The flaw is due to inadequate bounds checking when copying 'Content-Length' and 'Warning' headers into fixed-size buffers in the sip_validate_packet and sip_parse_extra_headers functions within src/sip.c. This vulnerability allows remote attackers to execute arbitrary code or cause a denial of service (DoS) via crafted SIP messages.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-10 00:15:00 UTC
CVE-2024-3120
CVE-2024-31208 on Ubuntu 26.04 LTS (resolute) - medium
Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-23 18:15:00 UTC
2024-04-23 18:15:00 UTC
Alexey Shchepin
[https://ubuntu.com/security/notices/USN-7444-1]
CVE-2024-31208
CVE-2024-31449 on Ubuntu 26.04 LTS (resolute) - high
Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
High
Copyright (C) 2024 Canonical Ltd.
2024-10-07 20:15:00 UTC
2024-10-07 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-8169-1]
CVE-2024-31449
CVE-2024-31570 on Ubuntu 26.04 LTS (resolute) - medium
libfreeimage in FreeImage 3.4.0 through 3.18.0 has a stack-based buffer overflow in the PluginXPM.cpp Load function via an XPM file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-19 17:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082380
CVE-2024-31570
CVE-2024-31573 on Ubuntu 26.04 LTS (resolute) - medium
XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-17 19:15:00 UTC
CVE-2024-31573
CVE-2024-31580 on Ubuntu 26.04 LTS (resolute) - medium
PyTorch before v2.2.0 was discovered to contain a heap buffer overflow vulnerability in the component /runtime/vararg_functions.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-17 19:15:00 UTC
CVE-2024-31580
CVE-2024-31583 on Ubuntu 26.04 LTS (resolute) - medium
Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpreter.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-17 19:15:00 UTC
CVE-2024-31583
CVE-2024-31584 on Ubuntu 26.04 LTS (resolute) - medium
Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via the component torch/csrc/jit/mobile/flatbuffer_loader.cpp.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-19 21:15:00 UTC
CVE-2024-31584
CVE-2024-3183 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in FreeIPA in a way when a Kerberos TGS-REQ is encrypted using the client’s session key. This key is different for each new session, which protects it from brute force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public per-principal randomly-generated salt and the user’s password. If a principal is compromised it means the attacker would be able to retrieve tickets encrypted to any principal, all of them being encrypted by their own key directly. By taking these tickets and salts offline, the attacker could run brute force attacks to find character strings able to decrypt tickets when combined to a principal salt (i.e. find the principal’s password).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-12 09:15:00 UTC
CVE-2024-3183
CVE-2024-31837 on Ubuntu 26.04 LTS (resolute) - medium
DMitry (Deepmagic Information Gathering Tool) 1.3a has a format-string vulnerability, with a threat model similar to CVE-2017-7938.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-30 07:15:00 UTC
CVE-2024-31837
CVE-2024-3203 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, was found in c-blosc2 up to 2.13.2. Affected is the function ndlz8_decompress of the file /src/c-blosc2/plugins/codecs/ndlz/ndlz8x8.c. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.14.3 is able to address this issue. It is recommended to upgrade the affected component. VDB-259050 is the identifier assigned to this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-02 22:15:00 UTC
CVE-2024-3203
CVE-2024-32039 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients using a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to integer overflow and out-of-bounds write. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, do not use `/gfx` options (e.g. deactivate with `/bpp:32` or `/rfx` as it is on by default).
Update Instructions:
Run `sudo pro fix CVE-2024-32039` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.5.0+dfsg1-0ubuntu1
freerdp3-proxy-modules - 3.5.0+dfsg1-0ubuntu1
freerdp3-sdl - 3.5.0+dfsg1-0ubuntu1
freerdp3-shadow-x11 - 3.5.0+dfsg1-0ubuntu1
freerdp3-wayland - 3.5.0+dfsg1-0ubuntu1
freerdp3-x11 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-client3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-server-proxy3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-server3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-shadow-subsystem3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-shadow3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp3-3 - 3.5.0+dfsg1-0ubuntu1
libwinpr-tools3-3 - 3.5.0+dfsg1-0ubuntu1
libwinpr3-3 - 3.5.0+dfsg1-0ubuntu1
winpr3-utils - 3.5.0+dfsg1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-23
2024-04-23
Evgeny Legerov
[https://ubuntu.com/security/notices/USN-6749-1]
[https://ubuntu.com/security/notices/USN-7341-1]
CVE-2024-32039
CVE-2024-3204 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in c-blosc2 up to 2.13.2 and classified as critical. Affected by this vulnerability is the function ndlz4_decompress of the file /src/c-blosc2/plugins/codecs/ndlz/ndlz4x4.c. The manipulation leads to heap-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.14.3 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-259051.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-02 22:15:00 UTC
CVE-2024-3204
CVE-2024-32040 on Ubuntu 26.04 LTS (resolute) - low
FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 and have connections to servers using the `NSC` codec are vulnerable to integer underflow. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, do not use the NSC codec (e.g. use `-nsc`).
Update Instructions:
Run `sudo pro fix CVE-2024-32040` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.5.0+dfsg1-0ubuntu1
freerdp3-proxy-modules - 3.5.0+dfsg1-0ubuntu1
freerdp3-sdl - 3.5.0+dfsg1-0ubuntu1
freerdp3-shadow-x11 - 3.5.0+dfsg1-0ubuntu1
freerdp3-wayland - 3.5.0+dfsg1-0ubuntu1
freerdp3-x11 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-client3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-server-proxy3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-server3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-shadow-subsystem3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-shadow3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp3-3 - 3.5.0+dfsg1-0ubuntu1
libwinpr-tools3-3 - 3.5.0+dfsg1-0ubuntu1
libwinpr3-3 - 3.5.0+dfsg1-0ubuntu1
winpr3-utils - 3.5.0+dfsg1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-04-23
2024-04-23
Evgeny Legerov
[https://ubuntu.com/security/notices/USN-6749-1]
[https://ubuntu.com/security/notices/USN-7341-1]
CVE-2024-32040
CVE-2024-32041 on Ubuntu 26.04 LTS (resolute) - low
FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, deactivate `/gfx` (on by default, set `/bpp` or `/rfx` options instead).
Update Instructions:
Run `sudo pro fix CVE-2024-32041` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.5.0+dfsg1-0ubuntu1
freerdp3-proxy-modules - 3.5.0+dfsg1-0ubuntu1
freerdp3-sdl - 3.5.0+dfsg1-0ubuntu1
freerdp3-shadow-x11 - 3.5.0+dfsg1-0ubuntu1
freerdp3-wayland - 3.5.0+dfsg1-0ubuntu1
freerdp3-x11 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-client3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-server-proxy3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-server3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-shadow-subsystem3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-shadow3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp3-3 - 3.5.0+dfsg1-0ubuntu1
libwinpr-tools3-3 - 3.5.0+dfsg1-0ubuntu1
libwinpr3-3 - 3.5.0+dfsg1-0ubuntu1
winpr3-utils - 3.5.0+dfsg1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-04-23
2024-04-23
Evgeny Legerov
[https://ubuntu.com/security/notices/USN-6749-1]
[https://ubuntu.com/security/notices/USN-7341-1]
CVE-2024-32041
CVE-2024-3209 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in UPX up to 4.2.2. It has been rated as critical. This issue affects the function get_ne64 of the file bele.h. The manipulation leads to heap-based buffer overflow. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259055. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-02 23:15:00 UTC
CVE-2024-3209
CVE-2024-32258 on Ubuntu 26.04 LTS (resolute) - medium
The network server of fceux 2.7.0 has a path traversal vulnerability, allowing attackers to overwrite any files on the server without authentication by fake ROM.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-23 16:15:00 UTC
CVE-2024-32258
CVE-2024-32458 on Ubuntu 26.04 LTS (resolute) - low
FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, use `/gfx` or `/rfx` modes (on by default, require server side support).
Update Instructions:
Run `sudo pro fix CVE-2024-32458` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.5.0+dfsg1-0ubuntu1
freerdp3-proxy-modules - 3.5.0+dfsg1-0ubuntu1
freerdp3-sdl - 3.5.0+dfsg1-0ubuntu1
freerdp3-shadow-x11 - 3.5.0+dfsg1-0ubuntu1
freerdp3-wayland - 3.5.0+dfsg1-0ubuntu1
freerdp3-x11 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-client3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-server-proxy3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-server3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-shadow-subsystem3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-shadow3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp3-3 - 3.5.0+dfsg1-0ubuntu1
libwinpr-tools3-3 - 3.5.0+dfsg1-0ubuntu1
libwinpr3-3 - 3.5.0+dfsg1-0ubuntu1
winpr3-utils - 3.5.0+dfsg1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-04-23
2024-04-23
Evgeny Legerov
[https://ubuntu.com/security/notices/USN-6749-1]
[https://ubuntu.com/security/notices/USN-7371-1]
CVE-2024-32458
CVE-2024-32459 on Ubuntu 26.04 LTS (resolute) - low
FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients and servers that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. No known workarounds are available.
Update Instructions:
Run `sudo pro fix CVE-2024-32459` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.5.0+dfsg1-0ubuntu1
freerdp3-proxy-modules - 3.5.0+dfsg1-0ubuntu1
freerdp3-sdl - 3.5.0+dfsg1-0ubuntu1
freerdp3-shadow-x11 - 3.5.0+dfsg1-0ubuntu1
freerdp3-wayland - 3.5.0+dfsg1-0ubuntu1
freerdp3-x11 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-client3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-server-proxy3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-server3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-shadow-subsystem3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-shadow3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp3-3 - 3.5.0+dfsg1-0ubuntu1
libwinpr-tools3-3 - 3.5.0+dfsg1-0ubuntu1
libwinpr3-3 - 3.5.0+dfsg1-0ubuntu1
winpr3-utils - 3.5.0+dfsg1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-04-23
2024-04-23
Evgeny Legerov
[https://ubuntu.com/security/notices/USN-6749-1]
[https://ubuntu.com/security/notices/USN-7371-1]
CVE-2024-32459
CVE-2024-32460 on Ubuntu 26.04 LTS (resolute) - low
FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients using `/bpp:32` legacy `GDI` drawing path with a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, use modern drawing paths (e.g. `/rfx` or `/gfx` options). The workaround requires server side support.
Update Instructions:
Run `sudo pro fix CVE-2024-32460` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.5.0+dfsg1-0ubuntu1
freerdp3-proxy-modules - 3.5.0+dfsg1-0ubuntu1
freerdp3-sdl - 3.5.0+dfsg1-0ubuntu1
freerdp3-shadow-x11 - 3.5.0+dfsg1-0ubuntu1
freerdp3-wayland - 3.5.0+dfsg1-0ubuntu1
freerdp3-x11 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-client3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-server-proxy3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-server3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-shadow-subsystem3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp-shadow3-3 - 3.5.0+dfsg1-0ubuntu1
libfreerdp3-3 - 3.5.0+dfsg1-0ubuntu1
libwinpr-tools3-3 - 3.5.0+dfsg1-0ubuntu1
libwinpr3-3 - 3.5.0+dfsg1-0ubuntu1
winpr3-utils - 3.5.0+dfsg1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-04-23
2024-04-23
Evgeny Legerov
[https://ubuntu.com/security/notices/USN-6749-1]
[https://ubuntu.com/security/notices/USN-7341-1]
CVE-2024-32460
CVE-2024-32462 on Ubuntu 26.04 LTS (resolute) - medium
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.
Update Instructions:
Run `sudo pro fix CVE-2024-32462` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
flatpak - 1.14.6-1
flatpak-tests - 1.14.6-1
gir1.2-flatpak-1.0 - 1.14.6-1
libflatpak0 - 1.14.6-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-18 18:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2062406
CVE-2024-32462
CVE-2024-32464 on Ubuntu 26.04 LTS (resolute) - medium
Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This vulnerability is fixed in 7.1.3.4 and 7.2.0.beta2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-04 20:15:00 UTC
CVE-2024-32464
CVE-2024-3247 on Ubuntu 26.04 LTS (resolute) - medium
In Xpdf 4.05 (and earlier), a PDF object loop in an object stream leads to infinite recursion and a stack overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-02 23:15:00 UTC
CVE-2024-3247
CVE-2024-3248 on Ubuntu 26.04 LTS (resolute) - medium
In Xpdf 4.05 (and earlier), a PDF object loop in the attachments leads to infinite recursion and a stack overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-02 23:15:00 UTC
CVE-2024-3248
CVE-2024-32492 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Znuny 7.0.1 through 7.0.16 where the ticket detail view in the customer front allows the execution of external JavaScript.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-29 17:15:00 UTC
CVE-2024-32492
CVE-2024-32498 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.
Update Instructions:
Run `sudo pro fix CVE-2024-32498` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
cinder-api - 2:24.1.0+git2024080717.383b830b-0ubuntu1
cinder-backup - 2:24.1.0+git2024080717.383b830b-0ubuntu1
cinder-common - 2:24.1.0+git2024080717.383b830b-0ubuntu1
cinder-scheduler - 2:24.1.0+git2024080717.383b830b-0ubuntu1
cinder-volume - 2:24.1.0+git2024080717.383b830b-0ubuntu1
python3-cinder - 2:24.1.0+git2024080717.383b830b-0ubuntu1
No subscription required
glance - 2:28.0.1-0ubuntu3
glance-api - 2:28.0.1-0ubuntu3
glance-common - 2:28.0.1-0ubuntu3
python3-glance - 2:28.0.1-0ubuntu3
No subscription required
nova-ajax-console-proxy - 3:29.0.1-0ubuntu4
nova-api - 3:29.0.1-0ubuntu4
nova-api-metadata - 3:29.0.1-0ubuntu4
nova-api-os-compute - 3:29.0.1-0ubuntu4
nova-api-os-volume - 3:29.0.1-0ubuntu4
nova-cells - 3:29.0.1-0ubuntu4
nova-common - 3:29.0.1-0ubuntu4
nova-compute - 3:29.0.1-0ubuntu4
nova-compute-ironic - 3:29.0.1-0ubuntu4
nova-compute-kvm - 3:29.0.1-0ubuntu4
nova-compute-libvirt - 3:29.0.1-0ubuntu4
nova-compute-lxc - 3:29.0.1-0ubuntu4
nova-compute-qemu - 3:29.0.1-0ubuntu4
nova-compute-vmware - 3:29.0.1-0ubuntu4
nova-compute-xen - 3:29.0.1-0ubuntu4
nova-conductor - 3:29.0.1-0ubuntu4
nova-novncproxy - 3:29.0.1-0ubuntu4
nova-scheduler - 3:29.0.1-0ubuntu4
nova-serialproxy - 3:29.0.1-0ubuntu4
nova-spiceproxy - 3:29.0.1-0ubuntu4
nova-volume - 3:29.0.1-0ubuntu4
python3-nova - 3:29.0.1-0ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-02 15:00:00 UTC
2024-07-02 15:00:00 UTC
Martin Kaesberger
https://launchpad.net/bugs/2059809 (private)
[https://ubuntu.com/security/notices/USN-6882-1]
[https://ubuntu.com/security/notices/USN-6883-1]
[https://ubuntu.com/security/notices/USN-6884-1]
[https://ubuntu.com/security/notices/USN-6882-2]
[https://ubuntu.com/security/notices/USN-8199-1]
CVE-2024-32498
CVE-2024-3262 on Ubuntu 26.04 LTS (resolute) - medium
Information exposure vulnerability in RT software affecting version 4.4.1. This vulnerability allows an attacker with local access to the device to retrieve sensitive information about the application, such as vulnerability tickets, because the application stores the information in the browser cache, leading to information exposure despite session termination.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-04 10:15:00 UTC
2024-04-04 10:15:00 UTC
[https://ubuntu.com/security/notices/USN-7692-1]
CVE-2024-3262
CVE-2024-32658 on Ubuntu 26.04 LTS (resolute) - low
FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read. Version 3.5.1 contains a patch for the issue. No known workarounds are available.
Update Instructions:
Run `sudo pro fix CVE-2024-32658` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.5.1+dfsg1-0ubuntu1
freerdp3-proxy-modules - 3.5.1+dfsg1-0ubuntu1
freerdp3-sdl - 3.5.1+dfsg1-0ubuntu1
freerdp3-shadow-x11 - 3.5.1+dfsg1-0ubuntu1
freerdp3-wayland - 3.5.1+dfsg1-0ubuntu1
freerdp3-x11 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-client3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-server-proxy3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-server3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-shadow-subsystem3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-shadow3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp3-3 - 3.5.1+dfsg1-0ubuntu1
libwinpr-tools3-3 - 3.5.1+dfsg1-0ubuntu1
libwinpr3-3 - 3.5.1+dfsg1-0ubuntu1
winpr3-utils - 3.5.1+dfsg1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-04-23 18:15:00 UTC
2024-04-23 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-6752-1]
[https://ubuntu.com/security/notices/USN-6759-1]
[https://ubuntu.com/security/notices/USN-7341-1]
CVE-2024-32658
CVE-2024-32659 on Ubuntu 26.04 LTS (resolute) - low
FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read if `((nWidth == 0) and (nHeight == 0))`. Version 3.5.1 contains a patch for the issue. No known workarounds are available.
Update Instructions:
Run `sudo pro fix CVE-2024-32659` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.5.1+dfsg1-0ubuntu1
freerdp3-proxy-modules - 3.5.1+dfsg1-0ubuntu1
freerdp3-sdl - 3.5.1+dfsg1-0ubuntu1
freerdp3-shadow-x11 - 3.5.1+dfsg1-0ubuntu1
freerdp3-wayland - 3.5.1+dfsg1-0ubuntu1
freerdp3-x11 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-client3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-server-proxy3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-server3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-shadow-subsystem3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-shadow3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp3-3 - 3.5.1+dfsg1-0ubuntu1
libwinpr-tools3-3 - 3.5.1+dfsg1-0ubuntu1
libwinpr3-3 - 3.5.1+dfsg1-0ubuntu1
winpr3-utils - 3.5.1+dfsg1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-04-23 20:15:00 UTC
2024-04-23 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6752-1]
[https://ubuntu.com/security/notices/USN-6759-1]
[https://ubuntu.com/security/notices/USN-7371-1]
CVE-2024-32659
CVE-2024-32660 on Ubuntu 26.04 LTS (resolute) - low
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.5.1, a malicious server can crash the FreeRDP client by sending invalid huge allocation size. Version 3.5.1 contains a patch for the issue. No known workarounds are available.
Update Instructions:
Run `sudo pro fix CVE-2024-32660` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.5.1+dfsg1-0ubuntu1
freerdp3-proxy-modules - 3.5.1+dfsg1-0ubuntu1
freerdp3-sdl - 3.5.1+dfsg1-0ubuntu1
freerdp3-shadow-x11 - 3.5.1+dfsg1-0ubuntu1
freerdp3-wayland - 3.5.1+dfsg1-0ubuntu1
freerdp3-x11 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-client3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-server-proxy3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-server3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-shadow-subsystem3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-shadow3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp3-3 - 3.5.1+dfsg1-0ubuntu1
libwinpr-tools3-3 - 3.5.1+dfsg1-0ubuntu1
libwinpr3-3 - 3.5.1+dfsg1-0ubuntu1
winpr3-utils - 3.5.1+dfsg1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-04-23 20:15:00 UTC
2024-04-23 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6752-1]
[https://ubuntu.com/security/notices/USN-6759-1]
[https://ubuntu.com/security/notices/USN-7371-1]
CVE-2024-32660
CVE-2024-32661 on Ubuntu 26.04 LTS (resolute) - low
FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to a possible `NULL` access and crash. Version 3.5.1 contains a patch for the issue. No known workarounds are available.
Update Instructions:
Run `sudo pro fix CVE-2024-32661` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.5.1+dfsg1-0ubuntu1
freerdp3-proxy-modules - 3.5.1+dfsg1-0ubuntu1
freerdp3-sdl - 3.5.1+dfsg1-0ubuntu1
freerdp3-shadow-x11 - 3.5.1+dfsg1-0ubuntu1
freerdp3-wayland - 3.5.1+dfsg1-0ubuntu1
freerdp3-x11 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-client3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-server-proxy3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-server3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-shadow-subsystem3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp-shadow3-3 - 3.5.1+dfsg1-0ubuntu1
libfreerdp3-3 - 3.5.1+dfsg1-0ubuntu1
libwinpr-tools3-3 - 3.5.1+dfsg1-0ubuntu1
libwinpr3-3 - 3.5.1+dfsg1-0ubuntu1
winpr3-utils - 3.5.1+dfsg1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-04-23 20:15:00 UTC
2024-04-23 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-6752-1]
[https://ubuntu.com/security/notices/USN-6759-1]
[https://ubuntu.com/security/notices/USN-7341-1]
CVE-2024-32661
CVE-2024-32663 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, a small amount of HTTP/2 traffic can lead to Suricata using a large amount of memory. The issue has been addressed in Suricata 7.0.5 and 6.0.19. Workarounds include disabling the HTTP/2 parser and reducing `app-layer.protocols.http2.max-table-size` value (default is 65536).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-07 15:15:00 UTC
CVE-2024-32663
CVE-2024-32664 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, specially crafted traffic or datasets can cause a limited buffer overflow. This vulnerability is fixed in 7.0.5 and 6.0.19. Workarounds include not using rules with `base64_decode` keyword with `bytes` option with value 1, 2 or 5 and for 7.0.x, setting `app-layer.protocols.smtp.mime.body-md5` to false.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-07 15:15:00 UTC
CVE-2024-32664
CVE-2024-32867 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, various problems in handling of fragmentation anomalies can lead to mis-detection of rules and policy. This vulnerability is fixed in 7.0.5 or 6.0.19.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-07 15:15:00 UTC
CVE-2024-32867
CVE-2024-32875 on Ubuntu 26.04 LTS (resolute) - medium
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images are not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-23 21:15:00 UTC
CVE-2024-32875
CVE-2024-32978 on Ubuntu 26.04 LTS (resolute) - medium
Kaminari is a paginator for web app frameworks and object relational mappings. A security vulnerability involving insecure file permissions has been identified in the Kaminari pagination library for Ruby on Rails, concerning insecure file permissions. This vulnerability is of moderate severity due to the potential for unauthorized write access to particular Ruby files managed by the library. Such access could lead to the alteration of application behavior or data integrity issues. Users of affected versions are advised to update to Kaminari version 0.16.2 or later, where file permissions have been adjusted to enhance security. If upgrading is not feasible immediately, review and adjust the file permissions for particular Ruby files in Kaminari to ensure they are only accessible by authorized users.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-27 16:15:00 UTC
CVE-2024-32978
CVE-2024-33452 on Ubuntu 26.04 LTS (resolute) - medium
An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote attacker to conduct HTTP request smuggling via a crafted HEAD request.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-22 16:15:00 UTC
CVE-2024-33452
CVE-2024-33655 on Ubuntu 26.04 LTS (resolute) - low
The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue.
Update Instructions:
Run `sudo pro fix CVE-2024-33655` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libunbound8 - 1.20.0-1ubuntu1
python3-unbound - 1.20.0-1ubuntu1
unbound - 1.20.0-1ubuntu1
unbound-anchor - 1.20.0-1ubuntu1
unbound-host - 1.20.0-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-05-10
2024-05-10
[https://ubuntu.com/security/notices/USN-6791-1]
CVE-2024-33655
CVE-2024-33871 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Artifex Ghostscript before 10.03.1. contrib/opvp/gdevopvp.c allows arbitrary code execution via a custom Driver library, exploitable via a crafted PostScript document. This occurs because the Driver parameter for opvp (and oprp) devices can have an arbitrary name for a dynamic library; this library is then loaded.
Update Instructions:
Run `sudo pro fix CVE-2024-33871` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ghostscript - 10.02.1~dfsg1-0ubuntu9
libgs-common - 10.02.1~dfsg1-0ubuntu9
libgs10 - 10.02.1~dfsg1-0ubuntu9
libgs10-common - 10.02.1~dfsg1-0ubuntu9
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-09
2024-05-09
sayun
https://bugs.ghostscript.com/show_bug.cgi?id=707754
[https://ubuntu.com/security/notices/USN-6835-1]
CVE-2024-33871
CVE-2024-33918 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maxim K AJAX Login and Registration modal popup + inline form allows Stored XSS. This issue affects AJAX Login and Registration modal popup + inline form: from n/a through 2.23.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-03 08:15:00 UTC
CVE-2024-33918
CVE-2024-34083 on Ubuntu 26.04 LTS (resolute) - medium
aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a man-in-the-middle attack. Version 1.4.6 contains a patch for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-18 19:15:00 UTC
CVE-2024-34083
CVE-2024-34244 on Ubuntu 26.04 LTS (resolute) - medium
libmodbus v3.1.10 is vulnerable to Buffer Overflow via the modbus_write_bits function. This issue can be triggered when the function is fed with specially crafted input, which leads to out-of-bounds read and can potentially cause a crash or other unintended behaviors.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-08 17:15:00 UTC
https://github.com/stephane/libmodbus/issues/743
CVE-2024-34244
CVE-2024-34397 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.
Update Instructions:
Run `sudo pro fix CVE-2024-34397` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-girepository-3.0 - 2.80.1-1
gir1.2-glib-2.0 - 2.80.1-1
girepository-tools - 2.80.1-1
libgirepository-2.0-0 - 2.80.1-1
libglib2.0-0t64 - 2.80.1-1
libglib2.0-bin - 2.80.1-1
libglib2.0-data - 2.80.1-1
libglib2.0-tests - 2.80.1-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-07
2024-05-07
Alicia Boya García
https://gitlab.gnome.org/GNOME/glib/-/issues/3268
[https://ubuntu.com/security/notices/USN-6768-1]
CVE-2024-34397
CVE-2024-3446 on Ubuntu 26.04 LTS (resolute) - medium
A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host.
Update Instructions:
Run `sudo pro fix CVE-2024-3446` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:9.0.2+ds-4ubuntu2
qemu-block-supplemental - 1:9.0.2+ds-4ubuntu2
qemu-guest-agent - 1:9.0.2+ds-4ubuntu2
qemu-system - 1:9.0.2+ds-4ubuntu2
qemu-system-arm - 1:9.0.2+ds-4ubuntu2
qemu-system-common - 1:9.0.2+ds-4ubuntu2
qemu-system-data - 1:9.0.2+ds-4ubuntu2
qemu-system-gui - 1:9.0.2+ds-4ubuntu2
qemu-system-mips - 1:9.0.2+ds-4ubuntu2
qemu-system-misc - 1:9.0.2+ds-4ubuntu2
qemu-system-modules-opengl - 1:9.0.2+ds-4ubuntu2
qemu-system-modules-spice - 1:9.0.2+ds-4ubuntu2
qemu-system-ppc - 1:9.0.2+ds-4ubuntu2
qemu-system-riscv - 1:9.0.2+ds-4ubuntu2
qemu-system-s390x - 1:9.0.2+ds-4ubuntu2
qemu-system-sparc - 1:9.0.2+ds-4ubuntu2
qemu-system-x86 - 1:9.0.2+ds-4ubuntu2
qemu-system-x86-xen - 1:9.0.2+ds-4ubuntu2
qemu-system-xen - 1:9.0.2+ds-4ubuntu2
qemu-user - 1:9.0.2+ds-4ubuntu2
qemu-user-binfmt - 1:9.0.2+ds-4ubuntu2
qemu-utils - 1:9.0.2+ds-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-09 20:15:00 UTC
2024-04-09 20:15:00 UTC
fabian
https://bugzilla.redhat.com/show_bug.cgi?id=2274211
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068820
[https://ubuntu.com/security/notices/USN-7744-1]
CVE-2024-3446
CVE-2024-34462 on Ubuntu 26.04 LTS (resolute) - medium
Alinto SOGo through 5.10.0 allows XSS during attachment preview.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-04 19:15:00 UTC
CVE-2024-34462
CVE-2024-3447 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of `s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
Update Instructions:
Run `sudo pro fix CVE-2024-3447` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:9.0.2+ds-4ubuntu2
qemu-block-supplemental - 1:9.0.2+ds-4ubuntu2
qemu-guest-agent - 1:9.0.2+ds-4ubuntu2
qemu-system - 1:9.0.2+ds-4ubuntu2
qemu-system-arm - 1:9.0.2+ds-4ubuntu2
qemu-system-common - 1:9.0.2+ds-4ubuntu2
qemu-system-data - 1:9.0.2+ds-4ubuntu2
qemu-system-gui - 1:9.0.2+ds-4ubuntu2
qemu-system-mips - 1:9.0.2+ds-4ubuntu2
qemu-system-misc - 1:9.0.2+ds-4ubuntu2
qemu-system-modules-opengl - 1:9.0.2+ds-4ubuntu2
qemu-system-modules-spice - 1:9.0.2+ds-4ubuntu2
qemu-system-ppc - 1:9.0.2+ds-4ubuntu2
qemu-system-riscv - 1:9.0.2+ds-4ubuntu2
qemu-system-s390x - 1:9.0.2+ds-4ubuntu2
qemu-system-sparc - 1:9.0.2+ds-4ubuntu2
qemu-system-x86 - 1:9.0.2+ds-4ubuntu2
qemu-system-x86-xen - 1:9.0.2+ds-4ubuntu2
qemu-system-xen - 1:9.0.2+ds-4ubuntu2
qemu-user - 1:9.0.2+ds-4ubuntu2
qemu-user-binfmt - 1:9.0.2+ds-4ubuntu2
qemu-utils - 1:9.0.2+ds-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-14 12:15:00 UTC
2024-11-14 12:15:00 UTC
fabian
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068821
[https://ubuntu.com/security/notices/USN-7744-1]
CVE-2024-3447
CVE-2024-34490 on Ubuntu 26.04 LTS (resolute) - medium
In Maxima through 5.47.0 before 51704c, the plotting facilities make use of predictable names under /tmp. Thus, the contents may be controlled by a local attacker who can create files in advance with these names. This affects, for example, plot2d.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-05 03:15:00 UTC
CVE-2024-34490
CVE-2024-34508 on Ubuntu 26.04 LTS (resolute) - medium
dcmnet in DCMTK before 3.6.9 has a segmentation fault via an invalid DIMSE message.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-05 20:15:00 UTC
2024-05-05 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7010-1]
CVE-2024-34508
CVE-2024-34509 on Ubuntu 26.04 LTS (resolute) - medium
dcmdata in DCMTK before 3.6.9 has a segmentation fault via an invalid DIMSE message.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-05 20:15:00 UTC
2024-05-05 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7010-1]
CVE-2024-34509
CVE-2024-34580 on Ubuntu 26.04 LTS (resolute) - medium
Apache XML Security for C++ through 2.0.4 implements the XML Signature Syntax and Processing (XMLDsig) specification without protection against an SSRF payload in a KeyInfo element. NOTE: the project disputes this CVE Record on the grounds that any vulnerabilities are the result of a failure to configure XML Security for C++ securely. Even when avoiding this particular issue, any use of this library would need considerable additional code and a deep understanding of the standards and protocols involved to arrive at a secure implementation for any particular use case. We recommend against continued direct use of this library.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-26 05:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074429
CVE-2024-34580
CVE-2024-34750 on Ubuntu 26.04 LTS (resolute) - medium
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2024-34750` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtomcat9-java - 9.0.70-2ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-03 20:15:00 UTC
2024-07-03 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7562-1]
CVE-2024-34750
CVE-2024-35176 on Ubuntu 26.04 LTS (resolute) - medium
REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted by this vulnerability. The REXML gem 3.2.7 or later includes the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-16 16:15:00 UTC
2024-05-16 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-7091-1]
[https://ubuntu.com/security/notices/USN-7091-2]
[https://ubuntu.com/security/notices/USN-7418-1]
[https://ubuntu.com/security/notices/USN-7734-1]
[https://ubuntu.com/security/notices/USN-7840-1]
CVE-2024-35176
CVE-2024-35178 on Ubuntu 26.04 LTS (resolute) - medium
The Jupyter Server provides the backend for Jupyter web applications. Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacker can crack this password to gain access to the Windows machine hosting the Jupyter server, or access other network-accessible machines or 3rd party services using that credential. Or an attacker can perform an NTLM relay attack without cracking the credential to gain access to other network-accessible machines. This vulnerability is fixed in 2.14.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-06 16:15:00 UTC
CVE-2024-35178
CVE-2024-35190 on Ubuntu 26.04 LTS (resolute) - medium
Asterisk is an open source private branch exchange and telephony toolkit. After upgrade to 18.23.0, ALL unauthorized SIP requests are identified as PJSIP Endpoint of local asterisk server. This vulnerability is fixed in 18.23.1, 20.8.1, and 21.3.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-17 17:15:00 UTC
CVE-2024-35190
CVE-2024-35195 on Ubuntu 26.04 LTS (resolute) - medium
Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.
Update Instructions:
Run `sudo pro fix CVE-2024-35195` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-requests - 2.32.3+dfsg-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-20 21:15:00 UTC
vyomydv
CVE-2024-35195
CVE-2024-35226 on Ubuntu 26.04 LTS (resolute) - medium
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 21:16:00 UTC
2024-05-28 21:16:00 UTC
[https://ubuntu.com/security/notices/USN-7158-1]
[https://ubuntu.com/security/notices/USN-7377-1]
CVE-2024-35226
CVE-2024-35434 on Ubuntu 26.04 LTS (resolute) - medium
Irontec Sngrep v1.8.1 was discovered to contain a heap buffer overflow via the function rtp_check_packet at /sngrep/src/rtp.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted SIP packet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-29 19:15:00 UTC
CVE-2024-35434
CVE-2024-35515 on Ubuntu 26.04 LTS (resolute) - medium
Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-18 15:15:00 UTC
CVE-2024-35515
CVE-2024-35895 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Prevent lock inversion deadlock in map delete elem. syzkaller started using corpuses where a BPF tracing program deletes elements from a sockmap/sockhash map. Because BPF tracing programs can be invoked from any interrupt context, locks taken during a map_delete_elem operation must be hardirq-safe. Otherwise a deadlock due to lock inversion is possible, as reported by lockdep: CPU0 CPU1 ---- ---- lock(&htab->buckets[i].lock); local_irq_disable(); lock(&host->lock); lock(&htab->buckets[i].lock); <Interrupt> lock(&host->lock); Locks in sockmap are hardirq-unsafe by design. We expect elements to be deleted from sockmap/sockhash only in task (normal) context with interrupts enabled, or in softirq context. Detect when map_delete_elem operation is invoked from a context which is _not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an error. Note that map updates are not affected by this issue. BPF verifier does not allow updating sockmap/sockhash from a BPF tracing program today.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-19 09:15:00 UTC
2024-05-19 09:15:00 UTC
[https://ubuntu.com/security/notices/USN-6893-1]
[https://ubuntu.com/security/notices/USN-6896-1]
[https://ubuntu.com/security/notices/USN-6898-1]
[https://ubuntu.com/security/notices/USN-6893-2]
[https://ubuntu.com/security/notices/USN-6896-2]
[https://ubuntu.com/security/notices/USN-6898-2]
[https://ubuntu.com/security/notices/USN-6896-3]
[https://ubuntu.com/security/notices/USN-6898-3]
[https://ubuntu.com/security/notices/USN-6896-4]
[https://ubuntu.com/security/notices/USN-6896-5]
[https://ubuntu.com/security/notices/USN-6893-3]
[https://ubuntu.com/security/notices/USN-6898-4]
[https://ubuntu.com/security/notices/USN-6917-1]
[https://ubuntu.com/security/notices/USN-6919-1]
[https://ubuntu.com/security/notices/USN-6918-1]
[https://ubuntu.com/security/notices/USN-6927-1]
[https://ubuntu.com/security/notices/USN-7019-1]
CVE-2024-35895
CVE-2024-3596 on Ubuntu 26.04 LTS (resolute) - medium
RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.
Update Instructions:
Run `sudo pro fix CVE-2024-3596` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
krb5-admin-server - 1.21.3-4ubuntu1
krb5-gss-samples - 1.21.3-4ubuntu1
krb5-k5tls - 1.21.3-4ubuntu1
krb5-kdc - 1.21.3-4ubuntu1
krb5-kdc-ldap - 1.21.3-4ubuntu1
krb5-kpropd - 1.21.3-4ubuntu1
krb5-locales - 1.21.3-4ubuntu1
krb5-multidev - 1.21.3-4ubuntu1
krb5-otp - 1.21.3-4ubuntu1
krb5-pkinit - 1.21.3-4ubuntu1
krb5-user - 1.21.3-4ubuntu1
libgssapi-krb5-2 - 1.21.3-4ubuntu1
libgssrpc4t64 - 1.21.3-4ubuntu1
libk5crypto3 - 1.21.3-4ubuntu1
libkadm5clnt-mit12 - 1.21.3-4ubuntu1
libkadm5srv-mit12 - 1.21.3-4ubuntu1
libkdb5-10t64 - 1.21.3-4ubuntu1
libkrad0 - 1.21.3-4ubuntu1
libkrb5-3 - 1.21.3-4ubuntu1
libkrb5support0 - 1.21.3-4ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-09 12:00:00 UTC
2024-07-09 12:00:00 UTC
Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens and Adam Suhl
[https://ubuntu.com/security/notices/USN-7055-1]
[https://ubuntu.com/security/notices/USN-7257-1]
CVE-2024-3596
CVE-2024-35995 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC: Use access_width over bit_width for system memory accesses
To align with ACPI 6.3+, since bit_width can be any 8-bit value, it cannot be depended on to be always on a clean 8b boundary. This was uncovered on the Cobalt 100 platform.
 SError Interrupt on CPU26, code 0xbe000011 -- SError
 CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1
 Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION
 pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
 pc : cppc_get_perf_caps+0xec/0x410
 lr : cppc_get_perf_caps+0xe8/0x410
 sp : ffff8000155ab730
 x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078
 x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff
 x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000
 x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff
 x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008
 x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006
 x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec
 x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028
 x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff
 x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000
 Kernel panic - not syncing: Asynchronous SError Interrupt
 CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1
 Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION
 Call trace:
  dump_backtrace+0x0/0x1e0
  show_stack+0x24/0x30
  dump_stack_lvl+0x8c/0xb8
  dump_stack+0x18/0x34
  panic+0x16c/0x384
  add_taint+0x0/0xc0
  arm64_serror_panic+0x7c/0x90
  arm64_is_fatal_ras_serror+0x34/0xa4
  do_serror+0x50/0x6c
  el1h_64_error_handler+0x40/0x74
  el1h_64_error+0x7c/0x80
  cppc_get_perf_caps+0xec/0x410
  cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq]
  cpufreq_online+0x2dc/0xa30
  cpufreq_add_dev+0xc0/0xd4
  subsys_interface_register+0x134/0x14c
  cpufreq_register_driver+0x1b0/0x354
  cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq]
  do_one_initcall+0x50/0x250
  do_init_module+0x60/0x27c
  load_module+0x2300/0x2570
  __do_sys_finit_module+0xa8/0x114
  __arm64_sys_finit_module+0x2c/0x3c
  invoke_syscall+0x78/0x100
  el0_svc_common.constprop.0+0x180/0x1a0
  do_el0_svc+0x84/0xa0
  el0_svc+0x2c/0xc0
  el0t_64_sync_handler+0xa4/0x12c
  el0t_64_sync+0x1a4/0x1a8
Instead, use access_width to determine the size and use the offset and width to shift and mask the bits to read/write out. Make sure to add a check for system memory since pcc redefines the access_width to subspace id. If access_width is not set, then fall back to using bit_width. [ rjw: Subject and changelog edits, comment adjustments ]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-20 10:15:00 UTC
CVE-2024-35995
CVE-2024-36039 on Ubuntu 26.04 LTS (resolute) - medium
PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.
Update Instructions:
Run `sudo pro fix CVE-2024-36039` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-pymysql - 1.1.1-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-21 16:15:00 UTC
2024-05-21 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-6801-1]
CVE-2024-36039
CVE-2024-36041 on Ubuntu 26.04 LTS (resolute) - medium
KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager, e.g., use the session-restore feature to execute arbitrary code as the victim (on the next boot) via earlier use of the /tmp directory.
Update Instructions:
Run `sudo pro fix CVE-2024-36041` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libbatterycontrol6 - 4:5.27.11.1-0ubuntu1
libcolorcorrect6 - 4:5.27.11.1-0ubuntu1
libkfontinst6 - 4:5.27.11.1-0ubuntu1
libkfontinstui6 - 4:5.27.11.1-0ubuntu1
libklipper6 - 4:5.27.11.1-0ubuntu1
libkmpris6 - 4:5.27.11.1-0ubuntu1
libkworkspace6-6 - 4:5.27.11.1-0ubuntu1
libnotificationmanager1 - 4:5.27.11.1-0ubuntu1
libtaskmanager6 - 4:5.27.11.1-0ubuntu1
libweather-ion7 - 4:5.27.11.1-0ubuntu1
plasma-session-wayland - 4:5.27.11.1-0ubuntu1
plasma-session-x11 - 4:5.27.11.1-0ubuntu1
plasma-workspace - 4:5.27.11.1-0ubuntu1
plasma-workspace-data - 4:5.27.11.1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-03
2024-06-03
Fabian Vogt
[https://ubuntu.com/security/notices/USN-6843-1]
CVE-2024-36041
CVE-2024-36048 on Ubuntu 26.04 LTS (resolute) - medium
QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-18 21:15:00 UTC
CVE-2024-36048
CVE-2024-36050 on Ubuntu 26.04 LTS (resolute) - medium
Nix through 2.22.1 mishandles certain usage of hash caches, which makes it easier for attackers to replace current source code with attacker-controlled source code by luring a maintainer into accepting a malicious pull request.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-18 22:15:00 UTC
CVE-2024-36050
CVE-2024-36123 on Ubuntu 26.04 LTS (resolute) - medium
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The page `MediaWiki:Tagline` has its contents used unescaped, so custom HTML (including Javascript) can be injected by someone with the ability to edit the MediaWiki namespace (typically those with the `editinterface` permission, or sysops). This vulnerability is fixed in 2.16.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-03 15:15:00 UTC
CVE-2024-36123
CVE-2024-36259 on Ubuntu 26.04 LTS (resolute) - medium
Improper access control in mail module of Odoo Community 17.0 and Odoo Enterprise 17.0 allows remote authenticated attackers to extract sensitive information via an oracle-based (yes/no response) crafted attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-25 19:15:00 UTC
CVE-2024-36259
CVE-2024-36287 on Ubuntu 26.04 LTS (resolute) - medium
Mattermost Desktop App versions <=5.7.0 fail to disable certain Electron debug flags which allows for bypassing TCC restrictions on macOS.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-14 09:15:00 UTC
CVE-2024-36287
CVE-2024-36347 on Ubuntu 26.04 LTS (resolute) - medium
Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious microcode, potentially resulting in loss of integrity of x86 instruction execution, loss of confidentiality and integrity of data in x86 CPU privileged context and compromise of SMM execution environment.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-27 23:15:00 UTC
2025-06-27 23:15:00 UTC
Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo Rizzo
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099830
https://bugzilla.redhat.com/show_bug.cgi?id=2336412
[https://ubuntu.com/security/notices/USN-8177-1]
[https://ubuntu.com/security/notices/USN-8179-1]
[https://ubuntu.com/security/notices/USN-8177-2]
[https://ubuntu.com/security/notices/USN-8183-1]
[https://ubuntu.com/security/notices/USN-8184-1]
[https://ubuntu.com/security/notices/USN-8179-2]
[https://ubuntu.com/security/notices/USN-8185-1]
[https://ubuntu.com/security/notices/USN-8183-2]
[https://ubuntu.com/security/notices/USN-8179-3]
[https://ubuntu.com/security/notices/USN-8203-1]
[https://ubuntu.com/security/notices/USN-8204-1]
[https://ubuntu.com/security/notices/USN-8185-2]
[https://ubuntu.com/security/notices/USN-8179-4]
[https://ubuntu.com/security/notices/USN-8245-1]
[https://ubuntu.com/security/notices/USN-8257-1]
[https://ubuntu.com/security/notices/USN-8258-1]
[https://ubuntu.com/security/notices/USN-8260-1]
[https://ubuntu.com/security/notices/USN-8261-1]
[https://ubuntu.com/security/notices/USN-8265-1]
CVE-2024-36347
CVE-2024-36350 on Ubuntu 26.04 LTS (resolute) - medium
A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-08 17:15:00 UTC
2025-07-08 17:15:00 UTC
rodrigo-zaiden (amd64-microcode)
Oleksii Oleksenko, Cedric Fournet, Jana Hofmann, Boris Köpf, Stavros Volos, and Flavien Solt
[https://ubuntu.com/security/notices/USN-7833-1]
[https://ubuntu.com/security/notices/USN-7834-1]
[https://ubuntu.com/security/notices/USN-7833-2]
[https://ubuntu.com/security/notices/USN-7833-3]
[https://ubuntu.com/security/notices/USN-7848-1]
[https://ubuntu.com/security/notices/USN-7833-4]
[https://ubuntu.com/security/notices/USN-7856-1]
[https://ubuntu.com/security/notices/USN-8028-1]
[https://ubuntu.com/security/notices/USN-8028-2]
[https://ubuntu.com/security/notices/USN-8031-1]
[https://ubuntu.com/security/notices/USN-8028-3]
[https://ubuntu.com/security/notices/USN-8028-4]
[https://ubuntu.com/security/notices/USN-8028-5]
[https://ubuntu.com/security/notices/USN-8031-2]
[https://ubuntu.com/security/notices/USN-8028-6]
[https://ubuntu.com/security/notices/USN-8031-3]
[https://ubuntu.com/security/notices/USN-8052-1]
[https://ubuntu.com/security/notices/USN-8028-7]
[https://ubuntu.com/security/notices/USN-8028-8]
[https://ubuntu.com/security/notices/USN-8052-2]
[https://ubuntu.com/security/notices/USN-8074-1]
[https://ubuntu.com/security/notices/USN-8074-2]
[https://ubuntu.com/security/notices/USN-8126-1]
CVE-2024-36350
CVE-2024-36357 on Ubuntu 26.04 LTS (resolute) - medium
A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-08 17:15:00 UTC
2025-07-08 17:15:00 UTC
rodrigo-zaiden (amd64-microcode)
Oleksii Oleksenko, Cedric Fournet, Jana Hofmann, Boris Köpf, Stavros Volos, and Flavien Solt
[https://ubuntu.com/security/notices/USN-7833-1]
[https://ubuntu.com/security/notices/USN-7834-1]
[https://ubuntu.com/security/notices/USN-7833-2]
[https://ubuntu.com/security/notices/USN-7833-3]
[https://ubuntu.com/security/notices/USN-7848-1]
[https://ubuntu.com/security/notices/USN-7833-4]
[https://ubuntu.com/security/notices/USN-7856-1]
[https://ubuntu.com/security/notices/USN-8028-1]
[https://ubuntu.com/security/notices/USN-8028-2]
[https://ubuntu.com/security/notices/USN-8031-1]
[https://ubuntu.com/security/notices/USN-8028-3]
[https://ubuntu.com/security/notices/USN-8028-4]
[https://ubuntu.com/security/notices/USN-8028-5]
[https://ubuntu.com/security/notices/USN-8031-2]
[https://ubuntu.com/security/notices/USN-8028-6]
[https://ubuntu.com/security/notices/USN-8031-3]
[https://ubuntu.com/security/notices/USN-8052-1]
[https://ubuntu.com/security/notices/USN-8028-7]
[https://ubuntu.com/security/notices/USN-8028-8]
[https://ubuntu.com/security/notices/USN-8052-2]
[https://ubuntu.com/security/notices/USN-8074-1]
[https://ubuntu.com/security/notices/USN-8074-2]
[https://ubuntu.com/security/notices/USN-8126-1]
CVE-2024-36357
CVE-2024-36460 on Ubuntu 26.04 LTS (resolute) - medium
The front-end audit log allows viewing of unprotected plaintext passwords, where the passwords are displayed in plain text.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-12 13:38:00 UTC
CVE-2024-36460
CVE-2024-36461 on Ubuntu 26.04 LTS (resolute) - medium
Within Zabbix, users have the ability to directly modify memory pointers in the JavaScript engine.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-12 13:38:00 UTC
CVE-2024-36461
CVE-2024-36462 on Ubuntu 26.04 LTS (resolute) - medium
Uncontrolled resource consumption refers to a software vulnerability where an attacker or system uses excessive resources, such as CPU, memory, or network bandwidth, without proper limitations or controls. This can cause a denial-of-service (DoS) attack or degrade the performance of the affected system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-12 13:38:00 UTC
CVE-2024-36462
CVE-2024-36464 on Ubuntu 26.04 LTS (resolute) - medium
When exporting media types, the password is exported in the YAML in plaintext. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-27 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689
CVE-2024-36464
CVE-2024-36465 on Ubuntu 26.04 LTS (resolute) - medium
A low privilege (regular) Zabbix user with API access can use a SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL commands via the groupBy parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-02 06:15:00 UTC
CVE-2024-36465
CVE-2024-36468 on Ubuntu 26.04 LTS (resolute) - medium
The reported vulnerability is a stack buffer overflow in the zbx_snmp_cache_handle_engineid function within the Zabbix server/proxy code. This issue occurs when copying data from session->securityEngineID to local_record.engineid without proper bounds checking.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-27 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689
CVE-2024-36468
CVE-2024-36469 on Ubuntu 26.04 LTS (resolute) - medium
Execution time for an unsuccessful login differs when using a non-existing username compared to using an existing one.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-02 07:15:00 UTC
CVE-2024-36469
CVE-2024-36474 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability exists in the Compound Document Binary File format parser of the GNOME Project G Structured File Library (libgsf) version v1.14.52. A specially crafted file can result in an integer overflow when processing the directory from the file that allows for an out-of-bounds index to be used when reading and writing to an array. This can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2024-36474` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-gsf-1 - 1.14.52-1ubuntu0.1
libgsf-1-114 - 1.14.52-1ubuntu0.1
libgsf-1-common - 1.14.52-1ubuntu0.1
libgsf-bin - 1.14.52-1ubuntu0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-03 16:15:00 UTC
2024-10-03 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084056
https://gitlab.gnome.org/GNOME/libgsf/-/issues/34
[https://ubuntu.com/security/notices/USN-7062-1]
[https://ubuntu.com/security/notices/USN-7062-2]
CVE-2024-36474
CVE-2024-3652 on Ubuntu 26.04 LTS (resolute) - medium
The Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line. When the peer requests AES-GMAC, libreswan's default proposal handler causes an assertion failure and crashes and restarts. IKEv2 connections are not affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-11 02:15:00 UTC
CVE-2024-3652
CVE-2024-3653 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-08 22:15:00 UTC
CVE-2024-3653
CVE-2024-3657 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in 389-ds-base. A specially-crafted LDAP query can potentially cause a failure on the directory server, leading to a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-28 13:15:00 UTC
CVE-2024-3657
CVE-2024-36587 on Ubuntu 26.04 LTS (resolute) - medium
Insecure permissions in DNSCrypt-proxy v2.0.0alpha9 to v2.1.5 allow non-privileged attackers to escalate privileges to root via overwriting the binary dnscrypt-proxy.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-13 19:15:00 UTC
CVE-2024-36587
CVE-2024-36843 on Ubuntu 26.04 LTS (resolute) - medium
libmodbus v3.1.6 was discovered to contain a heap overflow via the modbus_mapping_free() function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-31 20:15:00 UTC
CVE-2024-36843
CVE-2024-36844 on Ubuntu 26.04 LTS (resolute) - medium
libmodbus v3.1.6 was discovered to contain a use-after-free via the ctx->backend pointer. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted message sent to the unit-test-server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-31 20:15:00 UTC
CVE-2024-36844
CVE-2024-36845 on Ubuntu 26.04 LTS (resolute) - medium
An invalid pointer in the modbus_receive() function of libmodbus v3.1.6 allows attackers to cause a Denial of Service (DoS) via a crafted message sent to the unit-test-server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-31 20:15:00 UTC
CVE-2024-36845
CVE-2024-37568 on Ubuntu 26.04 LTS (resolute) - medium
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-09 19:15:00 UTC
2024-06-09 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-8065-1]
CVE-2024-37568
CVE-2024-37794 on Ubuntu 26.04 LTS (resolute) - low
Improper input validation in CVC5 Solver v1.1.3 allows attackers to cause a Denial of Service (DoS) via a crafted SMT2 input file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-06-17 18:15:00 UTC
https://github.com/cvc5/cvc5/issues/10813
CVE-2024-37794
CVE-2024-37795 on Ubuntu 26.04 LTS (resolute) - low
A segmentation fault in CVC5 Solver v1.1.3 allows attackers to cause a Denial of Service (DoS) via a crafted SMT-LIB input file containing the `set-logic` command with specific formatting errors.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-06-17 18:15:00 UTC
https://github.com/cvc5/cvc5/issues/10813
CVE-2024-37795
CVE-2024-37890 on Ubuntu 26.04 LTS (resolute) - medium
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-17 20:15:00 UTC
CVE-2024-37890
CVE-2024-38286 on Ubuntu 26.04 LTS (resolute) - medium
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.
Update Instructions:
Run `sudo pro fix CVE-2024-38286` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtomcat9-java - 9.0.70-2ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-07 08:15:00 UTC
2024-11-07 08:15:00 UTC
[https://ubuntu.com/security/notices/USN-7562-1]
CVE-2024-38286
CVE-2024-38356 on Ubuntu 26.04 LTS (resolute) - medium
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the `noneditable_regexp` option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the `noneditable_regexp` option, any content within an attribute is properly verified to match the configured regular expression before being added. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-19 20:15:00 UTC
2024-06-19 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-8223-1]
CVE-2024-38356
CVE-2024-38357 on Ubuntu 26.04 LTS (resolute) - medium
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements is properly parsed. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-19 20:15:00 UTC
2024-06-19 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-8223-1]
CVE-2024-38357
CVE-2024-38372 on Ubuntu 26.04 LTS (resolute) - medium
Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include a portion of memory from the Node.js process. This has been patched in v6.19.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-08 21:15:00 UTC
CVE-2024-38372
CVE-2024-38428 on Ubuntu 26.04 LTS (resolute) - medium
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.
Update Instructions:
Run `sudo pro fix CVE-2024-38428` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
wget - 1.24.5-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-16 03:15:00 UTC
2024-06-16 03:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073523
[https://ubuntu.com/security/notices/USN-6852-1]
[https://ubuntu.com/security/notices/USN-6852-2]
CVE-2024-38428
CVE-2024-38448 on Ubuntu 26.04 LTS (resolute) - medium
htags in GNU Global through 6.6.12 allows code execution in situations where dbpath (aka -d) is untrusted, because shell metacharacters may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-16 14:15:00 UTC
CVE-2024-38448
CVE-2024-38473 on Ubuntu 26.04 LTS (resolute) - medium
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-38473` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.62-1ubuntu1
apache2-bin - 2.4.62-1ubuntu1
apache2-data - 2.4.62-1ubuntu1
apache2-suexec-custom - 2.4.62-1ubuntu1
apache2-suexec-pristine - 2.4.62-1ubuntu1
apache2-utils - 2.4.62-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-01 19:15:00 UTC
2024-07-01 19:15:00 UTC
Orange Tsai
[https://ubuntu.com/security/notices/USN-6885-1]
CVE-2024-38473
CVE-2024-38476 on Ubuntu 26.04 LTS (resolute) - medium
The core of Apache HTTP Server 2.4.59 and earlier is vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-38476` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.62-1ubuntu1
apache2-bin - 2.4.62-1ubuntu1
apache2-data - 2.4.62-1ubuntu1
apache2-suexec-custom - 2.4.62-1ubuntu1
apache2-suexec-pristine - 2.4.62-1ubuntu1
apache2-utils - 2.4.62-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-01 19:15:00 UTC
2024-07-01 19:15:00 UTC
Orange Tsai
[https://ubuntu.com/security/notices/USN-6885-1]
[https://ubuntu.com/security/notices/USN-6885-2]
[https://ubuntu.com/security/notices/USN-6885-3]
CVE-2024-38476
CVE-2024-38477 on Ubuntu 26.04 LTS (resolute) - medium
null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-38477` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.62-1ubuntu1
apache2-bin - 2.4.62-1ubuntu1
apache2-data - 2.4.62-1ubuntu1
apache2-suexec-custom - 2.4.62-1ubuntu1
apache2-suexec-pristine - 2.4.62-1ubuntu1
apache2-utils - 2.4.62-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-01 19:15:00 UTC
2024-07-01 19:15:00 UTC
Orange Tsai
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2072648
[https://ubuntu.com/security/notices/USN-6885-1]
[https://ubuntu.com/security/notices/USN-6885-3]
CVE-2024-38477
CVE-2024-38519 on Ubuntu 26.04 LTS (resolute) - medium
`yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions, `yt-dlp` and `youtube-dl` do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` and `youtube-dl` also read config from the working directory (and on Windows executables will be executed from the `yt-dlp` or `youtube-dl` directory), this could lead to arbitrary code being executed. `yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. `youtube-dl` fixes this issue in commit `d42a222` on the `master` branch and in nightly builds tagged 2024-07-03 or later. This might mean some very uncommon extensions might not get downloaded, however it will also limit the possible exploitation surface. In addition to upgrading, have `.%(ext)s` at the end of the output template and make sure the user trusts the websites that they are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like one's user directory, `system32`, or other binaries locations. For users who are not able to upgrade, keep the default output template (`-o "%(title)s [%(id)s].%(ext)s"`); make sure the extension of the media to download is a common video/audio/sub/... one; try to avoid the generic extractor; and/or use `--ignore-config --config-location ...` to not load config from common locations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-02 14:15:00 UTC
CVE-2024-38519
CVE-2024-38798 on Ubuntu 26.04 LTS (resolute) - medium
EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of Sensitive Information to an Unauthorized Actor” by local access. Successful exploitation of this vulnerability will lead to possible information disclosure or escalation of privilege and impact Confidentiality.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-09 16:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122288
https://bugzilla.tianocore.org/show_bug.cgi?id=4760
CVE-2024-38798
CVE-2024-38805 on Ubuntu 26.04 LTS (resolute) - medium
EDK2 contains a vulnerability in BIOS where a user may cause an Integer Overflow or Wraparound by network means. A successful exploitation of this vulnerability may lead to denial of service.
Update Instructions:
Run `sudo pro fix CVE-2024-38805` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
efi-shell-aa64 - 2025.02-8ubuntu3
efi-shell-arm - 2025.02-8ubuntu3
efi-shell-ia32 - 2025.02-8ubuntu3
efi-shell-loongarch64 - 2025.02-8ubuntu3
efi-shell-riscv64 - 2025.02-8ubuntu3
efi-shell-x64 - 2025.02-8ubuntu3
ovmf - 2025.02-8ubuntu3
ovmf-ia32 - 2025.02-8ubuntu3
ovmf-inteltdx - 2025.02-8ubuntu3
qemu-efi-aarch64 - 2025.02-8ubuntu3
qemu-efi-arm - 2025.02-8ubuntu3
qemu-efi-loongarch64 - 2025.02-8ubuntu3
qemu-efi-riscv64 - 2025.02-8ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-12 15:15:00 UTC
2025-08-12 15:15:00 UTC
https://bugzilla.tianocore.org/show_bug.cgi?id=4207
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2024-38805
CVE-2024-38807 on Ubuntu 26.04 LTS (resolute) - medium
Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-23 09:15:00 UTC
CVE-2024-38807
CVE-2024-38808 on Ubuntu 26.04 LTS (resolute) - medium
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Specifically, an application is vulnerable when the following is true:
 * The application evaluates user-supplied SpEL expressions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-20 08:15:00 UTC
CVE-2024-38808
CVE-2024-38809 on Ubuntu 26.04 LTS (resolute) - medium
Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-27 17:15:00 UTC
CVE-2024-38809
CVE-2024-38816 on Ubuntu 26.04 LTS (resolute) - medium
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true: * the web application uses RouterFunctions to serve static resources * resource handling is explicitly configured with a FileSystemResource location. However, malicious requests are blocked and rejected when any of the following is true: * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html is in use * the application runs on Tomcat or Jetty
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-13 06:15:00 UTC
CVE-2024-38816
CVE-2024-38819 on Ubuntu 26.04 LTS (resolute) - medium
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-19 18:15:00 UTC
CVE-2024-38819
CVE-2024-38820 on Ubuntu 26.04 LTS (resolute) - medium
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-18 06:15:00 UTC
CVE-2024-38820
CVE-2024-38828 on Ubuntu 26.04 LTS (resolute) - medium
Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-18 04:15:00 UTC
CVE-2024-38828
CVE-2024-38829 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons. This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0. The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried. Related to CVE-2024-38820 https://spring.io/security/cve-2024-38820
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-04 21:15:00 UTC
CVE-2024-38829
CVE-2024-3884 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-03 19:15:00 UTC
CVE-2024-3884
CVE-2024-38866 on Ubuntu 26.04 LTS (resolute) - medium
Improper neutralization of input in Nagvis before version 1.9.47 which can lead to livestatus injection
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-27 07:15:00 UTC
CVE-2024-38866
CVE-2024-38949 on Ubuntu 26.04 LTS (resolute) - medium
Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to display444as420 function at sdl.cc
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-26 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074416
https://github.com/strukturag/libde265/issues/460
CVE-2024-38949
CVE-2024-38950 on Ubuntu 26.04 LTS (resolute) - medium
Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attackers to crash the application via crafted payload to __interceptor_memcpy function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-26 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074416
https://github.com/strukturag/libde265/issues/460
CVE-2024-38950
CVE-2024-38999 on Ubuntu 26.04 LTS (resolute) - medium
jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-01 13:15:00 UTC
CVE-2024-38999
CVE-2024-3900 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by long Unicode sequence in ActualText.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-17 19:15:00 UTC
Sangbin Kim
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-3900
CVE-2024-3900
CVE-2024-39133 on Ubuntu 26.04 LTS (resolute) - medium
Heap Buffer Overflow vulnerability in zziplib v0.13.77 allows attackers to cause a denial of service via the __zzip_parse_root_directory() function at /zzip/zip.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-27 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074417
CVE-2024-39133
CVE-2024-39134 on Ubuntu 26.04 LTS (resolute) - medium
A Stack Buffer Overflow vulnerability in zziplib v0.13.77 allows attackers to cause a denial of service via the __zzip_fetch_disk_trailer() function at /zzip/zip.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-27 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074424
CVE-2024-39134
CVE-2024-39286 on Ubuntu 26.04 LTS (resolute) - medium
Incorrect execution-assigned permissions in the Linux kernel mode driver for the Intel(R) 800 Series Ethernet Driver before version 1.15.4 may allow an authenticated user to potentially enable information disclosure via local access.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-12 22:15:00 UTC
CVE-2024-39286
CVE-2024-39331 on Ubuntu 26.04 LTS (resolute) - medium
In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-23 22:15:00 UTC
2024-06-23 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074137
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074136
[https://ubuntu.com/security/notices/USN-7027-1]
[https://ubuntu.com/security/notices/USN-7375-1]
CVE-2024-39331
CVE-2024-39338 on Ubuntu 26.04 LTS (resolute) - medium
axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-12 13:38:00 UTC
CVE-2024-39338
CVE-2024-39573 on Ubuntu 26.04 LTS (resolute) - medium
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-39573` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.62-1ubuntu1
apache2-bin - 2.4.62-1ubuntu1
apache2-data - 2.4.62-1ubuntu1
apache2-suexec-custom - 2.4.62-1ubuntu1
apache2-suexec-pristine - 2.4.62-1ubuntu1
apache2-utils - 2.4.62-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-01 19:15:00 UTC
2024-07-01 19:15:00 UTC
Orange Tsai
[https://ubuntu.com/security/notices/USN-6885-1]
CVE-2024-39573
CVE-2024-39884 on Ubuntu 26.04 LTS (resolute) - medium
A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-39884` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.62-1ubuntu1
apache2-bin - 2.4.62-1ubuntu1
apache2-data - 2.4.62-1ubuntu1
apache2-suexec-custom - 2.4.62-1ubuntu1
apache2-suexec-pristine - 2.4.62-1ubuntu1
apache2-utils - 2.4.62-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-04
2024-07-04
[https://ubuntu.com/security/notices/USN-6885-1]
CVE-2024-39884
CVE-2024-39908 on Ubuntu 26.04 LTS (resolute) - medium
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you may be impacted by these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-16 18:15:00 UTC
2024-07-16 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-7091-1]
[https://ubuntu.com/security/notices/USN-7256-1]
[https://ubuntu.com/security/notices/USN-7418-1]
[https://ubuntu.com/security/notices/USN-7840-1]
CVE-2024-39908
CVE-2024-4006 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access scopes were not honored by GraphQL subscriptions
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-25 14:15:00 UTC
CVE-2024-4006
CVE-2024-4024 on Ubuntu 26.04 LTS (resolute) - medium
An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker with their Bitbucket account credentials may be able to take over a GitLab account linked to another user's Bitbucket account, if Bitbucket is used as an OAuth 2.0 provider on GitLab.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-25 14:15:00 UTC
CVE-2024-4024
CVE-2024-4027 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-30 15:16:00 UTC
CVE-2024-4027
CVE-2024-40446 on Ubuntu 26.04 LTS (resolute) - medium
An issue in forkosh Mime Tex before v.1.77 allows an attacker to execute arbitrary code via a crafted script
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-22 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103801
CVE-2024-40446
CVE-2024-40627 on Ubuntu 26.04 LTS (resolute) - medium
Fastapi OPA is an open source fastapi middleware which includes auth flow. HTTP `OPTIONS` requests are always allowed by `OpaMiddleware`, even when they lack authentication, and are passed through directly to the application. `OpaMiddleware` allows all HTTP `OPTIONS` requests without evaluating them against any policy. If an application provides different responses to HTTP `OPTIONS` requests based on an entity existing (such as to indicate whether an entity is writable on a system level), an unauthenticated attacker could discover which entities exist within an application. This issue has been addressed in release version 2.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-15 20:15:00 UTC
CVE-2024-40627
CVE-2024-40630 on Ubuntu 26.04 LTS (resolute) - medium
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation via a format-agnostic API with a feature set, scalability, and robustness needed for feature film production. In affected versions there is a bug in the heif input functionality of OpenImageIO. Specifically, in `HeifInput::seek_subimage()`. In the worst case, this can lead to an information disclosure vulnerability, particularly for programs that directly use the `ImageInput` APIs. This bug has been addressed in commit `0a2dcb4c` which is included in the 2.5.13.1 release. Users are advised to upgrade. There are no known workarounds for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-15 20:15:00 UTC
CVE-2024-40630
CVE-2024-40635 on Ubuntu 26.04 LTS (resolute) - medium
containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
Update Instructions:
Run `sudo pro fix CVE-2024-40635` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
containerd - 2.0.2-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-17 22:15:00 UTC
2025-03-17 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100806
[https://ubuntu.com/security/notices/USN-7374-1]
CVE-2024-40635
CVE-2024-40647 on Ubuntu 26.04 LTS (resolute) - medium
sentry-sdk is the official Python SDK for Sentry.io. A bug in Sentry's Python SDK < 2.8.0 allows the environment variables to be passed to subprocesses despite the `env={}` setting. In Python's `subprocess` calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use `env` argument in `subprocess` calls. Due to the bug in Sentry SDK, with the Stdlib integration enabled (which is enabled by default), this expectation is not fulfilled, and all environment variables are being passed to subprocesses instead. The issue has been patched in pull request #3251 and is included in sentry-sdk==2.8.0. We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, you can disable all default integrations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-18 17:15:00 UTC
CVE-2024-40647
CVE-2024-4067 on Ubuntu 26.04 LTS (resolute) - medium
The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching. This issue was fixed in version 4.0.8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-14 15:42:00 UTC
CVE-2024-4067
CVE-2024-40673 on Ubuntu 26.04 LTS (resolute) - medium
In Source of ZipFile.java, there is a possible way for an attacker to execute arbitrary code by manipulating Dynamic Code Loading due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-28 20:15:00 UTC
CVE-2024-40673
CVE-2024-4068 on Ubuntu 26.04 LTS (resolute) - medium
The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js`, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-14 15:42:00 UTC
CVE-2024-4068
CVE-2024-40725 on Ubuntu 26.04 LTS (resolute) - medium
A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-40725` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.62-1ubuntu1
apache2-bin - 2.4.62-1ubuntu1
apache2-data - 2.4.62-1ubuntu1
apache2-suexec-custom - 2.4.62-1ubuntu1
apache2-suexec-pristine - 2.4.62-1ubuntu1
apache2-utils - 2.4.62-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-17
2024-07-17
[https://ubuntu.com/security/notices/USN-6902-1]
CVE-2024-40725
CVE-2024-40767 on Ubuntu 26.04 LTS (resolute) - medium
In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Nova deployments are affected. NOTE: this issue exists because of an incomplete fix for CVE-2022-47951 and CVE-2024-32498.
Update Instructions:
Run `sudo pro fix CVE-2024-40767` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
nova-ajax-console-proxy - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-api - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-api-metadata - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-api-os-compute - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-api-os-volume - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-cells - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-common - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-compute - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-compute-ironic - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-compute-kvm - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-compute-libvirt - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-compute-lxc - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-compute-qemu - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-compute-vmware - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-compute-xen - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-conductor - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-novncproxy - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-scheduler - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-serialproxy - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-spiceproxy - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
nova-volume - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
python3-nova - 3:29.1.0+git2024080716.bb2d7f9c-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-23 15:00:00 UTC
2024-07-23 15:00:00 UTC
Arnaud Morin with OVH
https://launchpad.net/bugs/2071734 (upstream bug)
[https://ubuntu.com/security/notices/USN-6911-1]
CVE-2024-40767
CVE-2024-41110 on Ubuntu 26.04 LTS (resolute) - high
Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered in 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. docker-ce v27.1.1 contains patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.
Update Instructions:
Run `sudo pro fix CVE-2024-41110` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
docker.io - 26.1.3-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2024 Canonical Ltd.
2024-07-24 17:15:00 UTC
2024-07-24 17:15:00 UTC
Cory Snider
[https://ubuntu.com/security/notices/USN-7161-1]
[https://ubuntu.com/security/notices/USN-7161-2]
[https://ubuntu.com/security/notices/USN-7161-3]
CVE-2024-41110
CVE-2024-41123 on Ubuntu 26.04 LTS (resolute) - medium
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-01 15:15:00 UTC
2024-08-01 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-7091-1]
[https://ubuntu.com/security/notices/USN-7091-2]
[https://ubuntu.com/security/notices/USN-7418-1]
[https://ubuntu.com/security/notices/USN-7840-1]
CVE-2024-41123
CVE-2024-41128 on Ubuntu 26.04 LTS (resolute) - medium
Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may use Ruby 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-16 18:15:00 UTC
2024-10-16 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-7290-1]
CVE-2024-41128
CVE-2024-41184 on Ubuntu 26.04 LTS (resolute) - low
In the vrrp_ipsets_handler handler (fglobal_parser.c) of keepalived through 2.3.1, an integer overflow can occur. NOTE: this CVE Record might not be worthwhile because an empty ipset name must be configured by the user.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-07-18 01:15:00 UTC
https://github.com/acassen/keepalived/issues/2447#issuecomment-2231329734
CVE-2024-41184
CVE-2024-4140 on Ubuntu 26.04 LTS (resolute) - medium
An excessive memory use issue (CWE-770) exists in Email-MIME, before version 1.954, which can cause denial of service when parsing multipart MIME messages. The patch set (from 2020 and 2024) limits excessive depth and the total number of parts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-02
https://github.com/rjbs/Email-MIME/issues/66
https://github.com/rjbs/Email-MIME/pull/80
https://bugs.debian.org/960062
CVE-2024-4140
CVE-2024-4141 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by an invalid character code in a Type 1 font. The root problem was a bounds check that was being optimized away by modern compilers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-04-24 19:15:00 UTC
CVE-2024-4141
CVE-2024-41881 on Ubuntu 26.04 LTS (resolute) - medium
SDoP versions prior to 1.11 fail to handle appropriately some parameters inside the input data, resulting in a stack-based buffer overflow vulnerability. When a user of the affected product is tricked to process a specially crafted XML file, arbitrary code may be executed on the user's environment.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-29 09:15:00 UTC
CVE-2024-41881
CVE-2024-41942 on Ubuntu 26.04 LTS (resolute) - medium
JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to versions 4.1.6 and 5.1.0, if a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user. The impact is relatively small in that `admin:users` is already an extremely privileged scope only granted to trusted users. In effect, `admin:users` is equivalent to `admin=True`, which is not intended. Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. `groups` permissions from granting themselves or other users permissions via group membership, which is intentional. Versions 4.1.6 and 5.1.0 fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-08 15:15:00 UTC
CVE-2024-41942
CVE-2024-41946 on Ubuntu 26.04 LTS (resolute) - medium
REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2024-41946` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libruby3.3 - 3.3.4-2ubuntu6
ruby3.3 - 3.3.4-2ubuntu6
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-01 15:15:00 UTC
2024-08-01 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-7091-1]
[https://ubuntu.com/security/notices/USN-7091-2]
[https://ubuntu.com/security/notices/USN-7840-1]
CVE-2024-41946
CVE-2024-41989 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.
Update Instructions:
Run `sudo pro fix CVE-2024-41989` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:4.2.15-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-06 13:00:00 UTC
2024-08-06 13:00:00 UTC
[https://ubuntu.com/security/notices/USN-6946-1]
CVE-2024-41989
CVE-2024-41990 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
Update Instructions:
Run `sudo pro fix CVE-2024-41990` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:4.2.15-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-06 13:00:00 UTC
2024-08-06 13:00:00 UTC
[https://ubuntu.com/security/notices/USN-6946-1]
CVE-2024-41990
CVE-2024-41991 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
Update Instructions:
Run `sudo pro fix CVE-2024-41991` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:4.2.15-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-06 13:00:00 UTC
2024-08-06 13:00:00 UTC
[https://ubuntu.com/security/notices/USN-6946-1]
CVE-2024-41991
CVE-2024-42040 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in the net/bootp.c in DENEX U-Boot from its initial commit in 2002 (3861aa5) up to today on any platform allows an attacker on the local network to leak memory from four up to 32 bytes of memory stored behind the packet to the network depending on the later use of DHCP-provided parameters via crafted DHCP responses.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-23 15:15:00 UTC
Simon Diepold
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081557
CVE-2024-42040
CVE-2024-42325 on Ubuntu 26.04 LTS (resolute) - medium
Zabbix API user.get returns all users that share common group with the calling user. This includes media and other information, such as login attempts, etc.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-02 07:15:00 UTC
CVE-2024-42325
CVE-2024-42326 on Ubuntu 26.04 LTS (resolute) - medium
There was discovered a use after free bug in browser.c in the es_browser_get_variant function
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-27 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689
CVE-2024-42326
CVE-2024-42328 on Ubuntu 26.04 LTS (resolute) - medium
When the webdriver for the Browser object downloads data from a HTTP server, the data pointer is set to NULL and is allocated only in curl_write_cb when receiving data. If the server's response is an empty document, then wd->data in the code below will remain NULL and an attempt to read from it will result in a crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-27 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088689
CVE-2024-42328
CVE-2024-42353 on Ubuntu 26.04 LTS (resolute) - medium
WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. `urlparse` however treats a `//` at the start of a string as a URI without a scheme, and then treats the next part as the hostname. `urljoin` will then use that hostname from the second part as the hostname replacing the original one from the request. This vulnerability is patched in WebOb version 1.8.8.
Update Instructions:
Run `sudo pro fix CVE-2024-42353` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-webob - 1:1.8.7-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-14 21:15:00 UTC
2024-08-14 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-6984-1]
CVE-2024-42353
CVE-2024-42358 on Ubuntu 26.04 LTS (resolute) - medium
PDFio is a simple C library for reading and writing PDF files. There is a denial of service (DOS) vulnerability in the TTF parser. Maliciously crafted TTF files can cause the program to utilize 100% of the Memory and enter an infinite loop. This can also lead to a heap-buffer-overflow vulnerability. An infinite loop occurs in the read_camp function by nGroups value. The ttf.h library is vulnerable. A value called nGroups is extracted from the file, and by changing that value, you can cause the program to utilize 100% of the Memory and enter an infinite loop. If the value of nGroups in the file is small, an infinite loop will not occur. This library, whether used as a standalone binary or as part of another application, is vulnerable to DOS attacks when parsing certain types of files. Automated systems, including web servers that use this code to convert PDF submissions into plaintext, can be DOSed if an attacker uploads a malicious TTF file. This issue has been addressed in release version 1.3.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-06 17:15:00 UTC
CVE-2024-42358
CVE-2024-42365 on Ubuntu 26.04 LTS (resolute) - medium
Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may change all configuration files in the `/etc/asterisk/` directory. This occurs because they are able to curl remote files and write them to disk, but are also able to append to existing files using the `FILE` function inside the `SET` application. This issue may result in privilege escalation, remote code execution and/or blind server-side request forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2 contain a fix for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-08 17:15:00 UTC
CVE-2024-42365
CVE-2024-42415 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability exists in the Compound Document Binary File format parser of v1.14.52 of the GNOME Project G Structured File Library (libgsf). A specially crafted file can result in an integer overflow that allows for a heap-based buffer overflow when processing the sector allocation table. This can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2024-42415` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-gsf-1 - 1.14.52-1ubuntu0.1
libgsf-1-114 - 1.14.52-1ubuntu0.1
libgsf-1-common - 1.14.52-1ubuntu0.1
libgsf-bin - 1.14.52-1ubuntu0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-03 16:15:00 UTC
2024-10-03 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084056
https://gitlab.gnome.org/GNOME/libgsf/-/issues/34
[https://ubuntu.com/security/notices/USN-7062-1]
[https://ubuntu.com/security/notices/USN-7062-2]
CVE-2024-42415
CVE-2024-42459 on Ubuntu 26.04 LTS (resolute) - medium
In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-02 07:16:00 UTC
CVE-2024-42459
CVE-2024-42460 on Ubuntu 26.04 LTS (resolute) - medium
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-02 07:16:00 UTC
CVE-2024-42460
CVE-2024-42461 on Ubuntu 26.04 LTS (resolute) - medium
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-02 07:16:00 UTC
CVE-2024-42461
CVE-2024-42491 on Ubuntu 26.04 LTS (resolute) - medium
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions 18.9-cert12 and 20.7-cert2 of certified-asterisk, if Asterisk attempts to send a SIP request to a URI whose host portion starts with `.1` or `[.1]`, and res_resolver_unbound is loaded, Asterisk will crash with a SEGV. To receive a patch, users should upgrade to one of the following versions: 18.24.3, 20.9.3, 21.4.3, certified-18.9-cert12, certified-20.7-cert2. Two workarounds are available. Disable res_resolver_unbound by setting `noload = res_resolver_unbound.so` in modules.conf, or set `rewrite_contact = yes` on all PJSIP endpoints. NOTE: This may not be appropriate for all Asterisk configurations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-05 18:15:00 UTC
CVE-2024-42491
CVE-2024-42516 on Ubuntu 26.04 LTS (resolute) - medium
HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server to split the HTTP response. This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP Server 2.4.59 did not address the issue. Users are recommended to upgrade to version 2.4.64, which fixes this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-42516` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.64-1ubuntu2
apache2-bin - 2.4.64-1ubuntu2
apache2-data - 2.4.64-1ubuntu2
apache2-suexec-custom - 2.4.64-1ubuntu2
apache2-suexec-pristine - 2.4.64-1ubuntu2
apache2-utils - 2.4.64-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-10 17:15:00 UTC
2025-07-10 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-7639-1]
[https://ubuntu.com/security/notices/USN-7639-2]
CVE-2024-42516
CVE-2024-42643 on Ubuntu 26.04 LTS (resolute) - medium
Integer Overflow in fast_ping.c in SmartDNS Release46 allows remote attackers to cause a Denial of Service via misaligned memory access.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-22 22:15:00 UTC
2024-10-22 22:15:00 UTC
https://github.com/pymumu/smartdns/issues/1779
[https://ubuntu.com/security/notices/USN-7370-1]
CVE-2024-42643
CVE-2024-42845 on Ubuntu 26.04 LTS (resolute) - medium
An eval Injection vulnerability in the component invesalius/reader/dicom.py of InVesalius 3.1.99991 through 3.1.99998 allows attackers to execute arbitrary code via loading a crafted DICOM file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-23 19:15:00 UTC
CVE-2024-42845
CVE-2024-42851 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in open source exiftags v.1.01 allows a local attacker to execute arbitrary code via the paresetag function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-27 18:15:00 UTC
CVE-2024-42851
CVE-2024-43204 on Ubuntu 26.04 LTS (resolute) - medium
SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request. Users are recommended to upgrade to version 2.4.64 which fixes this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-43204` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.64-1ubuntu2
apache2-bin - 2.4.64-1ubuntu2
apache2-data - 2.4.64-1ubuntu2
apache2-suexec-custom - 2.4.64-1ubuntu2
apache2-suexec-pristine - 2.4.64-1ubuntu2
apache2-utils - 2.4.64-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-10 17:15:00 UTC
2025-07-10 17:15:00 UTC
xiaojunjie
[https://ubuntu.com/security/notices/USN-7639-1]
[https://ubuntu.com/security/notices/USN-7639-2]
CVE-2024-43204
CVE-2024-43358 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder has a cross-site scripting vulnerability in the filter view via the filter[Id]. This vulnerability is fixed in 1.36.34 and 1.37.61.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-12 21:15:00 UTC
CVE-2024-43358
CVE-2024-43359 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder has a cross-site scripting vulnerability in the montagereview via the displayinterval, speed, and scale parameters. This vulnerability is fixed in 1.36.34 and 1.37.61.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-12 21:15:00 UTC
CVE-2024-43359
CVE-2024-43360 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder is affected by a time-based SQL Injection vulnerability. This vulnerability is fixed in 1.36.34 and 1.37.61.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-12 21:15:00 UTC
CVE-2024-43360
CVE-2024-43362 on Ubuntu 26.04 LTS (resolute) - medium
Cacti is an open source performance and fault management framework. The `fileurl` parameter is not properly sanitized when saving external links in `links.php`. Moreover, the said fileurl is placed in some html code which is passed to the `print` function in `link.php` and `index.php`, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `fileurl` parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-07 21:15:00 UTC
CVE-2024-43362
CVE-2024-43363 on Ubuntu 26.04 LTS (resolute) - medium
Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-07 21:15:00 UTC
CVE-2024-43363
CVE-2024-43364 on Ubuntu 26.04 LTS (resolute) - medium
Cacti is an open source performance and fault management framework. The `title` parameter is not properly sanitized when saving external links in links.php. Moreover, the said title parameter is stored in the database and reflected back to user in index.php, finally leading to stored XSS. Users with the privilege to create external links can manipulate the `title` parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-07 21:15:00 UTC
CVE-2024-43364
CVE-2024-43365 on Ubuntu 26.04 LTS (resolute) - medium
Cacti is an open source performance and fault management framework. The `consolenewsection` parameter is not properly sanitized when saving external links in links.php. Moreover, the said consolenewsection parameter is stored in the database and reflected back to user in `index.php`, finally leading to stored XSS. Users with the privilege to create external links can manipulate the “consolenewsection” parameter in the http post request while creating external links to perform stored XSS attacks. The vulnerability known as XSS (Cross-Site Scripting) occurs when an application allows untrusted user input to be displayed on a web page without proper validation or escaping. This issue has been addressed in release version 1.2.28. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-07 21:15:00 UTC
CVE-2024-43365
CVE-2024-43398 on Ubuntu 26.04 LTS (resolute) - low
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2024-43398` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libruby3.3 - 3.3.6-1.1ubuntu1
ruby3.3 - 3.3.6-1.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-08-22 15:15:00 UTC
2024-08-22 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-7256-1]
[https://ubuntu.com/security/notices/USN-7418-1]
CVE-2024-43398
CVE-2024-43407 on Ubuntu 26.04 LTS (resolute) - medium
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is available in version 4.25.0-lts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-21 15:15:00 UTC
CVE-2024-43407
CVE-2024-43411 on Ubuntu 26.04 LTS (resolute) - negligible
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gains control over the https://cke4.ckeditor.com domain, they could potentially execute an attack on CKEditor 4 instances. The issue impacts only editor instances with enabled version notifications. Please note that this feature is disabled by default in all CKEditor 4 LTS versions. Therefore, if you use CKEditor 4 LTS, it is highly unlikely that you are affected by this vulnerability. If you are unsure, please contact us. The fix is available in version 4.25.0-lts.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2024 Canonical Ltd.
2024-08-21 16:15:00 UTC
2024-08-21 16:15:00 UTC
CVE-2024-43411
CVE-2024-43442 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in OTRS (System Configuration modules) and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the System Configuration targeting other admins. This issue affects: * OTRS from 7.0.X through 7.0.50 * OTRS 8.0.X * OTRS 2023.X * OTRS from 2024.X through 2024.5.X * ((OTRS)) Community Edition: 6.0.x. Products based on the ((OTRS)) Community Edition are also very likely to be affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-26 09:15:00 UTC
CVE-2024-43442
CVE-2024-43443 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in Process Management modules of OTRS and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the Process Management targeting other admins. This issue affects: * OTRS from 7.0.X through 7.0.50 * OTRS 8.0.X * OTRS 2023.X * OTRS from 2024.X through 2024.5.X * ((OTRS)) Community Edition: 6.0.x. Products based on the ((OTRS)) Community Edition are also very likely to be affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-26 09:15:00 UTC
CVE-2024-43443
CVE-2024-43444 on Ubuntu 26.04 LTS (resolute) - medium
Passwords of agents and customers are displayed in plain text in the OTRS admin log module if certain configurations regarding the authentication sources match and debugging for the authentication backend has been enabled. This issue affects: * OTRS from 7.0.X through 7.0.50 * OTRS 8.0.X * OTRS 2023.X * OTRS from 2024.X through 2024.5.X * ((OTRS)) Community Edition: 6.0.x. Products based on the ((OTRS)) Community Edition are also very likely to be affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-26 09:15:00 UTC
CVE-2024-43444
CVE-2024-43700 on Ubuntu 26.04 LTS (resolute) - medium
xfpt versions prior to 1.01 fail to handle appropriately some parameters inside the input data, resulting in a stack-based buffer overflow vulnerability. When a user of the affected product is tricked to process a specially crafted file, arbitrary code may be executed on the user's environment.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-29 11:15:00 UTC
2024-08-29 11:15:00 UTC
[https://ubuntu.com/security/notices/USN-7192-1]
CVE-2024-43700
CVE-2024-43788 on Ubuntu 26.04 LTS (resolute) - medium
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-27 17:15:00 UTC
CVE-2024-43788
CVE-2024-43791 on Ubuntu 26.04 LTS (resolute) - medium
RequestStore provides per-request global storage for Rack. The files published as part of request_store 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. This version was published in 2017, and most production environments do not allow access for local users, so the chances of this being exploited are very low, given that the vast majority of users will have upgraded, and those that have not, if any, are not likely to be exposed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-23 15:15:00 UTC
CVE-2024-43791
CVE-2024-43800 on Ubuntu 26.04 LTS (resolute) - medium
serve-static serves static files. In serve-static, passing untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-10 15:15:00 UTC
CVE-2024-43800
CVE-2024-43805 on Ubuntu 26.04 LTS (resolute) - medium
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. This vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature. A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user. JupyterLab v3.6.8, v4.2.5 and Jupyter Notebook v7.2.2 have been patched to resolve this issue. Users are advised to upgrade. There is no workaround for the underlying DOM Clobbering susceptibility. However, select plugins can be disabled on deployments which cannot update in a timely fashion to minimise the risk. These are: 1. `@jupyterlab/mathjax-extension:plugin` - users will lose ability to preview mathematical equations. 2. `@jupyterlab/markdownviewer-extension:plugin` - users will lose ability to open Markdown previews. 3. `@jupyterlab/mathjax2-extension:plugin` (if installed with optional `jupyterlab-mathjax2` package) - an older version of the mathjax plugin for JupyterLab 4.x. To disable these extensions run: ```jupyter labextension disable @jupyterlab/markdownviewer-extension:plugin && jupyter labextension disable @jupyterlab/mathjax-extension:plugin && jupyter labextension disable @jupyterlab/mathjax2-extension:plugin``` in bash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-28 20:15:00 UTC
CVE-2024-43805
CVE-2024-44082 on Ubuntu 26.04 LTS (resolute) - medium
In OpenStack Ironic before 26.0.1 and ironic-python-agent before 9.13.1, there is a vulnerability in image processing, in which a crafted image could be used by an authenticated user to exploit undesired behaviors in qemu-img, including possible unauthorized access to potentially sensitive data. The affected/fixed version details are: Ironic: <21.4.3, >=22.0.0 <23.0.2, >=23.1.0 <24.1.2, >=25.0.0 <26.0.1; Ironic-python-agent: <9.4.2, >=9.5.0 <9.7.1, >=9.8.0 <9.11.1, >=9.12.0 <9.13.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-04
2024-09-04 16:00:00 UTC
[https://ubuntu.com/security/notices/USN-6989-1]
CVE-2024-44082
CVE-2024-44331 on Ubuntu 26.04 LTS (resolute) - medium
Incorrect Access Control in GStreamer RTSP server 1.25.0 in gst-rtsp-server/rtsp-media.c allows remote attackers to cause a denial of service via a series of specially crafted hexstream requests.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-22 22:15:00 UTC
CVE-2024-44331
CVE-2024-4467 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file.
Update Instructions:
Run `sudo pro fix CVE-2024-4467` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:9.0.2+ds-4ubuntu2
qemu-block-supplemental - 1:9.0.2+ds-4ubuntu2
qemu-guest-agent - 1:9.0.2+ds-4ubuntu2
qemu-system - 1:9.0.2+ds-4ubuntu2
qemu-system-arm - 1:9.0.2+ds-4ubuntu2
qemu-system-common - 1:9.0.2+ds-4ubuntu2
qemu-system-data - 1:9.0.2+ds-4ubuntu2
qemu-system-gui - 1:9.0.2+ds-4ubuntu2
qemu-system-mips - 1:9.0.2+ds-4ubuntu2
qemu-system-misc - 1:9.0.2+ds-4ubuntu2
qemu-system-modules-opengl - 1:9.0.2+ds-4ubuntu2
qemu-system-modules-spice - 1:9.0.2+ds-4ubuntu2
qemu-system-ppc - 1:9.0.2+ds-4ubuntu2
qemu-system-riscv - 1:9.0.2+ds-4ubuntu2
qemu-system-s390x - 1:9.0.2+ds-4ubuntu2
qemu-system-sparc - 1:9.0.2+ds-4ubuntu2
qemu-system-x86 - 1:9.0.2+ds-4ubuntu2
qemu-system-x86-xen - 1:9.0.2+ds-4ubuntu2
qemu-system-xen - 1:9.0.2+ds-4ubuntu2
qemu-user - 1:9.0.2+ds-4ubuntu2
qemu-user-binfmt - 1:9.0.2+ds-4ubuntu2
qemu-utils - 1:9.0.2+ds-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-02 16:15:00 UTC
2024-07-02 16:15:00 UTC
fabian
https://bugzilla.redhat.com/show_bug.cgi?id=2278875
[https://ubuntu.com/security/notices/USN-7744-1]
CVE-2024-4467
CVE-2024-44866 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow in the GuitarPro1::read function of MuseScore Studio v4.3.2 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via opening a crafted GuitarPro file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-17 19:15:00 UTC
CVE-2024-44866
CVE-2024-45191 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Matrix libolm through 3.2.16. The AES implementation is vulnerable to cache-timing attacks due to use of S-boxes. This is related to software that uses a lookup table for the SubWord step. This refers to the libolm implementation of Olm. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-22 16:15:00 UTC
CVE-2024-45191
CVE-2024-45192 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Matrix libolm through 3.2.16. Cache-timing attacks can occur due to use of base64 when decoding group session keys. This refers to the libolm implementation of Olm. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-22 16:15:00 UTC
CVE-2024-45192
CVE-2024-45193 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Matrix libolm through 3.2.16. There is Ed25519 signature malleability due to lack of validation criteria (does not ensure that S < n). This refers to the libolm implementation of Olm. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-22 16:15:00 UTC
CVE-2024-45193
CVE-2024-45216 on Ubuntu 26.04 LTS (resolute) - medium
Improper Authentication vulnerability in Apache Solr. Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing. This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0. Users are recommended to upgrade to version 9.7.0, or 8.11.4, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-16 08:15:00 UTC
CVE-2024-45216
CVE-2024-45217 on Ubuntu 26.04 LTS (resolute) - medium
Insecure Default Initialization of Resource vulnerability in Apache Solr. New ConfigSets that are created via a Restore command, which copy a configSet from the backup and give it a new name, are created without setting the "trusted" metadata. ConfigSets that do not contain the flag are trusted implicitly if the metadata is missing, therefore this leads to "trusted" ConfigSets that may not have been created with an Authenticated request. "trusted" ConfigSets are able to load custom code into classloaders, therefore the flag is supposed to only be set when the request that uploads the ConfigSet is Authenticated & Authorized. This issue affects Apache Solr: from 6.6.0 before 8.11.4, from 9.0.0 before 9.7.0. This issue does not affect Solr instances that are secured via Authentication/Authorization. Users are primarily recommended to use Authentication and Authorization when running Solr. However, upgrading to version 9.7.0, or 8.11.4 will mitigate this issue otherwise.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-16 08:15:00 UTC
CVE-2024-45217
CVE-2024-45230 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
Update Instructions:
Run `sudo pro fix CVE-2024-45230` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:4.2.15-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-03
2024-09-03
[https://ubuntu.com/security/notices/USN-6987-1]
CVE-2024-45230
CVE-2024-45231 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).
Update Instructions:
Run `sudo pro fix CVE-2024-45231` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:4.2.15-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-09-03
2024-09-03
[https://ubuntu.com/security/notices/USN-6987-1]
CVE-2024-45231
CVE-2024-45296 on Ubuntu 26.04 LTS (resolute) - medium
path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-09 19:15:00 UTC
yomonokio
CVE-2024-45296
CVE-2024-45321 on Ubuntu 26.04 LTS (resolute) - medium
The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-27 04:15:00 UTC
CVE-2024-45321
CVE-2024-45336 on Ubuntu 26.04 LTS (resolute) - medium
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-28 02:15:00 UTC
2025-01-28 02:15:00 UTC
Kyle Seely
https://go.dev/issue/70530
[https://ubuntu.com/security/notices/USN-7574-1]
CVE-2024-45336
CVE-2024-45337 on Ubuntu 26.04 LTS (resolute) - medium
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state.
Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-12 02:02:00 UTC
2024-12-12 02:02:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089754
https://github.com/golang/go/issues/70779
[https://ubuntu.com/security/notices/USN-7839-1]
[https://ubuntu.com/security/notices/USN-7839-2]
CVE-2024-45337
CVE-2024-45338 on Ubuntu 26.04 LTS (resolute) - medium
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
Update Instructions:
Run `sudo pro fix CVE-2024-45338` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
adsys - 0.16.0ubuntu1
adsys-windows - 0.16.0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-18 21:15:00 UTC
2024-12-18 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-7197-1]
CVE-2024-45338
CVE-2024-45340 on Ubuntu 26.04 LTS (resolute) - medium
Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the user's .netrc file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-28 02:15:00 UTC
Juho Forsén (Mattermost)
https://go.dev/issue/71249
CVE-2024-45340
CVE-2024-45341 on Ubuntu 26.04 LTS (resolute) - medium
A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-28 02:15:00 UTC
2025-01-28 02:15:00 UTC
Juho Forsén
https://go.dev/issue/71156
[https://ubuntu.com/security/notices/USN-7574-1]
CVE-2024-45341
CVE-2024-45490 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-30 03:15:00 UTC
2024-08-30 03:15:00 UTC
Shang-Hung Wan
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1080149
[https://ubuntu.com/security/notices/USN-7000-1]
[https://ubuntu.com/security/notices/USN-7001-1]
[https://ubuntu.com/security/notices/USN-7001-2]
[https://ubuntu.com/security/notices/USN-7000-2]
CVE-2024-45490
CVE-2024-45491 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-30 03:15:00 UTC
2024-08-30 03:15:00 UTC
Shang-Hung Wan
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1080150
[https://ubuntu.com/security/notices/USN-7000-1]
[https://ubuntu.com/security/notices/USN-7001-1]
[https://ubuntu.com/security/notices/USN-7001-2]
[https://ubuntu.com/security/notices/USN-7000-2]
CVE-2024-45491
CVE-2024-45492 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-30 03:15:00 UTC
2024-08-30 03:15:00 UTC
Shang-Hung Wan
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1080152
[https://ubuntu.com/security/notices/USN-7000-1]
[https://ubuntu.com/security/notices/USN-7000-2]
CVE-2024-45492
CVE-2024-45613 on Ubuntu 26.04 LTS (resolute) - medium
CKEditor 5 is a JavaScript rich-text editor. Starting in version 40.0.0 and prior to version 43.1.1, a Cross-Site Scripting (XSS) vulnerability is present in the CKEditor 5 clipboard package. This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert malicious content into the editor, which might happen with a very specific editor configuration. This vulnerability only affects installations where the Block Toolbar plugin is enabled and either the General HTML Support (with a configuration that permits unsafe markup) or the HTML Embed plugin is also enabled. A fix for the problem is available in version 43.1.1. As a workaround, one may disable the block toolbar plugin.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-25 14:15:00 UTC
CVE-2024-45613
CVE-2024-45614 on Ubuntu 26.04 LTS (resolute) - medium
Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables are affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has an underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.
Update Instructions:
Run `sudo pro fix CVE-2024-45614` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
puma - 6.4.2-5ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-20
2024-09-20
[https://ubuntu.com/security/notices/USN-7031-1]
[https://ubuntu.com/security/notices/USN-7031-2]
CVE-2024-45614
CVE-2024-45624 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of sensitive information due to incompatible policies issue exists in Pgpool-II. If a database user accesses a query cache, table data unauthorized for the user may be retrieved.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-12 05:15:00 UTC
CVE-2024-45624
CVE-2024-45679 on Ubuntu 26.04 LTS (resolute) - medium
Heap-based buffer overflow vulnerability in Assimp versions prior to 5.4.3 allows a local attacker to execute arbitrary code by importing a specially crafted file into the product.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-18 04:15:00 UTC
CVE-2024-45679
CVE-2024-4568 on Ubuntu 26.04 LTS (resolute) - medium
In Xpdf 4.05 (and earlier), a PDF object loop in the PDF resources leads to infinite recursion and a stack overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-06 20:15:00 UTC
CVE-2024-4568
CVE-2024-45699 on Ubuntu 26.04 LTS (resolute) - medium
The endpoint /zabbix.php?action=export.valuemaps suffers from a Cross-Site Scripting vulnerability via the backurl parameter. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint causing it to be executed within the context of the victim's browser.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-02 07:15:00 UTC
CVE-2024-45699
CVE-2024-45700 on Ubuntu 26.04 LTS (resolute) - medium
Zabbix server is vulnerable to a DoS vulnerability due to uncontrolled resource exhaustion. An attacker can send specially crafted requests to the server, which will cause the server to allocate an excessive amount of memory and perform CPU-intensive decompression operations, ultimately leading to a service crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-02 07:15:00 UTC
CVE-2024-45700
CVE-2024-45751 on Ubuntu 26.04 LTS (resolute) - medium
tgt (aka Linux target framework) before 1.0.93 attempts to achieve entropy by calling rand without srand. The PRNG seed is always 1, and thus the sequence of challenges is always identical.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-06 05:15:00 UTC
2024-09-06 05:15:00 UTC
[https://ubuntu.com/security/notices/USN-7024-1]
CVE-2024-45751
CVE-2024-45752 on Ubuntu 26.04 LTS (resolute) - medium
logiops through 0.3.4, in its default configuration, allows any unprivileged user to configure its logid daemon via an unrestricted D-Bus service, including setting malicious keyboard macros. This allows for privilege escalation with minimal user interaction.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-19 16:15:00 UTC
CVE-2024-45752
CVE-2024-45769 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Performance Co-Pilot (PCP). This flaw allows an attacker to send specially crafted data to the system, which could cause the program to misbehave or crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-19 09:15:00 UTC
CVE-2024-45769
CVE-2024-45770 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Performance Co-Pilot (PCP). This flaw can only be exploited if an attacker has access to a compromised PCP system account. The issue is related to the pmpost tool, which is used to log messages in the system. Under certain conditions, it runs with high-level privileges.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-19 09:15:00 UTC
CVE-2024-45770
CVE-2024-45774 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in grub2. A specially crafted JPEG file can cause the JPEG parser of grub2 to incorrectly check the bounds of its internal buffers, resulting in an out-of-bounds write. The possibility of overwriting sensitive information to bypass secure boot protections is not discarded.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2024-45774
CVE-2024-45775 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in grub2 where the grub_extcmd_dispatcher() function calls grub_arg_list_alloc() to allocate memory for the grub's argument list. However, it fails to check in case the memory allocation fails. Once the allocation fails, a NULL pointer will be processed by the parse_option() function, leading grub to crash or, in some rare scenarios, corrupt the IVT data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2024-45775
CVE-2024-45776 on Ubuntu 26.04 LTS (resolute) - medium
When reading the language .mo file in grub_mofile_open(), grub2 fails to verify an integer overflow when allocating its internal buffer. A crafted .mo file may lead the buffer size calculation to overflow, leading to out-of-bound reads and writes. This flaw allows an attacker to leak sensitive data or overwrite critical data, possibly circumventing secure boot protections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2024-45776
CVE-2024-45777 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in grub2. The calculation of the translation buffer when reading a language .mo file in grub_gettext_getstr_from_position() may overflow, leading to an out-of-bound write. This issue can be leveraged by an attacker to overwrite grub2's sensitive heap data, eventually leading to the circumvention of secure boot protections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2024-45777
CVE-2024-45778 on Ubuntu 26.04 LTS (resolute) - medium
A stack overflow flaw was found when reading a BFS file system. A crafted BFS filesystem may lead to an uncontrolled loop, causing grub2 to crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2024-45778
CVE-2024-45779 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow flaw was found in the BFS file system driver in grub2. When reading a file with an indirect extent map, grub2 fails to validate the number of extent entries to be read. A crafted or corrupted BFS filesystem may cause an integer overflow during the file reading, leading to a heap out-of-bounds read. As a consequence, sensitive data may be leaked, or grub2 will crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2024-45779
CVE-2024-45780 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in grub2. When reading tar files, grub2 allocates an internal buffer for the file name. However, it fails to properly verify the allocation against possible integer overflows. It's possible to cause the allocation length to overflow with a crafted tar file, leading to a heap out-of-bounds write. This flaw eventually allows an attacker to circumvent secure boot protections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2024-45780
CVE-2024-45781 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in grub2. When reading a symbolic link's name from a UFS filesystem, grub2 fails to validate the string length taken as an input. The lack of validation may lead to a heap out-of-bounds write, causing data integrity issues and eventually allowing an attacker to circumvent secure boot protections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2024-45781
CVE-2024-45782 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the HFS filesystem. When reading an HFS volume's name at grub_fs_mount(), the HFS filesystem driver performs a strcpy() using the user-provided volume name as input without properly validating the volume name's length. This issue may lead to a heap-based out-of-bounds write, impacting grub's sensitive data integrity and eventually leading to a secure boot protection bypass.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2024-45782
CVE-2024-45783 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in grub2. When failing to mount an HFS+ grub, the hfsplus filesystem driver doesn't properly set an ERRNO value. This issue may lead to a NULL pointer access.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2024-45783
CVE-2024-45795 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, rules using datasets with the non-functional / unimplemented "unset" option can trigger an assertion during traffic parsing, leading to denial of service. This issue is addressed in 7.0.7. As a workaround, use only trusted and well tested rulesets.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-16 19:15:00 UTC
CVE-2024-45795
CVE-2024-45796 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, a logic error during fragment reassembly can lead to failed reassembly for valid traffic. An attacker could craft packets to trigger this behavior. This issue has been addressed in 7.0.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-16 19:15:00 UTC
CVE-2024-45796
CVE-2024-45801 on Ubuntu 26.04 LTS (resolute) - medium
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-16 19:16:00 UTC
CVE-2024-45801
CVE-2024-45817 on Ubuntu 26.04 LTS (resolute) - medium
In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which generates an error when an error interrupt is raised. This case causes Xen to recurse through vlapic_error(). The recursion itself is bounded; errors accumulate in the status register and only generate an interrupt when a new status bit becomes set. However, the lock protecting this state in Xen will try to be taken recursively, and deadlock.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-25 11:15:00 UTC
CVE-2024-45817
CVE-2024-45818 on Ubuntu 26.04 LTS (resolute) - medium
The hypervisor contains code to accelerate VGA memory accesses for HVM guests, when the (virtual) VGA is in "standard" mode. Locking involved there has an unusual discipline, leaving a lock acquired past the return from the function that acquired it. This behavior results in a problem when emulating an instruction with two memory accesses, both of which touch VGA memory (plus some further constraints which aren't relevant here). When emulating the 2nd access, the lock that is already being held would be attempted to be re-acquired, resulting in a deadlock. This deadlock was already found when the code was first introduced, but was analysed incorrectly and the fix was incomplete. Analysis in light of the new finding cannot find a way to make the existing locking discipline work. In staging, this logic has all been removed because it was discovered to be accidentally disabled since Xen 4.7. Therefore, we are fixing the locking problem by backporting the removal of most of the feature. Note that even with the feature disabled, the lock would still be acquired for any accesses to the VGA MMIO region.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-19 12:15:00 UTC
CVE-2024-45818
CVE-2024-45819 on Ubuntu 26.04 LTS (resolute) - medium
PVH guests have their ACPI tables constructed by the toolstack. The construction involves building the tables in local memory, which are then copied into guest memory. While actually used parts of the local memory are filled in correctly, excess space that is being allocated is left with its prior contents.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-19 12:15:00 UTC
CVE-2024-45819
CVE-2024-4603 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (`p` parameter) is too large. Trying to use a very large modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in length for signature verification. However the key and parameter check functions do not limit the modulus size when performing the checks. An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. These functions are not called by OpenSSL itself on untrusted DSA keys so only applications that directly call these functions may be vulnerable. Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the `-check` option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-4603` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.2.2-1ubuntu1
openssl - 3.2.2-1ubuntu1
openssl-provider-legacy - 3.2.2-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-05-16 16:15:00 UTC
2024-05-16 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-6937-1]
CVE-2024-4603
CVE-2024-46292 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow in modsecurity v3.0.12 allows attackers to cause a Denial of Service (DoS) via a crafted input inserted into the name parameter. NOTE: this is disputed by the Supplier because it cannot be reproduced. Also, the product's documentation indicates that it is not guaranteed to be usable with very large values of SecRequestBodyNoFilesLimit (which are required by the claimed issue).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-09 16:15:00 UTC
CVE-2024-46292
CVE-2024-46304 on Ubuntu 26.04 LTS (resolute) - medium
A NULL pointer dereference in libcoap v4.3.5-rc2 and below allows a remote attacker to cause a denial of service via the coap_handle_request_put_block function in src/coap_block.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-09 16:15:00 UTC
CVE-2024-46304
CVE-2024-46544 on Ubuntu 26.04 LTS (resolute) - medium
Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service. This issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix like systems is affected. Neither the ISAPI redirector nor mod_jk on Windows is affected. Users are recommended to upgrade to version 1.2.50, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-23 11:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082713
CVE-2024-46544
CVE-2024-46632 on Ubuntu 26.04 LTS (resolute) - medium
Assimp v5.4.3 is vulnerable to Buffer Overflow via the MD5Importer::LoadMD5MeshFile function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-26 16:15:00 UTC
CVE-2024-46632
CVE-2024-46958 on Ubuntu 26.04 LTS (resolute) - medium
In Nextcloud Desktop Client 3.13.1 through 3.13.3 on Linux, synchronized files (between the server and client) may become world writable or world readable. This is fixed in 3.13.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-16 02:15:00 UTC
CVE-2024-46958
CVE-2024-46981 on Ubuntu 26.04 LTS (resolute) - medium
Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-06 22:15:00 UTC
2025-01-06 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-7321-1]
[https://ubuntu.com/security/notices/USN-7359-1]
CVE-2024-46981
CVE-2024-47068 on Ubuntu 26.04 LTS (resolute) - medium
Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 2.79.2, 3.29.5, and 4.22.4 contain a patch for the vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-23 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082712
CVE-2024-47068
CVE-2024-47072 on Ubuntu 26.04 LTS (resolute) - medium
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-08 00:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087274
CVE-2024-47072
CVE-2024-47079 on Ubuntu 26.04 LTS (resolute) - medium
Meshtastic is an open source, off-grid, decentralized, mesh network built to run on affordable, low-power devices. Meshtastic firmware is an open source firmware implementation for the broader project. The remote hardware module of the firmware does not have proper checks to ensure a remote hardware control message was received should be considered valid. This issue has been addressed in release version 2.5.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-07 20:15:00 UTC
CVE-2024-47079
CVE-2024-47090 on Ubuntu 26.04 LTS (resolute) - medium
Improper neutralization of input in Nagvis before version 1.9.47 which can lead to XSS
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-27 07:15:00 UTC
CVE-2024-47090
CVE-2024-47187 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to datasets having predictable hash table behavior. This can lead to dataset file loading to use excessive time to load, as well as runtime performance issues during traffic handling. This issue has been addressed in 7.0.7. As a workaround, avoid loading datasets from untrusted sources. Avoid dataset rules that track traffic in rules.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-16 19:15:00 UTC
CVE-2024-47187
CVE-2024-47188 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to byte-range tracking having predictable hash table behavior. This can lead to an attacker forcing lots of data into a single hash bucket, leading to severe performance degradation. This issue has been addressed in 7.0.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-16 19:15:00 UTC
CVE-2024-47188
CVE-2024-47211 on Ubuntu 26.04 LTS (resolute) - medium
In OpenStack Ironic before 21.4.4, 22.x and 23.x before 23.0.3, 23.x and 24.x before 24.1.3, and 25.x and 26.x before 26.1.0, there is a lack of checksum validation of supplied image_source URLs when configured to convert images to a raw format for streaming.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-04 18:15:00 UTC
CVE-2024-47211
CVE-2024-47220 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."
Update Instructions:
Run `sudo pro fix CVE-2024-47220` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ruby-webrick - 1.8.1-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-22 01:15:00 UTC
2024-09-22 01:15:00 UTC
https://github.com/ruby/webrick/issues/145
[https://ubuntu.com/security/notices/USN-7057-1]
[https://ubuntu.com/security/notices/USN-7057-2]
[https://ubuntu.com/security/notices/USN-7840-1]
CVE-2024-47220
CVE-2024-47252 on Ubuntu 26.04 LTS (resolute) - medium
Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.
Update Instructions:
Run `sudo pro fix CVE-2024-47252` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.64-1ubuntu2
apache2-bin - 2.4.64-1ubuntu2
apache2-data - 2.4.64-1ubuntu2
apache2-suexec-custom - 2.4.64-1ubuntu2
apache2-suexec-pristine - 2.4.64-1ubuntu2
apache2-utils - 2.4.64-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-10 17:15:00 UTC
2025-07-10 17:15:00 UTC
John Runyon
[https://ubuntu.com/security/notices/USN-7639-1]
[https://ubuntu.com/security/notices/USN-7639-2]
CVE-2024-47252
CVE-2024-4741 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications. The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use. The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use. The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use. While these scenarios could occur accidentally during normal operation a malicious attacker could attempt to engineer a situation where this occurs. We are not aware of this issue being actively exploited. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-4741` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.2.2-1ubuntu1
openssl - 3.2.2-1ubuntu1
openssl-provider-legacy - 3.2.2-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-05-28
2024-05-28
William Ahern
[https://ubuntu.com/security/notices/USN-6937-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2024-4741
CVE-2024-47522 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, invalid ALPN in TLS/QUIC traffic when JA4 matching/logging is enabled can lead to Suricata aborting with a panic. This issue has been addressed in 7.0.7. One may disable ja4 as a workaround.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-16 20:15:00 UTC
CVE-2024-47522
CVE-2024-47535 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-12 16:15:00 UTC
CVE-2024-47535
CVE-2024-47619 on Ubuntu 26.04 LTS (resolute) - medium
syslog-ng is an enhanced log daemon. Prior to version 4.8.2, `tls_wildcard_match()` matches on certificates such as `foo.*.bar` although that is not allowed. It is also possible to pass partial wildcards such as `foo.a*c.bar` which glib matches but should be avoided / invalidated. This issue could have an impact on TLS connections, such as in man-in-the-middle situations. Version 4.8.2 contains a fix for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-07 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104890
CVE-2024-47619
CVE-2024-47796 on Ubuntu 26.04 LTS (resolute) - medium
An improper array index validation vulnerability exists in the nowindow functionality of OFFIS DCMTK 3.6.8. A specially crafted DICOM file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-13 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093043
CVE-2024-47796
CVE-2024-47855 on Ubuntu 26.04 LTS (resolute) - medium
util/JSONTokener.java in JSON-lib before 3.1.0 mishandles an unbalanced comment string.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-04 06:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084191
CVE-2024-47855
CVE-2024-47875 on Ubuntu 26.04 LTS (resolute) - medium
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-11 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084983
CVE-2024-47875
CVE-2024-47887 on Ubuntu 26.04 LTS (resolute) - medium
Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may choose to use Ruby 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-16 20:15:00 UTC
2024-10-16 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7290-1]
CVE-2024-47887
CVE-2024-47888 on Ubuntu 26.04 LTS (resolute) - medium
Action Text brings rich text content and editing to Rails. Starting in version 6.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the `plain_text_for_blockquote_node` helper in Action Text. Carefully crafted text can cause the `plain_text_for_blockquote_node` helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-16 21:15:00 UTC
2024-10-16 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-7290-1]
CVE-2024-47888
CVE-2024-47889 on Ubuntu 26.04 LTS (resolute) - medium
Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the `block_format` helper in Action Mailer. Carefully crafted text can cause the `block_format` helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-16 21:15:00 UTC
2024-10-16 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
[https://ubuntu.com/security/notices/USN-7290-1]
CVE-2024-47889
CVE-2024-47913 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the AbuseFilter extension for MediaWiki before 1.39.9, 1.40.x and 1.41.x before 1.41.3, and 1.42.x before 1.42.2. An API caller can match a filter condition against AbuseFilter logs even if the caller is not authorized to view the log details for the filter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-04 22:15:00 UTC
CVE-2024-47913
CVE-2024-48063 on Ubuntu 26.04 LTS (resolute) - medium
In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-29 21:15:00 UTC
CVE-2024-48063
CVE-2024-48208 on Ubuntu 26.04 LTS (resolute) - medium
pure-ftpd before 1.0.52 is vulnerable to Buffer Overflow. There is an out of bounds read in the domlsd() function of the ls.c file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-24 21:15:00 UTC
CVE-2024-48208
CVE-2024-48241 on Ubuntu 26.04 LTS (resolute) - medium
An issue in radare2 v5.8.0 through v5.9.4 allows a local attacker to cause a denial of service via the __bf_div function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-30 18:15:00 UTC
CVE-2024-48241
CVE-2024-48423 on Ubuntu 26.04 LTS (resolute) - medium
An issue in assimp v.5.4.3 allows a local attacker to execute arbitrary code via the CallbackToLogRedirector function within the Assimp library.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-24 21:15:00 UTC
https://github.com/assimp/assimp/issues/5788
https://bugzilla.redhat.com/show_bug.cgi?id=2321643
CVE-2024-48423
CVE-2024-48424 on Ubuntu 26.04 LTS (resolute) - medium
A heap-buffer-overflow vulnerability has been identified in the OpenDDLParser::parseStructure function within the Assimp library, specifically during the processing of OpenGEX files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-24 21:15:00 UTC
https://github.com/assimp/assimp/issues/5787
https://bugzilla.redhat.com/show_bug.cgi?id=2321628
CVE-2024-48424
CVE-2024-48425 on Ubuntu 26.04 LTS (resolute) - medium
A segmentation fault (SEGV) was detected in the Assimp::SplitLargeMeshesProcess_Triangle::UpdateNode function within the Assimp library during fuzz testing using AddressSanitizer. The crash occurs due to a read access violation at address 0x000000000460, which points to the zero page, indicating a null or invalid pointer dereference.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-24 21:15:00 UTC
https://github.com/assimp/assimp/issues/5791
https://bugzilla.redhat.com/show_bug.cgi?id=2321631
CVE-2024-48425
CVE-2024-48426 on Ubuntu 26.04 LTS (resolute) - medium
A segmentation fault (SEGV) was detected in the SortByPTypeProcess::Execute function in the Assimp library during fuzz testing with AddressSanitizer. The crash occurred due to a read access to an invalid memory address (0x1000c9714971).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-24 21:15:00 UTC
https://github.com/assimp/assimp/issues/5789
CVE-2024-48426
CVE-2024-48877 on Ubuntu 26.04 LTS (resolute) - medium
A memory corruption vulnerability exists in the Shared String Table Record Parser implementation in xls2csv utility version 0.95. A specially crafted malformed file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-02 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107168
CVE-2024-48877
CVE-2024-48933 on Ubuntu 26.04 LTS (resolute) - medium
A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 allows remote attackers to inject arbitrary web script or HTML into the login page via a username if userControl has been set to a non-default value that allows special HTML characters.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-09 23:15:00 UTC
CVE-2024-48933
CVE-2024-48948 on Ubuntu 26.04 LTS (resolute) - medium
The Elliptic package 6.5.7 for Node.js, in its ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of a _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-15 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085298
CVE-2024-48948
CVE-2024-49393 on Ubuntu 26.04 LTS (resolute) - low
In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing, which allows an attacker that intercepts a message to change their value and include himself as one of the recipients to compromise message confidentiality.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-11-12 02:15:00 UTC
2024-11-12 02:15:00 UTC
[https://ubuntu.com/security/notices/USN-7204-1]
CVE-2024-49393
CVE-2024-49394 on Ubuntu 26.04 LTS (resolute) - low
In mutt and neomutt the In-Reply-To email header field is not protected by cryptographic signing, which allows an attacker to reuse an unencrypted but signed email message to impersonate the original sender.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-11-12 03:15:00 UTC
2024-11-12 03:15:00 UTC
[https://ubuntu.com/security/notices/USN-7204-1]
CVE-2024-49394
CVE-2024-49395 on Ubuntu 26.04 LTS (resolute) - low
In mutt and neomutt, PGP encryption does not use the --hidden-recipient mode, which may leak the Bcc email header field by inferring from the recipients info.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-11-12 03:15:00 UTC
CVE-2024-49395
CVE-2024-49504 on Ubuntu 26.04 LTS (resolute) - medium
grub2 allowed attackers with access to the grub shell to access files on the encrypted disks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-13 15:15:00 UTC
CVE-2024-49504
CVE-2024-4976 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds array write in Xpdf 4.05 and earlier, due to missing object type check in AcroForm field reference.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-05-15 21:15:00 UTC
CVE-2024-4976
CVE-2024-49767 on Ubuntu 26.04 LTS (resolute) - medium
Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-49767` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-werkzeug - 3.0.4-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-25 20:15:00 UTC
2024-10-25 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086062
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086063
[https://ubuntu.com/security/notices/USN-7093-1]
CVE-2024-49767
CVE-2024-50340 on Ubuntu 26.04 LTS (resolute) - medium
symfony/runtime is a module for the Symfony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on`, and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-06 21:15:00 UTC
2024-11-06 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-7272-1]
CVE-2024-50340
CVE-2024-50342 on Ubuntu 26.04 LTS (resolute) - medium
symfony/http-client is a module for the Symfony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-06 21:15:00 UTC
2024-11-06 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-7272-1]
CVE-2024-50342
CVE-2024-50343 on Ubuntu 26.04 LTS (resolute) - medium
symfony/validator is a module for the Symfony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. Symfony as of versions 5.4.43, 6.4.11, and 7.1.4 now uses the `D` regex modifier to match the entire input. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-06 21:15:00 UTC
2024-11-06 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-7272-1]
CVE-2024-50343
CVE-2024-50345 on Ubuntu 26.04 LTS (resolute) - medium
symfony/http-foundation is a module for the Symfony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-06 21:15:00 UTC
2024-11-06 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-7272-1]
CVE-2024-50345
CVE-2024-50379 on Ubuntu 26.04 LTS (resolute) - medium
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-17 13:15:00 UTC
2024-12-17 13:15:00 UTC
[https://ubuntu.com/security/notices/USN-7705-1]
CVE-2024-50379
CVE-2024-50382 on Ubuntu 26.04 LTS (resolute) - medium
Botan before 3.6.0, when certain LLVM versions are used, has compiler-induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in GHASH in AES-GCM. There is a branch instead of an XOR with carry. This was observed for Clang in LLVM 15 on RISC-V.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-23 17:15:00 UTC
2024-10-23 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-7586-1]
CVE-2024-50382
CVE-2024-50383 on Ubuntu 26.04 LTS (resolute) - medium
Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/donna128.h in donna128 (used in Chacha-Poly1305 and x25519). An addition can be skipped if a carry is not set. This was observed for GCC 11.3.0 with -O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be affected.)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-23 17:15:00 UTC
2024-10-23 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-7586-1]
CVE-2024-50383
CVE-2024-50602 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-27 05:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086134
[https://ubuntu.com/security/notices/USN-7145-1]
CVE-2024-50602
CVE-2024-50610 on Ubuntu 26.04 LTS (resolute) - medium
GSL (GNU Scientific Library) through 2.8 has an integer signedness error in gsl_siman_solve_many in siman/siman.c. When params.n_tries is negative, incorrect memory allocation occurs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-27 22:15:00 UTC
CVE-2024-50610
CVE-2024-50613 on Ubuntu 26.04 LTS (resolute) - low
libsndfile through 1.2.2 has a reachable assertion, that may lead to application exit, in mpeg_l3_encode.c mpeg_l3_encoder_close.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-10-27 22:15:00 UTC
https://github.com/libsndfile/libsndfile/issues/1034
CVE-2024-50613
CVE-2024-50614 on Ubuntu 26.04 LTS (resolute) - medium
TinyXML2 through 10.0.0 has a reachable assertion for UINT_MAX/16, that may lead to application exit, in tinyxml2.cpp XMLUtil::GetCharacterRef.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-27 22:15:00 UTC
CVE-2024-50614
CVE-2024-50615 on Ubuntu 26.04 LTS (resolute) - medium
TinyXML2 through 10.0.0 has a reachable assertion for UINT_MAX/digit, that may lead to application exit, in tinyxml2.cpp XMLUtil::GetCharacterRef.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-27 22:15:00 UTC
CVE-2024-50615
CVE-2024-50636 on Ubuntu 26.04 LTS (resolute) - medium
PyMOL 2.5.0 contains a vulnerability in its "Run Script" function, which allows the execution of arbitrary Python code embedded within .PYM files. Attackers can craft a malicious .PYM file containing a Python reverse shell payload and exploit the function to achieve Remote Command Execution (RCE). This vulnerability arises because PyMOL treats .PYM files as Python scripts without properly validating or restricting the commands within the script, enabling attackers to run unauthorized commands in the context of the user running the application.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-11 23:15:00 UTC
CVE-2024-50636
CVE-2024-50986 on Ubuntu 26.04 LTS (resolute) - medium
An issue in Clementine v.1.3.1 allows a local attacker to execute arbitrary code via a crafted DLL file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-15 15:15:00 UTC
CVE-2024-50986
CVE-2024-51317 on Ubuntu 26.04 LTS (resolute) - medium
An issue in NetSurf v.3.11 allows a remote attacker to execute arbitrary code via the dom_node_normalize function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-03 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119918
CVE-2024-51317
CVE-2024-51442 on Ubuntu 26.04 LTS (resolute) - medium
Command Injection in Minidlna version v1.3.3 and before allows an attacker to execute arbitrary OS commands via a specially crafted minidlna.conf configuration file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-08 18:15:00 UTC
CVE-2024-51442
CVE-2024-51482 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. This is fixed in 1.37.65.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-31 18:15:00 UTC
CVE-2024-51482
CVE-2024-51491 on Ubuntu 26.04 LTS (resolute) - medium
notation-go is a collection of libraries for signing and verifying OCI artifacts, based on Notary Project specifications. The issue was identified during Quarkslab's security audit on the Certificate Revocation List (CRL) based revocation check feature. After retrieving the CRL, notation-go attempts to update the CRL cache using the os.Rename method. However, this operation may fail due to operating system-specific limitations, particularly when the source and destination paths are on different mount points. This failure could lead to an unexpected program termination. In method `crl.(*FileCache).Set`, a temporary file is created in the OS dedicated area (like /tmp for, usually, Linux/Unix). The file is written and then an attempt is made to move it to the dedicated `notation` cache directory using `os.Rename`. As specified in Go documentation, OS specific restrictions may apply. When used with Linux OS, it relies on the rename syscall from the libc and, as per the documentation, moving a file to a different mountpoint raises an EXDEV error, interpreted as a Cross device link not permitted error. Some Linux distributions, like RedHat, use a dedicated filesystem (tmpfs), mounted on a specific mountpoint (usually /tmp) for temporary files. When using such an OS, a revocation check based on CRL will repeatedly crash notation. As a result the signature verification process is aborted as the process crashes. This issue has been addressed in version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-13 22:15:00 UTC
CVE-2024-51491
CVE-2024-51737 on Ubuntu 26.04 LTS (resolute) - medium
RediSearch is a Redis module that provides querying, secondary indexing, and full-text search for Redis. An authenticated redis user executing FT.SEARCH or FT.AGGREGATE with a specially crafted LIMIT command argument, or FT.SEARCH with a specially crafted KNN command argument, can trigger an integer overflow, leading to heap overflow and potential remote code execution. This vulnerability is fixed in 2.6.24, 2.8.21, and 2.10.10. Avoid setting value of -1 or large values for configuration parameters MAXSEARCHRESULTS and MAXAGGREGATERESULTS, to avoid exploiting large LIMIT arguments.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-08 16:15:00 UTC
CVE-2024-51737
CVE-2024-51741 on Ubuntu 26.04 LTS (resolute) - medium
Redis is an open source, in-memory database that persists on disk. An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem is fixed in Redis 7.2.7 and 7.4.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-06 22:15:00 UTC
2025-01-06 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-7321-1]
[https://ubuntu.com/security/notices/USN-7359-1]
CVE-2024-51741
CVE-2024-51744 on Ubuntu 26.04 LTS (resolute) - medium
golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to a situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired` using `errors.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-04 22:15:00 UTC
CVE-2024-51744
CVE-2024-5187 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in the `download_model_with_test_data` function of the onnx/onnx framework, version 1.16.0, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability enables attackers to overwrite any file on the system, potentially leading to remote code execution, deletion of system, personal, or application files, thus impacting the integrity and availability of the system. The issue arises from the function's handling of tar file extraction without performing security checks on the paths within the tar file, as demonstrated by the ability to overwrite the `/home/kali/.ssh/authorized_keys` file by specifying an absolute path in the malicious tar file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-06 19:16:00 UTC
CVE-2024-5187
CVE-2024-51996 on Ubuntu 26.04 LTS (resolute) - medium
Symfony process is a module for the Symfony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-13 17:15:00 UTC
2024-11-13 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-7272-1]
CVE-2024-51996
CVE-2024-52005 on Ubuntu 26.04 LTS (resolute) - medium
Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-15 18:15:00 UTC
CVE-2024-52005
CVE-2024-52035 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability exists in the OLE Document File Allocation Table Parser functionality of catdoc 0.95. A specially crafted malformed file can lead to heap-based memory corruption. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-02 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107168
CVE-2024-52035
CVE-2024-52046 on Ubuntu 26.04 LTS (resolute) - medium
The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks. This issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4. It's also important to note that an application using MINA core library will only be affected if the IoBuffer#getObject() method is called, and this specific method is potentially called when adding a ProtocolCodecFilter instance using the ObjectSerializationCodecFactory class in the filter chain. If your application is specifically using those classes, you have to upgrade to the latest version of MINA core library. Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods:
    /**
     * Accept class names where the supplied ClassNameMatcher matches for
     * deserialization, unless they are otherwise rejected.
     *
     * @param classNameMatcher the matcher to use
     */
    public void accept(ClassNameMatcher classNameMatcher)
    /**
     * Accept class names that match the supplied pattern for
     * deserialization, unless they are otherwise rejected.
     *
     * @param pattern standard Java regexp
     */
    public void accept(Pattern pattern)
    /**
     * Accept the wildcard specified classes for deserialization,
     * unless they are otherwise rejected.
     *
     * @param patterns Wildcard file name patterns as defined by
     *                 {@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch}
     */
    public void accept(String... patterns)
By default, the decoder will reject *all* classes that will be present in the incoming data. Note: The FtpServer, SSHd and Vysper sub-projects are not affected by this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-25 10:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091530
CVE-2024-52046
CVE-2024-5206 on Ubuntu 26.04 LTS (resolute) - medium
A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words_` attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the `stop_words_` attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-06 19:16:00 UTC
CVE-2024-5206
CVE-2024-52316 on Ubuntu 26.04 LTS (resolute) - medium
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-18 12:15:00 UTC
CVE-2024-52316
CVE-2024-52317 on Ubuntu 26.04 LTS (resolute) - medium
Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-18 12:15:00 UTC
2024-11-18 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-7705-1]
CVE-2024-52317
CVE-2024-52333 on Ubuntu 26.04 LTS (resolute) - medium
An improper array index validation vulnerability exists in the determineMinMax functionality of OFFIS DCMTK 3.6.8. A specially crafted DICOM file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-13 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093047
CVE-2024-52333
CVE-2024-52336 on Ubuntu 26.04 LTS (resolute) - medium
A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges, which could allow attackers to achieve local privilege escalation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-26 16:15:00 UTC
CVE-2024-52336
CVE-2024-52337 on Ubuntu 26.04 LTS (resolute) - medium
A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick the administrator. The quotes '' are usually used in TuneD logs citing raw user input, so there will always be the ' character ending the spoofed input, and the administrator can easily overlook this. This logged string is later used in logging and in the output of utilities, for example, `tuned-adm get_instances` or other third-party programs that use Tuned's D-Bus interface for such operations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-26 16:15:00 UTC
CVE-2024-52337
CVE-2024-52510 on Ubuntu 26.04 LTS (resolute) - medium
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. The Desktop client did not stop with an error but allowed by-passing the signature validation, if a manipulated server sends an empty initial signature. It is recommended that the Nextcloud Desktop client is upgraded to 3.14.2 or later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-15 18:15:00 UTC
CVE-2024-52510
CVE-2024-52522 on Ubuntu 26.04 LTS (resolute) - medium
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-15 18:15:00 UTC
CVE-2024-52522
CVE-2024-52530 on Ubuntu 26.04 LTS (resolute) - medium
GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header.
Update Instructions:
Run `sudo pro fix CVE-2024-52530` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-soup-2.4 - 2.74.3-8ubuntu1
libsoup-2.4-1 - 2.74.3-8ubuntu1
libsoup-gnome-2.4-1 - 2.74.3-8ubuntu1
libsoup2.4-common - 2.74.3-8ubuntu1
libsoup2.4-tests - 2.74.3-8ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-11 20:15:00 UTC
2024-11-11 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7127-1]
[https://ubuntu.com/security/notices/USN-7126-1]
CVE-2024-52530
CVE-2024-52531 on Ubuntu 26.04 LTS (resolute) - medium
GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. There is a plausible way to reach this remotely via soup_message_headers_get_content_type (e.g., an application may want to retrieve the content type of a request or response).
Update Instructions:
Run `sudo pro fix CVE-2024-52531` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-soup-2.4 - 2.74.3-8ubuntu1
libsoup-2.4-1 - 2.74.3-8ubuntu1
libsoup-gnome-2.4-1 - 2.74.3-8ubuntu1
libsoup2.4-common - 2.74.3-8ubuntu1
libsoup2.4-tests - 2.74.3-8ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-11 20:15:00 UTC
2024-11-11 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7127-1]
[https://ubuntu.com/security/notices/USN-7126-1]
[https://ubuntu.com/security/notices/USN-7565-1]
CVE-2024-52531
CVE-2024-52532 on Ubuntu 26.04 LTS (resolute) - medium
GNOME libsoup before 3.6.1 has an infinite loop, and memory consumption, during the reading of certain patterns of WebSocket data from clients.
Update Instructions:
Run `sudo pro fix CVE-2024-52532` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-soup-2.4 - 2.74.3-8ubuntu1
libsoup-2.4-1 - 2.74.3-8ubuntu1
libsoup-gnome-2.4-1 - 2.74.3-8ubuntu1
libsoup2.4-common - 2.74.3-8ubuntu1
libsoup2.4-tests - 2.74.3-8ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-11 20:15:00 UTC
2024-11-11 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7127-1]
[https://ubuntu.com/security/notices/USN-7126-1]
[https://ubuntu.com/security/notices/USN-7565-1]
CVE-2024-52532
CVE-2024-52533 on Ubuntu 26.04 LTS (resolute) - medium
gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character.
Update Instructions:
Run `sudo pro fix CVE-2024-52533` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-girepository-3.0 - 2.82.1-0ubuntu1
gir1.2-glib-2.0 - 2.82.1-0ubuntu1
girepository-tools - 2.82.1-0ubuntu1
libgirepository-2.0-0 - 2.82.1-0ubuntu1
libglib2.0-0t64 - 2.82.1-0ubuntu1
libglib2.0-bin - 2.82.1-0ubuntu1
libglib2.0-data - 2.82.1-0ubuntu1
libglib2.0-tests - 2.82.1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-11 23:15:00 UTC
2024-11-11 23:15:00 UTC
[https://ubuntu.com/security/notices/USN-7114-1]
CVE-2024-52533
CVE-2024-5257 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Developer user with `admin_compliance_framework` custom role may have been able to modify the URL for a group namespace.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-11 07:15:00 UTC
CVE-2024-5257
CVE-2024-52595 on Ubuntu 26.04 LTS (resolute) - medium
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as `<svg>`, `<math>` and `<noscript>`. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content. Users employing the HTML cleaner in a security-sensitive context should upgrade to lxml 0.4.0, which addresses this issue. As a temporary mitigation, users can configure lxml_html_clean with the following settings to prevent the exploitation of this vulnerability. Via `remove_tags`, one may specify tags to remove - their content is moved to their parents' tags. Via `kill_tags`, one may specify tags to be removed completely. Via `allow_tags`, one may restrict the set of permissible tags, excluding context-switching tags like `<svg>`, `<math>` and `<noscript>`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-19 22:15:00 UTC
CVE-2024-52595
CVE-2024-52596 on Ubuntu 26.04 LTS (resolute) - medium
SimpleSAMLphp xml-common is a set of common classes for handling XML-structures. When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. This vulnerability is fixed in 1.19.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-02 17:15:00 UTC
CVE-2024-52596
CVE-2024-52762 on Ubuntu 26.04 LTS (resolute) - medium
A cross-site scripting (XSS) vulnerability in the component /master/header.php of Ganglia-web v3.73 to v3.76 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "tz" parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-19 21:15:00 UTC
CVE-2024-52762
CVE-2024-52763 on Ubuntu 26.04 LTS (resolute) - medium
A cross-site scripting (XSS) vulnerability in the component /graph_all_periods.php of Ganglia-web v3.73 to v3.75 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "g" parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-19 21:15:00 UTC
CVE-2024-52763
CVE-2024-52792 on Ubuntu 26.04 LTS (resolute) - medium
LDAP Account Manager (LAM) is a php webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In affected versions LAM does not properly sanitize configuration values, that are set via `mainmanage.php` and `confmain.php`. This allows setting arbitrary config values and thus effectively bypassing `mitigation` of CVE-2024-23333/GHSA-fm9w-7m7v-wxqv. Configuration values for the main config or server profiles are set via `mainmanage.php` and `confmain.php`. The values are written to `config.cfg` or `serverprofile.conf` in the format of `settingsName: settingsValue` line-by-line. An attacker can smuggle arbitrary config values in a config file, by inserting a newline into certain config fields, followed by the value. This vulnerability has been addressed in version 9.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-17 22:15:00 UTC
elisehdy
CVE-2024-52792
CVE-2024-52804 on Ubuntu 26.04 LTS (resolute) - medium
Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2024-52804` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-tornado - 6.4.2-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-22 16:15:00 UTC
2024-11-22 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088112
[https://ubuntu.com/security/notices/USN-7150-1]
CVE-2024-52804
CVE-2024-52806 on Ubuntu 26.04 LTS (resolute) - medium
SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. This vulnerability is fixed in 4.6.14 and 5.0.0-alpha.18.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-02 17:15:00 UTC
CVE-2024-52806
CVE-2024-52811 on Ubuntu 26.04 LTS (resolute) - medium
The ngtcp2 project is an effort to implement IETF QUIC protocol in C. In affected versions acks are not validated before being written to the qlog leading to a buffer overflow. In `ngtcp2_conn::conn_recv_pkt` for an ACK, there was new logic that got added to skip `conn_recv_ack` if an ack has already been processed in the payload. However, this causes us to also skip `ngtcp2_pkt_validate_ack`. The ack which was skipped still got written to qlog. The bug occurs in `ngtcp2_qlog::write_ack_frame`. It is now possible to reach this code with an invalid ack, suppose `largest_ack=0` and `first_ack_range=15`. Subtracting `largest_ack - first_ack_range` will lead to an integer underflow which is 20 chars long. However, the ngtcp2 qlog code assumes the number written is a signed integer and only accounts for 19 characters of overhead (see `NGTCP2_QLOG_ACK_FRAME_RANGE_OVERHEAD`). Therefore, we overwrite the buffer causing a heap overflow. This is high priority and could potentially impact many users if they enable qlog. qlog is disabled by default. Due to its overhead, it is most likely used for debugging purpose, but the actual use is unknown. ngtcp2 v1.9.1 fixes the bug and users are advised to upgrade. Users unable to upgrade should not turn on qlog.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-25 19:15:00 UTC
CVE-2024-52811
CVE-2024-5288 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in wolfSSL before 5.7.0. A safe-error attack via Rowhammer, namely FAULT+PROBE, leads to ECDSA key disclosure. When WOLFSSL_CHECK_SIG_FAULTS is used in signing operations with private ECC keys, such as in server-side TLS connections, the connection is halted if any fault occurs. The success rate in a certain amount of connection requests can be processed via an advanced technique for ECDSA key recovery.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-27 19:15:00 UTC
CVE-2024-5288
CVE-2024-52949 on Ubuntu 26.04 LTS (resolute) - low
iptraf-ng 1.2.1 has a stack-based buffer overflow. In src/ifaces.c, the strcpy function consistently fails to control the size, and it is consequently possible to overflow memory on the stack.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-12-16 22:15:00 UTC
Massimiliano Ferraresi and Massimiliano Brolli
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1090381
CVE-2024-52949
CVE-2024-53216 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
nfsd: release svc_expkey/svc_export with rcu_work
The last reference for `cache_head` can be reduced to zero in `c_show` and `e_show` (using `rcu_read_lock` and `rcu_read_unlock`). Consequently, `svc_export_put` and `expkey_put` will be invoked, leading to two issues:
1. The `svc_export_put` will directly free ex_uuid. However, `e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can trigger a use-after-free issue, shown below.
    ==================================================================
    BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd]
    Read of size 1 at addr ff11000010fdc120 by task cat/870
    CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
    Call Trace:
    <TASK>
    dump_stack_lvl+0x53/0x70
    print_address_description.constprop.0+0x2c/0x3a0
    print_report+0xb9/0x280
    kasan_report+0xae/0xe0
    svc_export_show+0x362/0x430 [nfsd]
    c_show+0x161/0x390 [sunrpc]
    seq_read_iter+0x589/0x770
    seq_read+0x1e5/0x270
    proc_reg_read+0xe1/0x140
    vfs_read+0x125/0x530
    ksys_read+0xc1/0x160
    do_syscall_64+0x5f/0x170
    entry_SYSCALL_64_after_hwframe+0x76/0x7e
    Allocated by task 830:
    kasan_save_stack+0x20/0x40
    kasan_save_track+0x14/0x30
    __kasan_kmalloc+0x8f/0xa0
    __kmalloc_node_track_caller_noprof+0x1bc/0x400
    kmemdup_noprof+0x22/0x50
    svc_export_parse+0x8a9/0xb80 [nfsd]
    cache_do_downcall+0x71/0xa0 [sunrpc]
    cache_write_procfs+0x8e/0xd0 [sunrpc]
    proc_reg_write+0xe1/0x140
    vfs_write+0x1a5/0x6d0
    ksys_write+0xc1/0x160
    do_syscall_64+0x5f/0x170
    entry_SYSCALL_64_after_hwframe+0x76/0x7e
    Freed by task 868:
    kasan_save_stack+0x20/0x40
    kasan_save_track+0x14/0x30
    kasan_save_free_info+0x3b/0x60
    __kasan_slab_free+0x37/0x50
    kfree+0xf3/0x3e0
    svc_export_put+0x87/0xb0 [nfsd]
    cache_purge+0x17f/0x1f0 [sunrpc]
    nfsd_destroy_serv+0x226/0x2d0 [nfsd]
    nfsd_svc+0x125/0x1e0 [nfsd]
    write_threads+0x16a/0x2a0 [nfsd]
    nfsctl_transaction_write+0x74/0xa0 [nfsd]
    vfs_write+0x1a5/0x6d0
    ksys_write+0xc1/0x160
    do_syscall_64+0x5f/0x170
    entry_SYSCALL_64_after_hwframe+0x76/0x7e
2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`. However, `svc_export_put`/`expkey_put` will call path_put, which subsequently triggers a sleeping operation due to the following `dput`.
    =============================
    WARNING: suspicious RCU usage
    5.10.0-dirty #141 Not tainted
    -----------------------------
    ...
    Call Trace:
    dump_stack+0x9a/0xd0
    ___might_sleep+0x231/0x240
    dput+0x39/0x600
    path_put+0x1b/0x30
    svc_export_put+0x17/0x80
    e_show+0x1c9/0x200
    seq_read_iter+0x63f/0x7c0
    seq_read+0x226/0x2d0
    vfs_read+0x113/0x2c0
    ksys_read+0xc9/0x170
    do_syscall_64+0x33/0x40
    entry_SYSCALL_64_after_hwframe+0x67/0xd1
Fix these issues by using `rcu_work` to help release `svc_expkey`/`svc_export`. This approach allows for an asynchronous context to invoke `path_put` and also facilitates the freeing of `uuid/exp/key` after an RCU grace period.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-27 14:15:00 UTC
2024-12-27 14:15:00 UTC
[https://ubuntu.com/security/notices/USN-7276-1]
[https://ubuntu.com/security/notices/USN-7277-1]
[https://ubuntu.com/security/notices/USN-7310-1]
CVE-2024-53216
CVE-2024-53240 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xen/netfront: fix crash when removing device
When removing a netfront device directly after a suspend/resume cycle it might happen that the queues have not been setup again, causing a crash during the attempt to stop the queues another time. Fix that by checking the queues are existing before trying to stop them.
This is XSA-465 / CVE-2024-53240.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-24 10:15:00 UTC
CVE-2024-53240
CVE-2024-53241 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
x86/xen: don't do PV iret hypercall through hypercall page
Instead of jumping to the Xen hypercall page for doing the iret hypercall, directly code the required sequence in xen-asm.S. This is done in preparation of no longer using hypercall page at all, as it has shown to cause problems with speculation mitigations.
This is part of XSA-466 / CVE-2024-53241.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-24 10:15:00 UTC
CVE-2024-53241
CVE-2024-53382 on Ubuntu 26.04 LTS (resolute) - medium
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-03 07:15:00 UTC
CVE-2024-53382
CVE-2024-53425 on Ubuntu 26.04 LTS (resolute) - medium
A heap-buffer-overflow vulnerability was discovered in the SkipSpacesAndLineEnd function in Assimp v5.4.3. This issue occurs when processing certain malformed MD5 model files, leading to an out-of-bounds read and potential application crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-21 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088187
CVE-2024-53425
CVE-2024-53432 on Ubuntu 26.04 LTS (resolute) - medium
While parsing certain malformed PLY files, PCL version 1.14.1 crashes due to an uncaught std::out_of_range exception in PCLPointCloud2::at. This issue could potentially be exploited to cause a denial-of-service (DoS) attack when processing untrusted PLY files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-21 18:15:00 UTC
2024-11-21 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088186
[https://ubuntu.com/security/notices/USN-7227-1]
CVE-2024-53432
CVE-2024-53566 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the action_listcategories() function of Sangoma Asterisk v22/22.0.0/22.0.0-rc1/22.0.0-rc2/22.0.0-pre1 allows attackers to execute a path traversal.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-02 18:15:00 UTC
CVE-2024-53566
CVE-2024-53580 on Ubuntu 26.04 LTS (resolute) - medium
iperf v3.17.1 was discovered to contain a segmentation violation via the iperf_exchange_parameters() function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-18 23:15:00 UTC
2024-12-18 23:15:00 UTC
Leonid Krolle
[https://ubuntu.com/security/notices/USN-7970-1]
CVE-2024-53580
CVE-2024-53619 on Ubuntu 26.04 LTS (resolute) - medium
An authenticated arbitrary file upload vulnerability in the Documents module of SPIP v4.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-26 19:15:00 UTC
CVE-2024-53619
CVE-2024-53620 on Ubuntu 26.04 LTS (resolute) - medium
A cross-site scripting (XSS) vulnerability in the Article module of SPIP v4.3.3 allows authenticated attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-26 19:15:00 UTC
CVE-2024-53620
CVE-2024-53869 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA Unified Memory driver for Linux contains a vulnerability where an attacker could leak uninitialized memory. A successful exploit of this vulnerability might lead to information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-28 04:15:00 UTC
CVE-2024-53869
CVE-2024-53870 on Ubuntu 26.04 LTS (resolute) - low
NVIDIA CUDA toolkit for all platforms contains a vulnerability in the cuobjdump binary, where a user could cause an out-of-bounds read by passing a malformed ELF file to cuobjdump. A successful exploit of this vulnerability might lead to a partial denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-02-25 21:15:00 UTC
CVE-2024-53870
CVE-2024-53871 on Ubuntu 26.04 LTS (resolute) - low
NVIDIA CUDA toolkit for all platforms contains a vulnerability in the nvdisasm binary, where a user could cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. A successful exploit of this vulnerability might lead to a partial denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-02-25 21:15:00 UTC
CVE-2024-53871
CVE-2024-53872 on Ubuntu 26.04 LTS (resolute) - low
NVIDIA CUDA toolkit for all platforms contains a vulnerability in the cuobjdump binary, where a user could cause an out-of-bounds read by passing a malformed ELF file to cuobjdump. A successful exploit of this vulnerability might lead to a partial denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-02-25 21:15:00 UTC
CVE-2024-53872
CVE-2024-53874 on Ubuntu 26.04 LTS (resolute) - low
NVIDIA CUDA toolkit for all platforms contains a vulnerability in the cuobjdump binary, where a user could cause an out-of-bounds read by passing a malformed ELF file to cuobjdump. A successful exploit of this vulnerability might lead to a partial denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-02-25 21:15:00 UTC
CVE-2024-53874
CVE-2024-53875 on Ubuntu 26.04 LTS (resolute) - low
NVIDIA CUDA toolkit for all platforms contains a vulnerability in the cuobjdump binary, where a user could cause an out-of-bounds read by passing a malformed ELF file to cuobjdump. A successful exploit of this vulnerability might lead to a partial denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-02-25 21:15:00 UTC
CVE-2024-53875
CVE-2024-53876 on Ubuntu 26.04 LTS (resolute) - low
NVIDIA CUDA toolkit for all platforms contains a vulnerability in the nvdisasm binary, where a user could cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. A successful exploit of this vulnerability might lead to a partial denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-02-25 21:15:00 UTC
CVE-2024-53876
CVE-2024-53877 on Ubuntu 26.04 LTS (resolute) - low
NVIDIA CUDA toolkit for all platforms contains a vulnerability in the nvdisasm binary, where a user could cause a NULL pointer exception by passing a malformed ELF file to nvdisasm. A successful exploit of this vulnerability might lead to a partial denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-02-25 21:15:00 UTC
CVE-2024-53877
CVE-2024-53878 on Ubuntu 26.04 LTS (resolute) - low
NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in the cuobjdump binary, where a user could cause a crash by passing a malformed ELF file to cuobjdump. A successful exploit of this vulnerability might lead to a partial denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-02-25 21:15:00 UTC
CVE-2024-53878
CVE-2024-53879 on Ubuntu 26.04 LTS (resolute) - low
NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in the cuobjdump binary, where a user could cause a crash by passing a malformed ELF file to cuobjdump. A successful exploit of this vulnerability might lead to a partial denial of service.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-02-25 21:15:00 UTC
CVE-2024-53879
CVE-2024-53907 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
Update Instructions:
Run `sudo pro fix CVE-2024-53907` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:4.2.17-2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-04 15:00:00 UTC
2024-12-04 15:00:00 UTC
jiangniao
[https://ubuntu.com/security/notices/USN-7136-1]
[https://ubuntu.com/security/notices/USN-7136-2]
CVE-2024-53907
CVE-2024-53920 on Ubuntu 26.04 LTS (resolute) - medium
In elisp-mode.el in GNU Emacs before 30.1, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-27 15:15:00 UTC
2024-11-27 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-8011-1]
CVE-2024-53920
CVE-2024-53984 on Ubuntu 26.04 LTS (resolute) - medium
Nanopb is a small code-size Protocol Buffers implementation. When the compile time option PB_ENABLE_MALLOC is enabled, the message contains at least one field with FT_POINTER field type, custom stream callback is used with unknown stream length, and the pb_decode_ex() function is used with flag PB_DECODE_DELIMITED, then the pb_decode_ex() function does not automatically call pb_release(), like is done for other failure cases. This could lead to memory leak and potential denial-of-service. This vulnerability is fixed in 0.4.9.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-02 16:15:00 UTC
CVE-2024-53984
CVE-2024-53985 on Ubuntu 26.04 LTS (resolute) - medium
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8. The XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags with both "math" and "style" elements or both "svg" and "style" elements. This vulnerability is fixed in 1.6.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-02 22:15:00 UTC
CVE-2024-53985
CVE-2024-53986 on Ubuntu 26.04 LTS (resolute) - medium
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags where the "math" and "style" elements are both explicitly allowed. This vulnerability is fixed in 1.6.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-02 22:15:00 UTC
CVE-2024-53986
CVE-2024-53987 on Ubuntu 26.04 LTS (resolute) - medium
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags where the "style" element is explicitly allowed and the "svg" or "math" element is not allowed. This vulnerability is fixed in 1.6.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-02 22:15:00 UTC
CVE-2024-53987
CVE-2024-53988 on Ubuntu 26.04 LTS (resolute) - medium
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags where the "math", "mtext", "table", and "style" elements are allowed and either "mglyph" or "malignmark" are allowed. This vulnerability is fixed in 1.6.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-02 22:15:00 UTC
CVE-2024-53988
CVE-2024-53989 on Ubuntu 26.04 LTS (resolute) - medium
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags for the "noscript" element. This vulnerability is fixed in 1.6.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-02 21:15:00 UTC
CVE-2024-53989
CVE-2024-53990 on Ubuntu 26.04 LTS (resolute) - medium
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Cookies with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's Cookie being used for another user's requests.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-02 18:15:00 UTC
https://github.com/AsyncHttpClient/async-http-client/issues/1964
CVE-2024-53990
CVE-2024-54028 on Ubuntu 26.04 LTS (resolute) - medium
An integer underflow vulnerability exists in the OLE Document DIFAT Parser functionality of catdoc 0.95. A specially crafted malformed file can lead to heap-based memory corruption. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-02 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107168
CVE-2024-54028
CVE-2024-54133 on Ubuntu 26.04 LTS (resolute) - medium
Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-10 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755
CVE-2024-54133
CVE-2024-54192 on Ubuntu 26.04 LTS (resolute) - medium
An issue in Tcpreplay v4.5.1 allows a local attacker to cause a denial of service via a crafted file to the tcpedit_dlt_getplugin function at src/tcpedit/plugins/dlt_utils.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 16:16:00 UTC
CVE-2024-54192
CVE-2024-54661 on Ubuntu 26.04 LTS (resolute) - low
readline.sh in socat before 1.8.0.2 relies on the /tmp/$USER/stderr2 file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-12-04 05:15:00 UTC
CVE-2024-54661
CVE-2024-54662 on Ubuntu 26.04 LTS (resolute) - medium
Dante 1.4.0 through 1.4.3 (fixed in 1.4.4) has incorrect access control for some sockd.conf configurations involving socksmethod.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-17 18:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/dante/+bug/2093411
CVE-2024-54662
CVE-2024-54677 on Ubuntu 26.04 LTS (resolute) - low
Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-12-17 13:15:00 UTC
2024-12-17 13:15:00 UTC
[https://ubuntu.com/security/notices/USN-7705-1]
CVE-2024-54677
CVE-2024-5470 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Guest user with `admin_push_rules` permission may have been able to create project-level deploy tokens.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-11 07:15:00 UTC
CVE-2024-5470
CVE-2024-55192 on Ubuntu 26.04 LTS (resolute) - medium
OpenImageIO v3.1.0.0dev was discovered to contain a heap overflow via the component OpenImageIO_v3_1_0::farmhash::inlined::Fetch64(char const*).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-23 22:15:00 UTC
https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/4550
CVE-2024-55192
CVE-2024-55193 on Ubuntu 26.04 LTS (resolute) - medium
OpenImageIO v3.1.0.0dev was discovered to contain a segmentation violation via the component /OpenImageIO/string_view.h.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-23 22:15:00 UTC
https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/4551
CVE-2024-55193
CVE-2024-55194 on Ubuntu 26.04 LTS (resolute) - medium
OpenImageIO v3.1.0.0dev was discovered to contain a heap overflow via the component /OpenImageIO/fmath.h.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-23 22:15:00 UTC
https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/4552
CVE-2024-55194
CVE-2024-55195 on Ubuntu 26.04 LTS (resolute) - medium
An allocation-size-too-big bug in the component /imagebuf.cpp of OpenImageIO v3.1.0.0dev may cause a Denial of Service (DoS) when the program requests to allocate too much space.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-23 22:15:00 UTC
https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/4553
CVE-2024-55195
CVE-2024-5535 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer.
Impact summary: A buffer overread can have a range of potential consequences such as unexpected application behaviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application.
The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists).
This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem.
In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur.
This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely.
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available.
Update Instructions:
Run `sudo pro fix CVE-2024-5535` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.2.2-1ubuntu2
openssl - 3.2.2-1ubuntu2
openssl-provider-legacy - 3.2.2-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-06-27 11:15:00 UTC
2024-06-27 11:15:00 UTC
Joseph Birr-Pixton
[https://ubuntu.com/security/notices/USN-6937-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2024-5535
CVE-2024-55503 on Ubuntu 26.04 LTS (resolute) - medium
An issue in termius before v.9.9.0 allows a local attacker to execute arbitrary code via a crafted script to the DYLD_INSERT_LIBRARIES component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-15 23:15:00 UTC
CVE-2024-55503
CVE-2024-55566 on Ubuntu 26.04 LTS (resolute) - medium
ColPack 1.0.10 through 9a7293a has a predictable temporary file (located under /tmp with a name derived from an unseeded RNG). The impact can be overwriting files or making ColPack graphing unavailable to other users.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-09 02:15:00 UTC
CVE-2024-55566
CVE-2024-55577 on Ubuntu 26.04 LTS (resolute) - medium
Stack-based buffer overflow vulnerability exists in Linux Ratfor 1.06 and earlier. When the software processes a file which is specially crafted by an attacker, arbitrary code may be executed. As a result, the attacker may obtain or alter information of the user environment or cause the user environment to become unusable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-15 06:15:00 UTC
CVE-2024-55577
CVE-2024-55601 on Ubuntu 26.04 LTS (resolute) - medium
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below are not escaped in internal render hooks. Those who are impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user defined templates or disable the internal templates.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-09 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089683
CVE-2024-55601
CVE-2024-55918 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in the Graphics::ColorNames package before 3.2.0 for Perl. There is an ambiguity between modules and filenames that can lead to HTML injection by an attacker who can create a file in the current working directory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-13 07:15:00 UTC
CVE-2024-55918
CVE-2024-55919 on Ubuntu 26.04 LTS (resolute) - medium
[Improper input validation on generic SSO login]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-17
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1090188
CVE-2024-55919
CVE-2024-56072 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in FastNetMon Community Edition through 1.2.7. The sFlow v5 plugin allows remote attackers to cause a denial of service (application crash) via a crafted packet that specifies many sFlow samples.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-15 03:15:00 UTC
CVE-2024-56072
CVE-2024-56073 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in FastNetMon Community Edition through 1.2.7. Zero-length templates for Netflow v9 allow remote attackers to cause a denial of service (divide-by-zero error and application crash).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-15 03:15:00 UTC
CVE-2024-56073
CVE-2024-56138 on Ubuntu 26.04 LTS (resolute) - medium
notation-go is a collection of libraries that support signing and verifying OCI artifacts, based on Notary Project specifications. This issue was identified during Quarkslab's audit of the timestamp feature. During the timestamp signature generation, the revocation status of the certificate(s) used to generate the timestamp signature was not verified. During timestamp signature generation, notation-go did not check the revocation status of the certificate chain used by the TSA. This oversight creates a vulnerability that could be exploited through a Man-in-The-Middle attack. An attacker could potentially use a compromised, intermediate, or revoked leaf certificate to generate a malicious countersignature, which would then be accepted and stored by `notation`. This could lead to denial of service scenarios, particularly in CI/CD environments during signature verification processes because timestamp signature would fail due to the presence of a revoked certificate(s) potentially disrupting operations. This issue has been addressed in release version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-13 22:15:00 UTC
CVE-2024-56138
CVE-2024-56169 on Ubuntu 26.04 LTS (resolute) - medium
A validation integrity issue was discovered in Fort through 1.6.4 before 2.0.0. RPKI Relying Parties (such as Fort) are supposed to maintain a backup cache of the remote RPKI data. This can be employed as a fallback in case a new fetch fails or yields incorrect files. However, the product currently uses its cache merely as a bandwidth saving tool (because fetching is performed through deltas). If a fetch fails midway or yields incorrect files, there is no viable fallback. This leads to incomplete route origin validation data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-18 05:15:00 UTC
CVE-2024-56169
CVE-2024-56170 on Ubuntu 26.04 LTS (resolute) - medium
A validation integrity issue was discovered in Fort through 1.6.4 before 2.0.0. RPKI manifests are listings of relevant files that clients are supposed to verify. Assuming everything else is correct, the most recent version of a manifest should be prioritized over other versions, to prevent replays, accidental or otherwise. Manifests contain the manifestNumber and thisUpdate fields, which can be used to gauge the relevance of a given manifest, when compared to other manifests. The former is a serial-like sequential number, and the latter is the date on which the manifest was created. However, the product does not compare the up-to-dateness of the most recently fetched manifest against the cached manifest. As such, it's prone to a rollback to a previous version if it's served a valid outdated manifest. This leads to outdated route origin validation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-18 05:15:00 UTC
CVE-2024-56170
CVE-2024-56327 on Ubuntu 26.04 LTS (resolute) - medium
pyrage is a set of Python bindings for the rage file encryption library (age in Rust). `pyrage` uses the Rust `age` crate for its underlying operations, and `age` is vulnerable to GHSA-4fg7-vxc8-qx5w. All details of GHSA-4fg7-vxc8-qx5w are relevant to `pyrage` for the versions specified in this advisory. See GHSA-4fg7-vxc8-qx5w for full details. Versions of `pyrage` before 1.2.0 lack plugin support and are therefore **not affected**. An equivalent issue was fixed in [the reference Go implementation of age](https://github.com/FiloSottile/age), see advisory GHSA-32gq-x56h-299c. This issue has been addressed in version 1.2.3 and all users are advised to update. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-19 23:15:00 UTC
CVE-2024-56327
CVE-2024-56337 on Ubuntu 26.04 LTS (resolute) - medium
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:
- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
- running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)
Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-20 16:15:00 UTC
CVE-2024-56337
CVE-2024-56374 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)
Update Instructions:
Run `sudo pro fix CVE-2024-56374` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:4.2.18-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 14:00:00 UTC
2025-01-14 14:00:00 UTC
[https://ubuntu.com/security/notices/USN-7205-1]
[https://ubuntu.com/security/notices/USN-7205-2]
CVE-2024-56374
CVE-2024-56433 on Ubuntu 26.04 LTS (resolute) - low
shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-12-26 09:15:00 UTC
https://github.com/shadow-maint/shadow/issues/1157
CVE-2024-56433
CVE-2024-56568 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu: Defer probe of clients after smmu device bound
Null pointer dereference occurs due to a race between smmu driver probe and client driver probe, when of_dma_configure() for client is called after the iommu_device_register() for smmu driver probe has executed but before the driver_bound() for smmu driver has been called.
Following is how the race occurs:
T1: Smmu device probe           T2: Client device probe
really_probe()
arm_smmu_device_probe()
iommu_device_register()
                                really_probe()
                                platform_dma_configure()
                                of_dma_configure()
                                of_dma_configure_id()
                                of_iommu_configure()
                                iommu_probe_device()
                                iommu_init_device()
                                arm_smmu_probe_device()
                                arm_smmu_get_by_fwnode()
                                driver_find_device_by_fwnode()
                                driver_find_device()
                                next_device()
                                klist_next()
                                /* null ptr assigned to smmu */
                                /* null ptr dereference while smmu->streamid_mask */
driver_bound()
klist_add_tail()
When this null smmu pointer is dereferenced later in arm_smmu_probe_device, the device crashes.
Fix this by deferring the probe of the client device until the smmu device has bound to the arm smmu driver.
[will: Add comment]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-27 15:15:00 UTC
2024-12-27 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-7379-1]
[https://ubuntu.com/security/notices/USN-7380-1]
[https://ubuntu.com/security/notices/USN-7381-1]
[https://ubuntu.com/security/notices/USN-7382-1]
[https://ubuntu.com/security/notices/USN-7387-1]
[https://ubuntu.com/security/notices/USN-7388-1]
[https://ubuntu.com/security/notices/USN-7389-1]
[https://ubuntu.com/security/notices/USN-7390-1]
[https://ubuntu.com/security/notices/USN-7387-2]
[https://ubuntu.com/security/notices/USN-7387-3]
[https://ubuntu.com/security/notices/USN-7379-2]
[https://ubuntu.com/security/notices/USN-7407-1]
[https://ubuntu.com/security/notices/USN-7421-1]
[https://ubuntu.com/security/notices/USN-7449-1]
[https://ubuntu.com/security/notices/USN-7450-1]
[https://ubuntu.com/security/notices/USN-7451-1]
[https://ubuntu.com/security/notices/USN-7452-1]
[https://ubuntu.com/security/notices/USN-7453-1]
[https://ubuntu.com/security/notices/USN-7458-1]
[https://ubuntu.com/security/notices/USN-7459-1]
[https://ubuntu.com/security/notices/USN-7449-2]
[https://ubuntu.com/security/notices/USN-7459-2]
[https://ubuntu.com/security/notices/USN-7468-1]
[https://ubuntu.com/security/notices/USN-7523-1]
[https://ubuntu.com/security/notices/USN-7524-1]
CVE-2024-56568
CVE-2024-5660 on Ubuntu 26.04 LTS (resolute) - medium
Use of Hardware Page Aggregation (HPA) and Stage-1 and/or Stage-2 translation on Cortex-A77, Cortex-A78, Cortex-A78C, Cortex-A78AE, Cortex-A710, Cortex-X1, Cortex-X1C, Cortex-X2, Cortex-X3, Cortex-X4, Cortex-X925, Neoverse V1, Neoverse V2, Neoverse V3, Neoverse V3AE, Neoverse N2 may permit bypass of Stage-2 translation and/or GPT protection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-10 14:30:00 UTC
CVE-2024-5660
CVE-2024-56732 on Ubuntu 26.04 LTS (resolute) - medium
HarfBuzz is a text shaping engine. Starting with 8.5.0 through 10.0.1, there is a heap-based buffer overflow in the hb_cairo_glyphs_from_buffer function.
Update Instructions:
Run `sudo pro fix CVE-2024-56732` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-harfbuzz-0.0 - 10.2.0-1
libharfbuzz-bin - 10.2.0-1
libharfbuzz-cairo0 - 10.2.0-1
libharfbuzz-gobject0 - 10.2.0-1
libharfbuzz-icu0 - 10.2.0-1
libharfbuzz-subset0 - 10.2.0-1
libharfbuzz0b - 10.2.0-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-27 20:15:00 UTC
2024-12-27 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091529
[https://ubuntu.com/security/notices/USN-7214-1]
CVE-2024-56732
CVE-2024-56737 on Ubuntu 26.04 LTS (resolute) - medium
GNU GRUB (aka GRUB2) through 2.12 has a heap-based buffer overflow in fs/hfs.c via crafted sblock data in an HFS filesystem.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-29 07:15:00 UTC
CVE-2024-56737
CVE-2024-56738 on Ubuntu 26.04 LTS (resolute) - medium
GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-29 07:15:00 UTC
CVE-2024-56738
CVE-2024-56803 on Ubuntu 26.04 LTS (resolute) - medium
Ghostty is a cross-platform terminal emulator. Ghostty, as allowed by default in 1.0.0, allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. This attack requires an attacker to send malicious escape sequences followed by convincing the user to physically press the "enter" key. Fixed in Ghostty v1.0.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-31 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091469
CVE-2024-56803
CVE-2024-56826 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the OpenJPEG project. A heap buffer overflow condition may be triggered when certain options are specified while using the opj_decompress utility. This can lead to an application crash or other undefined behavior.
Update Instructions:
Run `sudo pro fix CVE-2024-56826` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenjp2-7 - 2.5.0-2ubuntu3
libopenjp2-tools - 2.5.0-2ubuntu3
libopenjpip-dec-server - 2.5.0-2ubuntu3
libopenjpip-viewer - 2.5.0-2ubuntu3
libopenjpip7 - 2.5.0-2ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-09 04:15:00 UTC
2025-01-09 04:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2335172
https://github.com/uclouvain/openjpeg/issues/1563
[https://ubuntu.com/security/notices/USN-7223-1]
[https://ubuntu.com/security/notices/USN-7623-1]
CVE-2024-56826
CVE-2024-56827 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the OpenJPEG project. A heap buffer overflow condition may be triggered when certain options are specified while using the opj_decompress utility. This can lead to an application crash or other undefined behavior.
Update Instructions:
Run `sudo pro fix CVE-2024-56827` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenjp2-7 - 2.5.0-2ubuntu3
libopenjp2-tools - 2.5.0-2ubuntu3
libopenjpip-dec-server - 2.5.0-2ubuntu3
libopenjpip-viewer - 2.5.0-2ubuntu3
libopenjpip7 - 2.5.0-2ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-09 04:15:00 UTC
2025-01-09 04:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2335174
https://github.com/uclouvain/openjpeg/issues/1564
[https://ubuntu.com/security/notices/USN-7223-1]
[https://ubuntu.com/security/notices/USN-7623-1]
CVE-2024-56827
CVE-2024-57004 on Ubuntu 26.04 LTS (resolute) - medium
Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting the SENT session.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-03 19:15:00 UTC
CVE-2024-57004
CVE-2024-57392 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in Proftpd commit 4017eff8 allows a remote attacker to execute arbitrary code and can cause a Denial of Service (DoS) on the FTP service by sending a maliciously crafted message to the ProFTPD service port.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-06 22:15:00 UTC
CVE-2024-57392
CVE-2024-57520 on Ubuntu 26.04 LTS (resolute) - medium
Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is disputed by the Supplier because the impact is limited to creating empty files outside of the Asterisk product directory (aka directory traversal) and the attack can only be performed by a privileged user who has the ability to manage the configuration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-05 22:15:00 UTC
CVE-2024-57520
CVE-2024-57635 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the chash_array component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57635
CVE-2024-57636 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the itc_sample_row_check component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57636
CVE-2024-57637 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the dfe_unit_gb_dependant component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57637
CVE-2024-57638 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the dfe_body_copy component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57638
CVE-2024-57639 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the dc_elt_size component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57639
CVE-2024-57640 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the dc_add_int component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57640
CVE-2024-57641 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the sqlexp component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57641
CVE-2024-57642 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the dfe_inx_op_col_def_table component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57642
CVE-2024-57643 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the box_deserialize_string component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57643
CVE-2024-57644 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the itc_hash_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57644
CVE-2024-57645 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the qi_inst_state_free component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57645
CVE-2024-57646 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the psiginfo component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57646
CVE-2024-57647 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the row_insert_cast component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57647
CVE-2024-57648 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the itc_set_param_row component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57648
CVE-2024-57649 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the qst_vec_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57649
CVE-2024-57650 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the qi_inst_state_free component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57650
CVE-2024-57651 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the jp_add component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57651
CVE-2024-57652 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the numeric_to_dv component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57652
CVE-2024-57653 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the qst_vec_set_copy component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57653
CVE-2024-57654 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the qst_vec_get_int64 component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57654
CVE-2024-57655 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the dfe_n_in_order component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57655
CVE-2024-57656 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the sqlc_add_distinct_node component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57656
CVE-2024-57657 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the sqlg_vec_upd component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57657
CVE-2024-57658 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the sql_tree_hash_1 component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57658
CVE-2024-57659 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the sqlg_parallel_ts_seq component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57659
CVE-2024-57660 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the sqlo_expand_jts component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57660
CVE-2024-57661 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the sqlo_df component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-14 01:15:00 UTC
CVE-2024-57661
CVE-2024-57699 on Ubuntu 26.04 LTS (resolute) - medium
A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ’{’, a stack exhaustion can be triggered, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of an incomplete fix for CVE-2023-1370.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-05 22:15:00 UTC
CVE-2024-57699
CVE-2024-57868 on Ubuntu 26.04 LTS (resolute) - medium
Web::API 2.8 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically Web::API uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-05 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102148
CVE-2024-57868
CVE-2024-58036 on Ubuntu 26.04 LTS (resolute) - medium
Net::Dropbox::API 1.9 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically Net::Dropbox::API uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-05 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102147
CVE-2024-58036
CVE-2024-58134 on Ubuntu 26.04 LTS (resolute) - medium
Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-03 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104648
CVE-2024-58134
CVE-2024-58135 on Ubuntu 26.04 LTS (resolute) - medium
Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default. When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-03 11:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104633
CVE-2024-58135
CVE-2024-5814 on Ubuntu 26.04 LTS (resolute) - medium
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-27 19:15:00 UTC
CVE-2024-5814
CVE-2024-58251 on Ubuntu 26.04 LTS (resolute) - medium
In netstat in BusyBox through 1.37.0, local users can launch a network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-23 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104009
https://bugs.busybox.net/show_bug.cgi?id=15922
CVE-2024-58251
CVE-2024-5953 on Ubuntu 26.04 LTS (resolute) - medium
A denial of service vulnerability was found in the 389-ds-base LDAP server. This issue may allow an authenticated user to cause a server denial of service while attempting to log in with a user with a malformed hash in their password.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-18 10:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2292104
CVE-2024-5953
CVE-2024-5971 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\r\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-08 21:15:00 UTC
CVE-2024-5971
CVE-2024-5991 on Ubuntu 26.04 LTS (resolute) - medium
In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. If a caller was attempting to do a name check on a non-NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator. This issue affects wolfSSL: through 5.7.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-27 19:15:00 UTC
CVE-2024-5991
CVE-2024-6119 on Ubuntu 26.04 LTS (resolute) - medium
Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2024-6119` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.3.1-2ubuntu2
openssl - 3.3.1-2ubuntu2
openssl-provider-legacy - 3.3.1-2ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-03
2024-09-03
David Benjamin
[https://ubuntu.com/security/notices/USN-6986-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2024-6119
CVE-2024-6162 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-20 15:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2293069
CVE-2024-6162
CVE-2024-6237 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-09 17:15:00 UTC
CVE-2024-6237
CVE-2024-6285 on Ubuntu 26.04 LTS (resolute) - medium
Integer Underflow (Wrap or Wraparound) vulnerability in Renesas arm-trusted-firmware. An integer underflow in image range check calculations could lead to bypassing address restrictions and loading of images to unallowed addresses.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-24 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074431
CVE-2024-6285
CVE-2024-6287 on Ubuntu 26.04 LTS (resolute) - medium
Incorrect Calculation vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. When checking whether a new image invades/overlaps with a previously loaded image the code neglects to consider a few cases that could allow an attacker to bypass memory range restriction and overwrite an already loaded image partly or completely, which could result in code execution and bypass of secure boot.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-06-24 16:15:00 UTC
CVE-2024-6287
CVE-2024-6442 on Ubuntu 26.04 LTS (resolute) - medium
In ascs_cp_rsp_add in /subsys/bluetooth/audio/ascs.c, an unchecked tailroom could lead to a global buffer overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-04 06:15:00 UTC
CVE-2024-6442
CVE-2024-6443 on Ubuntu 26.04 LTS (resolute) - medium
In utf8_trunc in zephyr/lib/utils/utf8.c, last_byte_p can point to one byte before the string pointer if the string is empty.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-04 06:15:00 UTC
CVE-2024-6443
CVE-2024-6444 on Ubuntu 26.04 LTS (resolute) - medium
No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-04 07:15:00 UTC
CVE-2024-6444
CVE-2024-6505 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the indirections_table data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap overflow access. This flaw allows a privileged user in the guest to crash the QEMU process on the host.
Update Instructions:
Run `sudo pro fix CVE-2024-6505` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:9.0.2+ds-4ubuntu2
qemu-block-supplemental - 1:9.0.2+ds-4ubuntu2
qemu-guest-agent - 1:9.0.2+ds-4ubuntu2
qemu-system - 1:9.0.2+ds-4ubuntu2
qemu-system-arm - 1:9.0.2+ds-4ubuntu2
qemu-system-common - 1:9.0.2+ds-4ubuntu2
qemu-system-data - 1:9.0.2+ds-4ubuntu2
qemu-system-gui - 1:9.0.2+ds-4ubuntu2
qemu-system-mips - 1:9.0.2+ds-4ubuntu2
qemu-system-misc - 1:9.0.2+ds-4ubuntu2
qemu-system-modules-opengl - 1:9.0.2+ds-4ubuntu2
qemu-system-modules-spice - 1:9.0.2+ds-4ubuntu2
qemu-system-ppc - 1:9.0.2+ds-4ubuntu2
qemu-system-riscv - 1:9.0.2+ds-4ubuntu2
qemu-system-s390x - 1:9.0.2+ds-4ubuntu2
qemu-system-sparc - 1:9.0.2+ds-4ubuntu2
qemu-system-x86 - 1:9.0.2+ds-4ubuntu2
qemu-system-x86-xen - 1:9.0.2+ds-4ubuntu2
qemu-system-xen - 1:9.0.2+ds-4ubuntu2
qemu-user - 1:9.0.2+ds-4ubuntu2
qemu-user-binfmt - 1:9.0.2+ds-4ubuntu2
qemu-utils - 1:9.0.2+ds-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-05 14:15:00 UTC
2024-07-05 14:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2295760
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1075919
[https://ubuntu.com/security/notices/USN-7744-1]
CVE-2024-6505
CVE-2024-6519 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-21 15:15:00 UTC
2024-10-21 15:15:00 UTC
fabian
Cyrille Chatras
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085299
https://bugzilla.redhat.com/show_bug.cgi?id=2292089
https://gitlab.com/qemu-project/qemu/-/issues/3090
[https://ubuntu.com/security/notices/USN-8161-1]
CVE-2024-6519
CVE-2024-6563 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C. In line 313 "addr_loaded_cnt" is checked not to be "CHECK_IMAGE_AREA_CNT" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of "dst" will be written to the area immediately after the buffer, which is "addr_loaded_cnt". This will allow an attacker to freely control the value of "addr_loaded_cnt" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value ("len") they desire.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-08 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076042
CVE-2024-6563
CVE-2024-6564 on Ubuntu 26.04 LTS (resolute) - medium
Buffer overflow in "rcar_dev_init" due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-08 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076042
CVE-2024-6564
CVE-2024-6655 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory.
Update Instructions:
Run `sudo pro fix CVE-2024-6655` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-gtk-2.0 - 2.24.33-5ubuntu1
gtk2-engines-pixbuf - 2.24.33-5ubuntu1
libgail-common - 2.24.33-5ubuntu1
libgail18t64 - 2.24.33-5ubuntu1
libgtk2.0-0t64 - 2.24.33-5ubuntu1
libgtk2.0-bin - 2.24.33-5ubuntu1
libgtk2.0-common - 2.24.33-5ubuntu1
No subscription required
gir1.2-gtk-3.0 - 3.24.43-1ubuntu1
gtk-3-examples - 3.24.43-1ubuntu1
libgail-3-0t64 - 3.24.43-1ubuntu1
libgtk-3-0t64 - 3.24.43-1ubuntu1
libgtk-3-bin - 3.24.43-1ubuntu1
libgtk-3-common - 3.24.43-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-11
2024-07-11
https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
[https://ubuntu.com/security/notices/USN-6899-1]
CVE-2024-6655
CVE-2024-6781 on Ubuntu 26.04 LTS (resolute) - medium
Path traversal in Calibre <= 7.14.0 allows unauthenticated attackers to achieve arbitrary file read.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-06 04:16:00 UTC
CVE-2024-6781
CVE-2024-6782 on Ubuntu 26.04 LTS (resolute) - medium
Improper access control in Calibre 6.9.0 ~ 7.14.0 allows unauthenticated attackers to achieve remote code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-06 04:16:00 UTC
CVE-2024-6782
CVE-2024-6827 on Ubuntu 26.04 LTS (resolute) - medium
Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data exposure, session manipulation, SSRF, XSS, DoS, data integrity compromise, security bypass, information leakage, and business logic abuse.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-20 10:15:00 UTC
CVE-2024-6827
CVE-2024-7006 on Ubuntu 26.04 LTS (resolute) - medium
A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.
Update Instructions:
Run `sudo pro fix CVE-2024-7006` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtiff-opengl - 4.5.1+git230720-4ubuntu4
libtiff-tools - 4.5.1+git230720-4ubuntu4
libtiff6 - 4.5.1+git230720-4ubuntu4
libtiffxx6 - 4.5.1+git230720-4ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-12 13:38:00 UTC
2024-08-12 13:38:00 UTC
https://gitlab.com/libtiff/libtiff/-/issues/624
[https://ubuntu.com/security/notices/USN-6997-1]
[https://ubuntu.com/security/notices/USN-6997-2]
CVE-2024-7006
CVE-2024-7008 on Ubuntu 26.04 LTS (resolute) - medium
Unsanitized user-input in Calibre <= 7.15.0 allows attackers to perform reflected cross-site scripting.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-06 04:16:00 UTC
CVE-2024-7008
CVE-2024-7009 on Ubuntu 26.04 LTS (resolute) - medium
Unsanitized user-input in Calibre <= 7.15.0 allows users with permissions to perform full-text searches to achieve SQL injection on the SQLite database.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-06 04:16:00 UTC
CVE-2024-7009
CVE-2024-7246 on Ubuntu 26.04 LTS (resolute) - medium
It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients' HTTP header keys, but not values. This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table. Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-06 11:16:00 UTC
CVE-2024-7246
CVE-2024-7264 on Ubuntu 26.04 LTS (resolute) - medium
libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.
Update Instructions:
Run `sudo pro fix CVE-2024-7264` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
curl - 8.9.1-2ubuntu1
libcurl3t64-gnutls - 8.9.1-2ubuntu1
libcurl4t64 - 8.9.1-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-07-31
2024-07-31
Dov Murik
[https://ubuntu.com/security/notices/USN-6944-1]
[https://ubuntu.com/security/notices/USN-6944-2]
CVE-2024-7264
CVE-2024-7319 on Ubuntu 26.04 LTS (resolute) - medium
An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensitive information may possibly be disclosed through the OpenStack stack abandon command with the hidden feature set to True and the CVE-2023-1625 fix applied.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-02 21:16:00 UTC
https://storyboard.openstack.org/#!/story/2011007
https://bugzilla.redhat.com/show_bug.cgi?id=2258810
CVE-2024-7319
CVE-2024-7383 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-05 14:15:00 UTC
CVE-2024-7383
CVE-2024-7409 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline.
Update Instructions:
Run `sudo pro fix CVE-2024-7409` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 1:9.0.2+ds-4ubuntu2
qemu-block-supplemental - 1:9.0.2+ds-4ubuntu2
qemu-guest-agent - 1:9.0.2+ds-4ubuntu2
qemu-system - 1:9.0.2+ds-4ubuntu2
qemu-system-arm - 1:9.0.2+ds-4ubuntu2
qemu-system-common - 1:9.0.2+ds-4ubuntu2
qemu-system-data - 1:9.0.2+ds-4ubuntu2
qemu-system-gui - 1:9.0.2+ds-4ubuntu2
qemu-system-mips - 1:9.0.2+ds-4ubuntu2
qemu-system-misc - 1:9.0.2+ds-4ubuntu2
qemu-system-modules-opengl - 1:9.0.2+ds-4ubuntu2
qemu-system-modules-spice - 1:9.0.2+ds-4ubuntu2
qemu-system-ppc - 1:9.0.2+ds-4ubuntu2
qemu-system-riscv - 1:9.0.2+ds-4ubuntu2
qemu-system-s390x - 1:9.0.2+ds-4ubuntu2
qemu-system-sparc - 1:9.0.2+ds-4ubuntu2
qemu-system-x86 - 1:9.0.2+ds-4ubuntu2
qemu-system-x86-xen - 1:9.0.2+ds-4ubuntu2
qemu-system-xen - 1:9.0.2+ds-4ubuntu2
qemu-user - 1:9.0.2+ds-4ubuntu2
qemu-user-binfmt - 1:9.0.2+ds-4ubuntu2
qemu-utils - 1:9.0.2+ds-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-05 14:15:00 UTC
2024-08-05 14:15:00 UTC
fabian
https://bugzilla.redhat.com/show_bug.cgi?id=2302487
[https://ubuntu.com/security/notices/USN-7744-1]
CVE-2024-7409
CVE-2024-7537 on Ubuntu 26.04 LTS (resolute) - medium
oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SMS message lists. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23157.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-06 00:15:00 UTC
CVE-2024-7537
CVE-2024-7730 on Ubuntu 26.04 LTS (resolute) - medium
A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for audio data zero.
Update Instructions:
Run `sudo pro fix CVE-2024-7730` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
qemu-block-extra - 9.0.2+ds-4ubuntu8
qemu-block-supplemental - 9.0.2+ds-4ubuntu8
qemu-guest-agent - 9.0.2+ds-4ubuntu8
qemu-system - 9.0.2+ds-4ubuntu8
qemu-system-arm - 9.0.2+ds-4ubuntu8
qemu-system-common - 9.0.2+ds-4ubuntu8
qemu-system-data - 9.0.2+ds-4ubuntu8
qemu-system-gui - 9.0.2+ds-4ubuntu8
qemu-system-mips - 9.0.2+ds-4ubuntu8
qemu-system-misc - 9.0.2+ds-4ubuntu8
qemu-system-modules-opengl - 9.0.2+ds-4ubuntu8
qemu-system-modules-spice - 9.0.2+ds-4ubuntu8
qemu-system-ppc - 9.0.2+ds-4ubuntu8
qemu-system-riscv - 9.0.2+ds-4ubuntu8
qemu-system-s390x - 9.0.2+ds-4ubuntu8
qemu-system-sparc - 9.0.2+ds-4ubuntu8
qemu-system-x86 - 9.0.2+ds-4ubuntu8
qemu-system-x86-xen - 9.0.2+ds-4ubuntu8
qemu-system-xen - 9.0.2+ds-4ubuntu8
qemu-user - 9.0.2+ds-4ubuntu8
qemu-user-binfmt - 9.0.2+ds-4ubuntu8
qemu-utils - 9.0.2+ds-4ubuntu8
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-15
2024-08-15
https://gitlab.com/qemu-project/qemu/-/issues/2427
[https://ubuntu.com/security/notices/USN-7094-1]
CVE-2024-7730
CVE-2024-7866 on Ubuntu 26.04 LTS (resolute) - medium
In Xpdf 4.05 (and earlier), a PDF object loop in a pattern resource leads to infinite recursion and a stack overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-15 20:15:00 UTC
CVE-2024-7866
CVE-2024-7867 on Ubuntu 26.04 LTS (resolute) - medium
In Xpdf 4.05 (and earlier), very large coordinates in a page box can cause an integer overflow and divide-by-zero.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-15 20:15:00 UTC
CVE-2024-7867
CVE-2024-7868 on Ubuntu 26.04 LTS (resolute) - medium
In Xpdf 4.05 (and earlier), invalid header info in a DCT (JPEG) stream can lead to an uninitialized variable in the DCT decoder. The proof-of-concept PDF file causes a segfault attempting to read from an invalid address.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-15 21:15:00 UTC
CVE-2024-7868
CVE-2024-7881 on Ubuntu 26.04 LTS (resolute) - medium
An unprivileged context can trigger a data memory-dependent prefetch engine to fetch the contents of a privileged location and consume those contents as an address that is also dereferenced.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-28 15:15:00 UTC
CVE-2024-7881
CVE-2024-7883 on Ubuntu 26.04 LTS (resolute) - low
When using Arm Cortex-M Security Extensions (CMSE), Secure stack contents can be leaked to Non-secure state via floating-point registers when a Secure to Non-secure function call is made that returns a floating-point value and when this is the first use of floating-point since entering Secure state. This allows an attacker to read a limited quantity of Secure stack contents with an impact on confidentiality. This issue is specific to code generated using LLVM-based compilers.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-10-31 17:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2322994
CVE-2024-7883
CVE-2024-7885 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-08-21 14:15:00 UTC
CVE-2024-7885
CVE-2024-8096 on Ubuntu 26.04 LTS (resolute) - medium
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certificate.
Update Instructions:
Run `sudo pro fix CVE-2024-8096` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
curl - 8.9.1-2ubuntu2
libcurl3t64-gnutls - 8.9.1-2ubuntu2
libcurl4t64 - 8.9.1-2ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-11
2024-09-11
Hiroki Kurosawa
[https://ubuntu.com/security/notices/USN-7012-1]
CVE-2024-8096
CVE-2024-8176 on Ubuntu 26.04 LTS (resolute) - medium
A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.
Update Instructions:
Run `sudo pro fix CVE-2024-8176` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
expat - 2.7.1-1
libexpat1 - 2.7.1-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-14 09:15:00 UTC
2025-03-14 09:15:00 UTC
https://github.com/libexpat/libexpat/issues/893
https://bugzilla.redhat.com/show_bug.cgi?id=2310137
[https://ubuntu.com/security/notices/USN-7424-1]
CVE-2024-8176
CVE-2024-8244 on Ubuntu 26.04 LTS (resolute) - medium
The filepath.Walk and filepath.WalkDir functions are documented as not following symbolic links, but both functions are susceptible to a TOCTOU (time of check/time of use) race condition where a portion of the path being walked is replaced with a symbolic link while the walk is in progress.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-06 16:15:00 UTC
CVE-2024-8244
CVE-2024-8374 on Ubuntu 26.04 LTS (resolute) - medium
UltiMaker Cura slicer versions 5.7.0-beta.1 through 5.7.2 are vulnerable to code injection via the 3MF format reader (/plugins/ThreeMFReader.py). The vulnerability arises from improper handling of the drop_to_buildplate property within 3MF files, which are ZIP archives containing the model data. When a 3MF file is loaded in Cura, the value of the drop_to_buildplate property is passed to the Python eval() function without proper sanitization, allowing an attacker to execute arbitrary code by crafting a malicious 3MF file. This vulnerability poses a significant risk as 3MF files are commonly shared via 3D model databases.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-03 10:15:00 UTC
CVE-2024-8374
CVE-2024-8445 on Ubuntu 26.04 LTS (resolute) - medium
The fix for CVE-2024-2199 in 389-ds-base was insufficient to cover all scenarios. In certain product versions, an authenticated user may cause a server crash while modifying `userPassword` using malformed input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-05 15:15:00 UTC
CVE-2024-8445
CVE-2024-8612 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueue_push as set in virtio_scsi_complete_req / virtio_blk_req_complete / virito_crypto_req_complete could be larger than the true size of the data which has been sent to guest. Once virtqueue_push() finally calls dma_memory_unmap to unmap the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-20 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082406
https://bugzilla.redhat.com/show_bug.cgi?id=2313760
CVE-2024-8612
CVE-2024-8775 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-14 03:15:00 UTC
CVE-2024-8775
CVE-2024-9029 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the freeimage library. Processing a crafted image can cause a buffer over-read of 1 byte in the read_iptc_profile function in the Source/Metadata/IPTC.cpp file because the size of the profile is not being sanitized, causing a crash in the application linked to the library, resulting in a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-09-27 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082848
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082848
CVE-2024-9029
CVE-2024-9101 on Ubuntu 26.04 LTS (resolute) - medium
A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (version 1.2.1 through the latest version, 1.2.6.7) allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' function. However, exploitation is limited to specific conditions where 'opener' is correctly set.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-12-19 14:15:00 UTC
CVE-2024-9101
CVE-2024-9102 on Ubuntu 26.04 LTS (resolute) - low
phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection. NOTE: This vulnerability will not be addressed, the maintainer's position is that it is not the intention of phpLDAPadmin to control what data Administrators can put in their LDAP database, nor filter it on export.
Ubuntu 26.04 LTS
Low
Copyright (C) 2024 Canonical Ltd.
2024-12-19 14:15:00 UTC
CVE-2024-9102
CVE-2024-9341 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-01 19:15:00 UTC
CVE-2024-9341
CVE-2024-9622 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in the resteasy-netty4 library arising from improper handling of HTTP requests using smuggling techniques. When an HTTP smuggling request with an ASCII control character is sent, it causes the Netty HttpObjectDecoder to transition into a BAD_MESSAGE state. As a result, any subsequent legitimate requests on the same connection are ignored, leading to client timeouts, which may impact systems using load balancers and expose them to risk.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-08 17:15:00 UTC
2024-10-08 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-7351-1]
[https://ubuntu.com/security/notices/USN-7630-1]
CVE-2024-9622
CVE-2024-9632 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges.
Update Instructions:
Run `sudo pro fix CVE-2024-9632` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.14-1ubuntu1
xorg-server-source - 2:21.1.14-1ubuntu1
xserver-common - 2:21.1.14-1ubuntu1
xserver-xephyr - 2:21.1.14-1ubuntu1
xserver-xorg-core - 2:21.1.14-1ubuntu1
xserver-xorg-legacy - 2:21.1.14-1ubuntu1
xvfb - 2:21.1.14-1ubuntu1
No subscription required
xwayland - 2:24.1.4-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-10-29 15:00:00 UTC
2024-10-29 15:00:00 UTC
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
[https://ubuntu.com/security/notices/USN-7085-1]
[https://ubuntu.com/security/notices/USN-7085-2]
CVE-2024-9632
CVE-2024-9902 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2024 Canonical Ltd.
2024-11-06 10:15:00 UTC
CVE-2024-9902
CVE-2025-0012 on Ubuntu 26.04 LTS (resolute) - medium
Improper handling of overlap between the segmented reverse map table (RMP) and system management mode (SMM) memory could allow a privileged attacker to corrupt or partially infer SMM memory resulting in loss of integrity or confidentiality.
Update Instructions:
Run `sudo pro fix CVE-2025-0012` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
amd64-microcode - 3.20251202.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 20:16:00 UTC
CVE-2025-0012
CVE-2025-0031 on Ubuntu 26.04 LTS (resolute) - medium
A use after free in the SEV firmware could allow a malicious hypervisor to activate a migrated guest with the SINGLE_SOCKET policy on a different socket than the migration agent potentially resulting in loss of integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 20:16:00 UTC
CVE-2025-0031
CVE-2025-0033 on Ubuntu 26.04 LTS (resolute) - medium
Improper access control within AMD SEV-SNP could allow an admin privileged attacker to write to the RMP during SNP initialization, potentially resulting in a loss of SEV-SNP guest memory integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-14 15:16:00 UTC
CVE-2025-0033
CVE-2025-0218 on Ubuntu 26.04 LTS (resolute) - medium
When batch jobs are executed by pgAgent, a script is created in a temporary directory and then executed. In versions of pgAgent prior to 4.2.3, an insufficiently seeded random number generator is used when generating the directory name, leading to the possibility for a local attacker to pre-create the directory and thus prevent pgAgent from executing jobs, disrupting scheduled tasks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-07 20:15:00 UTC
CVE-2025-0218
CVE-2025-0395 on Ubuntu 26.04 LTS (resolute) - medium
When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.
Update Instructions:
Run `sudo pro fix CVE-2025-0395` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
glibc-source - 2.41-1ubuntu1
libc-bin - 2.41-1ubuntu1
libc6 - 2.41-1ubuntu1
libc6-amd64 - 2.41-1ubuntu1
libc6-i386 - 2.41-1ubuntu1
libc6-x32 - 2.41-1ubuntu1
locales - 2.41-1ubuntu1
locales-all - 2.41-1ubuntu1
nscd - 2.41-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-22 13:15:00 UTC
2025-01-22 13:15:00 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=32582
[https://ubuntu.com/security/notices/USN-7259-1]
[https://ubuntu.com/security/notices/USN-7259-2]
[https://ubuntu.com/security/notices/USN-7259-3]
CVE-2025-0395
CVE-2025-0495 on Ubuntu 26.04 LTS (resolute) - medium
Buildx is a Docker CLI plugin that extends build capabilities using BuildKit. Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry traces as part of the arguments and flags for the traced CLI command. OpenTelemetry traces are also saved in BuildKit daemon's history records. This vulnerability does not impact secrets passed to the Github cache backend via environment variables or registry authentication.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-17 20:15:00 UTC
CVE-2025-0495
CVE-2025-0622 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in command/gpg. In some scenarios, hooks created by loaded modules are not removed when the related module is unloaded. This flaw allows an attacker to force grub2 to call the hooks once the module that registered it was unloaded, leading to a use-after-free vulnerability. If correctly exploited, this vulnerability may result in arbitrary code execution, eventually allowing the attacker to bypass secure boot protections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2025-0622
CVE-2025-0624 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in grub2. During the network boot process, when trying to search for the configuration file, grub copies data from a user controlled environment variable into an internal buffer using the grub_strcpy() function. During this step, it fails to consider the environment variable length when allocating the internal buffer, resulting in an out-of-bounds write. If correctly exploited, this issue may result in remote code execution through the same network segment grub is searching for the boot information, which can be used to by-pass secure boot protections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2025-0624
CVE-2025-0677 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in grub2. When performing a symlink lookup, the grub's UFS module checks the inode's data size to allocate the internal buffer to read the file content, however, it fails to check if the symlink data size has overflown. When this occurs, grub_malloc() may be called with a smaller value than needed. When further reading the data from the disk into the buffer, the grub_ufs_lookup_symlink() function will write past the end of the allocated size. An attack can leverage this by crafting a malicious filesystem, and as a result, it will corrupt data stored in the heap, allowing for arbitrary code execution used to by-pass secure boot mechanisms.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2025-0677
CVE-2025-0678 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in grub2. When reading data from a squash4 filesystem, grub's squash4 fs module uses user-controlled parameters from the filesystem geometry to determine the internal buffer size, however, it improperly checks for integer overflows. A maliciously crafted filesystem may lead some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result, the direct_read() will perform a heap based out-of-bounds write during data reading. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution, by-passing secure boot protections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2025-0678
CVE-2025-0684 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in grub2. When performing a symlink lookup from a reiserfs filesystem, grub's reiserfs fs module uses user-controlled parameters from the filesystem geometry to determine the internal buffer size, however, it improperly checks for integer overflows. A maliciously crafted filesystem may lead some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result, the grub_reiserfs_read_symlink() will call grub_reiserfs_read_real() with an overflown length parameter, leading to a heap based out-of-bounds write during data reading. This flaw may be leveraged to corrupt grub's internal critical data and can result in arbitrary code execution, by-passing secure boot protections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2025-0684
CVE-2025-0685 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in grub2. When reading data from a jfs filesystem, grub's jfs filesystem module uses user-controlled parameters from the filesystem geometry to determine the internal buffer size, however, it improperly checks for integer overflows. A maliciously crafted filesystem may lead some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result, the grub_jfs_lookup_symlink() function will write past the internal buffer length during grub_jfs_read_file(). This issue can be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution, by-passing secure boot protections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2025-0685
CVE-2025-0686 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in grub2. When performing a symlink lookup from a romfs filesystem, grub's romfs filesystem module uses user-controlled parameters from the filesystem geometry to determine the internal buffer size, however, it improperly checks for integer overflows. A maliciously crafted filesystem may lead some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result, the grub_romfs_read_symlink() may cause out-of-bounds writes when calling the grub_disk_read() function. This issue may be leveraged to corrupt grub's internal critical data and can result in arbitrary code execution by-passing secure boot protections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2025-0686
CVE-2025-0689 on Ubuntu 26.04 LTS (resolute) - medium
When reading data from disk, the grub's UDF filesystem module utilizes the user controlled data length metadata to allocate its internal buffers. In certain scenarios, while iterating through disk sectors, it assumes the read size from the disk is always smaller than the allocated buffer size which is not guaranteed. A crafted filesystem image may lead to a heap-based buffer overflow resulting in critical data to be corrupted, resulting in the risk of arbitrary code execution by-passing secure boot protections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2025-0689
CVE-2025-0690 on Ubuntu 26.04 LTS (resolute) - medium
The read command is used to read the keyboard input from the user; while reading, it keeps the input length in a 32-bit integer value which is further used to reallocate the line buffer to accept the next character. During this process, with a line big enough it's possible to make this variable overflow, leading to an out-of-bounds write in the heap based buffer. This flaw may be leveraged to corrupt grub's internal critical data and secure boot bypass is not discarded as consequence.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2025-0690
CVE-2025-0838 on Ubuntu 26.04 LTS (resolute) - medium
There exists a heap buffer overflow vulnerability in Abseil-cpp. The sized constructors, reserve(), and rehash() methods of absl::{flat,node}hash{set,map} did not impose an upper bound on their size argument. As a result, it was possible for a caller to pass a very large size that would cause an integer overflow when computing the size of the container's backing store, and a subsequent out-of-bounds memory write. Subsequent accesses to the container might also access out-of-bounds memory. We recommend upgrading past commit 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1
Update Instructions:
Run `sudo pro fix CVE-2025-0838` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libabsl20240722 - 20240722.0-3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-21 15:15:00 UTC
2025-02-21 15:15:00 UTC
Dmitry Vyukov
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098903
[https://ubuntu.com/security/notices/USN-7505-1]
CVE-2025-0838
CVE-2025-0896 on Ubuntu 26.04 LTS (resolute) - medium
Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-13 02:15:00 UTC
CVE-2025-0896
CVE-2025-0913 on Ubuntu 26.04 LTS (resolute) - medium
os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-11 18:15:00 UTC
https://github.com/golang/go/issues/73702
CVE-2025-0913
CVE-2025-0938 on Ubuntu 26.04 LTS (resolute) - medium
The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-31 18:15:00 UTC
2025-01-31 18:15:00 UTC
https://github.com/python/cpython/issues/105704
[https://ubuntu.com/security/notices/USN-7280-1]
[https://ubuntu.com/security/notices/USN-7348-1]
[https://ubuntu.com/security/notices/USN-7348-2]
[https://ubuntu.com/security/notices/USN-7280-2]
[https://ubuntu.com/security/notices/USN-7280-3]
CVE-2025-0938
CVE-2025-10158 on Ubuntu 26.04 LTS (resolute) - low
A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.
Update Instructions:
Run `sudo pro fix CVE-2025-10158` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
rsync - 3.4.1+ds1-7
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-11-18 15:16:00 UTC
2025-11-18 15:16:00 UTC
Calum Hutton
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121442
[https://ubuntu.com/security/notices/USN-8283-1]
CVE-2025-10158
CVE-2025-10256 on Ubuntu 26.04 LTS (resolute) - medium
A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/af_firequalizer.c) due to a missing check on the return value of av_malloc_array() in the config_input() function. An attacker could exploit this by tricking a victim into processing a crafted media file with the Firequalizer filter enabled, causing the application to dereference a NULL pointer and crash, leading to denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-16
2025-09-16
[https://ubuntu.com/security/notices/USN-7830-1]
CVE-2025-10256
CVE-2025-10728 on Ubuntu 26.04 LTS (resolute) - medium
When the module renders a Svg file that contains a <pattern> element, it might end up rendering it recursively leading to stack overflow DoS
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-03 16:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117447
CVE-2025-10728
CVE-2025-10729 on Ubuntu 26.04 LTS (resolute) - medium
The module will parse a <pattern> node which is not a child of a structural node. The node will be deleted after creation but might be accessed later leading to a use after free.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-03 16:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117445
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117446
CVE-2025-10729
CVE-2025-10823 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability was found in axboe fio up to 3.41. This affects the function str_buffer_pattern_cb of the file options.c. Performing manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been made public and could be used.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-09-23 00:15:00 UTC
CVE-2025-10823
CVE-2025-10824 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability was determined in axboe fio up to 3.41. This impacts the function __parse_jobs_ini of the file init.c. Executing manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-09-23 01:15:00 UTC
CVE-2025-10824
CVE-2025-10911 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash.
Update Instructions:
Run `sudo pro fix CVE-2025-10911` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libxslt1.1 - 1.1.43-0.3
xsltproc - 1.1.43-0.3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-25 16:15:00 UTC
https://gitlab.gnome.org/GNOME/libxslt/-/issues/144
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116447
https://bugzilla.redhat.com/show_bug.cgi?id=2397838
CVE-2025-10911
CVE-2025-10921 on Ubuntu 26.04 LTS (resolute) - medium
GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of HDR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27803.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-29 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116470
CVE-2025-10921
CVE-2025-10990 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x...;) in XML documents. This could lead to a Regular Expression Denial of Service (ReDoS), impacting the availability of the affected component. This issue is the result of an incomplete fix for CVE-2024-49761.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 14:16:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2398216
CVE-2025-10990
CVE-2025-10994 on Ubuntu 26.04 LTS (resolute) - medium
A weakness has been identified in Open Babel up to 3.1.1. This affects the function GAMESSOutputFormat::ReadMolecule of the file gamessformat.cpp. This manipulation causes use after free. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be exploited.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-26 02:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116462
CVE-2025-10994
CVE-2025-10995 on Ubuntu 26.04 LTS (resolute) - medium
A security vulnerability has been detected in Open Babel up to 3.1.1. This vulnerability affects the function zlib_stream::basic_unzip_streambuf::underflow in the library /src/zipstreamimpl.h. Such manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-26 02:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116462
CVE-2025-10995
CVE-2025-10996 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was detected in Open Babel up to 3.1.1. This issue affects the function OBSmilesParser::ParseSmiles of the file /src/formats/smilesformat.cpp. Performing manipulation results in heap-based buffer overflow. The attack needs to be approached locally. The exploit is now public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-26 03:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116462
CVE-2025-10996
CVE-2025-10997 on Ubuntu 26.04 LTS (resolute) - medium
A flaw has been found in Open Babel up to 3.1.1. Impacted is the function ChemKinFormat::CheckSpecies of the file /src/formats/chemkinformat.cpp. Executing manipulation can lead to heap-based buffer overflow. The attack can only be executed locally. The exploit has been published and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-26 03:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116462
CVE-2025-10997
CVE-2025-10998 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in Open Babel up to 3.1.1. The affected element is the function ChemKinFormat::ReadReactionQualifierLines of the file /src/formats/chemkinformat.cpp. The manipulation leads to null pointer dereference. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-26 03:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116462
CVE-2025-10998
CVE-2025-10999 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Open Babel up to 3.1.1. The impacted element is the function CacaoFormat::SetHilderbrandt of the file /src/formats/cacaoformat.cpp. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit has been made public and could be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-26 03:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116462
CVE-2025-10999
CVE-2025-11000 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was determined in Open Babel up to 3.1.1. This affects the function PQSFormat::ReadMolecule of the file /src/formats/PQSformat.cpp. This manipulation causes null pointer dereference. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-26 04:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116462
CVE-2025-11000
CVE-2025-11014 on Ubuntu 26.04 LTS (resolute) - medium
A security flaw has been discovered in OGRECave Ogre up to 14.4.1. This issue affects the function STBIImageCodec::encode of the file /ogre/PlugIns/STBICodec/src/OgreSTBICodec.cpp of the component Image Handler. The manipulation results in heap-based buffer overflow. The attack is only possible with local access. The exploit has been released to the public and may be exploited.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-26 13:15:00 UTC
CVE-2025-11014
CVE-2025-11015 on Ubuntu 26.04 LTS (resolute) - medium
A weakness has been identified in OGRECave Ogre up to 14.4.1. Impacted is the function STBIImageCodec::encode of the file /ogre/PlugIns/STBICodec/src/OgreSTBICodec.cpp. This manipulation causes mismatched memory management routines. The attack is restricted to local execution. The exploit has been made available to the public and could be exploited.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-26 14:15:00 UTC
CVE-2025-11015
CVE-2025-11017 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was detected in OGRECave Ogre up to 14.4.1. The impacted element is the function Ogre::LogManager::stream of the file /ogre/OgreMain/src/OgreLogManager.cpp. Performing manipulation of the argument mDefaultLog results in null pointer dereference. The attack must be initiated from a local position. The exploit is now public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-26 14:15:00 UTC
CVE-2025-11017
CVE-2025-11021 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other applications for web communication. When processing cookies with specially crafted expiration dates, the library may perform an out-of-bounds memory read. This flaw could result in unintended disclosure of memory contents, potentially exposing sensitive information from the process using libsoup.
Update Instructions:
Run `sudo pro fix CVE-2025-11021` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-soup-3.0 - 3.6.5-3
libsoup-3.0-0 - 3.6.5-3
libsoup-3.0-common - 3.6.5-3
libsoup-3.0-tests - 3.6.5-3
No subscription required
gir1.2-soup-2.4 - 2.74.3-10.1ubuntu4
libsoup-2.4-1 - 2.74.3-10.1ubuntu4
libsoup-gnome-2.4-1 - 2.74.3-10.1ubuntu4
libsoup2.4-common - 2.74.3-10.1ubuntu4
libsoup2.4-tests - 2.74.3-10.1ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-26 09:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116469
CVE-2025-11021
CVE-2025-11143 on Ubuntu 26.04 LTS (resolute) - medium
The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-05 10:15:00 UTC
CVE-2025-11143
CVE-2025-11146 on Ubuntu 26.04 LTS (resolute) - medium
Reflected Cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vulnerability allows an attacker to execute malicious scripts (XSS) in the web management application. The vulnerability is caused by improper handling of GET inputs included in the URL in “/acng-report.html”.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-29 10:15:00 UTC
CVE-2025-11146
CVE-2025-11147 on Ubuntu 26.04 LTS (resolute) - medium
Reflected cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vulnerability allows malicious scripts (XSS) to be executed in “/html/<filename>.html”.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-29 10:15:00 UTC
CVE-2025-11147
CVE-2025-11149 on Ubuntu 26.04 LTS (resolute) - medium
This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-30 11:37:00 UTC
CVE-2025-11149
CVE-2025-11173 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation OATHAuth. This vulnerability is associated with program files src/Special/OATHManage.Php. This issue affects OATHAuth: from * before 1.39.14, 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 01:15:00 UTC
CVE-2025-11173
CVE-2025-11175 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup. This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-30 20:16:00 UTC
CVE-2025-11175
CVE-2025-1118 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in grub2. Grub's dump command is not blocked when grub is in lockdown mode, which allows the user to read any memory information, and an attacker may leverage this in order to extract signatures, salts, and other sensitive information from the memory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2025-1118
CVE-2025-11187 on Ubuntu 26.04 LTS (resolute) - medium
Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations. When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 salt and keylength parameters from the file are used without validation. If the value of keylength exceeds the size of the fixed stack buffer used for the derived key (64 bytes), the key derivation will overflow the buffer. The overflow length is attacker-controlled. Also, if the salt parameter is not an OCTET STRING type this can lead to invalid or NULL pointer dereference. Exploiting this issue requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For this reason the issue was assessed as Moderate severity. The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as PKCS#12 processing is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue. OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do not support PBMAC1 in PKCS#12.
Update Instructions:
Run `sudo pro fix CVE-2025-11187` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu1
openssl - 3.5.5-1ubuntu1
openssl-provider-legacy - 3.5.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-27
2026-01-27
Stanislav Fort and Petr Šimeček
[https://ubuntu.com/security/notices/USN-7980-1]
CVE-2025-11187
CVE-2025-1125 on Ubuntu 26.04 LTS (resolute) - medium
When reading data from a hfs filesystem, grub's hfs filesystem module uses user-controlled parameters from the filesystem metadata to calculate the internal buffers size, however it misses to properly check for integer overflows. A maliciously crafted filesystem may lead some of those buffer size calculation to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result the hfsplus_open_compressed_real() function will write past of the internal buffer length. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution by-passing secure boot protections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 18:00:00 UTC
mkukri
CVE-2025-1125
CVE-2025-11274 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was determined in Open Asset Import Library Assimp 6.0.2. Affected is the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. This manipulation causes allocation of resources. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-05 01:15:00 UTC
https://github.com/assimp/assimp/issues/6356
CVE-2025-11274
CVE-2025-11275 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was identified in Open Asset Import Library Assimp 6.0.2. Affected by this vulnerability is the function ODDLParser::getNextSeparator in the library assimp/contrib/openddlparser/include/openddlparser/OpenDDLParserUtils.h. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-05 01:15:00 UTC
https://github.com/assimp/assimp/issues/6357
CVE-2025-11275
CVE-2025-11277 on Ubuntu 26.04 LTS (resolute) - medium
A weakness has been identified in Open Asset Import Library Assimp 6.0.2. This affects the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. Executing a manipulation can lead to heap-based buffer overflow. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-05 02:15:00 UTC
https://github.com/assimp/assimp/issues/6358
CVE-2025-11277
CVE-2025-11411 on Ubuntu 26.04 LTS (resolute) - medium
NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect. Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies, further mitigating the possible poison effect.
Update Instructions:
Run `sudo pro fix CVE-2025-11411` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libunbound8 - 1.24.2-1ubuntu1
python3-unbound - 1.24.2-1ubuntu1
unbound - 1.24.2-1ubuntu1
unbound-anchor - 1.24.2-1ubuntu1
unbound-host - 1.24.2-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-22 13:15:00 UTC
2025-10-22 13:15:00 UTC
Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan
[https://ubuntu.com/security/notices/USN-7855-1]
[https://ubuntu.com/security/notices/USN-7855-2]
CVE-2025-11411
CVE-2025-1150 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-02-10 17:15:00 UTC
CVE-2025-1150
CVE-2025-1151 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-02-10 17:15:00 UTC
CVE-2025-1151
CVE-2025-11568 on Ubuntu 26.04 LTS (resolute) - medium
A data corruption vulnerability has been identified in the luksmeta utility when used with the LUKS1 disk encryption format. An attacker with the necessary permissions can exploit this flaw by writing a large amount of metadata to an encrypted device. The utility fails to correctly validate the available space, causing the metadata to overwrite and corrupt the user's encrypted data. This action leads to a permanent loss of the stored information. Devices using the LUKS formats other than LUKS1 are not affected by this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-15 20:15:00 UTC
CVE-2025-11568
CVE-2025-11626 on Ubuntu 26.04 LTS (resolute) - medium
MONGO dissector infinite loop in Wireshark 4.4.0 to 4.4.9 and 4.2.0 to 4.2.13 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-10 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117852
CVE-2025-11626
CVE-2025-11683 on Ubuntu 26.04 LTS (resolute) - medium
YAML::Syck versions before 1.36 for Perl has missing null-terminators which causes out-of-bounds read and potential information disclosure. Missing null terminators in token.c leads to out-of-bounds read which allows adjacent variable to be read. The issue is seen with complex YAML files with a hash of all keys and empty values. There is no indication that the issue leads to accessing memory outside that allocated to the module.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-16 01:15:00 UTC
CVE-2025-11683
CVE-2025-11731 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in the exsltFuncResultComp() function of libxslt, which handles EXSLT <func:result> elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads and potential crashes. While difficult to exploit, the flaw could lead to application instability or denial of service.
Update Instructions:
Run `sudo pro fix CVE-2025-11731` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libxslt1.1 - 1.1.43-0.3
xsltproc - 1.1.43-0.3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-10-14 06:15:00 UTC
https://gitlab.gnome.org/GNOME/libxslt/-/issues/151
https://bugzilla.redhat.com/show_bug.cgi?id=2403688
CVE-2025-11731
CVE-2025-11896 on Ubuntu 26.04 LTS (resolute) - medium
In Xpdf 4.05 (and earlier), a PDF object loop in a CMap, via the "UseCMap" entry, leads to infinite recursion and a stack overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-16 22:15:00 UTC
CVE-2025-11896
CVE-2025-11931 on Ubuntu 26.04 LTS (resolute) - medium
Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt. This issue is hit specifically with a call to the function wc_XChaCha20Poly1305_Decrypt() which is not used with TLS connections, only from direct calls from an application.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-21 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121196
CVE-2025-11931
CVE-2025-11932 on Ubuntu 26.04 LTS (resolute) - medium
The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information about the PSK binder
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-21 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121197
CVE-2025-11932
CVE-2025-11933 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote unauthenticated attacker to potentially cause a denial-of-service via a crafted ClientHello message with duplicate CKS extensions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-21 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121198
CVE-2025-11933
CVE-2025-11934 on Ubuntu 26.04 LTS (resolute) - medium
Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-21 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121199
CVE-2025-11934
CVE-2025-11935 on Ubuntu 26.04 LTS (resolute) - medium
With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the clients side unexpectedly did not have PFS, reduces the security of the connection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-21 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121200
CVE-2025-11935
CVE-2025-11936 on Ubuntu 26.04 LTS (resolute) - medium
Improper input validation in the TLS 1.3 KeyShareEntry parsing in wolfSSL v5.8.2 on multiple platforms allows a remote unauthenticated attacker to cause a denial-of-service by sending a crafted ClientHello message containing duplicate KeyShareEntry values for the same supported group, leading to excessive CPU and memory consumption during ClientHello processing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-21 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121202
CVE-2025-11936
CVE-2025-11961 on Ubuntu 26.04 LTS (resolute) - low
pcap_ether_aton() is an auxiliary function in libpcap, it takes a string argument and returns a fixed-size allocated buffer. The string argument must be a well-formed MAC-48 address in one of the supported formats, but this requirement has been poorly documented. If an application calls the function with an argument that deviates from the expected format, the function can read data beyond the end of the provided string and write data beyond the end of the allocated buffer.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-12-31 01:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124381
CVE-2025-11961
CVE-2025-12004 on Ubuntu 26.04 LTS (resolute) - medium
Incorrect Permission Assignment for Critical Resource vulnerability in The Wikimedia Foundation Mediawiki - Lockdown Extension allows Privilege Abuse. Fixed in Mediawiki Core Action API. This issue affects Mediawiki - Lockdown Extension: from master before 1.42.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 07:15:00 UTC
CVE-2025-12004
CVE-2025-12073 on Ubuntu 26.04 LTS (resolute) - medium
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to perform server-side request forgery against internal services by bypassing protections in the Git repository import functionality.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 12:16:00 UTC
CVE-2025-12073
CVE-2025-12084 on Ubuntu 26.04 LTS (resolute) - medium
When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-03 19:15:00 UTC
2025-12-03 19:15:00 UTC
https://github.com/python/cpython/issues/142145
https://github.com/python/cpython/issues/142754 (regression)
[https://ubuntu.com/security/notices/USN-8018-1]
[https://ubuntu.com/security/notices/USN-8018-3]
CVE-2025-12084
CVE-2025-12119 on Ubuntu 26.04 LTS (resolute) - medium
A mongoc_bulk_operation_t may read invalid memory if large options are passed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-18 22:15:00 UTC
https://jira.mongodb.org/browse/CDRIVER-6112 (private)
CVE-2025-12119
CVE-2025-12183 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-28 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122026
CVE-2025-12183
CVE-2025-12204 on Ubuntu 26.04 LTS (resolute) - medium
A security vulnerability has been detected in Kamailio 5.5. Impacted is the function rve_destroy of the file src/core/rvalue.c of the component Configuration File Handler. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. There is ongoing doubt regarding the real existence of this vulnerability. This attack requires manipulating config files which might not be a realistic scenario in many cases. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-27 03:15:00 UTC
CVE-2025-12204
CVE-2025-12205 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was detected in Kamailio 5.5. The affected element is the function sr_push_yy_state of the file src/core/cfg.lex of the component Configuration File Handler. The manipulation results in use after free. The attack must be initiated from a local position. The exploit is now public and may be used. The real existence of this vulnerability is still doubted at the moment. This attack requires manipulating config files which might not be a realistic scenario in many cases. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-27 03:15:00 UTC
CVE-2025-12205
CVE-2025-12206 on Ubuntu 26.04 LTS (resolute) - medium
A flaw has been found in Kamailio 5.5. The impacted element is the function rve_is_constant of the file src/core/rvalue.c. This manipulation causes null pointer dereference. The attack needs to be launched locally. The exploit has been published and may be used. It is still unclear if this vulnerability genuinely exists. This attack requires manipulating config files which might not be a realistic scenario in many cases. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-27 03:15:00 UTC
CVE-2025-12206
CVE-2025-12207 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in Kamailio 5.5. This affects the function yyerror_at of the file src/core/cfg.y of the component Grammar Rule Handler. Such manipulation leads to null pointer dereference. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The actual existence of this vulnerability is currently in question. This attack requires manipulating config files which might not be a realistic scenario in many cases. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-27 03:15:00 UTC
CVE-2025-12207
CVE-2025-12343 on Ubuntu 26.04 LTS (resolute) - negligible
A flaw was found in FFmpeg’s TensorFlow backend within the libavfilter/dnn_backend_tf.c source file. The issue occurs in the dnn_execute_model_tf() function, where a task object is freed multiple times in certain error-handling paths. This redundant memory deallocation can lead to a double-free condition, potentially causing FFmpeg or any application using it to crash when processing TensorFlow-based DNN models. This results in a denial-of-service scenario but does not allow arbitrary code execution under normal conditions.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2026 Canonical Ltd.
2026-02-18 21:16:00 UTC
CVE-2025-12343
CVE-2025-12385 on Ubuntu 26.04 LTS (resolute) - medium
Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation. This issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the <img> tag could cause an application to become unresponsive. This issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-03 20:16:00 UTC
bruce
CVE-2025-12385
CVE-2025-1244 on Ubuntu 26.04 LTS (resolute) - medium
A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-12 15:15:00 UTC
2025-02-12 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-8011-1]
CVE-2025-1244
CVE-2025-12474 on Ubuntu 26.04 LTS (resolute) - low
A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized (but allocated) memory. This can be done by causing the decoder to reference an outside-image-bound area in a subsequent patches. An incorrect optimization causes the decoder to omit populating those areas.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-02-11 16:15:00 UTC
CVE-2025-12474
CVE-2025-12495 on Ubuntu 26.04 LTS (resolute) - medium
Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EXR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27946.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-23 22:15:00 UTC
CVE-2025-12495
CVE-2025-12543 on Ubuntu 26.04 LTS (resolute) - high
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
Update Instructions:
Run `sudo pro fix CVE-2025-12543` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libundertow-java - 2.3.20-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-01-07 17:15:00 UTC
2026-01-07 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-8144-1]
CVE-2025-12543
CVE-2025-12575 on Ubuntu 26.04 LTS (resolute) - medium
GitLab has remediated an issue in GitLab EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user with certain permissions to make unauthorized requests to internal network services through the GitLab server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 12:16:00 UTC
CVE-2025-12575
CVE-2025-12642 on Ubuntu 26.04 LTS (resolute) - medium
lighttpd1.4.80 incorrectly merged trailer fields into headers after http request parsing. This behavior can be exploited to conduct HTTP Header Smuggling attacks. Successful exploitation may allow an attacker to: * Bypass access control rules * Inject unsafe input into backend logic that trusts request headers * Execute HTTP Request Smuggling attacks under some conditions. This issue affects lighttpd1.4.80
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-03 20:17:00 UTC
CVE-2025-12642
CVE-2025-1272 on Ubuntu 26.04 LTS (resolute) - medium
The Linux Kernel lockdown mode for kernel versions starting on 6.12 and above for Fedora Linux has the lockdown mode disabled without any warning. This may allow an attacker to gain access to sensitive information such as kernel memory mappings, I/O ports, BPF and kprobes. Additionally unsigned modules can be loaded, leading to execution of untrusted code breaking any Secure Boot protection. This vulnerability affects only Fedora Linux.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-18 21:16:00 UTC
CVE-2025-1272
CVE-2025-12745 on Ubuntu 26.04 LTS (resolute) - medium
A weakness has been identified in QuickJS up to eb2c89087def1829ed99630cb14b549d7a98408c. This affects the function js_array_buffer_slice of the file quickjs.c. This manipulation causes buffer over-read. The attack is restricted to local execution. The exploit has been made available to the public and could be exploited. This product adopts a rolling release strategy to maintain continuous delivery. Patch name: c6fe5a98fd3ef3b7064e6e0145dfebfe12449fea. To fix this issue, it is recommended to deploy a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-05 19:15:00 UTC
CVE-2025-12745
CVE-2025-12748 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was discovered in libvirt in the XML file processing. More specifically, the parsing of user provided XML files was performed before the ACL checks. A malicious user with limited permissions could exploit this flaw by submitting a specially crafted XML file, causing libvirt to allocate too much memory on the host. The excessive memory consumption could lead to a libvirt process crash on the host, resulting in a denial-of-service condition.
Update Instructions:
Run `sudo pro fix CVE-2025-12748` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnss-libvirt - 11.6.0-1ubuntu7
libvirt-clients - 11.6.0-1ubuntu7
libvirt-clients-qemu - 11.6.0-1ubuntu7
libvirt-common - 11.6.0-1ubuntu7
libvirt-daemon - 11.6.0-1ubuntu7
libvirt-daemon-common - 11.6.0-1ubuntu7
libvirt-daemon-config-network - 11.6.0-1ubuntu7
libvirt-daemon-config-nwfilter - 11.6.0-1ubuntu7
libvirt-daemon-driver-interface - 11.6.0-1ubuntu7
libvirt-daemon-driver-lxc - 11.6.0-1ubuntu7
libvirt-daemon-driver-network - 11.6.0-1ubuntu7
libvirt-daemon-driver-nodedev - 11.6.0-1ubuntu7
libvirt-daemon-driver-nwfilter - 11.6.0-1ubuntu7
libvirt-daemon-driver-qemu - 11.6.0-1ubuntu7
libvirt-daemon-driver-secret - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-disk - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-gluster - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-iscsi - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-iscsi-direct - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-logical - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-mpath - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-rbd - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-scsi - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-zfs - 11.6.0-1ubuntu7
libvirt-daemon-driver-vbox - 11.6.0-1ubuntu7
libvirt-daemon-driver-xen - 11.6.0-1ubuntu7
libvirt-daemon-lock - 11.6.0-1ubuntu7
libvirt-daemon-log - 11.6.0-1ubuntu7
libvirt-daemon-plugin-lockd - 11.6.0-1ubuntu7
libvirt-daemon-plugin-sanlock - 11.6.0-1ubuntu7
libvirt-daemon-system - 11.6.0-1ubuntu7
libvirt-daemon-system-systemd - 11.6.0-1ubuntu7
libvirt-daemon-system-sysv - 11.6.0-1ubuntu7
libvirt-l10n - 11.6.0-1ubuntu7
libvirt-login-shell - 11.6.0-1ubuntu7
libvirt-sanlock - 11.6.0-1ubuntu7
libvirt-ssh-proxy - 11.6.0-1ubuntu7
libvirt-wireshark - 11.6.0-1ubuntu7
libvirt0 - 11.6.0-1ubuntu7
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-11 20:15:00 UTC
2025-11-11 20:15:00 UTC
Artem Mukhin and Святослав Терешин
https://gitlab.com/libvirt/libvirt/-/issues/825
https://bugzilla.redhat.com/show_bug.cgi?id=2413801
[https://ubuntu.com/security/notices/USN-7047-1]
CVE-2025-12748
CVE-2025-12781 on Ubuntu 26.04 LTS (resolute) - medium
When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DO NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-21 20:16:00 UTC
https://github.com/python/cpython/issues/125346
CVE-2025-12781
CVE-2025-12801 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows an NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-04 16:16:00 UTC
CVE-2025-12801
CVE-2025-12817 on Ubuntu 26.04 LTS (resolute) - medium
Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.
Update Instructions:
Run `sudo pro fix CVE-2025-12817` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libecpg-compat3 - 18.1-1ubuntu1
libecpg6 - 18.1-1ubuntu1
libpgtypes3 - 18.1-1ubuntu1
libpq-oauth - 18.1-1ubuntu1
libpq5 - 18.1-1ubuntu1
postgresql-18 - 18.1-1ubuntu1
postgresql-18-jit - 18.1-1ubuntu1
postgresql-client-18 - 18.1-1ubuntu1
postgresql-plperl-18 - 18.1-1ubuntu1
postgresql-plpython3-18 - 18.1-1ubuntu1
postgresql-pltcl-18 - 18.1-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-13 13:15:00 UTC
2025-11-13 13:15:00 UTC
Jelte Fennema-Nio
[https://ubuntu.com/security/notices/USN-7908-1]
CVE-2025-12817
CVE-2025-12818 on Ubuntu 26.04 LTS (resolute) - medium
Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.
Update Instructions:
Run `sudo pro fix CVE-2025-12818` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libecpg-compat3 - 18.1-1ubuntu1
libecpg6 - 18.1-1ubuntu1
libpgtypes3 - 18.1-1ubuntu1
libpq-oauth - 18.1-1ubuntu1
libpq5 - 18.1-1ubuntu1
postgresql-18 - 18.1-1ubuntu1
postgresql-18-jit - 18.1-1ubuntu1
postgresql-client-18 - 18.1-1ubuntu1
postgresql-plperl-18 - 18.1-1ubuntu1
postgresql-plpython3-18 - 18.1-1ubuntu1
postgresql-pltcl-18 - 18.1-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-13 13:15:00 UTC
2025-11-13 13:15:00 UTC
Aleksey Solovev
[https://ubuntu.com/security/notices/USN-7908-1]
CVE-2025-12818
CVE-2025-12819 on Ubuntu 26.04 LTS (resolute) - medium
Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-03 19:15:00 UTC
CVE-2025-12819
CVE-2025-12839 on Ubuntu 26.04 LTS (resolute) - medium
Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EXR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27947.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-23 22:15:00 UTC
CVE-2025-12839
CVE-2025-12840 on Ubuntu 26.04 LTS (resolute) - medium
Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EXR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27948.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-23 22:15:00 UTC
CVE-2025-12840
CVE-2025-12875 on Ubuntu 26.04 LTS (resolute) - medium
A weakness has been identified in mruby 3.4.0. This vulnerability affects the function ary_fill_exec of the file mrbgems/mruby-array-ext/src/array.c. Executing a manipulation of the argument start/length can lead to out-of-bounds write. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. This patch is called 93619f06dd378db6766666b30c08978311c7ec94. It is best practice to apply a patch to resolve this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-07 21:15:00 UTC
CVE-2025-12875
CVE-2025-12888 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low memory implementations of X25519, which is now turned on as the default for Xtensa.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-21 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121204
CVE-2025-12888
CVE-2025-12889 on Ubuntu 26.04 LTS (resolute) - medium
With TLS 1.2 connections a client can use any digest, specifically a weaker digest that is supported, rather than those in the CertificateRequest.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-22 00:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121205
CVE-2025-12889
CVE-2025-13120 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in mruby up to 3.4.0. This vulnerability affects the function sort_cmp of the file src/array.c. Such manipulation leads to use after free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The name of the patch is eb398971bfb43c38db3e04528b68ac9a7ce509bc. It is advisable to implement a patch to correct this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-13 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120796
CVE-2025-13120
CVE-2025-13193 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libvirt. External inactive snapshots for shut-down VMs are incorrectly created as world-readable, making it possible for unprivileged users to inspect the guest OS contents. This results in an information disclosure vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2025-13193` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnss-libvirt - 11.6.0-1ubuntu7
libvirt-clients - 11.6.0-1ubuntu7
libvirt-clients-qemu - 11.6.0-1ubuntu7
libvirt-common - 11.6.0-1ubuntu7
libvirt-daemon - 11.6.0-1ubuntu7
libvirt-daemon-common - 11.6.0-1ubuntu7
libvirt-daemon-config-network - 11.6.0-1ubuntu7
libvirt-daemon-config-nwfilter - 11.6.0-1ubuntu7
libvirt-daemon-driver-interface - 11.6.0-1ubuntu7
libvirt-daemon-driver-lxc - 11.6.0-1ubuntu7
libvirt-daemon-driver-network - 11.6.0-1ubuntu7
libvirt-daemon-driver-nodedev - 11.6.0-1ubuntu7
libvirt-daemon-driver-nwfilter - 11.6.0-1ubuntu7
libvirt-daemon-driver-qemu - 11.6.0-1ubuntu7
libvirt-daemon-driver-secret - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-disk - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-gluster - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-iscsi - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-iscsi-direct - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-logical - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-mpath - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-rbd - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-scsi - 11.6.0-1ubuntu7
libvirt-daemon-driver-storage-zfs - 11.6.0-1ubuntu7
libvirt-daemon-driver-vbox - 11.6.0-1ubuntu7
libvirt-daemon-driver-xen - 11.6.0-1ubuntu7
libvirt-daemon-lock - 11.6.0-1ubuntu7
libvirt-daemon-log - 11.6.0-1ubuntu7
libvirt-daemon-plugin-lockd - 11.6.0-1ubuntu7
libvirt-daemon-plugin-sanlock - 11.6.0-1ubuntu7
libvirt-daemon-system - 11.6.0-1ubuntu7
libvirt-daemon-system-systemd - 11.6.0-1ubuntu7
libvirt-daemon-system-sysv - 11.6.0-1ubuntu7
libvirt-l10n - 11.6.0-1ubuntu7
libvirt-login-shell - 11.6.0-1ubuntu7
libvirt-sanlock - 11.6.0-1ubuntu7
libvirt-ssh-proxy - 11.6.0-1ubuntu7
libvirt-wireshark - 11.6.0-1ubuntu7
libvirt0 - 11.6.0-1ubuntu7
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-17 17:15:00 UTC
2025-11-17 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120119
[https://ubuntu.com/security/notices/USN-7047-1]
CVE-2025-13193
CVE-2025-13353 on Ubuntu 26.04 LTS (resolute) - medium
In gokey versions <0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed.
This issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the -s option). Even if the input seed file stays the same, version 0.2.0 gokey will generate different secrets.
Impact
This vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the -s option). Keys/secrets generated just from the master password (without the -s option) are not impacted. The confidentiality of the seed itself is also not impacted (it is not required to regenerate the seed itself). Specific impact includes:
 * keys/secrets generated from a seed file may have lower entropy: it was expected that the whole seed would be used to generate keys (240 bytes of entropy input), where in vulnerable versions only 28 bytes were used
 * a malicious entity could have recovered all passwords, generated from a particular seed, having only the seed file in possession without the knowledge of the seed master password
Patches
The code logic bug has been fixed in gokey version 0.2.0 and above. Due to the deterministic nature of gokey, fixed versions will produce different passwords/secrets using seed files, as all seed entropy will be used now.
System secret rotation guidance
It is advised for users to regenerate passwords/secrets using the patched version of gokey (0.2.0 and above), and provision/rotate these secrets into respective systems in place of the old secret. A specific rotation procedure is system-dependent, but most common patterns are described below.
Systems that do not require the old password/secret for rotation
Such systems usually have a "Forgot password" facility or a similar facility allowing users to rotate their password/secrets by sending a unique "magic" link to the user's email or phone. In such cases users are advised to use this facility and input the newly generated password secret, when prompted by the system.
Systems that require the old password/secret for rotation
Such systems usually have a modal password rotation window usually in the user settings section requiring the user to input the old and the new password sometimes with a confirmation. To generate/recover the old password in such cases users are advised to:
 * temporarily download gokey version 0.1.3 https://github.com/cloudflare/gokey/releases/tag/v0.1.3 for their respective operating system to recover the old password
 * use gokey version 0.2.0 or above to generate the new password
 * populate the system provided password rotation form
Systems that allow multiple credentials for the same account to be provisioned
Such systems usually require a secret or a cryptographic key as a credential for access, but allow several credentials at the same time. One example is SSH: a particular user may have several authorized public keys configured on the SSH server for access. For such systems users are advised to:
 * generate a new secret/key/credential using gokey version 0.2.0 or above
 * provision the new secret/key/credential in addition to the existing credential on the system
 * verify that the access or required system operation is still possible with the new secret/key/credential
 * revoke authorization for the existing/old credential from the system
Credit
This vulnerability was found by Théo Cusnir ( @mister_mime https://hackerone.com/mister_mime ) and responsibly disclosed through Cloudflare's bug bounty program.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-02 11:15:00 UTC
CVE-2025-13353
CVE-2025-13372 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
Update Instructions:
Run `sudo pro fix CVE-2025-13372` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:5.2.9-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-02 14:00:00 UTC
2025-12-02 14:00:00 UTC
Stackered
[https://ubuntu.com/security/notices/USN-7903-1]
CVE-2025-13372
CVE-2025-13402 on Ubuntu 26.04 LTS (resolute) - medium
[RNP PKESK Session Keys Generated as All-Zero]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-21
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121081
CVE-2025-13402
CVE-2025-13462 on Ubuntu 26.04 LTS (resolute) - medium
The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 18:16:00 UTC
CVE-2025-13462
CVE-2025-13465 on Ubuntu 26.04 LTS (resolute) - medium
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-21 20:16:00 UTC
CVE-2025-13465
CVE-2025-13466 on Ubuntu 26.04 LTS (resolute) - medium
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic. This issue is addressed in version 2.2.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-24 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121417
CVE-2025-13466
CVE-2025-13470 on Ubuntu 26.04 LTS (resolute) - medium
In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing, resulting in it always being an all-zero byte array. Any data encrypted using public-key encryption in this release can be decrypted trivially by supplying an all-zero session key, fully compromising confidentiality. The vulnerability affects only public key encryption (PKESK packets). Passphrase-based encryption (SKESK packets) is not affected. Root cause: Vulnerable session key buffer used in PKESK packet generation. The defect was introduced in commit `7bd9a8dc356aae756b40755be76d36205b6b161a` where initialization logic inside `encrypted_build_skesk()` only randomized the key for the SKESK path and omitted it for the PKESK path.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-21 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121081
CVE-2025-13470
CVE-2025-13473 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
Update Instructions:
Run `sudo pro fix CVE-2025-13473` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:5.2.9-0ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 14:00:00 UTC
2026-02-03 14:00:00 UTC
Stackered
[https://ubuntu.com/security/notices/USN-8009-1]
CVE-2025-13473
CVE-2025-13499 on Ubuntu 26.04 LTS (resolute) - medium
Kafka dissector crash in Wireshark 4.6.0 and 4.4.0 to 4.4.10 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-21 06:15:00 UTC
CVE-2025-13499
CVE-2025-1352 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-02-16 15:15:00 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=32650
CVE-2025-1352
CVE-2025-13654 on Ubuntu 26.04 LTS (resolute) - medium
A stack buffer overflow vulnerability exists in the buffer_get function of duc, a disk management tool, where a condition can evaluate to true due to underflow, allowing an out-of-bounds read.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-05 13:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122057
CVE-2025-13654
CVE-2025-13674 on Ubuntu 26.04 LTS (resolute) - medium
BPv7 dissector crash in Wireshark 4.6.0 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-26 12:15:00 UTC
CVE-2025-13674
CVE-2025-1376 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-02-17 05:15:00 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=32672
CVE-2025-1376
CVE-2025-13763 on Ubuntu 26.04 LTS (resolute) - medium
Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 13:16:00 UTC
CVE-2025-13763
CVE-2025-1378 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, was found in radare2 5.9.9 33286. Affected is an unknown function in the library /libr/main/rasm2.c of the component rasm2. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 6.0.0 is able to address this issue. The patch is identified as c6c772d2eab692ce7ada5a4227afd50c355ad545. It is recommended to upgrade the affected component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-17 06:15:00 UTC
CVE-2025-1378
CVE-2025-13945 on Ubuntu 26.04 LTS (resolute) - medium
HTTP3 dissector crash in Wireshark 4.6.0 and 4.6.1 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-03 08:15:00 UTC
CVE-2025-13945
CVE-2025-13946 on Ubuntu 26.04 LTS (resolute) - medium
MEGACO dissector infinite loop in Wireshark 4.6.0 to 4.6.1 and 4.4.0 to 4.4.11 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-03 08:15:00 UTC
CVE-2025-13946
CVE-2025-14009 on Ubuntu 26.04 LTS (resolute) - high
A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.
Update Instructions:
Run `sudo pro fix CVE-2025-14009` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-nltk - 3.9.2-1ubuntu0.1~esm1
Available with Ubuntu Pro: https://ubuntu.com/pro
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-02-18 18:24:00 UTC
2026-02-18 18:24:00 UTC
[https://ubuntu.com/security/notices/USN-8214-1]
CVE-2025-14009
CVE-2025-14010 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in ansible-collection-community-general. This vulnerability allows for information exposure (IE) of sensitive credentials, specifically plaintext passwords, via verbose output when running Ansible with debug modes. Attackers with access to logs could retrieve these secrets and potentially compromise Keycloak accounts or administrative access.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-04 10:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121951
CVE-2025-14010
CVE-2025-14282 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Dropbear. When running in multi-user mode and authenticating users, the dropbear ssh server does the socket forwardings requested by the remote client as root, only switching to the logged-in user upon spawning a shell or performing some operations like reading the user's files. With the recent ability of also using unix domain sockets as the forwarding destination any user able to log in via ssh can connect to any unix socket with the root's credentials, bypassing both file system restrictions and any SO_PEERCRED / SO_PASSCRED checks performed by the peer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-12 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123069
CVE-2025-14282
CVE-2025-14306 on Ubuntu 26.04 LTS (resolute) - medium
A directory traversal vulnerability exists in the CacheCleaner component of Robocode version 1.9.3.6. The recursivelyDelete method fails to properly sanitize file paths, allowing attackers to traverse directories and delete arbitrary files on the system. This vulnerability can be exploited by submitting specially crafted inputs that manipulate the file path, leading to potential unauthorized file deletions. https://robo-code.blogspot.com/
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-09 16:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122289
CVE-2025-14306
CVE-2025-14307 on Ubuntu 26.04 LTS (resolute) - medium
An insecure temporary file creation vulnerability exists in the AutoExtract component of Robocode version 1.9.3.6. The createTempFile method fails to securely create temporary files, allowing attackers to exploit race conditions and potentially execute arbitrary code or overwrite critical files. This vulnerability can be exploited by manipulating the temporary file creation process, leading to potential unauthorized actions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-09 16:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122289
CVE-2025-14307
CVE-2025-14308 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability exists in the write method of the Buffer class in Robocode version 1.9.3.6. The method fails to properly validate the length of data being written, allowing attackers to cause an overflow, potentially leading to buffer overflows and arbitrary code execution. This vulnerability can be exploited by submitting specially crafted inputs that manipulate the data length, leading to potential unauthorized code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-09 16:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122289
CVE-2025-14308
CVE-2025-14369 on Ubuntu 26.04 LTS (resolute) - low
dr_flac, an audio decoder within the dr_libs toolset, contains an integer overflow vulnerability flaw due to trusting the totalPCMFrameCount field from FLAC metadata before calculating buffer size, allowing an attacker with a specially crafted file to perform DoS against programs using the tool.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-01-20 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126694
CVE-2025-14369
CVE-2025-14425 on Ubuntu 26.04 LTS (resolute) - medium
GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28248.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-23 22:15:00 UTC
2025-12-23 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-8057-1]
CVE-2025-14425
CVE-2025-14505 on Ubuntu 26.04 LTS (resolute) - medium
The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens, because the byte-length of 'k' is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result. Furthermore, due to the nature of the fault, attackers could–under certain conditions–derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs. This issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-08 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125180
CVE-2025-14505
CVE-2025-14512 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.
Update Instructions:
Run `sudo pro fix CVE-2025-14512` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-girepository-3.0 - 2.86.3-1
gir1.2-glib-2.0 - 2.86.3-1
girepository-tools - 2.86.3-1
libgirepository-2.0-0 - 2.86.3-1
libglib2.0-0t64 - 2.86.3-1
libglib2.0-bin - 2.86.3-1
libglib2.0-data - 2.86.3-1
libglib2.0-tests - 2.86.3-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-11 07:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122346
https://gitlab.gnome.org/GNOME/glib/-/issues/3845
https://bugzilla.redhat.com/show_bug.cgi?id=2421339
CVE-2025-14512
CVE-2025-14523 on Ubuntu 26.04 LTS (resolute) - medium
A flaw in libsoup’s HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-11 13:15:00 UTC
https://gitlab.gnome.org/GNOME/libsoup/-/issues/472
https://bugzilla.redhat.com/show_bug.cgi?id=2421349
CVE-2025-14523
CVE-2025-14560 on Ubuntu 26.04 LTS (resolute) - medium
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to perform unauthorized actions on behalf of another user by injecting malicious content into vulnerability code flow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 12:16:00 UTC
CVE-2025-14560
CVE-2025-14569 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was detected in ggml-org whisper.cpp up to 1.8.2. Affected is the function read_audio_data of the file /whisper.cpp/examples/common-whisper.cpp. The manipulation results in use after free. The attack requires a local approach. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-12 19:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124796
CVE-2025-14569
CVE-2025-14575 on Ubuntu 26.04 LTS (resolute) - medium
An Uncontrolled Search Path Element vulnerability in the OpenSSL TLS backend of Qt Network (qtbase) in Qt Qt Framework (Unix) allows a local attacker to load a rogue CA certificate as a trusted system authority via a crafted certificate file placed in the application's working directory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 14:16:00 UTC
CVE-2025-14575
CVE-2025-14576 on Ubuntu 26.04 LTS (resolute) - medium
Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 13:16:00 UTC
CVE-2025-14576
CVE-2025-14592 on Ubuntu 26.04 LTS (resolute) - medium
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API endpoint.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 12:16:00 UTC
CVE-2025-14592
CVE-2025-14594 on Ubuntu 26.04 LTS (resolute) - medium
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to view certain pipeline values by querying the API.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 12:16:00 UTC
CVE-2025-14594
CVE-2025-14607 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was detected in OFFIS DCMTK up to 3.6.9. Affected by this issue is the function DcmByteString::makeDicomByteString of the file dcmdata/libsrc/dcbytstr.cc of the component dcmdata. The manipulation results in memory corruption. The attack can be launched remotely. Upgrading to version 3.7.0 can resolve this issue. The patch is identified as 4c0e5c10079392c594d6a7abd95dd78ac0aa556a. You should upgrade the affected component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-13 16:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122926
CVE-2025-14607
CVE-2025-14762 on Ubuntu 26.04 LTS (resolute) - medium
Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue, upgrade AWS SDK for Ruby to version 1.208.0 or later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-17 21:15:00 UTC
CVE-2025-14762
CVE-2025-14813 on Ubuntu 26.04 LTS (resolute) - medium
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is associated with program files G3413CTRBlockCipher. This issue affects BC-JAVA: from 1.59 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-15 10:16:00 UTC
CVE-2025-14813
CVE-2025-14841 on Ubuntu 26.04 LTS (resolute) - medium
A flaw has been found in OFFIS DCMTK up to 3.6.9. The impacted element is the function DcmQueryRetrieveIndexDatabaseHandle::startFindRequest/DcmQueryRetrieveIndexDatabaseHandle::startMoveRequest in the library dcmqrdb/libsrc/dcmqrdbi.cc of the component dcmqrscp. This manipulation causes null pointer dereference. The attack requires local access. Upgrading to version 3.7.0 is sufficient to resolve this issue. Patch name: ffb1a4a37d2c876e3feeb31df4930f2aed7fa030. You should upgrade the affected component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-18 01:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123584
CVE-2025-14841
CVE-2025-14874 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-18 09:15:00 UTC
CVE-2025-14874
CVE-2025-14905 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file. This occurs because the code incorrectly calculates the buffer size by summing alias string lengths without accounting for additional formatting characters. When a large number of aliases are processed, this oversight can lead to a heap overflow, potentially allowing a remote attacker to cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-23 16:29:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2423624
CVE-2025-14905
CVE-2025-14932 on Ubuntu 26.04 LTS (resolute) - medium
NSF Unidata NetCDF-C Time Unit Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of time units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27273.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-23 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123960
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123961
CVE-2025-14932
CVE-2025-14933 on Ubuntu 26.04 LTS (resolute) - medium
NSF Unidata NetCDF-C NC Variable Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of NC variables. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27266.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-23 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123960
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123961
CVE-2025-14933
CVE-2025-14934 on Ubuntu 26.04 LTS (resolute) - medium
NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of variable names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27267.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-23 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123960
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123961
CVE-2025-14934
CVE-2025-14935 on Ubuntu 26.04 LTS (resolute) - medium
NSF Unidata NetCDF-C Dimension Name Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of dimension names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27168.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-23 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123960
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123961
CVE-2025-14935
CVE-2025-14936 on Ubuntu 26.04 LTS (resolute) - medium
NSF Unidata NetCDF-C Attribute Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of attribute names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27269.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-23 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123960
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123961
CVE-2025-14936
CVE-2025-14946 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with '-o' are incorrectly interpreted as arguments to the Secure Shell (SSH) process, rather than as hostnames. This could lead to arbitrary code execution with the privileges of the user running libnbd.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-19 13:16:00 UTC
CVE-2025-14946
CVE-2025-14956 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was determined in WebAssembly Binaryen up to 125. Affected by this issue is the function WasmBinaryReader::readExport of the file src/wasm/wasm-binary.cpp. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. Patch name: 4f52bff8c4075b5630422f902dd92a0af2c9f398. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-19 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123745
CVE-2025-14956
CVE-2025-14957 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was identified in WebAssembly Binaryen up to 125. This affects the function IRBuilder::makeLocalGet/IRBuilder::makeLocalSet/IRBuilder::makeLocalTee of the file src/wasm/wasm-ir-builder.cpp of the component IRBuilder. Such manipulation of the argument Index leads to null pointer dereference. Local access is required to approach this attack. The exploit is publicly available and might be used. The name of the patch is 6fb2b917a79578ab44cf3b900a6da4c27251e0d4. Applying a patch is advised to resolve this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-19 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123746
CVE-2025-14957
CVE-2025-15059 on Ubuntu 26.04 LTS (resolute) - medium
GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28232.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-23 04:16:00 UTC
2026-01-23 04:16:00 UTC
[https://ubuntu.com/security/notices/USN-8057-1]
CVE-2025-15059
CVE-2025-15269 on Ubuntu 26.04 LTS (resolute) - medium
FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28564.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-31 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124487
CVE-2025-15269
CVE-2025-15270 on Ubuntu 26.04 LTS (resolute) - medium
FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28563.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-31 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124487
CVE-2025-15270
CVE-2025-15271 on Ubuntu 26.04 LTS (resolute) - medium
FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28562.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-31 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124487
CVE-2025-15271
CVE-2025-15272 on Ubuntu 26.04 LTS (resolute) - medium
FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28547.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-31 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124487
CVE-2025-15272
CVE-2025-15273 on Ubuntu 26.04 LTS (resolute) - medium
FontForge PFB File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PFB files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28546.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-31 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124487
CVE-2025-15273
CVE-2025-15274 on Ubuntu 26.04 LTS (resolute) - medium
FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28544.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-31 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124487
CVE-2025-15274
CVE-2025-15275 on Ubuntu 26.04 LTS (resolute) - medium
FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28543.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-31 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124487
CVE-2025-15275
CVE-2025-15276 on Ubuntu 26.04 LTS (resolute) - medium
FontForge SFD File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28198.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-31 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124487
CVE-2025-15276
CVE-2025-15277 on Ubuntu 26.04 LTS (resolute) - medium
FontForge GUtils SGI File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of scanlines within SGI files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27920.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-31 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124487
CVE-2025-15277
CVE-2025-15278 on Ubuntu 26.04 LTS (resolute) - medium
FontForge GUtils XBM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of pixels within XBM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27865.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-31 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124487
CVE-2025-15278
CVE-2025-15279 on Ubuntu 26.04 LTS (resolute) - medium
FontForge GUtils BMP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of pixels within BMP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27517.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-31 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124487
CVE-2025-15279
CVE-2025-15280 on Ubuntu 26.04 LTS (resolute) - medium
FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28525.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-31 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124487
CVE-2025-15280
CVE-2025-15281 on Ubuntu 26.04 LTS (resolute) - medium
Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.
Update Instructions:
Run `sudo pro fix CVE-2025-15281` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
glibc-source - 2.42-2ubuntu5
libc-bin - 2.42-2ubuntu5
libc-gconv-modules-extra - 2.42-2ubuntu5
libc6 - 2.42-2ubuntu5
libc6-amd64 - 2.42-2ubuntu5
libc6-i386 - 2.42-2ubuntu5
libc6-x32 - 2.42-2ubuntu5
locales - 2.42-2ubuntu5
locales-all - 2.42-2ubuntu5
nscd - 2.42-2ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 14:16:00 UTC
2026-01-20 14:16:00 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=33814
[https://ubuntu.com/security/notices/USN-8005-1]
CVE-2025-15281
CVE-2025-15284 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1.
Summary
The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations.
Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit regardless of arrayLimit, because each a[]=value consumes one parameter slot. The severity has been reduced accordingly.
Details
The arrayLimit option only checked limits for indexed notation (a[0]=1&a[1]=2) but did not enforce it for bracket notation (a[]=1&a[]=2).
Vulnerable code (lib/parse.js:159-162):
    if (root === '[]' && options.parseArrays) {
        obj = utils.combine([], leaf);  // No arrayLimit check
    }
Working code (lib/parse.js:175):
    else if (index <= options.arrayLimit) {  // Limit checked here
        obj = [];
        obj[index] = leaf;
    }
The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.
PoC
    const qs = require('qs');
    const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
    console.log(result.a.length);  // Output: 6 (should be max 5)
Note on parameterLimit interaction: The original advisory's "DoS demonstration" claimed a length of 10,000, but parameterLimit (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000.
Impact
Consistency bug in arrayLimit enforcement. With default parameterLimit, the practical DoS risk is negligible since parameterLimit already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when parameterLimit is explicitly set to a very high value.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-29 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124315
CVE-2025-15284
CVE-2025-15411 on Ubuntu 26.04 LTS (resolute) - medium
A weakness has been identified in WebAssembly wabt up to 1.0.39. This vulnerability affects the function wabt::AST::InsertNode of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. This manipulation causes memory corruption. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recommended to the researcher to provide a PR himself.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-01 20:15:00 UTC
CVE-2025-15411
CVE-2025-15412 on Ubuntu 26.04 LTS (resolute) - medium
A security vulnerability has been detected in WebAssembly wabt up to 1.0.39. This issue affects the function wabt::Decompiler::VarName of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. Such manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recommended to the researcher to provide a PR himself.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-01 21:15:00 UTC
CVE-2025-15412
CVE-2025-15467 on Ubuntu 26.04 LTS (resolute) - medium
Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2025-15467` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu1
openssl - 3.5.5-1ubuntu1
openssl-provider-legacy - 3.5.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-27
2026-01-27
Stanislav Fort
[https://ubuntu.com/security/notices/USN-7980-1]
CVE-2025-15467
CVE-2025-15468 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service. Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported. As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity. The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2025-15468` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu1
openssl - 3.5.5-1ubuntu1
openssl-provider-legacy - 3.5.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-01-27
2026-01-27
Stanislav Fort
[https://ubuntu.com/security/notices/USN-7980-1]
CVE-2025-15468
CVE-2025-15469 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error. Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated. When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath. The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected. The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary. OpenSSL 3.5 and 3.6 are vulnerable to this issue. OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2025-15469` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu1
openssl - 3.5.5-1ubuntu1
openssl-provider-legacy - 3.5.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-01-27
2026-01-27
Stanislav Fort
[https://ubuntu.com/security/notices/USN-7980-1]
CVE-2025-15469
CVE-2025-15506 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in AcademySoftwareFoundation OpenColorIO up to 2.5.0. This issue affects the function ConvertToRegularExpression of the file src/OpenColorIO/FileRules.cpp. Performing a manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is named ebdbb75123c9d5f4643e041314e2bc988a13f20d. To fix this issue, it is recommended to deploy a patch. The fix was added to the 2.5.1 milestone.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-11 11:15:00 UTC
CVE-2025-15506
CVE-2025-15523 on Ubuntu 26.04 LTS (resolute) - medium
MacOS version of Inkscape bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Inkscape, potentially disguising attacker's malicious intent. This issue has been fixed in 1.4.3 version of Inkscape.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-22 15:16:00 UTC
CVE-2025-15523
CVE-2025-15537 on Ubuntu 26.04 LTS (resolute) - medium
A security vulnerability has been detected in Mapnik up to 4.2.0. This issue affects the function mapnik::dbf_file::string_value of the file plugins/input/shape/dbfile.cpp. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-18 10:15:00 UTC
CVE-2025-15537
CVE-2025-15538 on Ubuntu 26.04 LTS (resolute) - medium
A security vulnerability has been detected in Open Asset Import Library Assimp up to 6.0.2. Affected by this vulnerability is the function Assimp::LWOImporter::FindUVChannels of the file /src/assimp/code/AssetLib/LWO/LWOMaterial.cpp. Such manipulation leads to use after free. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. This and similar defects are tracked and handled via issue #6128.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-18 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126072
CVE-2025-15538
CVE-2025-15564 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in Mapnik up to 4.2.0. This vulnerability affects the function mapnik::detail::mod<...>::operator of the file src/value.cpp. The manipulation leads to divide by zero. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-07 22:16:00 UTC
CVE-2025-15564
CVE-2025-15570 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in ckolivas lrzip up to 0.651. This impacts the function lzma_decompress_buf of the file stream.c. Performing a manipulation results in use after free. Attacking locally is a requirement. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 14:16:00 UTC
CVE-2025-15570
CVE-2025-15571 on Ubuntu 26.04 LTS (resolute) - medium
A security vulnerability has been detected in ckolivas lrzip up to 0.651. This vulnerability affects the function ucompthread of the file stream.c. Such manipulation leads to null pointer dereference. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 15:16:00 UTC
CVE-2025-15571
CVE-2025-15581 on Ubuntu 26.04 LTS (resolute) - medium
Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-18 23:16:00 UTC
CVE-2025-15581
CVE-2025-15599 on Ubuntu 26.04 LTS (resolute) - medium
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-03 18:16:00 UTC
CVE-2025-15599
CVE-2025-1647 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bootstrap allows Cross-Site Scripting (XSS). This issue affects Bootstrap: from 3.4.1 before 4.0.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-15 17:15:00 UTC
CVE-2025-1647
CVE-2025-1713 on Ubuntu 26.04 LTS (resolute) - medium
When setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is required. This lookup, itself involving acquiring of a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-17 14:15:00 UTC
CVE-2025-1713
CVE-2025-1744 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds Write vulnerability in radareorg radare2 allows heap-based buffer over-read or buffer overflow. This issue affects radare2: before <5.9.9.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-28 04:15:00 UTC
CVE-2025-1744
CVE-2025-1860 on Ubuntu 26.04 LTS (resolute) - medium
Data::Entropy for Perl 0.007 and earlier use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-28 01:15:00 UTC
CVE-2025-1860
CVE-2025-1864 on Ubuntu 26.04 LTS (resolute) - medium
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in radareorg radare2 allows Overflow Buffers. This issue affects radare2: before <5.9.9.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-03 09:15:00 UTC
CVE-2025-1864
CVE-2025-1948 on Ubuntu 26.04 LTS (resolute) - medium
In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-08 18:15:00 UTC
CVE-2025-1948
CVE-2025-20260 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated, remote attacker to cause a buffer overflow condition, cause a denial of service (DoS) condition, or execute arbitrary code on an affected device. This vulnerability exists because memory buffers are allocated incorrectly when PDF files are processed. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to trigger a buffer overflow, likely resulting in the termination of the ClamAV scanning process and a DoS condition on the affected software. Although unproven, there is also a possibility that an attacker could leverage the buffer overflow to execute arbitrary code with the privileges of the ClamAV process.
Update Instructions:
Run `sudo pro fix CVE-2025-20260` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
clamav - 1.4.3+dfsg-0ubuntu1
clamav-base - 1.4.3+dfsg-0ubuntu1
clamav-daemon - 1.4.3+dfsg-0ubuntu1
clamav-freshclam - 1.4.3+dfsg-0ubuntu1
clamav-milter - 1.4.3+dfsg-0ubuntu1
clamav-testfiles - 1.4.3+dfsg-0ubuntu1
clamdscan - 1.4.3+dfsg-0ubuntu1
libclamav12 - 1.4.3+dfsg-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-18 18:15:00 UTC
2025-06-18 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-7615-1]
[https://ubuntu.com/security/notices/USN-7615-2]
CVE-2025-20260
CVE-2025-2123 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, has been found in GeSHi up to 1.0.9.1. Affected by this issue is the function get_var of the file /contrib/cssgen.php of the component CSS Handler. The manipulation of the argument default-styles/keywords-1/keywords-2/keywords-3/keywords-4/comments leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-09 15:15:00 UTC
https://github.com/GeSHi/geshi-1.0/issues/159
CVE-2025-2123
CVE-2025-2148 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in PyTorch 2.6.0+cu124. It has been declared as critical. Affected by this vulnerability is the function torch.ops.profiler._call_end_callbacks_on_jit_fut of the component Tuple Handler. The manipulation of the argument None leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-10 12:15:00 UTC
CVE-2025-2148
CVE-2025-2149 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as problematic. Affected by this issue is the function nnq_Sigmoid of the component Quantized Sigmoid Module. The manipulation of the argument scale/zero_point leads to improper initialization. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-10 13:15:00 UTC
CVE-2025-2149
CVE-2025-2151 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as critical was found in Open Asset Import Library Assimp 5.4.3. This vulnerability affects the function Assimp::GetNextLine in the library ParsingUtils.h of the component File Handler. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-10 13:15:00 UTC
CVE-2025-2151
CVE-2025-2152 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3. This issue affects the function Assimp::BaseImporter::ConvertToUTF8 of the file BaseImporter.cpp of the component File Handler. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-10 14:15:00 UTC
https://github.com/assimp/assimp/issues/6027
CVE-2025-2152
CVE-2025-2153 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, was found in HDF5 1.14.6. Affected is the function H5SM_delete of the file H5SM.c of the component h5 File Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-10 14:15:00 UTC
https://github.com/HDFGroup/hdf5/issues/5329
CVE-2025-2153
CVE-2025-21533 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.24 and prior to 7.1.6. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 5.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-21 21:15:00 UTC
CVE-2025-21533
CVE-2025-21548 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 9.1.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 6.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-21 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093881
CVE-2025-21548
CVE-2025-21571 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.24 and prior to 7.1.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-21 21:15:00 UTC
CVE-2025-21571
CVE-2025-21574 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-21574` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-21574
CVE-2025-21575 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-21575` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-21575
CVE-2025-21577 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-21577` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-21577
CVE-2025-21579 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Options). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-21579` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-21579
CVE-2025-21580 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-21580` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-21580
CVE-2025-21581 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-21581` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-21581
CVE-2025-21584 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-21584` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-21584
CVE-2025-21585 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-21585` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-21585
CVE-2025-21587 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition: 20.3.17 and 21.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
Update Instructions:
Run `sudo pro fix CVE-2025-21587` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.28~3ea-1ubuntu1
openjdk-11-jdk - 11.0.28~3ea-1ubuntu1
openjdk-11-jdk-headless - 11.0.28~3ea-1ubuntu1
openjdk-11-jre - 11.0.28~3ea-1ubuntu1
openjdk-11-jre-headless - 11.0.28~3ea-1ubuntu1
openjdk-11-jre-zero - 11.0.28~3ea-1ubuntu1
openjdk-11-source - 11.0.28~3ea-1ubuntu1
No subscription required
openjdk-17-demo - 17.0.15+6-1
openjdk-17-jdk - 17.0.15+6-1
openjdk-17-jdk-headless - 17.0.15+6-1
openjdk-17-jre - 17.0.15+6-1
openjdk-17-jre-headless - 17.0.15+6-1
openjdk-17-jre-zero - 17.0.15+6-1
openjdk-17-source - 17.0.15+6-1
No subscription required
openjdk-17-crac-demo - 17.0.15+6-0ubuntu1
openjdk-17-crac-jdk - 17.0.15+6-0ubuntu1
openjdk-17-crac-jdk-headless - 17.0.15+6-0ubuntu1
openjdk-17-crac-jre - 17.0.15+6-0ubuntu1
openjdk-17-crac-jre-headless - 17.0.15+6-0ubuntu1
openjdk-17-crac-jre-zero - 17.0.15+6-0ubuntu1
openjdk-17-crac-source - 17.0.15+6-0ubuntu1
No subscription required
openjdk-21-crac-demo - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-jdk - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-jdk-headless - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-jre - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-jre-headless - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-jre-zero - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-source - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-testsupport - 21.0.7+6.1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103900
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103899
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103898
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103897
[https://ubuntu.com/security/notices/USN-7480-1]
[https://ubuntu.com/security/notices/USN-7481-1]
[https://ubuntu.com/security/notices/USN-7482-1]
[https://ubuntu.com/security/notices/USN-7483-1]
[https://ubuntu.com/security/notices/USN-7484-1]
[https://ubuntu.com/security/notices/USN-7531-1]
[https://ubuntu.com/security/notices/USN-7533-1]
CVE-2025-21587
CVE-2025-21588 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-21588` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-21588
CVE-2025-21605 on Ubuntu 26.04 LTS (resolute) - medium
Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, an unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable. When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system runs out of memory. This issue has been patched in version 7.4.3. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways: either using network access control tools like firewalls, iptables, security groups, etc., or enabling TLS and requiring users to authenticate using client side certificates.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-23 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104010
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104011
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104012
CVE-2025-21605
CVE-2025-21988 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
fs/netfs/read_collect: add to next->prev_donated
If multiple subrequests donate data to the same "next" request (depending on the subrequest completion order), each of them would overwrite the `prev_donated` field, causing data corruption and a BUG() crash ("Can't donate prior to front").
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-02 13:15:00 UTC
CVE-2025-21988
CVE-2025-22077 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Revert "smb: client: fix TCP timers deadlock after rmmod"
This reverts commit e9f2517a3e18a54a3943c098d2226b245d488801.
Commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after rmmod") is intended to fix a null-ptr-deref in LOCKDEP, which is mentioned as CVE-2024-54680, but it actually did not fix anything; the issue can be reproduced on top of it. [0]
Also, it reverted the change by commit ef7134c7fc48 ("smb: client: Fix use-after-free of network namespace.") and introduced a real issue by reviving the kernel TCP socket.
When a reconnect happens for a CIFS connection, the socket state transitions to FIN_WAIT_1. Then, inet_csk_clear_xmit_timers_sync() in tcp_close() stops all timers for the socket.
If an incoming FIN packet is lost, the socket will stay at FIN_WAIT_1 forever, and such sockets could be leaked up to net.ipv4.tcp_max_orphans.
Usually, FIN can be retransmitted by the peer, but if the peer aborts the connection, the issue comes into reality.
I warned about this privately by pointing out the exact report [1], but the bogus fix was finally merged.
So, we should not stop the timers to finally kill the connection on our side in that case, meaning we must not use a kernel socket for TCP whose sk->sk_net_refcnt is 0.
The kernel socket does not have a reference to its netns to make it possible to tear down netns without cleaning up every resource in it.
For example, tunnel devices use a UDP socket internally, but we can destroy netns without removing such devices and let it complete during exit. Otherwise, netns would be leaked when the last application died.
However, this is problematic for TCP sockets because TCP has timers to close the connection gracefully even after the socket is close()d. The lifetime of the socket and its netns is different from the lifetime of the underlying connection.
If the socket user does not maintain the netns lifetime, the timer could be fired after the socket is close()d and its netns is freed up, resulting in use-after-free.
Actually, we have seen so many similar issues and converted such sockets to have a reference to netns.
That's why I converted the CIFS client socket to have a reference to netns (sk->sk_net_refcnt == 1), which is somehow mentioned as out-of-scope of CIFS and technically wrong in e9f2517a3e18, but **is in-scope and right fix**.
Regarding the LOCKDEP issue, we can prevent the module unload by bumping the module refcount when switching the LOCKDEP key in sock_lock_init_class_and_name(). [2]
For a while, let's revert the bogus fix.
Note that now we can use sk_net_refcnt_upgrade() for the socket conversion, but I'll do so later separately to make backport easy.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-16 15:16:00 UTC
CVE-2025-22077
CVE-2025-22150 on Ubuntu 26.04 LTS (resolute) - medium
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-21 18:15:00 UTC
CVE-2025-22150
CVE-2025-22233 on Ubuntu 26.04 LTS (resolute) - medium
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.
Affected Spring Products and Versions
Spring Framework:
 * 6.2.0 - 6.2.6
 * 6.1.0 - 6.1.19
 * 6.0.0 - 6.0.27
 * 5.3.0 - 5.3.42
 * Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s) | Fix Version | Availability
6.2.x | 6.2.7 | OSS
6.1.x | 6.1.20 | OSS
6.0.x | 6.0.28 | Commercial https://enterprise.spring.io/
5.3.x | 5.3.43 | Commercial https://enterprise.spring.io/
No further mitigation steps are necessary.
Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.
For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.
Credit
This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-16 20:15:00 UTC
CVE-2025-22233
CVE-2025-22235 on Ubuntu 26.04 LTS (resolute) - medium
EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.
Your application may be affected by this if all the following conditions are met:
 * You use Spring Security
 * EndpointRequest.to() has been used in a Spring Security chain configuration
 * The endpoint which EndpointRequest references is disabled or not exposed via web
 * Your application handles requests to /null and this path needs protection
You are not affected if any of the following is true:
 * You don't use Spring Security
 * You don't use EndpointRequest.to()
 * The endpoint which EndpointRequest.to() refers to is enabled and is exposed
 * Your application does not handle requests to /null or this path does not need protection
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-28 08:15:00 UTC
CVE-2025-22235
CVE-2025-22865 on Ubuntu 26.04 LTS (resolute) - medium
Using ParsePKCS1PrivateKey to parse a RSA key that is missing the CRT values would panic when verifying that the key is well formed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-28 02:15:00 UTC
Philippe Antoine (Catena cyber)
https://go.dev/issue/71216
CVE-2025-22865
CVE-2025-22866 on Ubuntu 26.04 LTS (resolute) - medium
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-06 17:15:00 UTC
2025-02-06 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-7574-1]
CVE-2025-22866
CVE-2025-22868 on Ubuntu 26.04 LTS (resolute) - medium
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-26 08:14:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098967
https://github.com/golang/go/issues/71490
CVE-2025-22868
CVE-2025-22869 on Ubuntu 26.04 LTS (resolute) - medium
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-26 08:14:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098968
CVE-2025-22869
CVE-2025-22870 on Ubuntu 26.04 LTS (resolute) - medium
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-12 19:15:00 UTC
2025-03-12 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-7574-1]
CVE-2025-22870
CVE-2025-22873 on Ubuntu 26.04 LTS (resolute) - medium
It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-04 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104816
CVE-2025-22873
CVE-2025-22874 on Ubuntu 26.04 LTS (resolute) - medium
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-11 17:15:00 UTC
Krzysztof Skrzętnicki
https://github.com/golang/go/issues/73612
CVE-2025-22874
CVE-2025-22921 on Ubuntu 26.04 LTS (resolute) - medium
FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 22:15:00 UTC
2025-02-18 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-7538-1]
CVE-2025-22921
CVE-2025-2296 on Ubuntu 26.04 LTS (resolute) - medium
EDK2 contains a vulnerability in BIOS where an attacker may cause “Improper Input Validation” by local access. Successful exploitation of this vulnerability could alter control flow in unexpected ways, potentially allowing arbitrary command execution and impacting Confidentiality, Integrity, and Availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-09 16:17:00 UTC
https://bugzilla.tianocore.org/show_bug.cgi?id=3857
CVE-2025-2296
CVE-2025-23016 on Ubuntu 26.04 LTS (resolute) - medium
FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket. This occurs in ReadParams in fcgiapp.c.
Update Instructions:
Run `sudo pro fix CVE-2025-23016` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libfcgi-bin - 2.4.5-0.1
libfcgi0t64 - 2.4.5-0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-10 12:15:00 UTC
2025-01-10 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092774
https://github.com/FastCGI-Archives/fcgi2/issues/67
[https://ubuntu.com/security/notices/USN-7486-1]
CVE-2025-23016
CVE-2025-23048 on Ubuntu 26.04 LTS (resolute) - medium
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
Update Instructions:
Run `sudo pro fix CVE-2025-23048` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.64-1ubuntu1
apache2-bin - 2.4.64-1ubuntu1
apache2-data - 2.4.64-1ubuntu1
apache2-suexec-custom - 2.4.64-1ubuntu1
apache2-suexec-pristine - 2.4.64-1ubuntu1
apache2-utils - 2.4.64-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-10 17:15:00 UTC
2025-07-10 17:15:00 UTC
Sven Hebrok, Felix Cramer, Tim Storm, Maximilian Radoy, and Juraj Somorovsky
[https://ubuntu.com/security/notices/USN-7639-1]
[https://ubuntu.com/security/notices/USN-7639-2]
CVE-2025-23048
CVE-2025-2308 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, was found in HDF5 1.14.6. This affects the function H5Z__scaleoffset_decompress_one_byte of the component Scale-Offset Filter. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor plans to fix this issue in an upcoming release.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-14 21:15:00 UTC
CVE-2025-2308
CVE-2025-2309 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in HDF5 1.14.6 and classified as critical. This vulnerability affects the function H5T__bit_copy of the component Type Conversion Logic. The manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor plans to fix this issue in an upcoming release.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-14 21:15:00 UTC
CVE-2025-2309
CVE-2025-2310 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in HDF5 1.14.6 and classified as critical. This issue affects the function H5MM_strndup of the component Metadata Attribute Decoder. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The vendor plans to fix this issue in an upcoming release.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-14 21:15:00 UTC
CVE-2025-2310
CVE-2025-23203 on Ubuntu 26.04 LTS (resolute) - medium
Icinga Director is an Icinga config deployment tool. A Security vulnerability has been found starting in version 1.0.0 and prior to 1.10.4 and 1.11.4 on several director endpoints of REST API. To reproduce this vulnerability an authenticated user with permission to access the Director is required (plus api access with regard to the api endpoints). And even though some of these Icinga Director users are restricted from accessing certain objects, are able to retrieve information related to them if their name is known. This makes it possible to change the configuration of these objects by those Icinga Director users restricted from accessing them. This results in further exploitation, data breaches and sensitive information disclosure. Affected endpoints include icingaweb2/director/service, if the host name is left out of the query; icingaweb2/directore/notification; icingaweb2/director/serviceset; and icingaweb2/director/scheduled-downtime. In addition, the endpoint `icingaweb2/director/services?host=filteredHostName` returns a status code 200 even though the services for the host is filtered. This in turn lets the restricted user know that the host `filteredHostName` exists even though the user is restricted from accessing it. This could again result in further exploitation of this information and data breaches. Icinga Director has patches in versions 1.10.4 and 1.11.4. If upgrading is not feasible, disable the director module for the users other than admin role for the time being.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-26 14:15:00 UTC
https://github.com/Icinga/icingaweb2-module-director/security/advisories/GHSA-3233-ggc5-m3qg
CVE-2025-23203
CVE-2025-23207 on Ubuntu 26.04 LTS (resolute) - medium
KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade to KaTeX v0.16.21 to remove this vulnerability. Users unable to upgrade should avoid use of or turn off the `trust` option, or set it to forbid `\htmlData` commands, forbid inputs containing the substring `"\\htmlData"` and sanitize HTML output from KaTeX.
Update Instructions:
Run `sudo pro fix CVE-2025-23207` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
fonts-katex - 0.16.10+~cs6.1.0-2ubuntu1
katex - 0.16.10+~cs6.1.0-2ubuntu1
libjs-katex - 0.16.10+~cs6.1.0-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-17 22:15:00 UTC
2025-01-17 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093446
[https://ubuntu.com/security/notices/USN-7572-1]
CVE-2025-23207
CVE-2025-23217 on Ubuntu 26.04 LTS (resolute) - medium
mitmproxy is an interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmweb 11.1.1 and below, a malicious client can use mitmweb's proxy server (bound to `*:8080` by default) to access mitmweb's internal API (bound to `127.0.0.1:8081` by default). In other words, while the client cannot access the API directly, they can access the API through the proxy. An attacker may be able to escalate this SSRF-style access to remote code execution. The mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. This vulnerability has been fixed in mitmproxy 11.1.2 and above. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-06 18:15:00 UTC
CVE-2025-23217
CVE-2025-23244 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA GPU Display Driver for Linux contains a vulnerability which could allow an unprivileged attacker to escalate permissions. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
Update Instructions:
Run `sudo pro fix CVE-2025-23244` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnvidia-cfg1-535-server - 535.247.01-0ubuntu3
libnvidia-common-535-server - 535.247.01-0ubuntu3
libnvidia-compute-535-server - 535.247.01-0ubuntu3
libnvidia-decode-535-server - 535.247.01-0ubuntu3
libnvidia-encode-535-server - 535.247.01-0ubuntu3
libnvidia-extra-535-server - 535.247.01-0ubuntu3
libnvidia-fbc1-535-server - 535.247.01-0ubuntu3
libnvidia-gl-535-server - 535.247.01-0ubuntu3
nvidia-compute-utils-535-server - 535.247.01-0ubuntu3
nvidia-dkms-535-server - 535.247.01-0ubuntu3
nvidia-dkms-535-server-open - 535.247.01-0ubuntu3
nvidia-driver-535-server - 535.247.01-0ubuntu3
nvidia-driver-535-server-open - 535.247.01-0ubuntu3
nvidia-headless-535-server - 535.247.01-0ubuntu3
nvidia-headless-535-server-open - 535.247.01-0ubuntu3
nvidia-headless-no-dkms-535-server - 535.247.01-0ubuntu3
nvidia-headless-no-dkms-535-server-open - 535.247.01-0ubuntu3
nvidia-kernel-common-535-server - 535.247.01-0ubuntu3
nvidia-kernel-source-535-server - 535.247.01-0ubuntu3
nvidia-kernel-source-535-server-open - 535.247.01-0ubuntu3
nvidia-utils-535-server - 535.247.01-0ubuntu3
xserver-xorg-video-nvidia-535-server - 535.247.01-0ubuntu3
No subscription required
libnvidia-cfg1-550-server - 550.163.01-0ubuntu1
libnvidia-common-550-server - 550.163.01-0ubuntu1
libnvidia-compute-550-server - 550.163.01-0ubuntu1
libnvidia-decode-550-server - 550.163.01-0ubuntu1
libnvidia-encode-550-server - 550.163.01-0ubuntu1
libnvidia-extra-550-server - 550.163.01-0ubuntu1
libnvidia-fbc1-550-server - 550.163.01-0ubuntu1
libnvidia-gl-550-server - 550.163.01-0ubuntu1
nvidia-compute-utils-550-server - 550.163.01-0ubuntu1
nvidia-dkms-550-server - 550.163.01-0ubuntu1
nvidia-dkms-550-server-open - 550.163.01-0ubuntu1
nvidia-driver-550-server - 550.163.01-0ubuntu1
nvidia-driver-550-server-open - 550.163.01-0ubuntu1
nvidia-headless-550-server - 550.163.01-0ubuntu1
nvidia-headless-550-server-open - 550.163.01-0ubuntu1
nvidia-headless-no-dkms-550-server - 550.163.01-0ubuntu1
nvidia-headless-no-dkms-550-server-open - 550.163.01-0ubuntu1
nvidia-kernel-common-550-server - 550.163.01-0ubuntu1
nvidia-kernel-source-550-server - 550.163.01-0ubuntu1
nvidia-kernel-source-550-server-open - 550.163.01-0ubuntu1
nvidia-utils-550-server - 550.163.01-0ubuntu1
xserver-xorg-video-nvidia-550-server - 550.163.01-0ubuntu1
No subscription required
libnvidia-cfg1-570 - 570.133.07-0ubuntu2
libnvidia-common-570 - 570.133.07-0ubuntu2
libnvidia-compute-570 - 570.133.07-0ubuntu2
libnvidia-decode-570 - 570.133.07-0ubuntu2
libnvidia-encode-570 - 570.133.07-0ubuntu2
libnvidia-extra-570 - 570.133.07-0ubuntu2
libnvidia-fbc1-570 - 570.133.07-0ubuntu2
libnvidia-gl-570 - 570.133.07-0ubuntu2
nvidia-compute-utils-570 - 570.133.07-0ubuntu2
nvidia-dkms-570 - 570.133.07-0ubuntu2
nvidia-dkms-570-open - 570.133.07-0ubuntu2
nvidia-driver-570 - 570.133.07-0ubuntu2
nvidia-driver-570-open - 570.133.07-0ubuntu2
nvidia-headless-570 - 570.133.07-0ubuntu2
nvidia-headless-570-open - 570.133.07-0ubuntu2
nvidia-headless-no-dkms-570 - 570.133.07-0ubuntu2
nvidia-headless-no-dkms-570-open - 570.133.07-0ubuntu2
nvidia-kernel-common-570 - 570.133.07-0ubuntu2
nvidia-kernel-source-570 - 570.133.07-0ubuntu2
nvidia-kernel-source-570-open - 570.133.07-0ubuntu2
nvidia-utils-570 - 570.133.07-0ubuntu2
xserver-xorg-video-nvidia-570 - 570.133.07-0ubuntu2
No subscription required
libnvidia-cfg1-570-server - 570.133.20-0ubuntu2
libnvidia-common-570-server - 570.133.20-0ubuntu2
libnvidia-compute-570-server - 570.133.20-0ubuntu2
libnvidia-decode-570-server - 570.133.20-0ubuntu2
libnvidia-encode-570-server - 570.133.20-0ubuntu2
libnvidia-extra-570-server - 570.133.20-0ubuntu2
libnvidia-fbc1-570-server - 570.133.20-0ubuntu2
libnvidia-gl-570-server - 570.133.20-0ubuntu2
nvidia-compute-utils-570-server - 570.133.20-0ubuntu2
nvidia-dkms-570-server - 570.133.20-0ubuntu2
nvidia-dkms-570-server-open - 570.133.20-0ubuntu2
nvidia-driver-570-server - 570.133.20-0ubuntu2
nvidia-driver-570-server-open - 570.133.20-0ubuntu2
nvidia-headless-570-server - 570.133.20-0ubuntu2
nvidia-headless-570-server-open - 570.133.20-0ubuntu2
nvidia-headless-no-dkms-570-server - 570.133.20-0ubuntu2
nvidia-headless-no-dkms-570-server-open - 570.133.20-0ubuntu2
nvidia-kernel-common-570-server - 570.133.20-0ubuntu2
nvidia-kernel-source-570-server - 570.133.20-0ubuntu2
nvidia-kernel-source-570-server-open - 570.133.20-0ubuntu2
nvidia-utils-570-server - 570.133.20-0ubuntu2
xserver-xorg-video-nvidia-570-server - 570.133.20-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-01 14:15:00 UTC
CVE-2025-23244
CVE-2025-23247 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the cuobjdump binary, where a failure to check the length of a buffer could allow a user to cause the tool to crash or execute arbitrary code by passing in a malformed ELF file. A successful exploit of this vulnerability might lead to arbitrary code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-27 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106734
CVE-2025-23247
CVE-2025-23248 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the nvdisasm binary where a user may cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. A successful exploit of this vulnerability may lead to a partial denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-24 14:15:00 UTC
CVE-2025-23248
CVE-2025-23255 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the cuobjdump binary where a user may cause an out-of-bounds read by passing a malformed ELF file to cuobjdump. A successful exploit of this vulnerability may lead to a partial denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-24 14:15:00 UTC
CVE-2025-23255
CVE-2025-23271 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the nvdisasm binary where a user may cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. A successful exploit of this vulnerability may lead to a partial denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-24 14:15:00 UTC
CVE-2025-23271
CVE-2025-23272 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA nvJPEG library contains a vulnerability where an attacker can cause an out-of-bounds read by means of a specially crafted JPEG file. A successful exploit of this vulnerability might lead to information disclosure or denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-24 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116335
CVE-2025-23272
CVE-2025-23273 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvJPEG where a local authenticated user may cause a divide by zero error by submitting a specially crafted JPEG file. A successful exploit of this vulnerability may lead to denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-24 14:15:00 UTC
CVE-2025-23273
CVE-2025-23274 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA nvJPEG contains a vulnerability in jpeg encoding where a user may cause an out-of-bounds read by providing a maliciously crafted input image with dimensions that cause integer overflows in array index calculations. A successful exploit of this vulnerability may lead to denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-24 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116335
CVE-2025-23274
CVE-2025-23275 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvJPEG where a local authenticated user may cause a GPU out-of-bounds write by providing certain image dimensions. A successful exploit of this vulnerability may lead to denial of service and information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-24 14:15:00 UTC
CVE-2025-23275
CVE-2025-23280 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA Display Driver for Linux contains a vulnerability where an attacker could cause a use-after-free. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure.
Update Instructions:
Run `sudo pro fix CVE-2025-23280` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnvidia-cfg1-580 - 580.95.05-0ubuntu4
libnvidia-common-580 - 580.95.05-0ubuntu4
libnvidia-compute-580 - 580.95.05-0ubuntu4
libnvidia-decode-580 - 580.95.05-0ubuntu4
libnvidia-encode-580 - 580.95.05-0ubuntu4
libnvidia-extra-580 - 580.95.05-0ubuntu4
libnvidia-fbc1-580 - 580.95.05-0ubuntu4
libnvidia-gl-580 - 580.95.05-0ubuntu4
nvidia-compute-utils-580 - 580.95.05-0ubuntu4
nvidia-dkms-580 - 580.95.05-0ubuntu4
nvidia-dkms-580-open - 580.95.05-0ubuntu4
nvidia-driver-580 - 580.95.05-0ubuntu4
nvidia-driver-580-open - 580.95.05-0ubuntu4
nvidia-firmware-580-580.95.05 - 580.95.05-0ubuntu4
nvidia-headless-580 - 580.95.05-0ubuntu4
nvidia-headless-580-open - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580 - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-open - 580.95.05-0ubuntu4
nvidia-kernel-common-580 - 580.95.05-0ubuntu4
nvidia-kernel-source-580 - 580.95.05-0ubuntu4
nvidia-kernel-source-580-open - 580.95.05-0ubuntu4
nvidia-utils-580 - 580.95.05-0ubuntu4
xserver-xorg-video-nvidia-580 - 580.95.05-0ubuntu4
No subscription required
libnvidia-cfg1-580-server - 580.95.05-0ubuntu4
libnvidia-common-580-server - 580.95.05-0ubuntu4
libnvidia-compute-580-server - 580.95.05-0ubuntu4
libnvidia-decode-580-server - 580.95.05-0ubuntu4
libnvidia-encode-580-server - 580.95.05-0ubuntu4
libnvidia-extra-580-server - 580.95.05-0ubuntu4
libnvidia-fbc1-580-server - 580.95.05-0ubuntu4
libnvidia-gl-580-server - 580.95.05-0ubuntu4
nvidia-compute-utils-580-server - 580.95.05-0ubuntu4
nvidia-dkms-580-server - 580.95.05-0ubuntu4
nvidia-dkms-580-server-open - 580.95.05-0ubuntu4
nvidia-driver-580-server - 580.95.05-0ubuntu4
nvidia-driver-580-server-open - 580.95.05-0ubuntu4
nvidia-firmware-580-server-580.95.05 - 580.95.05-0ubuntu4
nvidia-headless-580-server - 580.95.05-0ubuntu4
nvidia-headless-580-server-open - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-server - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-server-open - 580.95.05-0ubuntu4
nvidia-kernel-common-580-server - 580.95.05-0ubuntu4
nvidia-kernel-source-580-server - 580.95.05-0ubuntu4
nvidia-kernel-source-580-server-open - 580.95.05-0ubuntu4
nvidia-utils-580-server - 580.95.05-0ubuntu4
xserver-xorg-video-nvidia-580-server - 580.95.05-0ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-10 18:15:00 UTC
CVE-2025-23280
CVE-2025-23282 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA Display Driver for Linux contains a vulnerability where an attacker might be able to use a race condition to escalate privileges. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure.
Update Instructions:
Run `sudo pro fix CVE-2025-23282` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnvidia-cfg1-580 - 580.95.05-0ubuntu4
libnvidia-common-580 - 580.95.05-0ubuntu4
libnvidia-compute-580 - 580.95.05-0ubuntu4
libnvidia-decode-580 - 580.95.05-0ubuntu4
libnvidia-encode-580 - 580.95.05-0ubuntu4
libnvidia-extra-580 - 580.95.05-0ubuntu4
libnvidia-fbc1-580 - 580.95.05-0ubuntu4
libnvidia-gl-580 - 580.95.05-0ubuntu4
nvidia-compute-utils-580 - 580.95.05-0ubuntu4
nvidia-dkms-580 - 580.95.05-0ubuntu4
nvidia-dkms-580-open - 580.95.05-0ubuntu4
nvidia-driver-580 - 580.95.05-0ubuntu4
nvidia-driver-580-open - 580.95.05-0ubuntu4
nvidia-firmware-580-580.95.05 - 580.95.05-0ubuntu4
nvidia-headless-580 - 580.95.05-0ubuntu4
nvidia-headless-580-open - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580 - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-open - 580.95.05-0ubuntu4
nvidia-kernel-common-580 - 580.95.05-0ubuntu4
nvidia-kernel-source-580 - 580.95.05-0ubuntu4
nvidia-kernel-source-580-open - 580.95.05-0ubuntu4
nvidia-utils-580 - 580.95.05-0ubuntu4
xserver-xorg-video-nvidia-580 - 580.95.05-0ubuntu4
No subscription required
libnvidia-cfg1-580-server - 580.95.05-0ubuntu4
libnvidia-common-580-server - 580.95.05-0ubuntu4
libnvidia-compute-580-server - 580.95.05-0ubuntu4
libnvidia-decode-580-server - 580.95.05-0ubuntu4
libnvidia-encode-580-server - 580.95.05-0ubuntu4
libnvidia-extra-580-server - 580.95.05-0ubuntu4
libnvidia-fbc1-580-server - 580.95.05-0ubuntu4
libnvidia-gl-580-server - 580.95.05-0ubuntu4
nvidia-compute-utils-580-server - 580.95.05-0ubuntu4
nvidia-dkms-580-server - 580.95.05-0ubuntu4
nvidia-dkms-580-server-open - 580.95.05-0ubuntu4
nvidia-driver-580-server - 580.95.05-0ubuntu4
nvidia-driver-580-server-open - 580.95.05-0ubuntu4
nvidia-firmware-580-server-580.95.05 - 580.95.05-0ubuntu4
nvidia-headless-580-server - 580.95.05-0ubuntu4
nvidia-headless-580-server-open - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-server - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-server-open - 580.95.05-0ubuntu4
nvidia-kernel-common-580-server - 580.95.05-0ubuntu4
nvidia-kernel-source-580-server - 580.95.05-0ubuntu4
nvidia-kernel-source-580-server-open - 580.95.05-0ubuntu4
nvidia-utils-580-server - 580.95.05-0ubuntu4
xserver-xorg-video-nvidia-580-server - 580.95.05-0ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-10 18:15:00 UTC
CVE-2025-23282
CVE-2025-23300 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA Display Driver for Linux contains a vulnerability in the kernel driver, where a user could cause a null pointer dereference by allocating a specific memory resource. A successful exploit of this vulnerability might lead to denial of service.
Update Instructions:
Run `sudo pro fix CVE-2025-23300` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnvidia-cfg1-580 - 580.95.05-0ubuntu4
libnvidia-common-580 - 580.95.05-0ubuntu4
libnvidia-compute-580 - 580.95.05-0ubuntu4
libnvidia-decode-580 - 580.95.05-0ubuntu4
libnvidia-encode-580 - 580.95.05-0ubuntu4
libnvidia-extra-580 - 580.95.05-0ubuntu4
libnvidia-fbc1-580 - 580.95.05-0ubuntu4
libnvidia-gl-580 - 580.95.05-0ubuntu4
nvidia-compute-utils-580 - 580.95.05-0ubuntu4
nvidia-dkms-580 - 580.95.05-0ubuntu4
nvidia-dkms-580-open - 580.95.05-0ubuntu4
nvidia-driver-580 - 580.95.05-0ubuntu4
nvidia-driver-580-open - 580.95.05-0ubuntu4
nvidia-firmware-580-580.95.05 - 580.95.05-0ubuntu4
nvidia-headless-580 - 580.95.05-0ubuntu4
nvidia-headless-580-open - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580 - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-open - 580.95.05-0ubuntu4
nvidia-kernel-common-580 - 580.95.05-0ubuntu4
nvidia-kernel-source-580 - 580.95.05-0ubuntu4
nvidia-kernel-source-580-open - 580.95.05-0ubuntu4
nvidia-utils-580 - 580.95.05-0ubuntu4
xserver-xorg-video-nvidia-580 - 580.95.05-0ubuntu4
No subscription required
libnvidia-cfg1-580-server - 580.95.05-0ubuntu4
libnvidia-common-580-server - 580.95.05-0ubuntu4
libnvidia-compute-580-server - 580.95.05-0ubuntu4
libnvidia-decode-580-server - 580.95.05-0ubuntu4
libnvidia-encode-580-server - 580.95.05-0ubuntu4
libnvidia-extra-580-server - 580.95.05-0ubuntu4
libnvidia-fbc1-580-server - 580.95.05-0ubuntu4
libnvidia-gl-580-server - 580.95.05-0ubuntu4
nvidia-compute-utils-580-server - 580.95.05-0ubuntu4
nvidia-dkms-580-server - 580.95.05-0ubuntu4
nvidia-dkms-580-server-open - 580.95.05-0ubuntu4
nvidia-driver-580-server - 580.95.05-0ubuntu4
nvidia-driver-580-server-open - 580.95.05-0ubuntu4
nvidia-firmware-580-server-580.95.05 - 580.95.05-0ubuntu4
nvidia-headless-580-server - 580.95.05-0ubuntu4
nvidia-headless-580-server-open - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-server - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-server-open - 580.95.05-0ubuntu4
nvidia-kernel-common-580-server - 580.95.05-0ubuntu4
nvidia-kernel-source-580-server - 580.95.05-0ubuntu4
nvidia-kernel-source-580-server-open - 580.95.05-0ubuntu4
nvidia-utils-580-server - 580.95.05-0ubuntu4
xserver-xorg-video-nvidia-580-server - 580.95.05-0ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-23 19:15:00 UTC
CVE-2025-23300
CVE-2025-23308 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvdisasm where an attacker may cause a heap-based buffer overflow by getting the user to run nvdisasm on a malicious ELF file. A successful exploit of this vulnerability may lead to arbitrary code execution at the privilege level of the user running nvdisasm.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-24 14:15:00 UTC
CVE-2025-23308
CVE-2025-23330 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA Display Driver for Linux contains a vulnerability where an attacker might be able to trigger a null pointer dereference. A successful exploit of this vulnerability might lead to denial of service.
Update Instructions:
Run `sudo pro fix CVE-2025-23330` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnvidia-cfg1-580 - 580.95.05-0ubuntu4
libnvidia-common-580 - 580.95.05-0ubuntu4
libnvidia-compute-580 - 580.95.05-0ubuntu4
libnvidia-decode-580 - 580.95.05-0ubuntu4
libnvidia-encode-580 - 580.95.05-0ubuntu4
libnvidia-extra-580 - 580.95.05-0ubuntu4
libnvidia-fbc1-580 - 580.95.05-0ubuntu4
libnvidia-gl-580 - 580.95.05-0ubuntu4
nvidia-compute-utils-580 - 580.95.05-0ubuntu4
nvidia-dkms-580 - 580.95.05-0ubuntu4
nvidia-dkms-580-open - 580.95.05-0ubuntu4
nvidia-driver-580 - 580.95.05-0ubuntu4
nvidia-driver-580-open - 580.95.05-0ubuntu4
nvidia-firmware-580-580.95.05 - 580.95.05-0ubuntu4
nvidia-headless-580 - 580.95.05-0ubuntu4
nvidia-headless-580-open - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580 - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-open - 580.95.05-0ubuntu4
nvidia-kernel-common-580 - 580.95.05-0ubuntu4
nvidia-kernel-source-580 - 580.95.05-0ubuntu4
nvidia-kernel-source-580-open - 580.95.05-0ubuntu4
nvidia-utils-580 - 580.95.05-0ubuntu4
xserver-xorg-video-nvidia-580 - 580.95.05-0ubuntu4
No subscription required
libnvidia-cfg1-580-server - 580.95.05-0ubuntu4
libnvidia-common-580-server - 580.95.05-0ubuntu4
libnvidia-compute-580-server - 580.95.05-0ubuntu4
libnvidia-decode-580-server - 580.95.05-0ubuntu4
libnvidia-encode-580-server - 580.95.05-0ubuntu4
libnvidia-extra-580-server - 580.95.05-0ubuntu4
libnvidia-fbc1-580-server - 580.95.05-0ubuntu4
libnvidia-gl-580-server - 580.95.05-0ubuntu4
nvidia-compute-utils-580-server - 580.95.05-0ubuntu4
nvidia-dkms-580-server - 580.95.05-0ubuntu4
nvidia-dkms-580-server-open - 580.95.05-0ubuntu4
nvidia-driver-580-server - 580.95.05-0ubuntu4
nvidia-driver-580-server-open - 580.95.05-0ubuntu4
nvidia-firmware-580-server-580.95.05 - 580.95.05-0ubuntu4
nvidia-headless-580-server - 580.95.05-0ubuntu4
nvidia-headless-580-server-open - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-server - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-server-open - 580.95.05-0ubuntu4
nvidia-kernel-common-580-server - 580.95.05-0ubuntu4
nvidia-kernel-source-580-server - 580.95.05-0ubuntu4
nvidia-kernel-source-580-server-open - 580.95.05-0ubuntu4
nvidia-utils-580-server - 580.95.05-0ubuntu4
xserver-xorg-video-nvidia-580-server - 580.95.05-0ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-23 19:15:00 UTC
CVE-2025-23330
CVE-2025-23332 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA Display Driver for Linux contains a vulnerability in a kernel module, where an attacker might be able to trigger a null pointer dereference. A successful exploit of this vulnerability might lead to denial of service.
Update Instructions:
Run `sudo pro fix CVE-2025-23332` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnvidia-cfg1-580 - 580.95.05-0ubuntu4
libnvidia-common-580 - 580.95.05-0ubuntu4
libnvidia-compute-580 - 580.95.05-0ubuntu4
libnvidia-decode-580 - 580.95.05-0ubuntu4
libnvidia-encode-580 - 580.95.05-0ubuntu4
libnvidia-extra-580 - 580.95.05-0ubuntu4
libnvidia-fbc1-580 - 580.95.05-0ubuntu4
libnvidia-gl-580 - 580.95.05-0ubuntu4
nvidia-compute-utils-580 - 580.95.05-0ubuntu4
nvidia-dkms-580 - 580.95.05-0ubuntu4
nvidia-dkms-580-open - 580.95.05-0ubuntu4
nvidia-driver-580 - 580.95.05-0ubuntu4
nvidia-driver-580-open - 580.95.05-0ubuntu4
nvidia-firmware-580-580.95.05 - 580.95.05-0ubuntu4
nvidia-headless-580 - 580.95.05-0ubuntu4
nvidia-headless-580-open - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580 - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-open - 580.95.05-0ubuntu4
nvidia-kernel-common-580 - 580.95.05-0ubuntu4
nvidia-kernel-source-580 - 580.95.05-0ubuntu4
nvidia-kernel-source-580-open - 580.95.05-0ubuntu4
nvidia-utils-580 - 580.95.05-0ubuntu4
xserver-xorg-video-nvidia-580 - 580.95.05-0ubuntu4
No subscription required
libnvidia-cfg1-580-server - 580.95.05-0ubuntu4
libnvidia-common-580-server - 580.95.05-0ubuntu4
libnvidia-compute-580-server - 580.95.05-0ubuntu4
libnvidia-decode-580-server - 580.95.05-0ubuntu4
libnvidia-encode-580-server - 580.95.05-0ubuntu4
libnvidia-extra-580-server - 580.95.05-0ubuntu4
libnvidia-fbc1-580-server - 580.95.05-0ubuntu4
libnvidia-gl-580-server - 580.95.05-0ubuntu4
nvidia-compute-utils-580-server - 580.95.05-0ubuntu4
nvidia-dkms-580-server - 580.95.05-0ubuntu4
nvidia-dkms-580-server-open - 580.95.05-0ubuntu4
nvidia-driver-580-server - 580.95.05-0ubuntu4
nvidia-driver-580-server-open - 580.95.05-0ubuntu4
nvidia-firmware-580-server-580.95.05 - 580.95.05-0ubuntu4
nvidia-headless-580-server - 580.95.05-0ubuntu4
nvidia-headless-580-server-open - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-server - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-server-open - 580.95.05-0ubuntu4
nvidia-kernel-common-580-server - 580.95.05-0ubuntu4
nvidia-kernel-source-580-server - 580.95.05-0ubuntu4
nvidia-kernel-source-580-server-open - 580.95.05-0ubuntu4
nvidia-utils-580-server - 580.95.05-0ubuntu4
xserver-xorg-video-nvidia-580-server - 580.95.05-0ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-23 19:15:00 UTC
CVE-2025-23332
CVE-2025-23338 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in nvdisasm where a user may cause an out-of-bounds write by running nvdisasm on a malicious ELF file. A successful exploit of this vulnerability may lead to denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-24 14:15:00 UTC
CVE-2025-23338
CVE-2025-23339 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in cuobjdump where an attacker may cause a stack-based buffer overflow by getting the user to run cuobjdump on a malicious ELF file. A successful exploit of this vulnerability may lead to arbitrary code execution at the privilege level of the user running cuobjdump.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-24 14:15:00 UTC
CVE-2025-23339
CVE-2025-23340 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the nvdisasm binary where a user may cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. A successful exploit of this vulnerability may lead to a partial denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-24 14:15:00 UTC
CVE-2025-23340
CVE-2025-23345 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA Display Driver for Windows and Linux contains a vulnerability in a video decoder, where an attacker might cause an out-of-bounds read. A successful exploit of this vulnerability might lead to information disclosure or denial of service.
Update Instructions:
Run `sudo pro fix CVE-2025-23345` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnvidia-cfg1-580 - 580.95.05-0ubuntu4
libnvidia-common-580 - 580.95.05-0ubuntu4
libnvidia-compute-580 - 580.95.05-0ubuntu4
libnvidia-decode-580 - 580.95.05-0ubuntu4
libnvidia-encode-580 - 580.95.05-0ubuntu4
libnvidia-extra-580 - 580.95.05-0ubuntu4
libnvidia-fbc1-580 - 580.95.05-0ubuntu4
libnvidia-gl-580 - 580.95.05-0ubuntu4
nvidia-compute-utils-580 - 580.95.05-0ubuntu4
nvidia-dkms-580 - 580.95.05-0ubuntu4
nvidia-dkms-580-open - 580.95.05-0ubuntu4
nvidia-driver-580 - 580.95.05-0ubuntu4
nvidia-driver-580-open - 580.95.05-0ubuntu4
nvidia-firmware-580-580.95.05 - 580.95.05-0ubuntu4
nvidia-headless-580 - 580.95.05-0ubuntu4
nvidia-headless-580-open - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580 - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-open - 580.95.05-0ubuntu4
nvidia-kernel-common-580 - 580.95.05-0ubuntu4
nvidia-kernel-source-580 - 580.95.05-0ubuntu4
nvidia-kernel-source-580-open - 580.95.05-0ubuntu4
nvidia-utils-580 - 580.95.05-0ubuntu4
xserver-xorg-video-nvidia-580 - 580.95.05-0ubuntu4
No subscription required
libnvidia-cfg1-580-server - 580.95.05-0ubuntu4
libnvidia-common-580-server - 580.95.05-0ubuntu4
libnvidia-compute-580-server - 580.95.05-0ubuntu4
libnvidia-decode-580-server - 580.95.05-0ubuntu4
libnvidia-encode-580-server - 580.95.05-0ubuntu4
libnvidia-extra-580-server - 580.95.05-0ubuntu4
libnvidia-fbc1-580-server - 580.95.05-0ubuntu4
libnvidia-gl-580-server - 580.95.05-0ubuntu4
nvidia-compute-utils-580-server - 580.95.05-0ubuntu4
nvidia-dkms-580-server - 580.95.05-0ubuntu4
nvidia-dkms-580-server-open - 580.95.05-0ubuntu4
nvidia-driver-580-server - 580.95.05-0ubuntu4
nvidia-driver-580-server-open - 580.95.05-0ubuntu4
nvidia-firmware-580-server-580.95.05 - 580.95.05-0ubuntu4
nvidia-headless-580-server - 580.95.05-0ubuntu4
nvidia-headless-580-server-open - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-server - 580.95.05-0ubuntu4
nvidia-headless-no-dkms-580-server-open - 580.95.05-0ubuntu4
nvidia-kernel-common-580-server - 580.95.05-0ubuntu4
nvidia-kernel-source-580-server - 580.95.05-0ubuntu4
nvidia-kernel-source-580-server-open - 580.95.05-0ubuntu4
nvidia-utils-580-server - 580.95.05-0ubuntu4
xserver-xorg-video-nvidia-580-server - 580.95.05-0ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-23 19:15:00 UTC
CVE-2025-23345
CVE-2025-23346 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA CUDA Toolkit contains a vulnerability in cuobjdump, where an unprivileged user can cause a NULL pointer dereference. A successful exploit of this vulnerability may lead to a limited denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-24 14:15:00 UTC
CVE-2025-23346
CVE-2025-23386 on Ubuntu 26.04 LTS (resolute) - medium
An Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed package gerbera allows the service user gerbera to escalate to root. This issue affects gerbera on openSUSE Tumbleweed before 2.5.0-1.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-10 10:15:00 UTC
CVE-2025-23386
CVE-2025-23394 on Ubuntu 26.04 LTS (resolute) - medium
A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root. This issue affects openSUSE Tumbleweed cyrus-imapd before 3.8.4-2.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-26 16:15:00 UTC
CVE-2025-23394
CVE-2025-2357 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in DCMTK 3.6.9. It has been declared as critical. This vulnerability affects unknown code of the component dcmjpls JPEG-LS Decoder. The manipulation leads to memory corruption. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 3239a7915. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-17 02:15:00 UTC
CVE-2025-2357
CVE-2025-2361 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Mercurial SCM 4.5.3/71.19.145.211. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument cmd leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-17 05:15:00 UTC
CVE-2025-2361
CVE-2025-2368 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in WebAssembly wabt 1.0.36 and classified as critical. This issue affects the function wabt::interp::(anonymous namespace)::BinaryReaderInterp::OnExport of the file wabt/src/interp/binary-reader-interp.cc of the component Malformed File Handler. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-17 08:15:00 UTC
CVE-2025-2368
CVE-2025-24031 on Ubuntu 26.04 LTS (resolute) - medium
PAM-PKCS#11 is a Linux-PAM login module that allows an X.509 certificate based user login. In versions 0.6.12 and prior, the pam_pkcs11 module segfaults when a user presses ctrl-c/ctrl-d when they are asked for a PIN. When a user enters no PIN at all, `pam_get_pwd` will never initialize the password buffer pointer and as such `cleanse` will try to dereference an uninitialized pointer. On my system this pointer happens to have the value 3 most of the time when running sudo and as such it will segfault. The most likely impact to a system affected by this issue is an availability impact due to a daemon that uses PAM crashing. As of time of publication, a patch for the issue is unavailable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-10 16:15:00 UTC
CVE-2025-24031
CVE-2025-24293 on Ubuntu 26.04 LTS (resolute) - medium
# Active Storage allowed transformation methods potentially unsafe

Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.

The default allowed list contains three methods that allow for the circumvention of the safe defaults, which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters.

Impact
------
This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.

Vulnerable code will look something similar to this:

```
<%= image_tag blob.variant(params[:t] => params[:v]) %>
```

Where the transformation method or its arguments are untrusted arbitrary input.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds
-----------
Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.

Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed.

Credits
-------
Thank you [lio346](https://hackerone.com/lio346) for reporting this!
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-30 21:15:00 UTC
CVE-2025-24293
CVE-2025-24294 on Ubuntu 26.04 LTS (resolute) - medium
The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name. This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.
Update Instructions:
Run `sudo pro fix CVE-2025-24294` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libruby3.3 - 3.3.8-2ubuntu2
ruby3.3 - 3.3.8-2ubuntu2
No subscription required
bundler - 2.6.7-2ubuntu1
ruby-bundler - 2.6.7-2ubuntu1
ruby-rubygems - 3.6.7-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-12 04:15:00 UTC
2025-07-12 04:15:00 UTC
[https://ubuntu.com/security/notices/USN-7734-1]
[https://ubuntu.com/security/notices/USN-7735-1]
CVE-2025-24294
CVE-2025-24528 on Ubuntu 26.04 LTS (resolute) - medium
In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash.
Update Instructions:
Run `sudo pro fix CVE-2025-24528` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
krb5-admin-server - 1.21.3-4ubuntu2
krb5-gss-samples - 1.21.3-4ubuntu2
krb5-k5tls - 1.21.3-4ubuntu2
krb5-kdc - 1.21.3-4ubuntu2
krb5-kdc-ldap - 1.21.3-4ubuntu2
krb5-kpropd - 1.21.3-4ubuntu2
krb5-locales - 1.21.3-4ubuntu2
krb5-multidev - 1.21.3-4ubuntu2
krb5-otp - 1.21.3-4ubuntu2
krb5-pkinit - 1.21.3-4ubuntu2
krb5-user - 1.21.3-4ubuntu2
libgssapi-krb5-2 - 1.21.3-4ubuntu2
libgssrpc4t64 - 1.21.3-4ubuntu2
libk5crypto3 - 1.21.3-4ubuntu2
libkadm5clnt-mit12 - 1.21.3-4ubuntu2
libkadm5srv-mit12 - 1.21.3-4ubuntu2
libkdb5-10t64 - 1.21.3-4ubuntu2
libkrad0 - 1.21.3-4ubuntu2
libkrb5-3 - 1.21.3-4ubuntu2
libkrb5support0 - 1.21.3-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-31
2025-01-31
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094730
https://bugzilla.redhat.com/show_bug.cgi?id=2342796
[https://ubuntu.com/security/notices/USN-7314-1]
CVE-2025-24528
CVE-2025-24529 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the Insert tab.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-23 06:15:00 UTC
CVE-2025-24529
CVE-2025-24530 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-01-23 06:15:00 UTC
CVE-2025-24530
CVE-2025-24807 on Ubuntu 26.04 LTS (resolute) - medium
eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0, per design, PermissionsCA is not full chain validated, nor is the expiration date validated. Access control plugin validates only the S/MIME signature which causes an expired PermissionsCA to be taken as valid. Even though this issue is responsible for allowing `governance/permissions` from an expired PermissionsCA and having the system crash when PermissionsCA is not self-signed and contains the full-chain, the impact is low. Versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0 contain a fix for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-11 16:15:00 UTC
CVE-2025-24807
CVE-2025-24813 on Ubuntu 26.04 LTS (resolute) - high
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2025-24813` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtomcat9-java - 9.0.70-2ubuntu2
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2025 Canonical Ltd.
2025-03-10 17:15:00 UTC
2025-03-10 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-7525-1]
[https://ubuntu.com/security/notices/USN-7525-2]
CVE-2025-24813
CVE-2025-24857 on Ubuntu 26.04 LTS (resolute) - medium
Improper access control for volatile memory containing boot code in Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 could allow an attacker to execute arbitrary code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-10 21:16:00 UTC
CVE-2025-24857
CVE-2025-2487 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the 389-ds-base LDAP Server. This issue occurs when issuing a Modify DN LDAP operation through the ldap protocol, when the function return value is not tested and a NULL pointer is dereferenced. If a privileged user performs a ldap MODDN operation after a failed operation, it could lead to a Denial of Service (DoS) or system crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-18 17:15:00 UTC
CVE-2025-2487
CVE-2025-24959 on Ubuntu 26.04 LTS (resolute) - medium
zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into `process.env`. This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through `dotenv.stringify` are particularly vulnerable. This issue has been patched in version 8.3.2. Users should immediately upgrade to this version to mitigate the vulnerability. If upgrading is not feasible, users can mitigate the vulnerability by sanitizing user-controlled environment variable values before passing them to `dotenv.stringify`. Specifically, avoid using `"`, `'`, and backticks in values, or enforce strict validation of environment variables before usage.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-03 21:15:00 UTC
CVE-2025-24959
CVE-2025-24965 on Ubuntu 26.04 LTS (resolute) - medium
crun is an open source OCI Container Runtime fully written in C. In affected versions a malicious container image could trick the krun handler into escaping the root filesystem, allowing file creation or modification on the host. No special permissions are needed, only the ability for the current user to write to the target file. The problem is fixed in crun 1.20 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-19 17:15:00 UTC
CVE-2025-24965
CVE-2025-24970 on Ubuntu 26.04 LTS (resolute) - medium
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases, which can lead to a native crash. Version 4.1.118.Final contains a patch. As a workaround it's possible to either disable the usage of the native SSLEngine or change the code manually.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-10 22:15:00 UTC
CVE-2025-24970
CVE-2025-24975 on Ubuntu 26.04 LTS (resolute) - medium
Firebird is a relational database. Prior to snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, Firebird is vulnerable if ExtConnPoolSize is not set equal to 0. If connections stored in ExtConnPool are not verified for presence and suitability of the CryptCallback interface is used when created versus what is available could result in a segfault in the server process. Encrypted databases, accessed by execute statement on external, may be accessed later by an attachment missing a key to that database. In a case when execute statement are chained, segfault may happen. Additionally, the segfault may affect unencrypted databases. This issue has been patched in snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609 and point releases 4.0.6 and 5.0.2. A workaround for this issue involves setting ExtConnPoolSize equal to 0 in firebird.conf.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-15 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111322
CVE-2025-24975
CVE-2025-25066 on Ubuntu 26.04 LTS (resolute) - medium
nDPI through 4.12 has a potential stack-based buffer overflow in ndpi_address_cache_restore in lib/ndpi_cache.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-03 06:15:00 UTC
CVE-2025-25066
CVE-2025-25184 on Ubuntu 26.04 LTS (resolute) - low
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs. When a user provides the authorization credentials via Rack::Auth::Basic, if success, the username will be put in env['REMOTE_USER'] and later be used by Rack::CommonLogger for logging purposes. The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile. Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files. Versions 2.2.11, 3.0.12, and 3.1.10 contain a fix.
Update Instructions:
Run `sudo pro fix CVE-2025-25184` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ruby-rack - 3.1.16-0.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-02-12 17:15:00 UTC
2025-02-12 17:15:00 UTC
Nhật Thái Đỗ
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098257
[https://ubuntu.com/security/notices/USN-7366-1]
[https://ubuntu.com/security/notices/USN-7366-2]
CVE-2025-25184
CVE-2025-25193 on Ubuntu 26.04 LTS (resolute) - medium
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-10 22:15:00 UTC
CVE-2025-25193
CVE-2025-25299 on Ubuntu 26.04 LTS (resolute) - medium
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. During a recent internal audit, a Cross-Site Scripting (XSS) vulnerability was discovered in the CKEditor 5 real-time collaboration package. This vulnerability affects user markers, which represent users' positions within the document. It can lead to unauthorized JavaScript code execution, which might happen with a very specific editor and token endpoint configuration. This vulnerability affects only installations with Real-time collaborative editing enabled. The problem has been recognized and patched. The fix is available in version 44.2.1 (and above). Users are advised to upgrade. There are no known workarounds for this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-20 20:15:00 UTC
CVE-2025-25299
CVE-2025-25304 on Ubuntu 26.04 LTS (resolute) - medium
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the `vlSelectionTuples` function can be used to call JavaScript functions, leading to cross-site scripting. `vlSelectionTuples` calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. This can be used to call `Function()` with arbitrary JavaScript and the resulting function can be called with `vlSelectionTuples` or using a type coercion to call `toString` or `valueOf`. Version 5.26.0 of vega and 5.4.2 of vega-selections fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-14 20:15:00 UTC
CVE-2025-25304
CVE-2025-2545 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Best Practical Solutions, LLC's Request Tracker prior to v5.0.8, where the Triple DES (3DES) cryptographic algorithm is used to protect emails sent with S/MIME encryption. Triple DES is considered obsolete and insecure due to its susceptibility to birthday attacks, which could compromise the confidentiality of encrypted messages.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-05 12:15:00 UTC
2025-05-05 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104422
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104424
[https://ubuntu.com/security/notices/USN-7692-1]
CVE-2025-2545
CVE-2025-25467 on Ubuntu 26.04 LTS (resolute) - medium
Insufficient tracking and releasing of allocated used memory in libx264 git master allows attackers to execute arbitrary code via creating a crafted AAC file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 22:15:00 UTC
CVE-2025-25467
CVE-2025-25472 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow in DCMTK git master v3.6.9+ DEV allows attackers to cause a Denial of Service (DoS) via a crafted DCM file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 23:15:00 UTC
CVE-2025-25472
CVE-2025-25473 on Ubuntu 26.04 LTS (resolute) - medium
FFmpeg git master before commit c08d30 was discovered to contain a memory leak in the avformat_free_context function in libavutil/mem.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 23:15:00 UTC
2025-02-18 23:15:00 UTC
[https://ubuntu.com/security/notices/USN-7538-1]
CVE-2025-25473
CVE-2025-25474 on Ubuntu 26.04 LTS (resolute) - medium
DCMTK v3.6.9+ DEV was discovered to contain a buffer overflow via the component /dcmimgle/diinpxt.h.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 23:15:00 UTC
CVE-2025-25474
CVE-2025-25475 on Ubuntu 26.04 LTS (resolute) - medium
A NULL pointer dereference in the component /libsrc/dcrleccd.cc of DCMTK v3.6.9+ DEV allows attackers to cause a Denial of Service (DoS) via a crafted DICOM file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18 23:15:00 UTC
CVE-2025-25475
CVE-2025-2574 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds array write in Xpdf 4.05 and earlier, due to incorrect integer overflow checking in the PostScript function interpreter code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-20 21:15:00 UTC
CVE-2025-2574
CVE-2025-2581 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in xmedcon 0.25.0 and classified as problematic. Affected by this vulnerability is the function malloc of the component DICOM File Handler. The manipulation leads to integer underflow. The attack can be launched remotely. Upgrading to version 0.25.1 is able to address this issue. It is recommended to upgrade the affected component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-21 05:15:00 UTC
CVE-2025-2581
CVE-2025-2584 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in WebAssembly wabt 1.0.36. It has been declared as critical. This vulnerability affects the function BinaryReaderInterp::GetReturnCallDropKeepCount of the file wabt/src/interp/binary-reader-interp.cc. The manipulation leads to heap-based buffer overflow. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-21 08:15:00 UTC
CVE-2025-2584
CVE-2025-2588 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in Hercules Augeas 1.14.1 and classified as problematic. This vulnerability affects the function re_case_expand of the file src/fa.c. The manipulation of the argument re leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-21 12:15:00 UTC
https://github.com/hercules-team/augeas/issues/852
CVE-2025-2588
CVE-2025-2591 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic was found in Open Asset Import Library Assimp 5.4.3. This vulnerability affects the function MDLImporter::InternReadFile_Quake1 of the file code/AssetLib/MDL/MDLLoader.cpp. The manipulation of the argument skinwidth/skinheight leads to divide by zero. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is identified as ab66a1674fcfac87aaba4c8b900b315ebc3e7dbd. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-21 14:15:00 UTC
https://github.com/assimp/assimp/issues/6009
CVE-2025-2591
CVE-2025-2592 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3. This issue affects the function CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is named 2690e354da0c681db000cfd892a55226788f2743. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-21 14:15:00 UTC
https://github.com/assimp/assimp/issues/6010
CVE-2025-2592
CVE-2025-26465 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.
Update Instructions:
Run `sudo pro fix CVE-2025-26465` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openssh-client - 9.9p1-3ubuntu3
openssh-client-gssapi - 9.9p1-3ubuntu3
openssh-server - 9.9p1-3ubuntu3
openssh-server-gssapi - 9.9p1-3ubuntu3
openssh-sftp-server - 9.9p1-3ubuntu3
openssh-tests - 9.9p1-3ubuntu3
ssh - 9.9p1-3ubuntu3
ssh-askpass-gnome - 9.9p1-3ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-18
2025-02-18
Qualys
[https://ubuntu.com/security/notices/USN-7270-1]
[https://ubuntu.com/security/notices/USN-7270-2]
CVE-2025-26465
CVE-2025-26519 on Ubuntu 26.04 LTS (resolute) - medium
musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-14 04:15:00 UTC
CVE-2025-26519
CVE-2025-26520 on Ubuntu 26.04 LTS (resolute) - medium
Cacti through 1.2.29 allows SQL injection in the template function in host_templates.php via the graph_template parameter. NOTE: this issue exists because of an incomplete fix for CVE-2024-54146.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-12 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095721
CVE-2025-26520
CVE-2025-26594 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free flaw was found in X.Org and Xwayland. The root cursor is referenced in the X server as a global variable. If a client frees the root cursor, the internal reference points to freed memory and causes a use-after-free.
Update Instructions:
Run `sudo pro fix CVE-2025-26594` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.16-1ubuntu1
xorg-server-source - 2:21.1.16-1ubuntu1
xserver-common - 2:21.1.16-1ubuntu1
xserver-xephyr - 2:21.1.16-1ubuntu1
xserver-xorg-core - 2:21.1.16-1ubuntu1
xserver-xorg-legacy - 2:21.1.16-1ubuntu1
xvfb - 2:21.1.16-1ubuntu1
No subscription required
xwayland - 2:24.1.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-25 15:00:00 UTC
2025-02-25 15:00:00 UTC
Jan-Niklas Sohn
[https://ubuntu.com/security/notices/USN-7299-1]
[https://ubuntu.com/security/notices/USN-7299-2]
[https://ubuntu.com/security/notices/USN-7299-4]
CVE-2025-26594
CVE-2025-26595 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow flaw was found in X.Org and Xwayland. The code in XkbVModMaskText() allocates a fixed-sized buffer on the stack and copies the names of the virtual modifiers to that buffer. The code fails to check the bounds of the buffer and would copy the data regardless of the size.
Update Instructions:
Run `sudo pro fix CVE-2025-26595` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.16-1ubuntu1
xorg-server-source - 2:21.1.16-1ubuntu1
xserver-common - 2:21.1.16-1ubuntu1
xserver-xephyr - 2:21.1.16-1ubuntu1
xserver-xorg-core - 2:21.1.16-1ubuntu1
xserver-xorg-legacy - 2:21.1.16-1ubuntu1
xvfb - 2:21.1.16-1ubuntu1
No subscription required
xwayland - 2:24.1.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-25 15:00:00 UTC
2025-02-25 15:00:00 UTC
Jan-Niklas Sohn
[https://ubuntu.com/security/notices/USN-7299-1]
[https://ubuntu.com/security/notices/USN-7299-2]
[https://ubuntu.com/security/notices/USN-7299-3]
[https://ubuntu.com/security/notices/USN-7299-4]
CVE-2025-26595
CVE-2025-26596 on Ubuntu 26.04 LTS (resolute) - medium
A heap overflow flaw was found in X.Org and Xwayland. The computation of the length in XkbSizeKeySyms() differs from what is written in XkbWriteKeySyms(), which may lead to a heap-based buffer overflow.
Update Instructions:
Run `sudo pro fix CVE-2025-26596` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.16-1ubuntu1
xorg-server-source - 2:21.1.16-1ubuntu1
xserver-common - 2:21.1.16-1ubuntu1
xserver-xephyr - 2:21.1.16-1ubuntu1
xserver-xorg-core - 2:21.1.16-1ubuntu1
xserver-xorg-legacy - 2:21.1.16-1ubuntu1
xvfb - 2:21.1.16-1ubuntu1
No subscription required
xwayland - 2:24.1.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-25 15:00:00 UTC
2025-02-25 15:00:00 UTC
Jan-Niklas Sohn
[https://ubuntu.com/security/notices/USN-7299-1]
[https://ubuntu.com/security/notices/USN-7299-2]
[https://ubuntu.com/security/notices/USN-7299-3]
[https://ubuntu.com/security/notices/USN-7299-4]
CVE-2025-26596
CVE-2025-26597 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow flaw was found in X.Org and Xwayland. If XkbChangeTypesOfKey() is called with a 0 group, it will resize the key symbols table to 0 but leave the key actions unchanged. If the same function is later called with a non-zero value of groups, this will cause a buffer overflow because the key actions are of the wrong size.
Update Instructions:
Run `sudo pro fix CVE-2025-26597` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.16-1ubuntu1
xorg-server-source - 2:21.1.16-1ubuntu1
xserver-common - 2:21.1.16-1ubuntu1
xserver-xephyr - 2:21.1.16-1ubuntu1
xserver-xorg-core - 2:21.1.16-1ubuntu1
xserver-xorg-legacy - 2:21.1.16-1ubuntu1
xvfb - 2:21.1.16-1ubuntu1
No subscription required
xwayland - 2:24.1.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-25 15:00:00 UTC
2025-02-25 15:00:00 UTC
Jan-Niklas Sohn
[https://ubuntu.com/security/notices/USN-7299-1]
[https://ubuntu.com/security/notices/USN-7299-2]
[https://ubuntu.com/security/notices/USN-7299-3]
[https://ubuntu.com/security/notices/USN-7299-4]
CVE-2025-26597
CVE-2025-26598 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds write flaw was found in X.Org and Xwayland. The function GetBarrierDevice() searches for the pointer device based on its device ID and returns the matching value, or supposedly NULL, if no match was found. However, the code will return the last element of the list if no matching device ID is found, which can lead to out-of-bounds memory access.
Update Instructions:
Run `sudo pro fix CVE-2025-26598` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.16-1ubuntu1
xorg-server-source - 2:21.1.16-1ubuntu1
xserver-common - 2:21.1.16-1ubuntu1
xserver-xephyr - 2:21.1.16-1ubuntu1
xserver-xorg-core - 2:21.1.16-1ubuntu1
xserver-xorg-legacy - 2:21.1.16-1ubuntu1
xvfb - 2:21.1.16-1ubuntu1
No subscription required
xwayland - 2:24.1.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-25 15:00:00 UTC
2025-02-25 15:00:00 UTC
Jan-Niklas Sohn
[https://ubuntu.com/security/notices/USN-7299-1]
[https://ubuntu.com/security/notices/USN-7299-2]
[https://ubuntu.com/security/notices/USN-7299-3]
[https://ubuntu.com/security/notices/USN-7299-4]
CVE-2025-26598
CVE-2025-26599 on Ubuntu 26.04 LTS (resolute) - medium
An access to an uninitialized pointer flaw was found in X.Org and Xwayland. The function compCheckRedirect() may fail if it cannot allocate the backing pixmap. In that case, compRedirectWindow() will return a BadAlloc error without validating the window tree marked just before, which leaves the validated data partly initialized and the use of an uninitialized pointer later.
Update Instructions:
Run `sudo pro fix CVE-2025-26599` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.16-1ubuntu1
xorg-server-source - 2:21.1.16-1ubuntu1
xserver-common - 2:21.1.16-1ubuntu1
xserver-xephyr - 2:21.1.16-1ubuntu1
xserver-xorg-core - 2:21.1.16-1ubuntu1
xserver-xorg-legacy - 2:21.1.16-1ubuntu1
xvfb - 2:21.1.16-1ubuntu1
No subscription required
xwayland - 2:24.1.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-25 15:00:00 UTC
2025-02-25 15:00:00 UTC
Jan-Niklas Sohn
[https://ubuntu.com/security/notices/USN-7299-1]
[https://ubuntu.com/security/notices/USN-7299-2]
[https://ubuntu.com/security/notices/USN-7299-3]
[https://ubuntu.com/security/notices/USN-7299-4]
CVE-2025-26599
CVE-2025-26600 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free flaw was found in X.Org and Xwayland. When a device is removed while still frozen, the events queued for that device remain while the device is freed. Replaying the events will cause a use-after-free.
Update Instructions:
Run `sudo pro fix CVE-2025-26600` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.16-1ubuntu1
xorg-server-source - 2:21.1.16-1ubuntu1
xserver-common - 2:21.1.16-1ubuntu1
xserver-xephyr - 2:21.1.16-1ubuntu1
xserver-xorg-core - 2:21.1.16-1ubuntu1
xserver-xorg-legacy - 2:21.1.16-1ubuntu1
xvfb - 2:21.1.16-1ubuntu1
No subscription required
xwayland - 2:24.1.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-25 15:00:00 UTC
2025-02-25 15:00:00 UTC
Jan-Niklas Sohn
[https://ubuntu.com/security/notices/USN-7299-1]
[https://ubuntu.com/security/notices/USN-7299-2]
[https://ubuntu.com/security/notices/USN-7299-3]
[https://ubuntu.com/security/notices/USN-7299-4]
CVE-2025-26600
CVE-2025-26601 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free flaw was found in X.Org and Xwayland. When changing an alarm, the values of the change mask are evaluated one after the other, changing the trigger values as requested, and eventually, SyncInitTrigger() is called. If one of the changes triggers an error, the function will return early, not adding the new sync object, possibly causing a use-after-free when the alarm eventually triggers.
Update Instructions:
Run `sudo pro fix CVE-2025-26601` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.16-1ubuntu1
xorg-server-source - 2:21.1.16-1ubuntu1
xserver-common - 2:21.1.16-1ubuntu1
xserver-xephyr - 2:21.1.16-1ubuntu1
xserver-xorg-core - 2:21.1.16-1ubuntu1
xserver-xorg-legacy - 2:21.1.16-1ubuntu1
xvfb - 2:21.1.16-1ubuntu1
No subscription required
xwayland - 2:24.1.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-25 15:00:00 UTC
2025-02-25 15:00:00 UTC
Jan-Niklas Sohn
[https://ubuntu.com/security/notices/USN-7299-1]
[https://ubuntu.com/security/notices/USN-7299-2]
[https://ubuntu.com/security/notices/USN-7299-3]
[https://ubuntu.com/security/notices/USN-7299-4]
CVE-2025-26601
CVE-2025-26619 on Ubuntu 26.04 LTS (resolute) - medium
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In `vega` 5.30.0 and lower and in `vega-functions` 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported. The issue is patched in `vega` `5.31.0` and `vega-functions` `5.16.0`. Some workarounds are available. Run `vega` without `vega.expressionInterpreter`. This mode is not the default as it is slower. Alternatively, using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary Javascript from running, so users of this mode are not affected by this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-27 14:15:00 UTC
CVE-2025-26619
CVE-2025-26675 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds read in Windows Subsystem for Linux allows an authorized attacker to elevate privileges locally.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-08 18:15:00 UTC
CVE-2025-26675
CVE-2025-26699 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
Update Instructions:
Run `sudo pro fix CVE-2025-26699` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:4.2.18-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-06 13:00:00 UTC
2025-03-06 13:00:00 UTC
[https://ubuntu.com/security/notices/USN-7335-1]
CVE-2025-26699
CVE-2025-26791 on Ubuntu 26.04 LTS (resolute) - medium
DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-14 09:15:00 UTC
CVE-2025-26791
CVE-2025-26803 on Ubuntu 26.04 LTS (resolute) - medium
The http parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a request with an invalid HTTP method.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-24 16:15:00 UTC
CVE-2025-26803
CVE-2025-26819 on Ubuntu 26.04 LTS (resolute) - medium
Monero through 0.18.3.4 before ec74ff4 does not have response limits on HTTP server connections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-15 00:15:00 UTC
CVE-2025-26819
CVE-2025-26847 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-08 17:16:00 UTC
CVE-2025-26847
CVE-2025-27091 on Ubuntu 26.04 LTS (resolute) - medium
OpenH264 is a free license codec library which supports H.264 encoding and decoding. A vulnerability in the decoding functions of OpenH264 codec library could allow a remote, unauthenticated attacker to trigger a heap overflow. This vulnerability is due to a race condition between a Sequence Parameter Set (SPS) memory allocation and a subsequent non Instantaneous Decoder Refresh (non-IDR) Network Abstraction Layer (NAL) unit memory usage. An attacker could exploit this vulnerability by crafting a malicious bitstream and tricking a victim user into processing an arbitrary video containing the malicious bitstream. An exploit could allow the attacker to cause an unexpected crash in the victim's user decoding client and, possibly, perform arbitrary commands on the victim's host by abusing the heap overflow. This vulnerability affects OpenH264 2.5.0 and earlier releases. Both Scalable Video Coding (SVC) mode and Advanced Video Coding (AVC) mode are affected by this vulnerability. OpenH264 software releases 2.6.0 and later contained the fix for this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.
### For more information
If you have any questions or comments about this advisory:
* [Open an issue in cisco/openh264](https://github.com/cisco/openh264/issues)
* Email Cisco Open Source Security ([oss-security@cisco.com](mailto:oss-security@cisco.com)) and Cisco PSIRT ([psirt@cisco.com](mailto:psirt@cisco.com))
### Credits:
* **Research:** Octavian Guzu and Andrew Calvano of Meta
* **Fix ideation:** Philipp Hancke and Shyam Sadhwani of Meta
* **Fix implementation:** Benzheng Zhang (@BenzhengZhang)
* **Release engineering:** Benzheng Zhang (@BenzhengZhang)
Update Instructions:
Run `sudo pro fix CVE-2025-27091` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenh264-8 - 2.6.0+dfsg-1
libopenh264-cisco8 - 2.6.0+dfsg-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-20 18:15:00 UTC
Octavian Guzu and Andrew Calvano
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098470
CVE-2025-27091
CVE-2025-27110 on Ubuntu 26.04 LTS (resolute) - medium
Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contain leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-25 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098910
CVE-2025-27110
CVE-2025-27111 on Ubuntu 26.04 LTS (resolute) - medium
Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. This vulnerability is fixed in 2.2.12, 3.0.13, and 3.1.11.
Update Instructions:
Run `sudo pro fix CVE-2025-27111` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ruby-rack - 3.1.16-0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-04 16:15:00 UTC
2025-03-04 16:15:00 UTC
Phạm Quang Minh
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546
[https://ubuntu.com/security/notices/USN-7366-1]
[https://ubuntu.com/security/notices/USN-7366-2]
CVE-2025-27111
CVE-2025-27144 on Ubuntu 26.04 LTS (resolute) - medium
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-24 23:15:00 UTC
CVE-2025-27144
CVE-2025-27148 on Ubuntu 26.04 LTS (resolute) - medium
Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. On Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. This library initialization could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. Gradle builds that rely on versions of net.rubygrapefruit:native-platform prior to 0.22-milestone-28 could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. In net.rubygrapefruit:native-platform prior to version 0.22-milestone-28, if the `Native.get(Class<>)` method was called, without calling `Native.init(File)` first, with a non-`null` argument used as working file path, then the library would initialize itself using the system temporary directory and NativeLibraryLocator.java lines 68 through 78. Version 0.22-milestone-28 has been released with changes that fix the problem. Initialization is now mandatory and no longer uses the system temporary directory, unless such a path is passed for initialization. The only workaround for affected versions is to make sure to do a proper initialization, using a location that is safe. Gradle 8.12, only that exact version, had codepaths where the initialization of the underlying native integration library took a default path, relying on copying the binaries to the system temporary directory. Any execution of Gradle exposed this exploit. Users of Windows or modern versions of macOS are not vulnerable, nor are users of a Unix-like operating system with the "sticky" bit set or `noexec` on their system temporary directory vulnerable. This problem was fixed in Gradle 8.12.1. Gradle 8.13 release also upgrades to a version of the native library that no longer has that bug. Some workarounds are available. On Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. Mounting `/tmp` as `noexec` will prevent Gradle 8.12 from starting. Those who are unable to change the permissions of the system temporary directory can move the Java temporary directory by setting the System Property java.io.tmpdir. The new path needs to limit permissions to the build user only.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-25 21:15:00 UTC
CVE-2025-27148
CVE-2025-27152 on Ubuntu 26.04 LTS (resolute) - medium
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-07 16:15:00 UTC
CVE-2025-27152
CVE-2025-27154 on Ubuntu 26.04 LTS (resolute) - medium
Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-02-27 14:15:00 UTC
CVE-2025-27154
CVE-2025-27219 on Ubuntu 26.04 LTS (resolute) - medium
In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.
Update Instructions:
Run `sudo pro fix CVE-2025-27219` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libruby3.3 - 3.3.7-1ubuntu2
ruby3.3 - 3.3.7-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-04 00:15:00 UTC
2025-03-04 00:15:00 UTC
[https://ubuntu.com/security/notices/USN-7418-1]
[https://ubuntu.com/security/notices/USN-7442-1]
CVE-2025-27219
CVE-2025-27220 on Ubuntu 26.04 LTS (resolute) - medium
In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.
Update Instructions:
Run `sudo pro fix CVE-2025-27220` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libruby3.3 - 3.3.7-1ubuntu2
ruby3.3 - 3.3.7-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-04 00:15:00 UTC
2025-03-04 00:15:00 UTC
[https://ubuntu.com/security/notices/USN-7418-1]
[https://ubuntu.com/security/notices/USN-7442-1]
CVE-2025-27220
CVE-2025-27221 on Ubuntu 26.04 LTS (resolute) - medium
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
Update Instructions:
Run `sudo pro fix CVE-2025-27221` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libruby3.3 - 3.3.7-1ubuntu2
ruby3.3 - 3.3.7-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-04 00:15:00 UTC
2025-03-04 00:15:00 UTC
[https://ubuntu.com/security/notices/USN-7418-1]
[https://ubuntu.com/security/notices/USN-7442-1]
CVE-2025-27221
CVE-2025-27231 on Ubuntu 26.04 LTS (resolute) - medium
The LDAP 'Bind password' value cannot be read after saving, but a Super Admin account can leak it by changing LDAP 'Host' to a rogue LDAP server. To mitigate this, the 'Bind password' value is now reset on 'Host' change.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-03 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117448
CVE-2025-27231
CVE-2025-27232 on Ubuntu 26.04 LTS (resolute) - medium
An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver leading to potential confidentiality loss.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-01 13:16:00 UTC
CVE-2025-27232
CVE-2025-27233 on Ubuntu 26.04 LTS (resolute) - medium
Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. This can be used to leak the NTLMv2 hash from a Windows system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-12 11:15:00 UTC
CVE-2025-27233
CVE-2025-27236 on Ubuntu 26.04 LTS (resolute) - medium
A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have access to view. This allows data-mining some field values the user does not have access to.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-03 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117448
CVE-2025-27236
CVE-2025-27238 on Ubuntu 26.04 LTS (resolute) - medium
Due to a bug in Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user groups assigned to them.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-12 11:15:00 UTC
CVE-2025-27238
CVE-2025-27406 on Ubuntu 26.04 LTS (resolute) - medium
Icinga Reporting is the central component for reporting related functionality in the monitoring web frontend and framework Icinga Web 2. A vulnerability present in versions 0.10.0 through 1.0.2 allows to set up a template that allows to embed arbitrary Javascript. This enables the attacker to act on behalf of the user, if the template is being previewed; and act on behalf of the headless browser, if a report using the template is printed to PDF. This issue has been resolved in version 1.0.3 of Icinga Reporting. As a workaround, review all templates and remove suspicious settings.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-26 16:15:00 UTC
https://github.com/Icinga/icingaweb2-module-reporting/security/advisories/GHSA-7qvq-54vm-r7hx
CVE-2025-27406
CVE-2025-27407 on Ubuntu 26.04 LTS (resolute) - medium
graphql-ruby is a Ruby implementation of GraphQL. Starting in version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema definition in `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`) can result in remote code execution. Any system which loads a schema by JSON from an untrusted source is vulnerable, including those that use GraphQL::Client to load external schemas via GraphQL introspection. Versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-12 19:15:00 UTC
CVE-2025-27407
CVE-2025-27465 on Ubuntu 26.04 LTS (resolute) - medium
Certain instructions need intercepting and emulating by Xen. In some cases Xen emulates the instruction by replaying it, using an executable stub. Some instructions may raise an exception, which is supposed to be handled gracefully. Certain replayed instructions have additional logic to set up and recover the changes to the arithmetic flags. For replayed instructions where the flags recovery logic is used, the metadata for exception handling was incorrect, preventing Xen from handling the exception gracefully, treating it as fatal instead.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-16 09:15:00 UTC
CVE-2025-27465
CVE-2025-27466 on Ubuntu 26.04 LTS (resolute) - medium
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-11 14:15:00 UTC
CVE-2025-27466
CVE-2025-2750 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, was found in Open Asset Import Library Assimp 5.4.3. This affects the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The manipulation leads to out-of-bounds write. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-25 08:15:00 UTC
https://github.com/assimp/assimp/issues/6011
CVE-2025-2750
CVE-2025-2751 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. This vulnerability affects the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The manipulation of the argument na leads to out-of-bounds read. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-25 08:15:00 UTC
https://github.com/assimp/assimp/issues/6012
CVE-2025-2751
CVE-2025-2752 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. This issue affects the function fast_atoreal_move in the library include/assimp/fast_atof.h of the component CSM File Handler. The manipulation leads to out-of-bounds read. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-25 08:15:00 UTC
https://github.com/assimp/assimp/issues/6013
CVE-2025-2752
CVE-2025-2753 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been classified as critical. Affected is the function SceneCombiner::MergeScenes of the file code/AssetLib/LWS/LWSLoader.cpp of the component LWS File Handler. The manipulation leads to out-of-bounds read. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-25 09:15:00 UTC
https://github.com/assimp/assimp/issues/6014
CVE-2025-2753
CVE-2025-27533 on Ubuntu 26.04 LTS (resolute) - medium
Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections. This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not affected. Users are recommended to upgrade to version 6.1.6+, 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8 or which fixes the issue. Existing users may implement mutual TLS to mitigate the risk on affected brokers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-07 09:15:00 UTC
CVE-2025-27533
CVE-2025-2754 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been declared as critical. Affected by this vulnerability is the function Assimp::AC3DImporter::ConvertObjectSection of the file code/AssetLib/AC/ACLoader.cpp of the component AC3D File Handler. The manipulation of the argument it leads to heap-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-25 09:15:00 UTC
https://github.com/assimp/assimp/issues/6015
CVE-2025-2754
CVE-2025-2755 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been rated as critical. Affected by this issue is the function Assimp::AC3DImporter::ConvertObjectSection of the file code/AssetLib/AC/ACLoader.cpp of the component AC3D File Handler. The manipulation of the argument src.entries leads to out-of-bounds read. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-25 09:15:00 UTC
https://github.com/assimp/assimp/issues/6017
CVE-2025-2755
CVE-2025-27551 on Ubuntu 26.04 LTS (resolute) - medium
DBIx::Class::EncodedColumn use the rand() function, which is not cryptographically secure to salt password hashes. This vulnerability is associated with program files lib/DBIx/Class/EncodedColumn/Digest.pm. This issue affects DBIx::Class::EncodedColumn until 0.00032.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-26 11:15:00 UTC
CVE-2025-27551
CVE-2025-27552 on Ubuntu 26.04 LTS (resolute) - medium
DBIx::Class::EncodedColumn use the rand() function, which is not cryptographically secure to salt password hashes. This vulnerability is associated with program files Crypt/Eksblowfish/Bcrypt.pm. This issue affects DBIx::Class::EncodedColumn until 0.00032.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-26 11:15:00 UTC
CVE-2025-27552
CVE-2025-27553 on Ubuntu 26.04 LTS (resolute) - medium
Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0. The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-23 15:15:00 UTC
Arnout Engelen
CVE-2025-27553
CVE-2025-2756 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as critical has been found in Open Asset Import Library Assimp 5.4.3. This affects the function Assimp::AC3DImporter::ConvertObjectSection of the file code/AssetLib/AC/ACLoader.cpp of the component AC3D File Handler. The manipulation of the argument tmp leads to heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-25 10:15:00 UTC
https://github.com/assimp/assimp/issues/6018
CVE-2025-2756
CVE-2025-2757 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as critical was found in Open Asset Import Library Assimp 5.4.3. This vulnerability affects the function AI_MD5_PARSE_STRING_IN_QUOTATION of the file code/AssetLib/MD5/MD5Parser.cpp of the component MD5 File Handler. The manipulation of the argument data leads to heap-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-25 10:15:00 UTC
https://github.com/assimp/assimp/issues/6019
CVE-2025-2757
CVE-2025-27607 on Ubuntu 26.04 LTS (resolute) - medium
Python JSON Logger is a JSON Formatter for Python Logging. Between 30 December 2024 and 4 March 2025 Python JSON Logger was vulnerable to RCE through a missing dependency. This occurred because msgspec-python313-pre was deleted by the owner leaving the name open to being claimed by a third party. If the package was claimed, it would allow them RCE on any Python JSON Logger user who installed the development dependencies on Python 3.13 (e.g. pip install python-json-logger[dev]). This issue has been resolved with 3.3.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-07 17:15:00 UTC
CVE-2025-27607
CVE-2025-27610 on Ubuntu 26.04 LTS (resolute) - medium
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, `Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly. The vulnerability occurs because `Rack::Static` does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory. By exploiting this vulnerability, an attacker can gain access to all files under the specified `root:` directory, provided they are able to determine the path of the file. Versions 2.2.13, 3.0.14, and 3.1.12 contain a patch for the issue. Other mitigations include removing usage of `Rack::Static`, or ensuring that `root:` points at a directory path which only contains files which should be accessed publicly. It is likely that a CDN or similar static file server would also mitigate the issue.
Update Instructions:
Run `sudo pro fix CVE-2025-27610` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ruby-rack - 3.1.16-0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-10 23:15:00 UTC
2025-03-10 23:15:00 UTC
Phạm Quang Minh
[https://ubuntu.com/security/notices/USN-7366-1]
[https://ubuntu.com/security/notices/USN-7366-2]
CVE-2025-27610
CVE-2025-27773 on Ubuntu 26.04 LTS (resolute) - medium
The SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. Prior to versions 4.17.0 and 5.0.0-alpha.20, there is a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. Versions 4.17.0 and 5.0.0-alpha.20 contain a fix for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-11 19:15:00 UTC
CVE-2025-27773
CVE-2025-27789 on Ubuntu 26.04 LTS (resolute) - medium
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the `.replace` method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of `.replace`. This problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on `@babel/helpers`, and instead depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees use of a new enough `@babel/helpers` version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-11 20:15:00 UTC
CVE-2025-27789
CVE-2025-27793 on Ubuntu 26.04 LTS (resolute) - medium
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library was used with the `vega-interpreter`. Vega version 5.32.0 and vega-functions version 5.17.0 fix the issue. As a workaround, use `vega` with expression interpreter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-27 14:15:00 UTC
CVE-2025-27793
CVE-2025-27820 on Ubuntu 26.04 LTS (resolute) - medium
A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-24 12:15:00 UTC
CVE-2025-27820
CVE-2025-2814 on Ubuntu 26.04 LTS (resolute) - medium
Crypt::CBC versions between 1.21 and 3.05 for Perl may use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. This issue affects operating systems where "/dev/urandom'" is unavailable. In that case, Crypt::CBC will fallback to use the insecure rand() function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-13 00:15:00 UTC
CVE-2025-2814
CVE-2025-2849 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, was found in UPX up to 5.0.0. Affected is the function PackLinuxElf64::un_DT_INIT of the file src/p_lx_elf.cpp. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The patch is identified as e0b6ff192412f5bb5364c1948f4f6b27a0cd5ea2. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-27 14:15:00 UTC
CVE-2025-2849
CVE-2025-2912 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in HDF5 up to 1.14.6. It has been declared as problematic. Affected by this vulnerability is the function H5O_msg_flush of the file src/H5Omessage.c. The manipulation of the argument oh leads to heap-based buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-28 16:15:00 UTC
CVE-2025-2912
CVE-2025-2913 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in HDF5 up to 1.14.6. It has been rated as critical. Affected by this issue is the function H5FL__blk_gc_list of the file src/H5FL.c. The manipulation of the argument H5FL_blk_head_t leads to use after free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-28 17:15:00 UTC
CVE-2025-2913
CVE-2025-2914 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic has been found in HDF5 up to 1.14.6. This affects the function H5FS__sinfo_Srialize_Sct_cb of the file src/H5FScache.c. The manipulation of the argument sect leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-28 17:15:00 UTC
CVE-2025-2914
CVE-2025-2915 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic was found in HDF5 up to 1.14.6. This vulnerability affects the function H5F__accum_free of the file src/H5Faccum.c. The manipulation of the argument overlap_size leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-28 17:15:00 UTC
CVE-2025-2915
CVE-2025-2923 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, has been found in HDF5 up to 1.14.6. Affected by this issue is the function H5F_addr_encode_len of the file src/H5Fint.c. The manipulation of the argument pp leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-28 19:15:00 UTC
CVE-2025-2923
CVE-2025-2924 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, was found in HDF5 up to 1.14.6. This affects the function H5HL__fl_deserialize of the file src/H5HLcache.c. The manipulation of the argument free_block leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-28 20:15:00 UTC
CVE-2025-2924
CVE-2025-2925 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in HDF5 up to 1.14.6 and classified as problematic. This vulnerability affects the function H5MM_realloc of the file src/H5MM.c. The manipulation of the argument mem leads to double free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-28 20:15:00 UTC
CVE-2025-2925
CVE-2025-2926 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in HDF5 up to 1.14.6 and classified as problematic. This issue affects the function H5O__cache_chk_serialize of the file src/H5Ocache.c. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-28 20:15:00 UTC
CVE-2025-2926
CVE-2025-29364 on Ubuntu 26.04 LTS (resolute) - medium
spimsimulator spim v9.1.24 and before is vulnerable to Buffer Overflow in the READ_SYSCALL and WRITE_SYSCALL system calls. The application verifies the legitimacy of the starting and ending addresses for memory read/write operations. By configuring the starting and ending addresses for memory read/write to point to distinct memory segments within the virtual machine, it is possible to circumvent these checks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-28 16:15:00 UTC
CVE-2025-29364
CVE-2025-29365 on Ubuntu 26.04 LTS (resolute) - medium
spimsimulator spim v9.1.24 and before is vulnerable to Buffer Overflow in READ_STRING_SYSCALL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-22 16:15:00 UTC
CVE-2025-29365
CVE-2025-29366 on Ubuntu 26.04 LTS (resolute) - medium
In mupen64plus v2.6.0 there is an array overflow vulnerability in the write_rdram_regs and write_rdram_regs functions, which enables executing arbitrary commands on the host machine.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-22 16:15:00 UTC
CVE-2025-29366
CVE-2025-2953 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0+cu124. Affected by this issue is the function torch.mkldnn_max_pool2d. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The security policy of the project warns to use unknown models which might establish malicious effects.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-30 16:15:00 UTC
CVE-2025-2953
CVE-2025-29699 on Ubuntu 26.04 LTS (resolute) - medium
NetSurf 3.11 is vulnerable to Use After Free in dom_node_set_text_content function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-03 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119918
CVE-2025-29699
CVE-2025-29769 on Ubuntu 26.04 LTS (resolute) - medium
libvips is a demand-driven, horizontally threaded image processing library. The heifsave operation could incorrectly determine the presence of an alpha channel in an input when it was not possible to determine the colour interpretation, known internally within libvips as "multiband". There aren't many ways to create a "multiband" input, but it is possible with a well-crafted TIFF image. If a "multiband" TIFF input image had 4 channels and HEIF-based output was requested, this led to libvips creating a 3 channel HEIF image without an alpha channel but then attempting to write 4 channels of data. This caused a heap buffer overflow, which could crash the process. This vulnerability is fixed in 8.16.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-07 20:15:00 UTC
CVE-2025-29769
CVE-2025-29906 on Ubuntu 26.04 LTS (resolute) - medium
Finit is a fast init for Linux systems. Versions starting from 3.0-rc1 and prior to version 4.11 bundle an implementation of getty for the `tty` configuration directive that can bypass `/bin/login`, i.e., a user can login as any user without authentication. This issue has been patched in version 4.11.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-29 23:16:00 UTC
CVE-2025-29906
CVE-2025-29915 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The AF_PACKET defrag option is enabled by default and allows AF_PACKET to re-assemble fragmented packets before reaching Suricata. However the default packet size in Suricata is based on the network interface MTU which leads to Suricata seeing truncated packets. Upgrade to Suricata 7.0.9, which uses better defaults and adds warnings for user configurations that may lead to issues.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-10 20:15:00 UTC
CVE-2025-29915
CVE-2025-29916 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Datasets declared in rules have an option to specify the `hashsize` to use. This size setting isn't properly limited, so the hash table allocation can be large. Untrusted rules can lead to large memory allocations, potentially leading to denial of service due to resource starvation. This vulnerability is fixed in 7.0.9.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-10 20:15:00 UTC
CVE-2025-29916
CVE-2025-29917 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The bytes setting in the decode_base64 keyword is not properly limited. Due to this, signatures using the keyword and setting can cause large memory allocations of up to 4 GiB per thread. This vulnerability is fixed in 7.0.9.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-10 21:15:00 UTC
CVE-2025-29917
CVE-2025-29918 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A PCRE rule can be written that leads to an infinite loop when negated PCRE is used. Packet processing thread becomes stuck in infinite loop limiting visibility and availability in inline mode. This vulnerability is fixed in 7.0.9.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-10 21:15:00 UTC
CVE-2025-29918
CVE-2025-29934 on Ubuntu 26.04 LTS (resolute) - medium
A bug within some AMD CPUs could allow a local admin-privileged attacker to run a SEV-SNP guest using stale TLB entries, potentially resulting in loss of data integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-21 19:15:00 UTC
CVE-2025-29934
CVE-2025-29939 on Ubuntu 26.04 LTS (resolute) - medium
Improper access control in secure encrypted virtualization (SEV) could allow a privileged attacker to write to the reverse map page (RMP) during secure nested paging (SNP) initialization, potentially resulting in a loss of guest memory confidentiality and integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 20:16:00 UTC
CVE-2025-29939
CVE-2025-29943 on Ubuntu 26.04 LTS (resolute) - medium
Write-what-where condition within AMD CPUs may allow an admin-privileged attacker to modify the configuration of the CPU pipeline potentially resulting in the corruption of the stack pointer inside an SEV-SNP guest.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-16 16:15:00 UTC
CVE-2025-29943
CVE-2025-29946 on Ubuntu 26.04 LTS (resolute) - medium
Insufficient or Incomplete Data Removal in Hardware Component in SEV firmware doesn't fully flush IOMMU. This can potentially lead to a loss of confidentiality and integrity in guest memory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 20:16:00 UTC
CVE-2025-29946
CVE-2025-29948 on Ubuntu 26.04 LTS (resolute) - medium
Improper access control in AMD Secure Encrypted Virtualization (SEV) firmware could allow a malicious hypervisor to bypass RMP protections, potentially resulting in a loss of SEV-SNP guest memory integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 20:16:00 UTC
CVE-2025-29948
CVE-2025-29952 on Ubuntu 26.04 LTS (resolute) - medium
Improper Initialization within the AMD Secure Encrypted Virtualization (SEV) firmware can allow an admin privileged attacker to corrupt RMP covered memory, potentially resulting in loss of guest memory integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 20:16:00 UTC
CVE-2025-29952
CVE-2025-2998 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in PyTorch 2.6.0. It has been declared as critical. Affected by this vulnerability is the function torch.nn.utils.rnn.pad_packed_sequence. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-31 14:15:00 UTC
CVE-2025-2998
CVE-2025-2999 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in PyTorch 2.6.0. It has been rated as critical. Affected by this issue is the function torch.nn.utils.rnn.unpack_sequence. The manipulation leads to memory corruption. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-31 15:15:00 UTC
CVE-2025-2999
CVE-2025-3000 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as critical has been found in PyTorch 2.6.0. This affects the function torch.jit.script. The manipulation leads to memory corruption. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-31 15:15:00 UTC
CVE-2025-3000
CVE-2025-3001 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as critical was found in PyTorch 2.6.0. This vulnerability affects the function torch.lstm_cell. The manipulation leads to memory corruption. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-31 16:15:00 UTC
CVE-2025-3001
CVE-2025-30087 on Ubuntu 26.04 LTS (resolute) - medium
Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-28 18:15:00 UTC
2025-05-28 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104422
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104424
[https://ubuntu.com/security/notices/USN-7692-1]
CVE-2025-30087
CVE-2025-30093 on Ubuntu 26.04 LTS (resolute) - medium
HTCondor 23.0.x before 23.0.22, 23.10.x before 23.10.22, 24.0.x before 24.0.6, and 24.6.x before 24.6.1 allows authenticated attackers to bypass authorization restrictions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-27 19:15:00 UTC
CVE-2025-30093
CVE-2025-3010 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, has been found in Khronos Group glslang 15.1.0. Affected by this issue is the function glslang::TIntermediate::isConversionAllowed of the file glslang/MachineIndependent/Intermediate.cpp. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-31 20:15:00 UTC
CVE-2025-3010
CVE-2025-3015 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as critical has been found in Open Asset Import Library Assimp 5.4.3. This affects the function Assimp::ASEImporter::BuildUniqueRepresentation of the file code/AssetLib/ASE/ASELoader.cpp of the component ASE File Handler. The manipulation of the argument mIndices leads to out-of-bounds read. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 6.0 is able to address this issue. The patch is named 7c705fde418d68cca4e8eff56be01b2617b0d6fe. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-31 21:15:00 UTC
CVE-2025-3015
CVE-2025-3016 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic was found in Open Asset Import Library Assimp 5.4.3. This vulnerability affects the function Assimp::MDLImporter::ParseTextureColorData of the file code/AssetLib/MDL/MDLMaterialLoader.cpp of the component MDL File Handler. The manipulation of the argument mWidth/mHeight leads to resource consumption. The attack can be initiated remotely. Upgrading to version 6.0 is able to address this issue. The name of the patch is 5d2a7482312db2e866439a8c05a07ce1e718bed1. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-31 21:15:00 UTC
CVE-2025-3016
CVE-2025-30167 on Ubuntu 26.04 LTS (resolute) - medium
Jupyter Core is a package for the core common functionality of Jupyter projects. When using Jupyter Core prior to version 5.8.0 on Windows, the shared `%PROGRAMDATA%` directory is searched for configuration files (`SYSTEM_CONFIG_PATH` and `SYSTEM_JUPYTER_PATH`), which may allow users to create configuration files affecting other users. Only shared Windows systems with multiple users and unprotected `%PROGRAMDATA%` are affected. Users should upgrade to Jupyter Core version 5.8.0 or later to receive a patch. Some other mitigations are available. As administrator, modify the permissions on the `%PROGRAMDATA%` directory so it is not writable by unauthorized users; or as administrator, create the `%PROGRAMDATA%\jupyter` directory with appropriately restrictive permissions; or as user or administrator, set the `%PROGRAMDATA%` environment variable to a directory with appropriately restrictive permissions (e.g. controlled by administrators _or_ the current user).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-03 17:15:00 UTC
CVE-2025-30167
CVE-2025-30192 on Ubuntu 26.04 LTS (resolute) - medium
An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries. The updated version includes various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and enforcing stricter validation of the received answers. The most strict mitigation is done when the new setting outgoing.edns_subnet_harden (old style name edns-subnet-harden) is enabled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-21 13:15:00 UTC
CVE-2025-30192
CVE-2025-30211 on Ubuntu 26.04 LTS (resolute) - medium
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option.
Update Instructions:
Run `sudo pro fix CVE-2025-30211` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
erlang - 1:27.3+dfsg-1ubuntu1
erlang-asn1 - 1:27.3+dfsg-1ubuntu1
erlang-base - 1:27.3+dfsg-1ubuntu1
erlang-common-test - 1:27.3+dfsg-1ubuntu1
erlang-crypto - 1:27.3+dfsg-1ubuntu1
erlang-debugger - 1:27.3+dfsg-1ubuntu1
erlang-dialyzer - 1:27.3+dfsg-1ubuntu1
erlang-diameter - 1:27.3+dfsg-1ubuntu1
erlang-edoc - 1:27.3+dfsg-1ubuntu1
erlang-eldap - 1:27.3+dfsg-1ubuntu1
erlang-et - 1:27.3+dfsg-1ubuntu1
erlang-eunit - 1:27.3+dfsg-1ubuntu1
erlang-examples - 1:27.3+dfsg-1ubuntu1
erlang-ftp - 1:27.3+dfsg-1ubuntu1
erlang-inets - 1:27.3+dfsg-1ubuntu1
erlang-jinterface - 1:27.3+dfsg-1ubuntu1
erlang-megaco - 1:27.3+dfsg-1ubuntu1
erlang-mnesia - 1:27.3+dfsg-1ubuntu1
erlang-mode - 1:27.3+dfsg-1ubuntu1
erlang-nox - 1:27.3+dfsg-1ubuntu1
erlang-observer - 1:27.3+dfsg-1ubuntu1
erlang-odbc - 1:27.3+dfsg-1ubuntu1
erlang-os-mon - 1:27.3+dfsg-1ubuntu1
erlang-parsetools - 1:27.3+dfsg-1ubuntu1
erlang-public-key - 1:27.3+dfsg-1ubuntu1
erlang-reltool - 1:27.3+dfsg-1ubuntu1
erlang-runtime-tools - 1:27.3+dfsg-1ubuntu1
erlang-snmp - 1:27.3+dfsg-1ubuntu1
erlang-src - 1:27.3+dfsg-1ubuntu1
erlang-ssh - 1:27.3+dfsg-1ubuntu1
erlang-ssl - 1:27.3+dfsg-1ubuntu1
erlang-syntax-tools - 1:27.3+dfsg-1ubuntu1
erlang-tftp - 1:27.3+dfsg-1ubuntu1
erlang-tools - 1:27.3+dfsg-1ubuntu1
erlang-wx - 1:27.3+dfsg-1ubuntu1
erlang-x11 - 1:27.3+dfsg-1ubuntu1
erlang-xmerl - 1:27.3+dfsg-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-28 15:15:00 UTC
2025-03-28 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101713
[https://ubuntu.com/security/notices/USN-7425-1]
CVE-2025-30211
CVE-2025-30224 on Ubuntu 26.04 LTS (resolute) - medium
MyDumper is a MySQL Logical Backup Tool. The MySQL C client library (libmysqlclient) allows authenticated remote actors to read arbitrary files from client systems via a crafted server response to LOAD LOCAL INFILE query, leading to sensitive information disclosure when clients connect to untrusted MySQL servers without explicitly disabling the local infile capability. Mydumper has the local infile option enabled by default and does not have an option to disable it. This can lead to an unexpected arbitrary file read if the Mydumper tool connects to an untrusted server. This vulnerability is fixed in 0.18.2-8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-01 15:16:00 UTC
CVE-2025-30224
CVE-2025-30348 on Ubuntu 26.04 LTS (resolute) - medium
encodeText in QDom in Qt before 6.8.0 has a complex algorithm involving XML string copy and inline replacement of parts of a string (with relocation of later data).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-21 07:15:00 UTC
CVE-2025-30348
CVE-2025-30472 on Ubuntu 26.04 LTS (resolute) - medium
Corosync through 3.1.9, if encryption is disabled or the attacker knows the encryption key, has a stack-based buffer overflow in orf_token_endian_convert in exec/totemsrp.c via a large UDP packet.
Update Instructions:
Run `sudo pro fix CVE-2025-30472` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
corosync - 3.1.8-3ubuntu2
corosync-notifyd - 3.1.8-3ubuntu2
corosync-vqsim - 3.1.8-3ubuntu2
libcfg7 - 3.1.8-3ubuntu2
libcmap4 - 3.1.8-3ubuntu2
libcorosync-common4 - 3.1.8-3ubuntu2
libcpg4 - 3.1.8-3ubuntu2
libquorum5 - 3.1.8-3ubuntu2
libsam4 - 3.1.8-3ubuntu2
libvotequorum8 - 3.1.8-3ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-22 02:15:00 UTC
2025-03-22 02:15:00 UTC
https://github.com/corosync/corosync/issues/778
[https://ubuntu.com/security/notices/USN-7478-1]
CVE-2025-30472
CVE-2025-30474 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-23 15:15:00 UTC
Marek Šunda
https://issues.apache.org/jira/browse/VFS-169
CVE-2025-30474
CVE-2025-30681 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).
Update Instructions:
Run `sudo pro fix CVE-2025-30681` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-30681
CVE-2025-30682 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-30682` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-30682
CVE-2025-30683 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-30683` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-30683
CVE-2025-30684 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-30684` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-30684
CVE-2025-30685 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-30685` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-30685
CVE-2025-30687 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-30687` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-30687
CVE-2025-30688 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-30688` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-30688
CVE-2025-30689 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-30689` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-30689
CVE-2025-30691 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle Java SE: 21.0.6, 24; Oracle GraalVM for JDK: 21.0.6 and 24. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data as well as unauthorized read access to a subset of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2025-30691` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.28~3ea-1ubuntu1
openjdk-11-jdk - 11.0.28~3ea-1ubuntu1
openjdk-11-jdk-headless - 11.0.28~3ea-1ubuntu1
openjdk-11-jre - 11.0.28~3ea-1ubuntu1
openjdk-11-jre-headless - 11.0.28~3ea-1ubuntu1
openjdk-11-jre-zero - 11.0.28~3ea-1ubuntu1
openjdk-11-source - 11.0.28~3ea-1ubuntu1
No subscription required
openjdk-17-demo - 17.0.15+6-1
openjdk-17-jdk - 17.0.15+6-1
openjdk-17-jdk-headless - 17.0.15+6-1
openjdk-17-jre - 17.0.15+6-1
openjdk-17-jre-headless - 17.0.15+6-1
openjdk-17-jre-zero - 17.0.15+6-1
openjdk-17-source - 17.0.15+6-1
No subscription required
openjdk-17-crac-demo - 17.0.15+6-0ubuntu1
openjdk-17-crac-jdk - 17.0.15+6-0ubuntu1
openjdk-17-crac-jdk-headless - 17.0.15+6-0ubuntu1
openjdk-17-crac-jre - 17.0.15+6-0ubuntu1
openjdk-17-crac-jre-headless - 17.0.15+6-0ubuntu1
openjdk-17-crac-jre-zero - 17.0.15+6-0ubuntu1
openjdk-17-crac-source - 17.0.15+6-0ubuntu1
No subscription required
openjdk-21-crac-demo - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-jdk - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-jdk-headless - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-jre - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-jre-headless - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-jre-zero - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-source - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-testsupport - 21.0.7+6.1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103900
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103899
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103898
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103897
[https://ubuntu.com/security/notices/USN-7480-1]
[https://ubuntu.com/security/notices/USN-7481-1]
[https://ubuntu.com/security/notices/USN-7482-1]
[https://ubuntu.com/security/notices/USN-7483-1]
[https://ubuntu.com/security/notices/USN-7484-1]
[https://ubuntu.com/security/notices/USN-7531-1]
[https://ubuntu.com/security/notices/USN-7533-1]
CVE-2025-30691
CVE-2025-30693 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-30693` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
[https://ubuntu.com/security/notices/USN-7519-1]
[https://ubuntu.com/security/notices/USN-7548-1]
CVE-2025-30693
CVE-2025-30695 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-30695` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-30695
CVE-2025-30696 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-30696` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-30696
CVE-2025-30698 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition: 20.3.17 and 21.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).
Update Instructions:
Run `sudo pro fix CVE-2025-30698` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.28~3ea-1ubuntu1
openjdk-11-jdk - 11.0.28~3ea-1ubuntu1
openjdk-11-jdk-headless - 11.0.28~3ea-1ubuntu1
openjdk-11-jre - 11.0.28~3ea-1ubuntu1
openjdk-11-jre-headless - 11.0.28~3ea-1ubuntu1
openjdk-11-jre-zero - 11.0.28~3ea-1ubuntu1
openjdk-11-source - 11.0.28~3ea-1ubuntu1
No subscription required
openjdk-17-demo - 17.0.15+6-1
openjdk-17-jdk - 17.0.15+6-1
openjdk-17-jdk-headless - 17.0.15+6-1
openjdk-17-jre - 17.0.15+6-1
openjdk-17-jre-headless - 17.0.15+6-1
openjdk-17-jre-zero - 17.0.15+6-1
openjdk-17-source - 17.0.15+6-1
No subscription required
openjdk-17-crac-demo - 17.0.15+6-0ubuntu1
openjdk-17-crac-jdk - 17.0.15+6-0ubuntu1
openjdk-17-crac-jdk-headless - 17.0.15+6-0ubuntu1
openjdk-17-crac-jre - 17.0.15+6-0ubuntu1
openjdk-17-crac-jre-headless - 17.0.15+6-0ubuntu1
openjdk-17-crac-jre-zero - 17.0.15+6-0ubuntu1
openjdk-17-crac-source - 17.0.15+6-0ubuntu1
No subscription required
openjdk-21-crac-demo - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-jdk - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-jdk-headless - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-jre - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-jre-headless - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-jre-zero - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-source - 21.0.7+6.1-0ubuntu1
openjdk-21-crac-testsupport - 21.0.7+6.1-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103900
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103899
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103898
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103897
[https://ubuntu.com/security/notices/USN-7480-1]
[https://ubuntu.com/security/notices/USN-7481-1]
[https://ubuntu.com/security/notices/USN-7482-1]
[https://ubuntu.com/security/notices/USN-7483-1]
[https://ubuntu.com/security/notices/USN-7484-1]
[https://ubuntu.com/security/notices/USN-7531-1]
[https://ubuntu.com/security/notices/USN-7533-1]
CVE-2025-30698
CVE-2025-30699 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-30699` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-30699
CVE-2025-30703 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2025-30703` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-30703
CVE-2025-30704 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-30704` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-30704
CVE-2025-30705 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-30705` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:15:00 UTC
2025-04-15 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-30705
CVE-2025-30712 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:16:00 UTC
CVE-2025-30712
CVE-2025-30714 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 9.0.0-9.2.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data. CVSS 3.1 Base Score 4.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103396
CVE-2025-30714
CVE-2025-30715 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-30715` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:16:00 UTC
2025-04-15 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-30715
CVE-2025-30719 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.6. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:16:00 UTC
CVE-2025-30719
CVE-2025-30721 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-30721` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:16:00 UTC
2025-04-15 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
CVE-2025-30721
CVE-2025-30722 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Client product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Client accessible data as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2025-30722` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:16:00 UTC
2025-04-15 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103385
[https://ubuntu.com/security/notices/USN-7479-1]
[https://ubuntu.com/security/notices/USN-7519-1]
[https://ubuntu.com/security/notices/USN-7548-1]
CVE-2025-30722
CVE-2025-30725 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 21:16:00 UTC
CVE-2025-30725
CVE-2025-30749 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-30749` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-8-demo - 8u462-ga~us1-0ubuntu1
openjdk-8-jdk - 8u462-ga~us1-0ubuntu1
openjdk-8-jdk-headless - 8u462-ga~us1-0ubuntu1
openjdk-8-jre - 8u462-ga~us1-0ubuntu1
openjdk-8-jre-headless - 8u462-ga~us1-0ubuntu1
openjdk-8-jre-zero - 8u462-ga~us1-0ubuntu1
openjdk-8-source - 8u462-ga~us1-0ubuntu1
No subscription required
openjdk-11-demo - 11.0.28+6-1ubuntu1
openjdk-11-jdk - 11.0.28+6-1ubuntu1
openjdk-11-jdk-headless - 11.0.28+6-1ubuntu1
openjdk-11-jre - 11.0.28+6-1ubuntu1
openjdk-11-jre-headless - 11.0.28+6-1ubuntu1
openjdk-11-jre-zero - 11.0.28+6-1ubuntu1
openjdk-11-source - 11.0.28+6-1ubuntu1
No subscription required
openjdk-17-demo - 17.0.16+8-1
openjdk-17-jdk - 17.0.16+8-1
openjdk-17-jdk-headless - 17.0.16+8-1
openjdk-17-jre - 17.0.16+8-1
openjdk-17-jre-headless - 17.0.16+8-1
openjdk-17-jre-zero - 17.0.16+8-1
openjdk-17-source - 17.0.16+8-1
No subscription required
openjdk-17-crac-demo - 17.0.16+8-0ubuntu1
openjdk-17-crac-jdk - 17.0.16+8-0ubuntu1
openjdk-17-crac-jdk-headless - 17.0.16+8-0ubuntu1
openjdk-17-crac-jre - 17.0.16+8-0ubuntu1
openjdk-17-crac-jre-headless - 17.0.16+8-0ubuntu1
openjdk-17-crac-jre-zero - 17.0.16+8-0ubuntu1
openjdk-17-crac-source - 17.0.16+8-0ubuntu1
No subscription required
openjdk-21-demo - 21.0.8+9-1
openjdk-21-jdk - 21.0.8+9-1
openjdk-21-jdk-headless - 21.0.8+9-1
openjdk-21-jre - 21.0.8+9-1
openjdk-21-jre-headless - 21.0.8+9-1
openjdk-21-jre-zero - 21.0.8+9-1
openjdk-21-source - 21.0.8+9-1
openjdk-21-testsupport - 21.0.8+9-1
No subscription required
openjdk-21-crac-demo - 21.0.8+9-0ubuntu1
openjdk-21-crac-jdk - 21.0.8+9-0ubuntu1
openjdk-21-crac-jdk-headless - 21.0.8+9-0ubuntu1
openjdk-21-crac-jre - 21.0.8+9-0ubuntu1
openjdk-21-crac-jre-headless - 21.0.8+9-0ubuntu1
openjdk-21-crac-jre-zero - 21.0.8+9-0ubuntu1
openjdk-21-crac-source - 21.0.8+9-0ubuntu1
openjdk-21-crac-testsupport - 21.0.8+9-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7669-1]
[https://ubuntu.com/security/notices/USN-7668-1]
[https://ubuntu.com/security/notices/USN-7672-1]
[https://ubuntu.com/security/notices/USN-7673-1]
[https://ubuntu.com/security/notices/USN-7667-1]
[https://ubuntu.com/security/notices/USN-7674-1]
[https://ubuntu.com/security/notices/USN-7690-1]
CVE-2025-30749
CVE-2025-30754 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2025-30754` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-8-demo - 8u462-ga~us1-0ubuntu1
openjdk-8-jdk - 8u462-ga~us1-0ubuntu1
openjdk-8-jdk-headless - 8u462-ga~us1-0ubuntu1
openjdk-8-jre - 8u462-ga~us1-0ubuntu1
openjdk-8-jre-headless - 8u462-ga~us1-0ubuntu1
openjdk-8-jre-zero - 8u462-ga~us1-0ubuntu1
openjdk-8-source - 8u462-ga~us1-0ubuntu1
No subscription required
openjdk-11-demo - 11.0.28+6-1ubuntu1
openjdk-11-jdk - 11.0.28+6-1ubuntu1
openjdk-11-jdk-headless - 11.0.28+6-1ubuntu1
openjdk-11-jre - 11.0.28+6-1ubuntu1
openjdk-11-jre-headless - 11.0.28+6-1ubuntu1
openjdk-11-jre-zero - 11.0.28+6-1ubuntu1
openjdk-11-source - 11.0.28+6-1ubuntu1
No subscription required
openjdk-17-demo - 17.0.16+8-1
openjdk-17-jdk - 17.0.16+8-1
openjdk-17-jdk-headless - 17.0.16+8-1
openjdk-17-jre - 17.0.16+8-1
openjdk-17-jre-headless - 17.0.16+8-1
openjdk-17-jre-zero - 17.0.16+8-1
openjdk-17-source - 17.0.16+8-1
No subscription required
openjdk-17-crac-demo - 17.0.16+8-0ubuntu1
openjdk-17-crac-jdk - 17.0.16+8-0ubuntu1
openjdk-17-crac-jdk-headless - 17.0.16+8-0ubuntu1
openjdk-17-crac-jre - 17.0.16+8-0ubuntu1
openjdk-17-crac-jre-headless - 17.0.16+8-0ubuntu1
openjdk-17-crac-jre-zero - 17.0.16+8-0ubuntu1
openjdk-17-crac-source - 17.0.16+8-0ubuntu1
No subscription required
openjdk-21-demo - 21.0.8+9-1
openjdk-21-jdk - 21.0.8+9-1
openjdk-21-jdk-headless - 21.0.8+9-1
openjdk-21-jre - 21.0.8+9-1
openjdk-21-jre-headless - 21.0.8+9-1
openjdk-21-jre-zero - 21.0.8+9-1
openjdk-21-source - 21.0.8+9-1
openjdk-21-testsupport - 21.0.8+9-1
No subscription required
openjdk-21-crac-demo - 21.0.8+9-0ubuntu1
openjdk-21-crac-jdk - 21.0.8+9-0ubuntu1
openjdk-21-crac-jdk-headless - 21.0.8+9-0ubuntu1
openjdk-21-crac-jre - 21.0.8+9-0ubuntu1
openjdk-21-crac-jre-headless - 21.0.8+9-0ubuntu1
openjdk-21-crac-jre-zero - 21.0.8+9-0ubuntu1
openjdk-21-crac-source - 21.0.8+9-0ubuntu1
openjdk-21-crac-testsupport - 21.0.8+9-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7669-1]
[https://ubuntu.com/security/notices/USN-7668-1]
[https://ubuntu.com/security/notices/USN-7672-1]
[https://ubuntu.com/security/notices/USN-7673-1]
[https://ubuntu.com/security/notices/USN-7667-1]
[https://ubuntu.com/security/notices/USN-7674-1]
[https://ubuntu.com/security/notices/USN-7690-1]
CVE-2025-30754
CVE-2025-30761 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf and 11.0.27; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
Update Instructions:
Run `sudo pro fix CVE-2025-30761` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-8-demo - 8u462-ga~us1-0ubuntu1
openjdk-8-jdk - 8u462-ga~us1-0ubuntu1
openjdk-8-jdk-headless - 8u462-ga~us1-0ubuntu1
openjdk-8-jre - 8u462-ga~us1-0ubuntu1
openjdk-8-jre-headless - 8u462-ga~us1-0ubuntu1
openjdk-8-jre-zero - 8u462-ga~us1-0ubuntu1
openjdk-8-source - 8u462-ga~us1-0ubuntu1
No subscription required
openjdk-11-demo - 11.0.28+6-1ubuntu1
openjdk-11-jdk - 11.0.28+6-1ubuntu1
openjdk-11-jdk-headless - 11.0.28+6-1ubuntu1
openjdk-11-jre - 11.0.28+6-1ubuntu1
openjdk-11-jre-headless - 11.0.28+6-1ubuntu1
openjdk-11-jre-zero - 11.0.28+6-1ubuntu1
openjdk-11-source - 11.0.28+6-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 21:15:00 UTC
2025-07-15 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-7667-1]
[https://ubuntu.com/security/notices/USN-7674-1]
CVE-2025-30761
CVE-2025-31160 on Ubuntu 26.04 LTS (resolute) - medium
atop through 2.11.0 allows local users to cause a denial of service (e.g., assertion failure and application exit) or possibly have unspecified other impact by running certain types of unprivileged processes while a different user runs atop.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-26 21:15:00 UTC
CVE-2025-31160
CVE-2025-31176 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in gnuplot. The plot3d_points() function may lead to a segmentation fault and cause a system crash.
Update Instructions:
Run `sudo pro fix CVE-2025-31176` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnuplot - 6.0.2+dfsg1-2ubuntu1
gnuplot-data - 6.0.2+dfsg1-2ubuntu1
gnuplot-nox - 6.0.2+dfsg1-2ubuntu1
gnuplot-qt - 6.0.2+dfsg1-2ubuntu1
gnuplot-x11 - 6.0.2+dfsg1-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-27 15:16:00 UTC
2025-03-27 15:16:00 UTC
ChenYiFan Liu
[https://ubuntu.com/security/notices/USN-7773-1]
CVE-2025-31176
CVE-2025-31177 on Ubuntu 26.04 LTS (resolute) - negligible
gnuplot is affected by a heap buffer overflow at function utf8_copy_one.
Update Instructions:
Run `sudo pro fix CVE-2025-31177` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnuplot - 6.0.2+dfsg1-2ubuntu1
gnuplot-data - 6.0.2+dfsg1-2ubuntu1
gnuplot-nox - 6.0.2+dfsg1-2ubuntu1
gnuplot-qt - 6.0.2+dfsg1-2ubuntu1
gnuplot-x11 - 6.0.2+dfsg1-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2025 Canonical Ltd.
2025-05-07 21:16:00 UTC
2025-05-07 21:16:00 UTC
[https://ubuntu.com/security/notices/USN-7773-1]
CVE-2025-31177
CVE-2025-31178 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in gnuplot. The GetAnnotateString() function may lead to a segmentation fault and cause a system crash.
Update Instructions:
Run `sudo pro fix CVE-2025-31178` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnuplot - 6.0.2+dfsg1-2ubuntu1
gnuplot-data - 6.0.2+dfsg1-2ubuntu1
gnuplot-nox - 6.0.2+dfsg1-2ubuntu1
gnuplot-qt - 6.0.2+dfsg1-2ubuntu1
gnuplot-x11 - 6.0.2+dfsg1-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-27 15:16:00 UTC
2025-03-27 15:16:00 UTC
ChenYiFan Liu
[https://ubuntu.com/security/notices/USN-7773-1]
CVE-2025-31178
CVE-2025-31179 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in gnuplot. The xstrftime() function may lead to a segmentation fault, causing a system crash.
Update Instructions:
Run `sudo pro fix CVE-2025-31179` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnuplot - 6.0.2+dfsg1-2ubuntu1
gnuplot-data - 6.0.2+dfsg1-2ubuntu1
gnuplot-nox - 6.0.2+dfsg1-2ubuntu1
gnuplot-qt - 6.0.2+dfsg1-2ubuntu1
gnuplot-x11 - 6.0.2+dfsg1-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-27 15:16:00 UTC
2025-03-27 15:16:00 UTC
ChenYiFan Liu
[https://ubuntu.com/security/notices/USN-7773-1]
CVE-2025-31179
CVE-2025-31180 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in gnuplot. The CANVAS_text() function may lead to a segmentation fault and cause a system crash.
Update Instructions:
Run `sudo pro fix CVE-2025-31180` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnuplot - 6.0.2+dfsg1-2ubuntu1
gnuplot-data - 6.0.2+dfsg1-2ubuntu1
gnuplot-nox - 6.0.2+dfsg1-2ubuntu1
gnuplot-qt - 6.0.2+dfsg1-2ubuntu1
gnuplot-x11 - 6.0.2+dfsg1-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-27 15:16:00 UTC
2025-03-27 15:16:00 UTC
ChenYiFan Liu
[https://ubuntu.com/security/notices/USN-7773-1]
CVE-2025-31180
CVE-2025-31181 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in gnuplot. The X11_graphics() function may lead to a segmentation fault and cause a system crash.
Update Instructions:
Run `sudo pro fix CVE-2025-31181` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnuplot - 6.0.2+dfsg1-2ubuntu1
gnuplot-data - 6.0.2+dfsg1-2ubuntu1
gnuplot-nox - 6.0.2+dfsg1-2ubuntu1
gnuplot-qt - 6.0.2+dfsg1-2ubuntu1
gnuplot-x11 - 6.0.2+dfsg1-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-03-27 15:16:00 UTC
2025-03-27 15:16:00 UTC
ChenYiFan Liu
[https://ubuntu.com/security/notices/USN-7773-1]
CVE-2025-31181
CVE-2025-3121 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic has been found in PyTorch 2.6.0. Affected is the function torch.jit.jit_module_from_flatbuffer. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-02 22:15:00 UTC
CVE-2025-3121
CVE-2025-3122 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic was found in WebAssembly wabt 1.0.36. Affected by this vulnerability is the function BinaryReaderInterp::BeginFunctionBody of the file src/interp/binary-reader-interp.cc. The manipulation leads to null pointer dereference. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-02 22:15:00 UTC
CVE-2025-3122
CVE-2025-3136 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0. This issue affects the function torch.cuda.memory.caching_allocator_delete of the file c10/cuda/CUDACachingAllocator.cpp. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-03 04:15:00 UTC
CVE-2025-3136
CVE-2025-31483 on Ubuntu 26.04 LTS (resolute) - medium
Miniflux is a feed reader. Due to a weak Content Security Policy on the /proxy/* route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. To mitigate the vulnerability, the CSP for the media proxy has been changed from default-src 'self' to default-src 'none'; form-action 'none'; sandbox;. This vulnerability is fixed in 2.2.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-03 18:15:00 UTC
CVE-2025-31483
CVE-2025-3154 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by an invalid VerticesPerRow value in a PDF shading dictionary.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-02 23:15:00 UTC
CVE-2025-3154
CVE-2025-3158 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3. Affected by this issue is the function Assimp::LWO::AnimResolver::UpdateAnimRangeSetup of the file code/AssetLib/LWO/LWOAnimation.cpp of the component LWO File Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-03 14:15:00 UTC
CVE-2025-3158
CVE-2025-3159 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, was found in Open Asset Import Library Assimp 5.4.3. This affects the function Assimp::ASE::Parser::ParseLV4MeshBonesVertices of the file code/AssetLib/ASE/ASEParser.cpp of the component ASE File Handler. The manipulation leads to heap-based buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is e8a6286542924e628e02749c4f5ac4f91fdae71b. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-03 14:15:00 UTC
CVE-2025-3159
CVE-2025-3160 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. This vulnerability affects the function Assimp::SceneCombiner::AddNodeHashes of the file code/Common/SceneCombiner.cpp of the component File Handler. The manipulation leads to out-of-bounds read. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is identified as a0993658f40d8e13ff5823990c30b43c82a5daf0. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-03 15:15:00 UTC
CVE-2025-3160
CVE-2025-31651 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-28 20:15:00 UTC
2025-04-28 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7705-1]
CVE-2025-31651
CVE-2025-31672 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate names (including the path) in the zip. In this case, products reading the affected file could read different data because 1 of the zip entries with the duplicate name is selected over another but different products may choose a different zip entry. This issue affects Apache POI poi-ooxml before 5.4.0. poi-ooxml 5.4.0 has a check that throws an exception if zip entries with duplicate file names are found in the input file. Users are recommended to upgrade to version poi-ooxml 5.4.0, which fixes the issue. Please read https://poi.apache.org/security.html for recommendations about how to use the POI libraries securely.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-09 12:15:00 UTC
CVE-2025-31672
CVE-2025-3196 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, was found in Open Asset Import Library Assimp 5.4.3. Affected is the function Assimp::MD2Importer::InternReadFile in the library code/AssetLib/MD2/MD2Loader.cpp of the component Malformed File Handler. The manipulation of the argument Name leads to stack-based buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-04 02:15:00 UTC
CVE-2025-3196
CVE-2025-32022 on Ubuntu 26.04 LTS (resolute) - medium
Finit provides fast init for Linux systems. Finit's urandom plugin has a heap buffer overwrite vulnerability at boot which leads to it overwriting other parts of the heap, possibly causing random instabilities and undefined behavior. The urandom plugin is enabled by default, so this bug affects everyone using Finit 4.2 or later that do not explicitly disable the plugin at build time. This bug is fixed in Finit 4.12. Those who cannot upgrade or backport the fix to urandom.c are strongly recommended to disable the plugin in the call to the `configure` script.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-06 17:16:00 UTC
CVE-2025-32022
CVE-2025-32023 on Ubuntu 26.04 LTS (resolute) - medium
Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing hyperloglog operations. This can be done using ACL to restrict HLL commands.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-07 16:15:00 UTC
2025-07-07 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-8120-1]
CVE-2025-32023
CVE-2025-32049 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsoup. The SoupWebsocketConnection may accept a large WebSocket message, which may cause libsoup to allocate memory and lead to a denial of service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-03 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102067
https://gitlab.gnome.org/GNOME/libsoup/-/issues/390
https://bugzilla.redhat.com/show_bug.cgi?id=2357066
CVE-2025-32049
CVE-2025-32072 on Ubuntu 26.04 LTS (resolute) - medium
Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki Core - Feed Utils allows WebView Injection. This issue affects Mediawiki Core - Feed Utils: from 1.39 through 1.43.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-11 17:15:00 UTC
CVE-2025-32072
CVE-2025-32366 on Ubuntu 26.04 LTS (resolute) - medium
In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen) and memcpy(response+offset,*end,*rdlen) without a check for whether the sum of *end and *rdlen exceeds max. Consequently, *rdlen may be larger than the amount of remaining packet data in the current state of parsing. Values of stack memory locations may be sent over the network in a response.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-05 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102193
CVE-2025-32366
CVE-2025-32386 on Ubuntu 26.04 LTS (resolute) - medium
Helm is a tool for managing Charts. A chart archive file can be crafted in a manner where it expands to be significantly larger uncompressed than compressed (e.g., >800x difference). When Helm loads this specially crafted chart, memory can be exhausted causing the application to terminate. This issue has been resolved in Helm v3.17.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-09 23:15:00 UTC
CVE-2025-32386
CVE-2025-32387 on Ubuntu 26.04 LTS (resolute) - medium
Helm is a package manager for Charts for Kubernetes. A JSON Schema file within a chart can be crafted with a deeply nested chain of references, leading to parser recursion that can exceed the stack size limit and trigger a stack overflow. This issue has been resolved in Helm v3.17.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-09 23:15:00 UTC
CVE-2025-32387
CVE-2025-32441 on Ubuntu 26.04 LTS (resolute) - medium
Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Rack session middleware prepares the session at the beginning of the request, then saves it back to the store with possible changes applied by the host rack application. This way the session becomes subject to race conditions in the general sense over concurrent rack requests. When using the `Rack::Session::Pool` middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to log out. Version 2.2.14 contains a patch for the issue. Some other mitigations are available. Either ensure the application invalidates sessions atomically by marking them as logged out e.g., using a `logged_out` flag, instead of deleting them, and check this flag on every request to prevent reuse; or implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.
Update Instructions:
Run `sudo pro fix CVE-2025-32441` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ruby-rack - 3.1.16-0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-08
2025-05-08
[https://ubuntu.com/security/notices/USN-7507-1]
CVE-2025-32441
CVE-2025-32460 on Ubuntu 26.04 LTS (resolute) - medium
GraphicsMagick before 8e56520 has a heap-based buffer over-read in ReadJXLImage in coders/jxl.c, related to an ImportViewPixelArea call.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-09 02:15:00 UTC
CVE-2025-32460
CVE-2025-32468 on Ubuntu 26.04 LTS (resolute) - medium
A memory corruption vulnerability exists in the BMPv3 Image Decoding functionality of the SAIL Image Decoding Library v0.9.8. When loading a specially crafted .bmp file, an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 15:15:00 UTC
CVE-2025-32468
CVE-2025-32696 on Ubuntu 26.04 LTS (resolute) - medium
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/actions/RevertAction.Php, includes/api/ApiFileRevert.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-10 19:16:00 UTC
CVE-2025-32696
CVE-2025-32697 on Ubuntu 26.04 LTS (resolute) - medium
Improper Preservation of Permissions vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/editpage/IntroMessageBuilder.Php, includes/Permissions/PermissionManager.Php, includes/Permissions/RestrictionStore.Php. This issue affects MediaWiki: before 1.42.6, 1.43.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-10 19:16:00 UTC
CVE-2025-32697
CVE-2025-32698 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/LogPager.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-10 19:16:00 UTC
CVE-2025-32698
CVE-2025-32699 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1; Parsoid: before 0.16.5, 0.19.2, 0.20.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-10 19:16:00 UTC
CVE-2025-32699
CVE-2025-32700 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/Api/QueryAbuseLog.Php, includes/Pager/AbuseLogPager.Php, includes/Special/SpecialAbuseLog.Php, includes/View/AbuseFilterViewExamine.Php. This issue affects AbuseFilter: from >= 1.43.0 before 1.43.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-10 19:16:00 UTC
CVE-2025-32700
CVE-2025-32728 on Ubuntu 26.04 LTS (resolute) - medium
In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.
Update Instructions:
Run `sudo pro fix CVE-2025-32728` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openssh-client - 1:9.9p1-3ubuntu3.1
openssh-client-gssapi - 1:9.9p1-3ubuntu3.1
openssh-server - 1:9.9p1-3ubuntu3.1
openssh-server-gssapi - 1:9.9p1-3ubuntu3.1
openssh-sftp-server - 1:9.9p1-3ubuntu3.1
openssh-tests - 1:9.9p1-3ubuntu3.1
ssh - 1:9.9p1-3ubuntu3.1
ssh-askpass-gnome - 1:9.9p1-3ubuntu3.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-10 02:15:00 UTC
2025-04-10 02:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102603
[https://ubuntu.com/security/notices/USN-7457-1]
CVE-2025-32728
CVE-2025-32743 on Ubuntu 26.04 LTS (resolute) - medium
In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c can be NULL or an empty string when the TC (Truncated) bit is set in a DNS response. This allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code, because those lookup values lead to incorrect length calculations and incorrect memcpy operations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-10 14:15:00 UTC
CVE-2025-32743
CVE-2025-32776 on Ubuntu 26.04 LTS (resolute) - medium
OpenRazer is an open source driver and user-space daemon to control Razer device lighting and other features on GNU/Linux. By writing specially crafted data to the `matrix_custom_frame` file, an attacker can cause the custom kernel driver to read more bytes than provided by user space. This data will be written into the RGB arguments which will be sent to the USB device. This issue has been patched in v3.10.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 17:15:00 UTC
CVE-2025-32776
CVE-2025-32873 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().
Update Instructions:
Run `sudo pro fix CVE-2025-32873` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:4.2.18-1ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-07 14:00:00 UTC
2025-05-07 14:00:00 UTC
Elias Myllymäki
[https://ubuntu.com/security/notices/USN-7501-1]
[https://ubuntu.com/security/notices/USN-7501-2]
CVE-2025-32873
CVE-2025-32898 on Ubuntu 26.04 LTS (resolute) - medium
The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-05 05:16:00 UTC
CVE-2025-32898
CVE-2025-32899 on Ubuntu 26.04 LTS (resolute) - medium
In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair. Specifically, it is an invalid discovery packet sent over broadcast UDP.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-05 05:16:00 UTC
CVE-2025-32899
CVE-2025-32900 on Ubuntu 26.04 LTS (resolute) - medium
In the KDE Connect information-exchange protocol before 2025-04-18, a packet can be crafted to temporarily change the displayed information about a device, because broadcast UDP is used. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-05 06:16:00 UTC
CVE-2025-32900
CVE-2025-32901 on Ubuntu 26.04 LTS (resolute) - medium
In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-05 05:17:00 UTC
CVE-2025-32901
CVE-2025-32907 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory. This does not allow for a full denial of service.
Update Instructions:
Run `sudo pro fix CVE-2025-32907` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-soup-2.4 - 2.74.3-10.1ubuntu4
libsoup-2.4-1 - 2.74.3-10.1ubuntu4
libsoup-gnome-2.4-1 - 2.74.3-10.1ubuntu4
libsoup2.4-common - 2.74.3-10.1ubuntu4
libsoup2.4-tests - 2.74.3-10.1ubuntu4
No subscription required
gir1.2-soup-3.0 - 3.6.5-3
libsoup-3.0-0 - 3.6.5-3
libsoup-3.0-common - 3.6.5-3
libsoup-3.0-tests - 3.6.5-3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-14 14:15:00 UTC
2025-04-14 14:15:00 UTC
https://gitlab.gnome.org/GNOME/libsoup/-/issues/428
https://bugzilla.redhat.com/show_bug.cgi?id=2359342
[https://ubuntu.com/security/notices/USN-7643-1]
CVE-2025-32907
CVE-2025-32914 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsoup, where the soup_multipart_new_from_message() function is vulnerable to an out-of-bounds read. This flaw allows a malicious HTTP client to induce the libsoup server to read out of bounds.
Update Instructions:
Run `sudo pro fix CVE-2025-32914` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-soup-3.0 - 3.6.5-2
libsoup-3.0-0 - 3.6.5-2
libsoup-3.0-common - 3.6.5-2
libsoup-3.0-tests - 3.6.5-2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-14 15:15:00 UTC
2025-04-14 15:15:00 UTC
https://gitlab.gnome.org/GNOME/libsoup/-/issues/436
https://bugzilla.redhat.com/show_bug.cgi?id=2359358
[https://ubuntu.com/security/notices/USN-7490-1]
[https://ubuntu.com/security/notices/USN-7490-3]
[https://ubuntu.com/security/notices/USN-7643-1]
CVE-2025-32914
CVE-2025-32988 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.
Update Instructions:
Run `sudo pro fix CVE-2025-32988` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.9-3ubuntu1
libgnutls-dane0t64 - 3.8.9-3ubuntu1
libgnutls-openssl27t64 - 3.8.9-3ubuntu1
libgnutls30t64 - 3.8.9-3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-10 08:15:00 UTC
2025-07-10 08:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2359622
[https://ubuntu.com/security/notices/USN-7635-1]
[https://ubuntu.com/security/notices/USN-7742-1]
CVE-2025-32988
CVE-2025-32989 on Ubuntu 26.04 LTS (resolute) - medium
A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.
Update Instructions:
Run `sudo pro fix CVE-2025-32989` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.9-3ubuntu1
libgnutls-dane0t64 - 3.8.9-3ubuntu1
libgnutls-openssl27t64 - 3.8.9-3ubuntu1
libgnutls30t64 - 3.8.9-3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-10 08:15:00 UTC
2025-07-10 08:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2359621
[https://ubuntu.com/security/notices/USN-7635-1]
CVE-2025-32989
CVE-2025-32990 on Ubuntu 26.04 LTS (resolute) - medium
A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.
Update Instructions:
Run `sudo pro fix CVE-2025-32990` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.9-3ubuntu1
libgnutls-dane0t64 - 3.8.9-3ubuntu1
libgnutls-openssl27t64 - 3.8.9-3ubuntu1
libgnutls30t64 - 3.8.9-3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-10 10:15:00 UTC
2025-07-10 10:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2359620
[https://ubuntu.com/security/notices/USN-7635-1]
[https://ubuntu.com/security/notices/USN-7742-1]
CVE-2025-32990
CVE-2025-33219 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA Display Driver for Linux contains a vulnerability in the NVIDIA kernel module where an attacker could cause an integer overflow or wraparound. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure.
Update Instructions:
Run `sudo pro fix CVE-2025-33219` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnvidia-cfg1-580 - 580.126.09-0ubuntu2
libnvidia-common-580 - 580.126.09-0ubuntu2
libnvidia-compute-580 - 580.126.09-0ubuntu2
libnvidia-decode-580 - 580.126.09-0ubuntu2
libnvidia-encode-580 - 580.126.09-0ubuntu2
libnvidia-extra-580 - 580.126.09-0ubuntu2
libnvidia-fbc1-580 - 580.126.09-0ubuntu2
libnvidia-gl-580 - 580.126.09-0ubuntu2
nvidia-compute-utils-580 - 580.126.09-0ubuntu2
nvidia-dkms-580 - 580.126.09-0ubuntu2
nvidia-dkms-580-open - 580.126.09-0ubuntu2
nvidia-driver-580 - 580.126.09-0ubuntu2
nvidia-driver-580-open - 580.126.09-0ubuntu2
nvidia-firmware-580-580.82.07 - 580.126.09-0ubuntu2
nvidia-headless-580 - 580.126.09-0ubuntu2
nvidia-headless-580-open - 580.126.09-0ubuntu2
nvidia-headless-no-dkms-580 - 580.126.09-0ubuntu2
nvidia-headless-no-dkms-580-open - 580.126.09-0ubuntu2
nvidia-kernel-common-580 - 580.126.09-0ubuntu2
nvidia-kernel-source-580 - 580.126.09-0ubuntu2
nvidia-kernel-source-580-open - 580.126.09-0ubuntu2
nvidia-utils-580 - 580.126.09-0ubuntu2
xserver-xorg-video-nvidia-580 - 580.126.09-0ubuntu2
No subscription required
libnvidia-cfg1-580-server - 580.126.09-0ubuntu2
libnvidia-common-580-server - 580.126.09-0ubuntu2
libnvidia-compute-580-server - 580.126.09-0ubuntu2
libnvidia-decode-580-server - 580.126.09-0ubuntu2
libnvidia-encode-580-server - 580.126.09-0ubuntu2
libnvidia-extra-580-server - 580.126.09-0ubuntu2
libnvidia-fbc1-580-server - 580.126.09-0ubuntu2
libnvidia-gl-580-server - 580.126.09-0ubuntu2
nvidia-compute-utils-580-server - 580.126.09-0ubuntu2
nvidia-dkms-580-server - 580.126.09-0ubuntu2
nvidia-dkms-580-server-open - 580.126.09-0ubuntu2
nvidia-driver-580-server - 580.126.09-0ubuntu2
nvidia-driver-580-server-open - 580.126.09-0ubuntu2
nvidia-firmware-580-server-580.82.07 - 580.126.09-0ubuntu2
nvidia-headless-580-server - 580.126.09-0ubuntu2
nvidia-headless-580-server-open - 580.126.09-0ubuntu2
nvidia-headless-no-dkms-580-server - 580.126.09-0ubuntu2
nvidia-headless-no-dkms-580-server-open - 580.126.09-0ubuntu2
nvidia-kernel-common-580-server - 580.126.09-0ubuntu2
nvidia-kernel-source-580-server - 580.126.09-0ubuntu2
nvidia-kernel-source-580-server-open - 580.126.09-0ubuntu2
nvidia-utils-580-server - 580.126.09-0ubuntu2
xserver-xorg-video-nvidia-580-server - 580.126.09-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-28 18:16:00 UTC
CVE-2025-33219
CVE-2025-33220 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a malicious guest could cause heap memory access after the memory is freed. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure.
Update Instructions:
Run `sudo pro fix CVE-2025-33220` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnvidia-cfg1-580 - 580.126.09-0ubuntu2
libnvidia-common-580 - 580.126.09-0ubuntu2
libnvidia-compute-580 - 580.126.09-0ubuntu2
libnvidia-decode-580 - 580.126.09-0ubuntu2
libnvidia-encode-580 - 580.126.09-0ubuntu2
libnvidia-extra-580 - 580.126.09-0ubuntu2
libnvidia-fbc1-580 - 580.126.09-0ubuntu2
libnvidia-gl-580 - 580.126.09-0ubuntu2
nvidia-compute-utils-580 - 580.126.09-0ubuntu2
nvidia-dkms-580 - 580.126.09-0ubuntu2
nvidia-dkms-580-open - 580.126.09-0ubuntu2
nvidia-driver-580 - 580.126.09-0ubuntu2
nvidia-driver-580-open - 580.126.09-0ubuntu2
nvidia-firmware-580-580.82.07 - 580.126.09-0ubuntu2
nvidia-headless-580 - 580.126.09-0ubuntu2
nvidia-headless-580-open - 580.126.09-0ubuntu2
nvidia-headless-no-dkms-580 - 580.126.09-0ubuntu2
nvidia-headless-no-dkms-580-open - 580.126.09-0ubuntu2
nvidia-kernel-common-580 - 580.126.09-0ubuntu2
nvidia-kernel-source-580 - 580.126.09-0ubuntu2
nvidia-kernel-source-580-open - 580.126.09-0ubuntu2
nvidia-utils-580 - 580.126.09-0ubuntu2
xserver-xorg-video-nvidia-580 - 580.126.09-0ubuntu2
No subscription required
libnvidia-cfg1-580-server - 580.126.09-0ubuntu2
libnvidia-common-580-server - 580.126.09-0ubuntu2
libnvidia-compute-580-server - 580.126.09-0ubuntu2
libnvidia-decode-580-server - 580.126.09-0ubuntu2
libnvidia-encode-580-server - 580.126.09-0ubuntu2
libnvidia-extra-580-server - 580.126.09-0ubuntu2
libnvidia-fbc1-580-server - 580.126.09-0ubuntu2
libnvidia-gl-580-server - 580.126.09-0ubuntu2
nvidia-compute-utils-580-server - 580.126.09-0ubuntu2
nvidia-dkms-580-server - 580.126.09-0ubuntu2
nvidia-dkms-580-server-open - 580.126.09-0ubuntu2
nvidia-driver-580-server - 580.126.09-0ubuntu2
nvidia-driver-580-server-open - 580.126.09-0ubuntu2
nvidia-firmware-580-server-580.82.07 - 580.126.09-0ubuntu2
nvidia-headless-580-server - 580.126.09-0ubuntu2
nvidia-headless-580-server-open - 580.126.09-0ubuntu2
nvidia-headless-no-dkms-580-server - 580.126.09-0ubuntu2
nvidia-headless-no-dkms-580-server-open - 580.126.09-0ubuntu2
nvidia-kernel-common-580-server - 580.126.09-0ubuntu2
nvidia-kernel-source-580-server - 580.126.09-0ubuntu2
nvidia-kernel-source-580-server-open - 580.126.09-0ubuntu2
nvidia-utils-580-server - 580.126.09-0ubuntu2
xserver-xorg-video-nvidia-580-server - 580.126.09-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-28 18:16:00 UTC
CVE-2025-33220
CVE-2025-33228 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 18:16:00 UTC
CVE-2025-33228
CVE-2025-33229 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA Nsight Visual Studio for Windows contains a vulnerability in Nsight Monitor where an attacker can execute arbitrary code with the same privileges as the NVIDIA Nsight Visual Studio Edition Monitor application. A successful exploit of this vulnerability may lead to escalation of privileges, code execution, data tampering, denial of service, and information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 18:16:00 UTC
CVE-2025-33229
CVE-2025-33230 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA Nsight Systems for Linux contains a vulnerability in the .run installer, where an attacker could cause an OS command injection by supplying a malicious string to the installation path. A successful exploit of this vulnerability might lead to escalation of privileges, code execution, data tampering, denial of service, and information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 18:16:00 UTC
CVE-2025-33230
CVE-2025-33231 on Ubuntu 26.04 LTS (resolute) - medium
NVIDIA Nsight Systems for Windows contains a vulnerability in the application’s DLL loading mechanism where an attacker could cause an uncontrolled search path element by exploiting insecure DLL search paths. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service and information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 18:16:00 UTC
CVE-2025-33231
CVE-2025-3359 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in GNUPlot. A segmentation fault via IO_str_init_static_internal may jeopardize the environment.
Update Instructions:
Run `sudo pro fix CVE-2025-3359` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnuplot - 6.0.2+dfsg1-2ubuntu1
gnuplot-data - 6.0.2+dfsg1-2ubuntu1
gnuplot-nox - 6.0.2+dfsg1-2ubuntu1
gnuplot-qt - 6.0.2+dfsg1-2ubuntu1
gnuplot-x11 - 6.0.2+dfsg1-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-07 13:15:00 UTC
2025-04-07 13:15:00 UTC
[https://ubuntu.com/security/notices/USN-7773-1]
CVE-2025-3359
CVE-2025-3406 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Nothings stb up to f056911. It has been classified as problematic. Affected is the function stbhw_build_tileset_from_image of the component Header Array Handler. The manipulation of the argument w leads to out-of-bounds read. It is possible to launch the attack remotely. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-08 04:15:00 UTC
CVE-2025-3406
CVE-2025-3407 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Nothings stb up to f056911. It has been declared as critical. Affected by this vulnerability is the function stbhw_build_tileset_from_image. The manipulation of the argument h_count/v_count leads to out-of-bounds read. The attack can be launched remotely. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-08 04:15:00 UTC
CVE-2025-3407
CVE-2025-3408 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Nothings stb up to f056911. It has been rated as critical. Affected by this issue is the function stb_dupreplace. The manipulation leads to integer overflow. The attack may be launched remotely. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-08 04:15:00 UTC
CVE-2025-3408
CVE-2025-3409 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as critical has been found in Nothings stb up to f056911. This affects the function stb_include_string. The manipulation of the argument path_to_includes leads to stack-based buffer overflow. It is possible to initiate the attack remotely. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-08 05:15:00 UTC
CVE-2025-3409
CVE-2025-34297 on Ubuntu 26.04 LTS (resolute) - medium
KissFFT versions prior to the fix commit 1b083165 contain an integer overflow in kiss_fft_alloc() in kiss_fft.c on platforms where size_t is 32-bit. The nfft parameter is not validated before being used in a size calculation (sizeof(kiss_fft_cpx) * (nfft - 1)), which can wrap to a small value when nfft is large. As a result, malloc() allocates an undersized buffer and the subsequent twiddle-factor initialization loop writes nfft elements, causing a heap buffer overflow. This vulnerability only affects 32-bit architectures.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-01 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131147
CVE-2025-34297
CVE-2025-34449 on Ubuntu 26.04 LTS (resolute) - medium
Genymobile/scrcpy versions up to and including 3.3.3, prior to commit 3e40b24, contain a buffer overflow vulnerability in the sc_device_msg_deserialize() function. A compromised device can send crafted messages that cause out-of-bounds reads, which may result in memory corruption or a denial-of-service condition. This vulnerability may allow further exploitation on the host system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-18 22:15:00 UTC
CVE-2025-34449
CVE-2025-34450 on Ubuntu 26.04 LTS (resolute) - medium
merbanan/rtl_433 versions up to and including 25.02 and prior to commit 25e47f8 contain a stack-based buffer overflow vulnerability in the function parse_rfraw() located in src/rfraw.c. When processing crafted or excessively large raw RF input data, the application may write beyond the bounds of a stack buffer, resulting in memory corruption or a crash. This vulnerability can be exploited to cause a denial of service and, under certain conditions, may be leveraged for further exploitation depending on the execution environment and available mitigations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-18 22:15:00 UTC
CVE-2025-34450
CVE-2025-34451 on Ubuntu 26.04 LTS (resolute) - medium
rofl0r/proxychains-ng versions up to and including 4.17 and prior to commit cc005b7 contain a stack-based buffer overflow vulnerability in the function proxy_from_string() located in src/libproxychains.c. When parsing crafted proxy configuration entries containing overly long username or password fields, the application may write beyond the bounds of fixed-size stack buffers, leading to memory corruption or crashes. This vulnerability may allow denial of service and, under certain conditions, could be leveraged for further exploitation depending on the execution environment and applied mitigations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-18 22:15:00 UTC
CVE-2025-34451
CVE-2025-34457 on Ubuntu 26.04 LTS (resolute) - medium
wb2osz/direwolf (Dire Wolf) versions up to and including 1.8, prior to commit 694c954, contain a stack-based buffer overflow vulnerability in the function kiss_rec_byte() located in src/kiss_frame.c. When processing crafted KISS frames that reach the maximum allowed frame length (MAX_KISS_LEN), the function appends a terminating FEND byte without reserving sufficient space in the stack buffer. This results in an out-of-bounds write followed by an out-of-bounds read during the subsequent call to kiss_unwrap(), leading to stack memory corruption or application crashes. This vulnerability may allow remote unauthenticated attackers to trigger a denial-of-service condition.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-22 22:16:00 UTC
CVE-2025-34457
CVE-2025-34458 on Ubuntu 26.04 LTS (resolute) - medium
wb2osz/direwolf (Dire Wolf) versions up to and including 1.8, prior to commit 3658a87, contain a reachable assertion vulnerability in the APRS MIC-E decoder function aprs_mic_e() located in src/decode_aprs.c. When processing a specially crafted AX.25 frame containing a MIC-E message with an empty or truncated comment field, the application triggers an unhandled assertion checking for a non-empty comment. This assertion failure causes immediate process termination, allowing a remote, unauthenticated attacker to cause a denial of service by sending malformed APRS traffic.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-22 22:16:00 UTC
CVE-2025-34458
CVE-2025-34468 on Ubuntu 26.04 LTS (resolute) - medium
libcoap versions up to and including 4.3.5, prior to commit 30db3ea, contain a stack-based buffer overflow in address resolution when attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without proper bounds checking. A remote attacker can trigger a crash and potentially achieve remote code execution depending on compiler options and runtime memory protections. Exploitation requires the proxy logic to be enabled (i.e., the proxy request handling code path in an application using libcoap).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-31 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124407
CVE-2025-34468
CVE-2025-3469 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLMultiSelectField.Php. This issue affects MediaWiki: before 1.39.12, 1.42.6, 1.43.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-10 19:16:00 UTC
CVE-2025-3469
CVE-2025-35036 on Ubuntu 26.04 LTS (resolute) - medium
Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language interpolation of user-supplied data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-03 20:15:00 UTC
CVE-2025-35036
CVE-2025-3512 on Ubuntu 26.04 LTS (resolute) - medium
There is a Heap-based Buffer Overflow vulnerability in QTextMarkdownImporter. This requires an incorrectly formatted markdown file to be passed to QTextMarkdownImporter to trigger the overflow. This issue affects Qt from 6.8.0 to 6.8.4. Versions up to 6.6.0 are known to be unaffected, and the fix is in 6.8.4 and later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-11 08:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103022
CVE-2025-3512
CVE-2025-3548 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp up to 5.4.3. This issue affects the function aiString::Set in the library include/assimp/types.h of the component File Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-14 03:15:00 UTC
CVE-2025-3548
CVE-2025-3549 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, was found in Open Asset Import Library Assimp 5.4.3. Affected is the function Assimp::MD3Importer::ValidateSurfaceHeaderOffsets of the file code/AssetLib/MD3/MD3Loader.cpp of the component File Handler. The manipulation leads to heap-based buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-14 03:15:00 UTC
CVE-2025-3549
CVE-2025-3573 on Ubuntu 26.04 LTS (resolute) - medium
Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take input from a user-controlled placeholder value. This value will populate a message via $.validator.messages in a user localizable dictionary.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-15 05:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103445
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104134
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104135
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104136
CVE-2025-3573
CVE-2025-35984 on Ubuntu 26.04 LTS (resolute) - medium
A memory corruption vulnerability exists in the PCX Image Decoding functionality of the SAIL Image Decoding Library v0.9.8. When decoding the image data from a specially crafted .pcx file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 15:15:00 UTC
CVE-2025-35984
CVE-2025-3730 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, was found in PyTorch 2.6.0. Affected is the function torch.nn.functional.ctc_loss of the file aten/src/ATen/native/LossCTC.cpp. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The name of the patch is 46fc5d8e360127361211cb237d5f9eef0223e567. It is recommended to apply a patch to fix this issue. The security policy of the project warns to use unknown models which might establish malicious effects.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-16 21:15:00 UTC
CVE-2025-3730
CVE-2025-3770 on Ubuntu 26.04 LTS (resolute) - medium
EDK2 contains a vulnerability in BIOS where an attacker may cause “Protection Mechanism Failure” by local access. Successful exploitation of this vulnerability will lead to arbitrary code execution and impact Confidentiality, Integrity, and Availability.
Update Instructions:
Run `sudo pro fix CVE-2025-3770` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
efi-shell-aa64 - 2025.02-8ubuntu3
efi-shell-arm - 2025.02-8ubuntu3
efi-shell-ia32 - 2025.02-8ubuntu3
efi-shell-loongarch64 - 2025.02-8ubuntu3
efi-shell-riscv64 - 2025.02-8ubuntu3
efi-shell-x64 - 2025.02-8ubuntu3
ovmf - 2025.02-8ubuntu3
ovmf-ia32 - 2025.02-8ubuntu3
ovmf-inteltdx - 2025.02-8ubuntu3
qemu-efi-aarch64 - 2025.02-8ubuntu3
qemu-efi-arm - 2025.02-8ubuntu3
qemu-efi-loongarch64 - 2025.02-8ubuntu3
qemu-efi-riscv64 - 2025.02-8ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-07 01:15:00 UTC
2025-08-07 01:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110533
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2025-3770
CVE-2025-3818 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, was found in webpy web.py 0.70. Affected is the function PostgresDB._process_insert_query of the file web/db.py. The manipulation of the argument seqname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-19 20:15:00 UTC
https://github.com/webpy/webpy/issues/806
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103780
CVE-2025-3818
CVE-2025-3891 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-29 12:15:00 UTC
CVE-2025-3891
CVE-2025-3908 on Ubuntu 26.04 LTS (resolute) - medium
The configuration initialization tool in OpenVPN 3 Linux v20 through v24 on Linux allows a local attacker to use symlinks pointing at an arbitrary directory which will change the ownership and permissions of that destination directory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-19 15:15:00 UTC
CVE-2025-3908
CVE-2025-39665 on Ubuntu 26.04 LTS (resolute) - medium
User enumeration in Nagvis' Checkmk MultisiteAuth before version 1.9.48 allows an unauthenticated attacker to enumerate Checkmk usernames.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-03 10:15:00 UTC
CVE-2025-39665
CVE-2025-40190 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ext4: guard against EA inode refcount underflow in xattr update
syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA inode refcount that is already <= 0 and then applies ref_change (often -1). That lets the refcount underflow and we proceed with a bogus value, triggering errors like:
  EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1
  EXT4-fs warning: ea_inode dec ref err=-117
Make the invariant explicit: if the current refcount is non-positive, treat this as on-disk corruption, emit ext4_error_inode(), and fail the operation with -EFSCORRUPTED instead of updating the refcount. Delete the WARN_ONCE() as negative refcounts are now impossible; keep error reporting in ext4_error_inode().
This prevents the underflow and the follow-on orphan/cleanup churn.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-12 22:15:00 UTC
CVE-2025-40190
CVE-2025-4035 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set cookies for domains it does not own, potentially leading to integrity issues such as session fixation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-29 13:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104414
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104415
https://bugzilla.redhat.com/show_bug.cgi?id=2362651
https://gitlab.gnome.org/GNOME/libsoup/-/issues/443
CVE-2025-4035
CVE-2025-40778 on Ubuntu 26.04 LTS (resolute) - medium
Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.
Update Instructions:
Run `sudo pro fix CVE-2025-40778` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.20.11-1ubuntu3
bind9-dnsutils - 1:9.20.11-1ubuntu3
bind9-host - 1:9.20.11-1ubuntu3
bind9-libs - 1:9.20.11-1ubuntu3
bind9-utils - 1:9.20.11-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-22
2025-10-22
Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan
[https://ubuntu.com/security/notices/USN-7836-1]
[https://ubuntu.com/security/notices/USN-7836-2]
CVE-2025-40778
CVE-2025-40780 on Ubuntu 26.04 LTS (resolute) - medium
In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.
Update Instructions:
Run `sudo pro fix CVE-2025-40780` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.20.11-1ubuntu3
bind9-dnsutils - 1:9.20.11-1ubuntu3
bind9-host - 1:9.20.11-1ubuntu3
bind9-libs - 1:9.20.11-1ubuntu3
bind9-utils - 1:9.20.11-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-22
2025-10-22
Amit Klein and Omer Ben Simhon
[https://ubuntu.com/security/notices/USN-7836-1]
[https://ubuntu.com/security/notices/USN-7836-2]
CVE-2025-40780
CVE-2025-40918 on Ubuntu 26.04 LTS (resolute) - low
Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely. The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. According to RFC 2831, The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-07-16 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109406
CVE-2025-40918
CVE-2025-40924 on Ubuntu 26.04 LTS (resolute) - medium
Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely. The session id is generated from a (usually SHA-1) hash of a simple counter, the epoch time, the built-in rand function, the PID and the current Catalyst context. This information is of low entropy. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-17 14:15:00 UTC
CVE-2025-40924
CVE-2025-40927 on Ubuntu 26.04 LTS (resolute) - medium
CGI::Simple versions before 1.282 for Perl has a HTTP response splitting flaw.
This vulnerability is a confirmed HTTP response splitting flaw in CGI::Simple that allows HTTP response header injection, which can be used for reflected XSS or open redirect under certain conditions.
Although some validation exists, it can be bypassed using URL-encoded values, allowing an attacker to inject untrusted content into the response via query parameters.
As a result, an attacker can inject a line break (e.g. %0A) into the parameter value, causing the server to split the HTTP response and inject arbitrary headers or even an HTML/JavaScript body, leading to reflected cross-site scripting (XSS), open redirect or other attacks.
The issue documented in CVE-2010-4410 https://www.cve.org/CVERecord?id=CVE-2010-4410 is related but the fix was incomplete.
Impact
By injecting %0A (newline) into a query string parameter, an attacker can:
 * Break the current HTTP header
 * Inject a new header or entire body
 * Deliver a script payload that is reflected in the server’s response
That can lead to the following attacks:
 * reflected XSS
 * open redirect
 * cache poisoning
 * header manipulation
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-29 01:15:00 UTC
CVE-2025-40927
CVE-2025-40928 on Ubuntu 26.04 LTS (resolute) - medium
JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact
Update Instructions:
Run `sudo pro fix CVE-2025-40928` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libjson-xs-perl - 4.040-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-08 15:15:00 UTC
2025-09-08 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-7750-1]
CVE-2025-40928
CVE-2025-40929 on Ubuntu 26.04 LTS (resolute) - medium
Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact
Update Instructions:
Run `sudo pro fix CVE-2025-40929` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libcpanel-json-xs-perl - 4.39-2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-08 15:15:00 UTC
2025-09-08 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-7749-1]
CVE-2025-40929
CVE-2025-40931 on Ubuntu 26.04 LTS (resolute) - medium
Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems. Note that the libapache-session-perl package in some Debian-based Linux distributions may be patched to use Crypt::URandom.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-05 02:16:00 UTC
CVE-2025-40931
CVE-2025-40932 on Ubuntu 26.04 LTS (resolute) - medium
Apache::SessionX versions through 2.01 for Perl create insecure session id. Apache::SessionX generates session ids insecurely. The default session id generator in Apache::SessionX::Generate::MD5 returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 00:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930660
CVE-2025-40932
CVE-2025-41234 on Ubuntu 26.04 LTS (resolute) - medium
Description
In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.
Specifically, an application is vulnerable when all the following are true:
 * The header is prepared with org.springframework.http.ContentDisposition.
 * The filename is set via ContentDisposition.Builder#filename(String, Charset).
 * The value for the filename is derived from user-supplied input.
 * The application does not sanitize the user-supplied input.
 * The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).
An application is not vulnerable if any of the following is true:
 * The application does not set a “Content-Disposition” response header.
 * The header is not prepared with org.springframework.http.ContentDisposition.
 * The filename is set via one of:
   * ContentDisposition.Builder#filename(String), or
   * ContentDisposition.Builder#filename(String, ASCII)
 * The filename is not derived from user-supplied input.
 * The filename is derived from user-supplied input but sanitized by the application.
 * The attacker cannot inject malicious content in the downloaded content of the response.
Affected Spring Products and Versions
Spring Framework:
 * 6.2.0 - 6.2.7
 * 6.1.0 - 6.1.20
 * 6.0.5 - 6.0.28
 * Older, unsupported versions are not affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s) | Fix version | Availability
6.2.x | 6.2.8 | OSS
6.1.x | 6.1.21 | OSS
6.0.x | 6.0.29 | Commercial https://enterprise.spring.io/
No further mitigation steps are necessary.
CWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-12 22:15:00 UTC
CVE-2025-41234
CVE-2025-41242 on Ubuntu 26.04 LTS (resolute) - medium
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:
 * the application is deployed as a WAR or with an embedded Servlet container
 * the Servlet container does not reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization
 * the application serves static resources https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title with Spring resource handling
We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-18 09:15:00 UTC
CVE-2025-41242
CVE-2025-41249 on Ubuntu 26.04 LTS (resolute) - medium
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces. This CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 .
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-16 11:15:00 UTC
CVE-2025-41249
CVE-2025-41254 on Ubuntu 26.04 LTS (resolute) - medium
STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.
Affected Spring Products and Versions
Spring Framework:
 * 6.2.0 - 6.2.11
 * 6.1.0 - 6.1.23
 * 6.0.x - 6.0.29
 * 5.3.0 - 5.3.45
 * Older, unsupported versions are also affected.
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s) | Fix version | Availability
6.2.x | 6.2.12 | OSS
6.1.x | 6.1.24 | Commercial https://enterprise.spring.io/
6.0.x | N/A | Out of support https://spring.io/projects/spring-framework#support
5.3.x | 5.3.46 | Commercial https://enterprise.spring.io/
No further mitigation steps are necessary.
Credit
This vulnerability was discovered and responsibly reported by Jannis Kaiser.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-16 15:15:00 UTC
CVE-2025-41254
CVE-2025-4211 on Ubuntu 26.04 LTS (resolute) - medium
Improper Link Resolution Before File Access ('Link Following') vulnerability in QFileSystemEngine in the Qt corelib module on Windows which potentially allows Symlink Attacks and the use of Malicious Files. Issue originates from CVE-2024-38081. The vulnerability arises from the use of the GetTempPath API, which can be exploited by attackers to manipulate temporary file paths, potentially leading to unauthorized access and privilege escalation. The affected public API in the Qt Framework is QDir::tempPath() and anything that uses it, such as QStandardPaths with TempLocation, QTemporaryDir, and QTemporaryFile. This issue affects all versions of Qt up to and including 5.15.18, from 6.0.0 through 6.5.8, from 6.6.0 through 6.8.1. It is fixed in Qt 5.15.19, Qt 6.5.9, Qt 6.8.2, 6.9.0
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-16 14:15:00 UTC
CVE-2025-4211
CVE-2025-4287 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as problematic. Affected by this issue is the function torch.cuda.nccl.reduce of the file torch/cuda/nccl.py. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The patch is identified as 5827d2061dcb4acd05ac5f8e65d8693a481ba0f5. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-05 20:15:00 UTC
CVE-2025-4287
CVE-2025-43265 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read was addressed with improved input validation. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously crafted web content may disclose internal states of the app.
Update Instructions:
Run `sudo pro fix CVE-2025-43265` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-javascriptcoregtk-4.1 - 2.48.6-1ubuntu2
gir1.2-javascriptcoregtk-6.0 - 2.48.6-1ubuntu2
gir1.2-webkit-6.0 - 2.48.6-1ubuntu2
gir1.2-webkit2-4.1 - 2.48.6-1ubuntu2
libjavascriptcoregtk-4.0-bin - 2.48.6-1ubuntu2
libjavascriptcoregtk-4.1-0 - 2.48.6-1ubuntu2
libjavascriptcoregtk-6.0-1 - 2.48.6-1ubuntu2
libjavascriptcoregtk-bin - 2.48.6-1ubuntu2
libwebkit2gtk-4.1-0 - 2.48.6-1ubuntu2
libwebkitgtk-6.0-4 - 2.48.6-1ubuntu2
webkit2gtk-driver - 2.48.6-1ubuntu2
webkitgtk-webdriver - 2.48.6-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-30 00:15:00 UTC
2025-07-30 00:15:00 UTC
[https://ubuntu.com/security/notices/USN-7702-1]
CVE-2025-43265
CVE-2025-43715 on Ubuntu 26.04 LTS (resolute) - medium
Nullsoft Scriptable Install System (NSIS) before 3.11 on Windows allows local users to escalate privileges to SYSTEM during an installation, because the temporary plugins directory is created under %WINDIR%\temp and unprivileged users can place a crafted executable file by winning a race condition. This occurs because EW_CREATEDIR does not always set the CreateRestrictedDirectory error flag.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-17 03:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103524
CVE-2025-43715
CVE-2025-43718 on Ubuntu 26.04 LTS (resolute) - medium
Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata, and associated functions in PDFDoc, with deep recursion in the regex executor (std::__detail::_Executor).
Update Instructions:
Run `sudo pro fix CVE-2025-43718` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-poppler-0.18 - 25.03.0-10
libpoppler-cpp2 - 25.03.0-10
libpoppler-glib8t64 - 25.03.0-10
libpoppler-qt5-1t64 - 25.03.0-10
libpoppler-qt6-3t64 - 25.03.0-10
libpoppler147 - 25.03.0-10
poppler-utils - 25.03.0-10
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-02
2025-10-02
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117046
[https://ubuntu.com/security/notices/USN-7803-1]
CVE-2025-43718
CVE-2025-4382 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in systems utilizing LUKS-encrypted disks with GRUB configured for TPM-based auto-decryption. When GRUB is set to automatically decrypt disks using keys stored in the TPM, it reads the decryption key into system memory. If an attacker with physical access can corrupt the underlying filesystem superblock, GRUB will fail to locate a valid filesystem and enter rescue mode. At this point, the disk is already decrypted, and the decryption key remains loaded in system memory. This scenario may allow an attacker with physical access to access the unencrypted data without any further authentication, thereby compromising data confidentiality. Furthermore, the ability to force this state through filesystem corruption also presents a data integrity concern.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-09 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105108
CVE-2025-4382
CVE-2025-43857 on Ubuntu 26.04 LTS (resolute) - low
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5, there is a possibility for denial of service by memory exhaustion when net-imap reads server responses. At any time while the client is connected, a malicious server can send a "literal" byte count, which is automatically read by the client's receiver thread. The response reader immediately allocates memory for the number of bytes indicated by the server response. This should not be an issue when securely connecting to trusted IMAP servers that are well-behaved. It can affect insecure connections and buggy, untrusted, or compromised servers (for example, connecting to a user supplied hostname). This issue has been patched in versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-04-28 16:15:00 UTC
CVE-2025-43857
CVE-2025-43926 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user preferences with arbitrary keys. When fetching user data via GetUserData, these keys and values are retrieved and given as a whole to other function calls, which then might use these keys/values to affect permissions or other settings.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-08 16:15:00 UTC
CVE-2025-43926
CVE-2025-43960 on Ubuntu 26.04 LTS (resolute) - medium
Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Remote, unauthenticated attackers can trigger this by sending a malicious serialized object, which forces excessive memory usage, rendering Adminer’s interface unresponsive and causing a server-level DoS. While the server may recover after several minutes, multiple simultaneous requests can cause a complete crash requiring manual intervention.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-43960
CVE-2025-43961 on Ubuntu 26.04 LTS (resolute) - medium
In LibRaw before 0.21.4, metadata/tiff.cpp has an out-of-bounds read in the Fujifilm 0xf00c tag parser.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-21 00:15:00 UTC
2025-04-21 00:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103781
[https://ubuntu.com/security/notices/USN-7485-1]
CVE-2025-43961
CVE-2025-43962 on Ubuntu 26.04 LTS (resolute) - medium
In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cpp has out-of-bounds reads for tag 0x412 processing, related to large w0 or w1 values or the frac and mult calculations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-21 00:15:00 UTC
2025-04-21 00:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103781
[https://ubuntu.com/security/notices/USN-7485-1]
CVE-2025-43962
CVE-2025-43963 on Ubuntu 26.04 LTS (resolute) - medium
In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cpp allows out-of-buffer access because split_col and split_row values are not checked in 0x041f tag processing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-21 00:15:00 UTC
2025-04-21 00:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103782
[https://ubuntu.com/security/notices/USN-7485-1]
CVE-2025-43963
CVE-2025-43964 on Ubuntu 26.04 LTS (resolute) - medium
In LibRaw before 0.21.4, tag 0x412 processing in phase_one_correct in decoders/load_mfbacks.cpp does not enforce minimum w0 and w1 values.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-21 00:15:00 UTC
2025-04-21 00:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103783
[https://ubuntu.com/security/notices/USN-7485-1]
CVE-2025-43964
CVE-2025-44021 on Ubuntu 26.04 LTS (resolute) - medium
OpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling (if a deployment was performed via the API). A malicious project assigned as a node owner can provide a path to any local file (readable by ironic-conductor), which may then be written to the target node disk. This is difficult to exploit in practice, because a node deployed in this manner should never reach the ACTIVE state, but it still represents a danger in environments running with non-default, insecure configurations such as with automated cleaning disabled. The fixed versions are 24.1.3, 26.1.1, and 29.0.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-08 17:16:00 UTC
https://bugs.launchpad.net/ironic/+bug/2107847
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104964
CVE-2025-44021
CVE-2025-4404 on Ubuntu 26.04 LTS (resolute) - medium
A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-17 14:15:00 UTC
CVE-2025-4404
CVE-2025-4444 on Ubuntu 26.04 LTS (resolute) - medium
A security flaw has been discovered in Tor up to 0.4.7.16/0.4.8.17. Impacted is an unknown function of the component Onion Service Descriptor Handler. Performing manipulation results in resource consumption. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. Upgrading to version 0.4.8.18 and 0.4.9.3-alpha is recommended to address this issue. It is recommended to upgrade the affected component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-18 14:15:00 UTC
CVE-2025-4444
CVE-2025-44904 on Ubuntu 26.04 LTS (resolute) - medium
hdf5 v1.14.6 was discovered to contain a heap buffer overflow via the H5VM_memcpyvv function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-30 04:15:00 UTC
CVE-2025-44904
CVE-2025-44905 on Ubuntu 26.04 LTS (resolute) - medium
hdf5 v1.14.6 was discovered to contain a heap buffer overflow via the H5Z__filter_scaleoffset function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-30 04:15:00 UTC
CVE-2025-44905
CVE-2025-44906 on Ubuntu 26.04 LTS (resolute) - medium
jhead v3.08 was discovered to contain a heap-use-after-free via the ProcessFile function at jhead.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-30 04:15:00 UTC
CVE-2025-44906
CVE-2025-45091 on Ubuntu 26.04 LTS (resolute) - medium
Seafile versions 11.0.18-Pro, 12.0.10, and 12.0.10-Pro are vulnerable to a stored Cross-Site Scripting (XSS) attack. An authenticated attacker can exploit this vulnerability by modifying their username to include a malicious XSS payload in notification and activities.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-15 20:15:00 UTC
CVE-2025-45091
CVE-2025-4516 on Ubuntu 26.04 LTS (resolute) - medium
There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.
Update Instructions:
Run `sudo pro fix CVE-2025-4516` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
idle-python3.14 - 3.14.0-1
libpython3.14 - 3.14.0-1
libpython3.14-minimal - 3.14.0-1
libpython3.14-stdlib - 3.14.0-1
libpython3.14-testsuite - 3.14.0-1
python3.14 - 3.14.0-1
python3.14-examples - 3.14.0-1
python3.14-full - 3.14.0-1
python3.14-gdbm - 3.14.0-1
python3.14-minimal - 3.14.0-1
python3.14-nopie - 3.14.0-1
python3.14-tk - 3.14.0-1
python3.14-venv - 3.14.0-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-15 14:15:00 UTC
2025-05-15 14:15:00 UTC
https://github.com/python/cpython/issues/133767
[https://ubuntu.com/security/notices/USN-7570-1]
CVE-2025-4516
CVE-2025-45160 on Ubuntu 26.04 LTS (resolute) - medium
An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., <h1>, <b>, <svg>) into the rendered page. NOTE: Multiple third-parties including the maintainer have stated that they cannot reproduce this issue after 1.2.27.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-29 18:16:00 UTC
CVE-2025-45160
CVE-2025-45512 on Ubuntu 26.04 LTS (resolute) - medium
A lack of signature verification in the bootloader of DENX Software Engineering Das U-Boot (U-Boot) v1.1.3 allows attackers to install crafted firmware files, leading to arbitrary code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-05 19:15:00 UTC
CVE-2025-45512
CVE-2025-45582 on Ubuntu 26.04 LTS (resolute) - medium
GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-11 17:15:00 UTC
pfsmorigo
CVE-2025-45582
CVE-2025-45663 on Ubuntu 26.04 LTS (resolute) - medium
An issue in NetSurf v3.11 causes the application to read uninitialized heap memory when creating a dom_event structure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-03 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119918
CVE-2025-45663
CVE-2025-45765 on Ubuntu 26.04 LTS (resolute) - medium
ruby-jwt v3.0.0.beta1 was discovered to contain weak encryption. NOTE: the Supplier's perspective is "keysize is not something that is enforced by this library. Currently more recent versions of OpenSSL are enforcing some key sizes and those restrictions apply to the users of this gem also."
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-07 21:15:00 UTC
CVE-2025-45765
CVE-2025-45766 on Ubuntu 26.04 LTS (resolute) - medium
poco v1.14.1-release was discovered to contain weak encryption. NOTE: this issue has been disputed on the basis that key lengths are expected to be set by an application, not by this library. This dispute is subject to review under CNA rules 4.1.4, 4.1.14, and other rules; the dispute tagging is not meant to recommend an outcome for this CVE Record.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-06 20:15:00 UTC
CVE-2025-45766
CVE-2025-45770 on Ubuntu 26.04 LTS (resolute) - medium
jwt v5.4.3 was discovered to contain weak encryption. NOTE: this issue has been disputed on the basis that key lengths are expected to be set by an application, not by this library. This dispute is subject to review under CNA rules 4.1.4, 4.1.14, and other rules; the dispute tagging is not meant to recommend an outcome for this CVE Record.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-31 20:15:00 UTC
CVE-2025-45770
CVE-2025-46148 on Ubuntu 26.04 LTS (resolute) - medium
In PyTorch through 2.6.0, when eager is used, nn.PairwiseDistance(p=2) produces incorrect results.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-25 15:16:00 UTC
CVE-2025-46148
CVE-2025-46149 on Ubuntu 26.04 LTS (resolute) - medium
In PyTorch before 2.7.0, when inductor is used, nn.Fold has an assertion error.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-25 15:16:00 UTC
CVE-2025-46149
CVE-2025-46150 on Ubuntu 26.04 LTS (resolute) - medium
In PyTorch before 2.7.0, when torch.compile is used, FractionalMaxPool2d has inconsistent results.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-25 15:16:00 UTC
CVE-2025-46150
CVE-2025-46152 on Ubuntu 26.04 LTS (resolute) - medium
In PyTorch before 2.7.0, bitwise_right_shift produces incorrect output for certain out-of-bounds values of the "other" argument.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-25 15:16:00 UTC
CVE-2025-46152
CVE-2025-46153 on Ubuntu 26.04 LTS (resolute) - medium
PyTorch before 3.7.0 has a bernoulli_p decompose function in decompositions.py even though it lacks full consistency with the eager CPU implementation, negatively affecting nn.Dropout1d, nn.Dropout2d, and nn.Dropout3d for fallback_random=True.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-25 15:16:00 UTC
CVE-2025-46153
CVE-2025-46205 on Ubuntu 26.04 LTS (resolute) - medium
A heap-use-after-free in the PdfTokenizer::ReadDictionary function of podofo v0.10.0 to v0.10.5 allows attackers to cause a Denial of Service (DoS) by supplying a crafted PDF file. NOTE: this is disputed by the Supplier because there is no available file to reproduce the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-01 19:15:00 UTC
CVE-2025-46205
CVE-2025-46337 on Ubuntu 26.04 LTS (resolute) - medium
ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. Prior to version 5.22.9, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data. This issue has been patched in version 5.22.9.
Update Instructions:
Run `sudo pro fix CVE-2025-46337` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libphp-adodb - 5.22.9-0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-01 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104548
[https://ubuntu.com/security/notices/USN-7530-1]
CVE-2025-46337
CVE-2025-4638 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability exists in the inftrees.c component of the zlib library, which is bundled within the PointCloudLibrary (PCL). This issue may allow context-dependent attackers to cause undefined behavior by exploiting improper pointer arithmetic. Since version 1.14.0, PCL by default uses a zlib installation from the system, unless the user sets WITH_SYSTEM_ZLIB=FALSE. So this potential vulnerability is only relevant if the PCL version is older than 1.14.0 or the user specifically requests to not use the system zlib.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-14 18:15:00 UTC
CVE-2025-4638
CVE-2025-46392 on Ubuntu 26.04 LTS (resolute) - medium
Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x. There are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. The Apache Commons Configuration team does not intend to fix these issues in 1.x. Apache Commons Configuration 1.x is still safe to use in scenarios where you only load trusted configurations. Users that load untrusted configurations or give attackers control over usage patterns are recommended to upgrade to the 2.x version line, which fixes these issues. Apache Commons Configuration 2.x is not a drop-in replacement, but as it uses a separate Maven groupId and Java package namespace they can be loaded side-by-side, making it possible to do a gradual migration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-09 10:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105107
CVE-2025-46392
CVE-2025-46394 on Ubuntu 26.04 LTS (resolute) - medium
In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-23 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104008
https://bugs.busybox.net/show_bug.cgi?id=16018
CVE-2025-46394
CVE-2025-4640 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds Write vulnerability in PointCloudLibrary pcl allows Overflow Buffers. Since version 1.14.0, PCL by default uses a zlib installation from the system, unless the user sets WITH_SYSTEM_ZLIB=FALSE. So this potential vulnerability is only relevant if the PCL version is older than 1.14.0 or the user specifically requests to not use the system zlib.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-14 19:15:00 UTC
CVE-2025-4640
CVE-2025-46407 on Ubuntu 26.04 LTS (resolute) - medium
A memory corruption vulnerability exists in the BMPv3 Palette Decoding functionality of the SAIL Image Decoding Library v0.9.8. When loading a specially crafted .bmp file, an integer overflow can be made to occur which will cause a heap-based buffer to overflow when reading the palette from the image. These conditions can allow for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 15:15:00 UTC
CVE-2025-46407
CVE-2025-46411 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-46411
CVE-2025-46421 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect.
Update Instructions:
Run `sudo pro fix CVE-2025-46421` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-soup-2.4 - 2.74.3-10.1ubuntu1
libsoup-2.4-1 - 2.74.3-10.1ubuntu1
libsoup-gnome-2.4-1 - 2.74.3-10.1ubuntu1
libsoup2.4-common - 2.74.3-10.1ubuntu1
libsoup2.4-tests - 2.74.3-10.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-24 13:15:00 UTC
2025-04-24 13:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104054
https://gitlab.gnome.org/GNOME/libsoup/-/issues/439
https://bugzilla.redhat.com/show_bug.cgi?id=2361962
[https://ubuntu.com/security/notices/USN-7490-1]
[https://ubuntu.com/security/notices/USN-7490-3]
CVE-2025-46421
CVE-2025-4658 on Ubuntu 26.04 LTS (resolute) - medium
Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-13 17:16:00 UTC
CVE-2025-4658
CVE-2025-46653 on Ubuntu 26.04 LTS (resolute) - medium
Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-26 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104246
CVE-2025-46653
CVE-2025-46686 on Ubuntu 26.04 LTS (resolute) - medium
Redis through 8.0.3 allows memory consumption via a multi-bulk command composed of many bulks, sent by an authenticated user. This occurs because the server allocates memory for the command arguments of every bulk, even when the command is skipped because of insufficient permissions. NOTE: this is disputed by the Supplier because abuse of the commands network protocol is not a violation of the Redis Security Model.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-23 19:15:00 UTC
CVE-2025-46686
CVE-2025-46687 on Ubuntu 26.04 LTS (resolute) - medium
quickjs-ng through 0.9.0 has a missing length check in JS_ReadString for a string, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-27 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104255
CVE-2025-46687
CVE-2025-46688 on Ubuntu 26.04 LTS (resolute) - medium
quickjs-ng through 0.9.0 has an incorrect size calculation in JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-04-27 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104255
CVE-2025-46688
CVE-2025-46701 on Ubuntu 26.04 LTS (resolute) - medium
Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's CGI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-29 19:15:00 UTC
2025-05-29 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106821
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106820
[https://ubuntu.com/security/notices/USN-7705-1]
CVE-2025-46701
CVE-2025-46712 on Ubuntu 26.04 LTS (resolute) - low
Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged. This allows a Man-in-the-Middle attacker to inject these messages in a connection during the handshake. This issue has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25).
Update Instructions:
Run `sudo pro fix CVE-2025-46712` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
erlang - 1:27.3.4.1+dfsg-1
erlang-asn1 - 1:27.3.4.1+dfsg-1
erlang-base - 1:27.3.4.1+dfsg-1
erlang-common-test - 1:27.3.4.1+dfsg-1
erlang-crypto - 1:27.3.4.1+dfsg-1
erlang-debugger - 1:27.3.4.1+dfsg-1
erlang-dialyzer - 1:27.3.4.1+dfsg-1
erlang-diameter - 1:27.3.4.1+dfsg-1
erlang-edoc - 1:27.3.4.1+dfsg-1
erlang-eldap - 1:27.3.4.1+dfsg-1
erlang-et - 1:27.3.4.1+dfsg-1
erlang-eunit - 1:27.3.4.1+dfsg-1
erlang-examples - 1:27.3.4.1+dfsg-1
erlang-ftp - 1:27.3.4.1+dfsg-1
erlang-inets - 1:27.3.4.1+dfsg-1
erlang-jinterface - 1:27.3.4.1+dfsg-1
erlang-megaco - 1:27.3.4.1+dfsg-1
erlang-mnesia - 1:27.3.4.1+dfsg-1
erlang-mode - 1:27.3.4.1+dfsg-1
erlang-nox - 1:27.3.4.1+dfsg-1
erlang-observer - 1:27.3.4.1+dfsg-1
erlang-odbc - 1:27.3.4.1+dfsg-1
erlang-os-mon - 1:27.3.4.1+dfsg-1
erlang-parsetools - 1:27.3.4.1+dfsg-1
erlang-public-key - 1:27.3.4.1+dfsg-1
erlang-reltool - 1:27.3.4.1+dfsg-1
erlang-runtime-tools - 1:27.3.4.1+dfsg-1
erlang-snmp - 1:27.3.4.1+dfsg-1
erlang-src - 1:27.3.4.1+dfsg-1
erlang-ssh - 1:27.3.4.1+dfsg-1
erlang-ssl - 1:27.3.4.1+dfsg-1
erlang-syntax-tools - 1:27.3.4.1+dfsg-1
erlang-tftp - 1:27.3.4.1+dfsg-1
erlang-tools - 1:27.3.4.1+dfsg-1
erlang-wx - 1:27.3.4.1+dfsg-1
erlang-x11 - 1:27.3.4.1+dfsg-1
erlang-xmerl - 1:27.3.4.1+dfsg-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-05-08 20:15:00 UTC
2025-05-08 20:15:00 UTC
Fabian Bäumer, Marcel Maehren, Marcus Brinkmann, and Jörg Schwenk
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104963
[https://ubuntu.com/security/notices/USN-7656-1]
CVE-2025-46712
CVE-2025-46717 on Ubuntu 26.04 LTS (resolute) - medium
sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with no (or very limited) sudo privileges can determine whether files exist in folders that they otherwise cannot access using `sudo --list <pathname>`. Users with local access to a machine can discover the existence/non-existence of certain files, revealing potentially sensitive information in the file names. This information can also be used in conjunction with other attacks. Version 0.2.6 fixes the vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2025-46717` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
sudo-rs - 0.2.8-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-12 15:16:00 UTC
CVE-2025-46717
CVE-2025-46718 on Ubuntu 26.04 LTS (resolute) - medium
sudo-rs is a memory safe implementation of sudo and su written in Rust. Prior to version 0.2.6, users with limited sudo privileges (e.g. execution of a single command) can list sudo privileges of other users using the `-U` flag. This vulnerability allows users with limited sudo privileges to enumerate the sudoers file, revealing sensitive information about other users' permissions. Attackers can collect information that can be used for more targeted attacks. Systems where users either do not have sudo privileges or have the ability to run all commands as root through sudo (the default configuration on most systems) are not affected by this advisory. Version 0.2.6 fixes the vulnerability.
Update Instructions:
Run `sudo pro fix CVE-2025-46718` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
sudo-rs - 0.2.8-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-12 15:16:00 UTC
CVE-2025-46718
CVE-2025-46728 on Ubuntu 26.04 LTS (resolute) - medium
cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the `cpp-httplib` application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-06 01:15:00 UTC
CVE-2025-46728
CVE-2025-4673 on Ubuntu 26.04 LTS (resolute) - medium
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-11 17:15:00 UTC
2025-06-11 17:15:00 UTC
Takeshi Kaneko
https://github.com/golang/go/issues/73816
[https://ubuntu.com/security/notices/USN-7574-1]
CVE-2025-4673
CVE-2025-4674 on Ubuntu 26.04 LTS (resolute) - medium
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-29 22:15:00 UTC
https://github.com/golang/go/issues/74380
CVE-2025-4674
CVE-2025-46801 on Ubuntu 26.04 LTS (resolute) - medium
Pgpool-II provided by PgPool Global Development Group contains an authentication bypass by primary weakness vulnerability. If the vulnerability is exploited, an attacker may be able to log in to the system as an arbitrary user, allowing them to read or tamper with data in the database, and/or disable the database.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-19 08:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106119
CVE-2025-46801
CVE-2025-46806 on Ubuntu 26.04 LTS (resolute) - medium
A Use of Out-of-range Pointer Offset vulnerability in sslh leads to denial of service on some architectures. This issue affects sslh before 2.2.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-02 13:15:00 UTC
CVE-2025-46806
CVE-2025-46807 on Ubuntu 26.04 LTS (resolute) - medium
An Allocation of Resources Without Limits or Throttling vulnerability in sslh allows attackers to easily exhaust the file descriptors in sslh and deny legitimate users service. This issue affects sslh before 2.2.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-02 12:15:00 UTC
CVE-2025-46807
CVE-2025-46817 on Ubuntu 26.04 LTS (resolute) - medium
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-03 18:15:00 UTC
2025-10-03 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-7893-1]
CVE-2025-46817
CVE-2025-46818 on Ubuntu 26.04 LTS (resolute) - medium
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-03 19:15:00 UTC
2025-10-03 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-7893-1]
CVE-2025-46818
CVE-2025-46819 on Ubuntu 26.04 LTS (resolute) - medium
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and cause a subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. A workaround for this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-03 19:15:00 UTC
2025-10-03 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-7893-1]
CVE-2025-46819
CVE-2025-46836 on Ubuntu 26.04 LTS (resolute) - medium
net-tools is a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system. In versions up to and including 2.10, the Linux network utilities (like ifconfig) from the net-tools package do not properly validate the structure of /proc files when showing interfaces. `get_name()` in `interface.c` copies interface labels from `/proc/net/dev` into a fixed 16-byte stack buffer without bounds checking, leading to possible arbitrary code execution or crash. The known attack path does not require privilege but also does not provide privilege escalation in this scenario. A patch is available and expected to be part of version 2.20.
Update Instructions:
Run `sudo pro fix CVE-2025-46836` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
net-tools - 2.10-1.3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-14 23:15:00 UTC
2025-05-14 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105806
[https://ubuntu.com/security/notices/USN-7537-1]
[https://ubuntu.com/security/notices/USN-7537-2]
CVE-2025-46836
CVE-2025-4690 on Ubuntu 26.04 LTS (resolute) - medium
A regular expression used by AngularJS' linky (https://docs.angularjs.org/api/ngSanitize/filter/linky) filter to detect URLs in input text is vulnerable to super-linear runtime due to backtracking. With a large carefully-crafted input, this can cause a Regular expression Denial of Service (ReDoS) (https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) attack on the application. This issue affects all versions of AngularJS. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here: https://docs.angularjs.org/misc/version-support-status .
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-19 14:15:00 UTC
CVE-2025-4690
CVE-2025-47229 on Ubuntu 26.04 LTS (resolute) - medium
libpspp-core.a in GNU PSPP through 2.0.1 allows attackers to cause a denial of service (var_set_leave_quiet assertion failure and application exit) via crafted input data, such as data that triggers a call from src/data/dictionary.c code into src/data/variable.c code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-03 03:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104636
CVE-2025-47229
CVE-2025-47268 on Ubuntu 26.04 LTS (resolute) - low
ping in iputils before 20250602 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp multiplication.
Update Instructions:
Run `sudo pro fix CVE-2025-47268` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
iputils-arping - 3:20240905-3ubuntu2
iputils-clockdiff - 3:20240905-3ubuntu2
iputils-ping - 3:20240905-3ubuntu2
iputils-tracepath - 3:20240905-3ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-05-05 14:15:00 UTC
2025-05-05 14:15:00 UTC
Mohamed Maatallah
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104746
https://github.com/iputils/iputils/issues/584
https://bugzilla.suse.com/show_bug.cgi?id=1242300
[https://ubuntu.com/security/notices/USN-7670-1]
CVE-2025-47268
CVE-2025-47279 on Ubuntu 26.04 LTS (resolute) - medium
Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaround, avoid calling a webhook repeatedly if the webhook fails.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-15 18:15:00 UTC
CVE-2025-47279
CVE-2025-47287 on Ubuntu 26.04 LTS (resolute) - medium
Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.
Update Instructions:
Run `sudo pro fix CVE-2025-47287` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-tornado - 6.4.2-2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-15 22:15:00 UTC
2025-05-15 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-7547-1]
CVE-2025-47287
CVE-2025-47291 on Ubuntu 26.04 LTS (resolute) - medium
containerd is an open-source container runtime. A bug was found in the containerd's CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn't put usernamespaced containers under the Kubernetes' cgroup hierarchy, therefore some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node. This bug has been fixed in containerd 2.0.5+ and 2.1.0+. Users should update to these versions to resolve the issue. As a workaround, disable usernamespaced pods in Kubernetes temporarily.
Update Instructions:
Run `sudo pro fix CVE-2025-47291` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
containerd - 2.0.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-21 18:15:00 UTC
CVE-2025-47291
CVE-2025-4748 on Ubuntu 26.04 LTS (resolute) - medium
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
Update Instructions:
Run `sudo pro fix CVE-2025-4748` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
erlang - 1:27.3.4.1+dfsg-1
erlang-asn1 - 1:27.3.4.1+dfsg-1
erlang-base - 1:27.3.4.1+dfsg-1
erlang-common-test - 1:27.3.4.1+dfsg-1
erlang-crypto - 1:27.3.4.1+dfsg-1
erlang-debugger - 1:27.3.4.1+dfsg-1
erlang-dialyzer - 1:27.3.4.1+dfsg-1
erlang-diameter - 1:27.3.4.1+dfsg-1
erlang-edoc - 1:27.3.4.1+dfsg-1
erlang-eldap - 1:27.3.4.1+dfsg-1
erlang-et - 1:27.3.4.1+dfsg-1
erlang-eunit - 1:27.3.4.1+dfsg-1
erlang-examples - 1:27.3.4.1+dfsg-1
erlang-ftp - 1:27.3.4.1+dfsg-1
erlang-inets - 1:27.3.4.1+dfsg-1
erlang-jinterface - 1:27.3.4.1+dfsg-1
erlang-megaco - 1:27.3.4.1+dfsg-1
erlang-mnesia - 1:27.3.4.1+dfsg-1
erlang-mode - 1:27.3.4.1+dfsg-1
erlang-nox - 1:27.3.4.1+dfsg-1
erlang-observer - 1:27.3.4.1+dfsg-1
erlang-odbc - 1:27.3.4.1+dfsg-1
erlang-os-mon - 1:27.3.4.1+dfsg-1
erlang-parsetools - 1:27.3.4.1+dfsg-1
erlang-public-key - 1:27.3.4.1+dfsg-1
erlang-reltool - 1:27.3.4.1+dfsg-1
erlang-runtime-tools - 1:27.3.4.1+dfsg-1
erlang-snmp - 1:27.3.4.1+dfsg-1
erlang-src - 1:27.3.4.1+dfsg-1
erlang-ssh - 1:27.3.4.1+dfsg-1
erlang-ssl - 1:27.3.4.1+dfsg-1
erlang-syntax-tools - 1:27.3.4.1+dfsg-1
erlang-tftp - 1:27.3.4.1+dfsg-1
erlang-tools - 1:27.3.4.1+dfsg-1
erlang-wx - 1:27.3.4.1+dfsg-1
erlang-x11 - 1:27.3.4.1+dfsg-1
erlang-xmerl - 1:27.3.4.1+dfsg-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-16 11:15:00 UTC
2025-06-16 11:15:00 UTC
Wander Nauta
[https://ubuntu.com/security/notices/USN-7656-1]
CVE-2025-4748
CVE-2025-47711 on Ubuntu 26.04 LTS (resolute) - medium
There's a flaw in the nbdkit server when handling responses from its plugins regarding the status of data blocks. If a client makes a specific request for a very large data range, and a plugin responds with an even larger single block, the nbdkit server can encounter a critical internal error, leading to a denial-of-service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-09 06:15:00 UTC
CVE-2025-47711
CVE-2025-47712 on Ubuntu 26.04 LTS (resolute) - medium
A flaw exists in the nbdkit "blocksize" filter that can be triggered by a specific type of client request. When a client requests block status information for a very large data range, exceeding a certain limit, it causes an internal error in the nbdkit, leading to a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-09 06:15:00 UTC
CVE-2025-47712
CVE-2025-47779 on Ubuntu 26.04 LTS (resolute) - medium
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages that can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-22 17:15:00 UTC
CVE-2025-47779
CVE-2025-47780 on Ubuntu 26.04 LTS (resolute) - medium
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-22 17:15:00 UTC
CVE-2025-47780
CVE-2025-47814 on Ubuntu 26.04 LTS (resolute) - medium
libpspp-core.a in GNU PSPP through 2.0.1 allows attackers to cause a heap-based buffer overflow in inflate_read (called indirectly from spv_read_xml_member) in zip-reader.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-10 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105106
CVE-2025-47814
CVE-2025-47815 on Ubuntu 26.04 LTS (resolute) - medium
libpspp-core.a in GNU PSPP through 2.0.1 allows attackers to cause a heap-based buffer overflow in inflate_read (called indirectly from zip_member_read_all) in zip-reader.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-10 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105105
CVE-2025-47815
CVE-2025-47816 on Ubuntu 26.04 LTS (resolute) - medium
libpspp-core.a in GNU PSPP through 2.0.1 allows attackers to cause an spvxml-helpers.c spvxml_parse_attributes out-of-bounds read, related to extra content at the end of a document.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-10 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105104
CVE-2025-47816
CVE-2025-47906 on Ubuntu 26.04 LTS (resolute) - medium
If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-18 19:15:00 UTC
CVE-2025-47906
CVE-2025-47907 on Ubuntu 26.04 LTS (resolute) - medium
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-07 16:15:00 UTC
CVE-2025-47907
CVE-2025-47910 on Ubuntu 26.04 LTS (resolute) - medium
When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-22 21:15:00 UTC
CVE-2025-47910
CVE-2025-47911 on Ubuntu 26.04 LTS (resolute) - medium
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-05 18:16:00 UTC
2026-02-05 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127321
[https://ubuntu.com/security/notices/USN-8089-1]
[https://ubuntu.com/security/notices/USN-8089-2]
[https://ubuntu.com/security/notices/USN-8089-3]
CVE-2025-47911
CVE-2025-47912 on Ubuntu 26.04 LTS (resolute) - medium
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-29 23:16:00 UTC
CVE-2025-47912
CVE-2025-47913 on Ubuntu 26.04 LTS (resolute) - medium
SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-13 22:15:00 UTC
Jakub Ciolek, Nicola Murino
https://go.dev/issue/75178
CVE-2025-47913
CVE-2025-47914 on Ubuntu 26.04 LTS (resolute) - medium
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-19 21:15:00 UTC
CVE-2025-47914
CVE-2025-47928 on Ubuntu 26.04 LTS (resolute) - medium
Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using `pull_request_target` on `.github/workflows/integration_tests.yml` followed by the checking out the head.sha of a forked PR can be exploited by attackers, since untrusted code can be executed having full access to secrets (from the base repo). By exploiting the vulnerability it is possible to exfiltrate `GITHUB_TOKEN` and secrets `SPOTIPY_CLIENT_ID`, `SPOTIPY_CLIENT_SECRET`. In particular, `GITHUB_TOKEN` can be used to completely overtake the repo since the token has content write privileges. The `pull_request_target` in GitHub Actions is a major security concern, especially in public repositories, because it executes untrusted code from a PR, but with the context of the base repository, including access to its secrets. Commit 9dfb7177b8d7bb98a5a6014f8e6436812a47576f reverted the change that caused the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-15 20:16:00 UTC
CVE-2025-47928
CVE-2025-48005 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow vulnerability exists in the RHS2000 parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted RHS2000 file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-48005
CVE-2025-48050 on Ubuntu 26.04 LTS (resolute) - medium
In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a development helper script which starts a local web server if needed and must be manually started."
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-15 16:15:00 UTC
CVE-2025-48050
CVE-2025-48060 on Ubuntu 26.04 LTS (resolute) - medium
jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.
Update Instructions:
Run `sudo pro fix CVE-2025-48060` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
jq - 1.8.1-3ubuntu1
libjq1 - 1.8.1-3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-21 18:15:00 UTC
2025-05-21 18:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106288
[https://ubuntu.com/security/notices/USN-7657-1]
[https://ubuntu.com/security/notices/USN-7657-2]
CVE-2025-48060
CVE-2025-48072 on Ubuntu 26.04 LTS (resolute) - medium
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-31 21:15:00 UTC
CVE-2025-48072
CVE-2025-48172 on Ubuntu 26.04 LTS (resolute) - medium
CHMLib through 2bef8d0, as used in SumatraPDF and other products, has a chm_lib.c _chm_decompress_block integer overflow. There is a resultant heap-based buffer overflow in _chm_fetch_bytes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-04 13:15:00 UTC
CVE-2025-48172
CVE-2025-48174 on Ubuntu 26.04 LTS (resolute) - medium
In libavif before 1.3.0, makeRoom in stream.c has an integer overflow and resultant buffer overflow in stream->offset+size.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-16 05:15:00 UTC
CVE-2025-48174
CVE-2025-48175 on Ubuntu 26.04 LTS (resolute) - medium
In libavif before 1.3.0, avifImageRGBToYUV in reformat.c has integer overflows in multiplications involving rgbRowBytes, yRowBytes, uRowBytes, and vRowBytes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-16 05:15:00 UTC
CVE-2025-48175
CVE-2025-48188 on Ubuntu 26.04 LTS (resolute) - medium
libpspp-core.a in GNU PSPP through 2.0.1 has an incorrect call from fill_buffer (in data/encrypted-file.c) to the Gnulib rijndaelDecrypt function, leading to a heap-based buffer over-read.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-16 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105918
CVE-2025-48188
CVE-2025-48367 on Ubuntu 26.04 LTS (resolute) - medium
Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-07 16:15:00 UTC
CVE-2025-48367
CVE-2025-48383 on Ubuntu 26.04 LTS (resolute) - medium
Django-Select2 is a Django integration for Select2. Prior to version 8.4.1, instances of HeavySelect2Mixin subclasses like the ModelSelect2MultipleWidget and ModelSelect2Widget can leak secret access tokens across requests. This can allow users to access restricted query sets and restricted data. This issue has been patched in version 8.4.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-27 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106747
CVE-2025-48383
CVE-2025-48387 on Ubuntu 26.04 LTS (resolute) - medium
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-02 20:15:00 UTC
CVE-2025-48387
CVE-2025-48429 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read vulnerability exists in the RLECodec::DecodeByStreams functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to leaking heap data. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-16 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123589
CVE-2025-48429
CVE-2025-48431 on Ubuntu 26.04 LTS (resolute) - medium
Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. Description: Specially crafted requests can crash a c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28 10:16:00 UTC
CVE-2025-48431
CVE-2025-48432 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
Update Instructions:
Run `sudo pro fix CVE-2025-48432` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:5.2.4-1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-06-04 14:00:00 UTC
2025-06-04 14:00:00 UTC
[https://ubuntu.com/security/notices/USN-7555-1]
[https://ubuntu.com/security/notices/USN-7555-2]
[https://ubuntu.com/security/notices/USN-7555-3]
CVE-2025-48432
CVE-2025-48509 on Ubuntu 26.04 LTS (resolute) - medium
Missing Checks in certain functions related to RMP initialization can allow a local admin privileged attacker to cause misidentification of I/O memory, potentially resulting in a loss of guest memory integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 20:16:00 UTC
CVE-2025-48509
CVE-2025-48514 on Ubuntu 26.04 LTS (resolute) - medium
Insufficient Granularity of Access Control in SEV firmware can allow a privileged attacker to create a SEV-ES Guest to attack SNP guest, potentially resulting in a loss of confidentiality.
Update Instructions:
Run `sudo pro fix CVE-2025-48514` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
amd64-microcode - 3.20251202.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 20:16:00 UTC
CVE-2025-48514
CVE-2025-48517 on Ubuntu 26.04 LTS (resolute) - medium
Insufficient Granularity of Access Control in SEV firmware could allow a privileged user with a malicious hypervisor to create a SEV-ES guest with an ASID in the range meant for SEV-SNP guests potentially resulting in a partial loss of confidentiality.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 20:16:00 UTC
CVE-2025-48517
CVE-2025-48734 on Ubuntu 26.04 LTS (resolute) - medium
Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default. Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests. This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2. Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-28 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106746
CVE-2025-48734
CVE-2025-48924 on Ubuntu 26.04 LTS (resolute) - medium
Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-11 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109125
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109126
CVE-2025-48924
CVE-2025-48945 on Ubuntu 26.04 LTS (resolute) - medium
pycares is a Python module which provides an interface to c-ares. c-ares is a C library that performs DNS requests and name resolutions asynchronously. Prior to version 4.9.0, pycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash. The vulnerability has been fixed in pycares 4.9.0 by implementing a safe channel destruction mechanism.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-20 20:15:00 UTC
CVE-2025-48945
CVE-2025-48964 on Ubuntu 26.04 LTS (resolute) - low
ping in iputils before 20250602 allows a denial of service (application error in adaptive ping mode or incorrect data collection) via a crafted ICMP Echo Reply packet, because a zero timestamp can lead to large intermediate values that have an integer overflow when squared during statistics calculations. NOTE: this issue exists because of an incomplete fix for CVE-2025-47268 (that fix was only about timestamp calculations, and it did not account for a specific scenario where the original timestamp in the ICMP payload is zero).
Update Instructions:
Run `sudo pro fix CVE-2025-48964` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
iputils-arping - 3:20240905-3ubuntu2
iputils-clockdiff - 3:20240905-3ubuntu2
iputils-ping - 3:20240905-3ubuntu2
iputils-tracepath - 3:20240905-3ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-07-22 18:15:00 UTC
2025-07-22 18:15:00 UTC
https://bugzilla.suse.com/show_bug.cgi?id=1243772
[https://ubuntu.com/security/notices/USN-7670-1]
CVE-2025-48964
CVE-2025-48976 on Ubuntu 26.04 LTS (resolute) - medium
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-16 15:15:00 UTC
CVE-2025-48976
CVE-2025-48988 on Ubuntu 26.04 LTS (resolute) - medium
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-16 15:15:00 UTC
CVE-2025-48988
CVE-2025-48989 on Ubuntu 26.04 LTS (resolute) - medium
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-13 13:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111097
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111096
CVE-2025-48989
CVE-2025-48994 on Ubuntu 26.04 LTS (resolute) - medium
SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are vulnerable to a potential algorithm confusion attack. Unless the user explicitly limits the expected signature algorithms using the `signxml.XMLVerifier.verify(expect_config=...)` setting, an attacker may supply a signature unexpectedly signed with a key other than the provided HMAC key, using a different (asymmetric key) signature algorithm. Starting with SignXML 4.0.4, specifying `hmac_key` causes the set of accepted signature algorithms to be restricted to HMAC only, if not already restricted by the user.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-02 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107195
CVE-2025-48994
CVE-2025-48995 on Ubuntu 26.04 LTS (resolute) - medium
SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing it with the user supplied hash, allowing users to reconstruct the correct HMAC for any data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-02 17:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107195
CVE-2025-48995
CVE-2025-49010 on Ubuntu 26.04 LTS (resolute) - medium
OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, an attacker with physical access to the computer at the time user or administrator uses a token can cause a stack-buffer-overflow write in GET RESPONSE. The attack requires crafted USB device or smart card that would present the system with specially crafted responses to the APDUs. This issue has been patched in version 0.27.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 18:16:00 UTC
CVE-2025-49010
CVE-2025-49087 on Ubuntu 26.04 LTS (resolute) - medium
In Mbed TLS 3.6.1 through 3.6.3 before 3.6.4, a timing discrepancy in block cipher padding removal allows an attacker to recover the plaintext when PKCS#7 padding mode is used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-20 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108789
CVE-2025-49087
CVE-2025-49091 on Ubuntu 26.04 LTS (resolute) - medium
KDE Konsole before 25.04.2 allows remote code execution in a certain scenario. It supports loading URLs from the scheme handlers such as a ssh:// or telnet:// or rlogin:// URL. This can be executed regardless of whether the ssh, telnet, or rlogin binary is available. In this mode, there is a code path where if that binary is not available, Konsole falls back to using /bin/bash for the given arguments (i.e., the URL) provided. This allows an attacker to execute arbitrary code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-11 01:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107672
CVE-2025-49091
CVE-2025-49112 on Ubuntu 26.04 LTS (resolute) - medium
setDeferredReply in networking.c in Valkey through 8.1.1 has an integer underflow for prev->size - prev->used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-02 05:15:00 UTC
2025-06-02 05:15:00 UTC
[https://ubuntu.com/security/notices/USN-7893-1]
CVE-2025-49112
CVE-2025-49125 on Ubuntu 26.04 LTS (resolute) - medium
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-16 15:15:00 UTC
CVE-2025-49125
CVE-2025-49146 on Ubuntu 26.04 LTS (resolute) - medium
pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-11 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107696
CVE-2025-49146
CVE-2025-49175 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the X Rendering extension's handling of animated cursors. If a client provides no cursors, the server assumes at least one is present, leading to an out-of-bounds read and potential crash.
Update Instructions:
Run `sudo pro fix CVE-2025-49175` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.18-1ubuntu1
xorg-server-source - 2:21.1.18-1ubuntu1
xserver-common - 2:21.1.18-1ubuntu1
xserver-xephyr - 2:21.1.18-1ubuntu1
xserver-xorg-core - 2:21.1.18-1ubuntu1
xserver-xorg-legacy - 2:21.1.18-1ubuntu1
xvfb - 2:21.1.18-1ubuntu1
No subscription required
xwayland - 2:24.1.6-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-17
2025-06-17
Nils Emmerich
[https://ubuntu.com/security/notices/USN-7573-1]
[https://ubuntu.com/security/notices/USN-7573-2]
CVE-2025-49175
CVE-2025-49176 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the Big Requests extension. The request length is multiplied by 4 before checking against the maximum allowed size, potentially causing an integer overflow and bypassing the size check.
Update Instructions:
Run `sudo pro fix CVE-2025-49176` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.18-1ubuntu1
xorg-server-source - 2:21.1.18-1ubuntu1
xserver-common - 2:21.1.18-1ubuntu1
xserver-xephyr - 2:21.1.18-1ubuntu1
xserver-xorg-core - 2:21.1.18-1ubuntu1
xserver-xorg-legacy - 2:21.1.18-1ubuntu1
xvfb - 2:21.1.18-1ubuntu1
No subscription required
xwayland - 2:24.1.6-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-17
2025-06-17
Nils Emmerich
[https://ubuntu.com/security/notices/USN-7573-1]
[https://ubuntu.com/security/notices/USN-7573-2]
CVE-2025-49176
CVE-2025-49177 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests.
Update Instructions:
Run `sudo pro fix CVE-2025-49177` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.18-1ubuntu1
xorg-server-source - 2:21.1.18-1ubuntu1
xserver-common - 2:21.1.18-1ubuntu1
xserver-xephyr - 2:21.1.18-1ubuntu1
xserver-xorg-core - 2:21.1.18-1ubuntu1
xserver-xorg-legacy - 2:21.1.18-1ubuntu1
xvfb - 2:21.1.18-1ubuntu1
No subscription required
xwayland - 2:24.1.6-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-17
2025-06-17
Nils Emmerich
[https://ubuntu.com/security/notices/USN-7573-1]
CVE-2025-49177
CVE-2025-49178 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service.
Update Instructions:
Run `sudo pro fix CVE-2025-49178` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.18-1ubuntu1
xorg-server-source - 2:21.1.18-1ubuntu1
xserver-common - 2:21.1.18-1ubuntu1
xserver-xephyr - 2:21.1.18-1ubuntu1
xserver-xorg-core - 2:21.1.18-1ubuntu1
xserver-xorg-legacy - 2:21.1.18-1ubuntu1
xvfb - 2:21.1.18-1ubuntu1
No subscription required
xwayland - 2:24.1.6-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-17
2025-06-17
Nils Emmerich
[https://ubuntu.com/security/notices/USN-7573-1]
[https://ubuntu.com/security/notices/USN-7573-2]
CVE-2025-49178
CVE-2025-49179 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients function does not check for an integer overflow when computing request length, which allows a client to bypass length checks.
Update Instructions:
Run `sudo pro fix CVE-2025-49179` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.18-1ubuntu1
xorg-server-source - 2:21.1.18-1ubuntu1
xserver-common - 2:21.1.18-1ubuntu1
xserver-xephyr - 2:21.1.18-1ubuntu1
xserver-xorg-core - 2:21.1.18-1ubuntu1
xserver-xorg-legacy - 2:21.1.18-1ubuntu1
xvfb - 2:21.1.18-1ubuntu1
No subscription required
xwayland - 2:24.1.6-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-17
2025-06-17
Nils Emmerich
[https://ubuntu.com/security/notices/USN-7573-1]
[https://ubuntu.com/security/notices/USN-7573-2]
CVE-2025-49179
CVE-2025-49180 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate.
Update Instructions:
Run `sudo pro fix CVE-2025-49180` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.18-1ubuntu1
xorg-server-source - 2:21.1.18-1ubuntu1
xserver-common - 2:21.1.18-1ubuntu1
xserver-xephyr - 2:21.1.18-1ubuntu1
xserver-xorg-core - 2:21.1.18-1ubuntu1
xserver-xorg-legacy - 2:21.1.18-1ubuntu1
xvfb - 2:21.1.18-1ubuntu1
No subscription required
xwayland - 2:24.1.6-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-17
2025-06-17
Nils Emmerich
[https://ubuntu.com/security/notices/USN-7573-1]
[https://ubuntu.com/security/notices/USN-7573-2]
CVE-2025-49180
CVE-2025-49223 on Ubuntu 26.04 LTS (resolute) - medium
billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-04 03:15:00 UTC
CVE-2025-49223
CVE-2025-4945 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the cookie parsing logic of the libsoup HTTP library, used in GNOME applications and other software. The vulnerability arises when processing the expiration date of cookies, where a specially crafted value can trigger an integer overflow. This may result in undefined behavior, allowing an attacker to bypass cookie expiration logic, causing persistent or unintended cookie behavior. The issue stems from improper validation of large integer inputs during date arithmetic operations within the cookie parsing routines.
Update Instructions:
Run `sudo pro fix CVE-2025-4945` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-soup-2.4 - 2.74.3-10.1ubuntu4
libsoup-2.4-1 - 2.74.3-10.1ubuntu4
libsoup-gnome-2.4-1 - 2.74.3-10.1ubuntu4
libsoup2.4-common - 2.74.3-10.1ubuntu4
libsoup2.4-tests - 2.74.3-10.1ubuntu4
No subscription required
gir1.2-soup-3.0 - 3.6.5-3
libsoup-3.0-0 - 3.6.5-3
libsoup-3.0-common - 3.6.5-3
libsoup-3.0-tests - 3.6.5-3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-19 17:15:00 UTC
2025-05-19 17:15:00 UTC
https://gitlab.gnome.org/GNOME/libsoup/-/issues/448
https://bugzilla.redhat.com/show_bug.cgi?id=2367175
[https://ubuntu.com/security/notices/USN-7643-1]
CVE-2025-4945
CVE-2025-49466 on Ubuntu 26.04 LTS (resolute) - medium
aerc before 93bec0d allows directory traversal in commands/msgview/open.go because of direct path concatenation of the name of an attachment part,
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-05 03:15:00 UTC
CVE-2025-49466
CVE-2025-4948 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the soup_multipart_new_from_message() function of the libsoup HTTP library, which is commonly used by GNOME and other applications to handle web communications. The issue occurs when the library processes specially crafted multipart messages. Due to improper validation, an internal calculation can go wrong, leading to an integer underflow. This can cause the program to access invalid memory and crash. As a result, any application or server using libsoup could be forced to exit unexpectedly, creating a denial-of-service (DoS) risk.
Update Instructions:
Run `sudo pro fix CVE-2025-4948` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-soup-2.4 - 2.74.3-10.1ubuntu4
libsoup-2.4-1 - 2.74.3-10.1ubuntu4
libsoup-gnome-2.4-1 - 2.74.3-10.1ubuntu4
libsoup2.4-common - 2.74.3-10.1ubuntu4
libsoup2.4-tests - 2.74.3-10.1ubuntu4
No subscription required
gir1.2-soup-3.0 - 3.6.5-3
libsoup-3.0-0 - 3.6.5-3
libsoup-3.0-common - 3.6.5-3
libsoup-3.0-tests - 3.6.5-3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-19 16:15:00 UTC
2025-05-19 16:15:00 UTC
https://gitlab.gnome.org/GNOME/libsoup/-/issues/449
https://bugzilla.redhat.com/show_bug.cgi?id=2367183
[https://ubuntu.com/security/notices/USN-7643-1]
CVE-2025-4948
CVE-2025-4949 on Ubuntu 26.04 LTS (resolute) - medium
In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-21 07:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106287
CVE-2025-4949
CVE-2025-4953 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-16 15:15:00 UTC
CVE-2025-4953
CVE-2025-49589 on Ubuntu 26.04 LTS (resolute) - medium
PCSX2 is a free and open-source PlayStation 2 (PS2) emulator. A stack-based buffer overflow exists in the Kprintf_HLE function of PCSX2 versions up to 2.3.414. Opening a disc image that logs a specially crafted message may allow a remote attacker to execute arbitrary code if the user enabled IOP Console Logging. This vulnerability is fixed in 2.3.414.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-12 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107756
CVE-2025-49589
CVE-2025-49600 on Ubuntu 26.04 LTS (resolute) - medium
In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked return values in mbedtls_lms_verify allow an attacker (who can induce a hardware hash accelerator fault) to bypass LMS signature verification by reusing stale stack data, resulting in acceptance of an invalid signature. In mbedtls_lms_verify, the return values of the internal Merkle tree functions create_merkle_leaf_value and create_merkle_internal_value are not checked. These functions return an integer that indicates whether the call succeeded or not. If a failure occurs, the output buffer (Tc_candidate_root_node) may remain uninitialized, and the result of the signature verification is unpredictable. When the software implementation of SHA-256 is used, these functions will not fail. However, with hardware-accelerated hashing, an attacker could use fault injection against the accelerator to bypass verification.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-04 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108787
CVE-2025-49600
CVE-2025-49601 on Ubuntu 26.04 LTS (resolute) - medium
In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated input. Specifically, an out-of-bounds read in mbedtls_lms_import_public_key allows context-dependent attackers to trigger a crash or limited adjacent-memory disclosure by supplying a truncated LMS (Leighton-Micali Signature) public-key buffer under four bytes. An LMS public key starts with a 4-byte type indicator. The function mbedtls_lms_import_public_key reads this type indicator before validating the size of its input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-04 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108788
CVE-2025-49601
CVE-2025-49641 on Ubuntu 26.04 LTS (resolute) - medium
A regular Zabbix user with no permission to the Monitoring -> Problems view is still able to call the problem.view.refresh action and therefore still retrieve a list of active problems.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-03 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117448
CVE-2025-49641
CVE-2025-49643 on Ubuntu 26.04 LTS (resolute) - medium
An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-01 14:16:00 UTC
CVE-2025-49643
CVE-2025-49656 on Ubuntu 26.04 LTS (resolute) - medium
Users with administrator access can create databases files outside the files area of the Fuseki server. This issue affects Apache Jena version up to 5.4.0. Users are recommended to upgrade to version 5.5.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-21 10:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110262
CVE-2025-49656
CVE-2025-4969 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in the libsoup package. This flaw stems from its failure to correctly verify the termination of multipart HTTP messages. This can allow a remote attacker to send a specially crafted multipart HTTP body, causing the libsoup-consuming server to read beyond its allocated memory boundaries (out-of-bounds read).
Update Instructions:
Run `sudo pro fix CVE-2025-4969` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-soup-2.4 - 2.74.3-10.1ubuntu4
libsoup-2.4-1 - 2.74.3-10.1ubuntu4
libsoup-gnome-2.4-1 - 2.74.3-10.1ubuntu4
libsoup2.4-common - 2.74.3-10.1ubuntu4
libsoup2.4-tests - 2.74.3-10.1ubuntu4
No subscription required
gir1.2-soup-3.0 - 3.6.5-3
libsoup-3.0-0 - 3.6.5-3
libsoup-3.0-common - 3.6.5-3
libsoup-3.0-tests - 3.6.5-3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-21 06:16:00 UTC
2025-05-21 06:16:00 UTC
https://gitlab.gnome.org/GNOME/libsoup/-/issues/447
https://bugzilla.redhat.com/show_bug.cgi?id=2367552
[https://ubuntu.com/security/notices/USN-7643-1]
CVE-2025-4969
CVE-2025-49809 on Ubuntu 26.04 LTS (resolute) - low
mtr through 0.95, in certain privileged contexts, mishandles execution of a program specified by the MTR_PACKET environment variable. NOTE: mtr on macOS may often have Sudo rules, as an indirect consequence of Homebrew not installing setuid binaries.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-07-04 13:15:00 UTC
https://github.com/Homebrew/homebrew-core/issues/35085
CVE-2025-49809
CVE-2025-49812 on Ubuntu 26.04 LTS (resolute) - medium
In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
Update Instructions:
Run `sudo pro fix CVE-2025-49812` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.64-1ubuntu1
apache2-bin - 2.4.64-1ubuntu1
apache2-data - 2.4.64-1ubuntu1
apache2-suexec-custom - 2.4.64-1ubuntu1
apache2-suexec-pristine - 2.4.64-1ubuntu1
apache2-utils - 2.4.64-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-10 17:15:00 UTC
2025-07-10 17:15:00 UTC
Robert Merget
[https://ubuntu.com/security/notices/USN-7639-1]
[https://ubuntu.com/security/notices/USN-7639-2]
CVE-2025-49812
CVE-2025-49832 on Ubuntu 26.04 LTS (resolute) - medium
Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-01 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110317
CVE-2025-49832
CVE-2025-49844 on Ubuntu 26.04 LTS (resolute) - high
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
Ubuntu 26.04 LTS
High
Copyright (C) 2025 Canonical Ltd.
2025-10-03 20:15:00 UTC
2025-10-03 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7824-1]
[https://ubuntu.com/security/notices/USN-7824-2]
[https://ubuntu.com/security/notices/USN-7824-3]
[https://ubuntu.com/security/notices/USN-7893-1]
[https://ubuntu.com/security/notices/USN-8169-1]
CVE-2025-49844
CVE-2025-49847 on Ubuntu 26.04 LTS (resolute) - medium
llama.cpp is an inference of several LLM models in C/C++. Prior to version b5662, an attacker‐supplied GGUF model vocabulary can trigger a buffer overflow in llama.cpp’s vocabulary‐loading code. Specifically, the helper _try_copy in llama.cpp/src/vocab.cpp: llama_vocab::impl::token_to_piece() casts a very large size_t token length into an int32_t, causing the length check (if (length < (int32_t)size)) to be bypassed. As a result, memcpy is still called with that oversized size, letting a malicious model overwrite memory beyond the intended buffer. This can lead to arbitrary memory corruption and potential code execution. This issue has been patched in version b5662.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-17 20:15:00 UTC
CVE-2025-49847
CVE-2025-5001 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in GNU PSPP 82fb509fb2fedd33e7ac0c46ca99e108bb3bdffb. It has been declared as problematic. This vulnerability affects the function calloc of the file pspp-convert.c. The manipulation of the argument -l leads to integer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-20 22:15:00 UTC
CVE-2025-5001
CVE-2025-50059 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. While the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.6 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).
Update Instructions:
Run `sudo pro fix CVE-2025-50059` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-11-demo - 11.0.28+6-1ubuntu1
openjdk-11-jdk - 11.0.28+6-1ubuntu1
openjdk-11-jdk-headless - 11.0.28+6-1ubuntu1
openjdk-11-jre - 11.0.28+6-1ubuntu1
openjdk-11-jre-headless - 11.0.28+6-1ubuntu1
openjdk-11-jre-zero - 11.0.28+6-1ubuntu1
openjdk-11-source - 11.0.28+6-1ubuntu1
No subscription required
openjdk-17-demo - 17.0.16+8-1
openjdk-17-jdk - 17.0.16+8-1
openjdk-17-jdk-headless - 17.0.16+8-1
openjdk-17-jre - 17.0.16+8-1
openjdk-17-jre-headless - 17.0.16+8-1
openjdk-17-jre-zero - 17.0.16+8-1
openjdk-17-source - 17.0.16+8-1
No subscription required
openjdk-17-crac-demo - 17.0.16+8-0ubuntu1
openjdk-17-crac-jdk - 17.0.16+8-0ubuntu1
openjdk-17-crac-jdk-headless - 17.0.16+8-0ubuntu1
openjdk-17-crac-jre - 17.0.16+8-0ubuntu1
openjdk-17-crac-jre-headless - 17.0.16+8-0ubuntu1
openjdk-17-crac-jre-zero - 17.0.16+8-0ubuntu1
openjdk-17-crac-source - 17.0.16+8-0ubuntu1
No subscription required
openjdk-21-demo - 21.0.8+9-1
openjdk-21-jdk - 21.0.8+9-1
openjdk-21-jdk-headless - 21.0.8+9-1
openjdk-21-jre - 21.0.8+9-1
openjdk-21-jre-headless - 21.0.8+9-1
openjdk-21-jre-zero - 21.0.8+9-1
openjdk-21-source - 21.0.8+9-1
openjdk-21-testsupport - 21.0.8+9-1
No subscription required
openjdk-21-crac-demo - 21.0.8+9-0ubuntu1
openjdk-21-crac-jdk - 21.0.8+9-0ubuntu1
openjdk-21-crac-jdk-headless - 21.0.8+9-0ubuntu1
openjdk-21-crac-jre - 21.0.8+9-0ubuntu1
openjdk-21-crac-jre-headless - 21.0.8+9-0ubuntu1
openjdk-21-crac-jre-zero - 21.0.8+9-0ubuntu1
openjdk-21-crac-source - 21.0.8+9-0ubuntu1
openjdk-21-crac-testsupport - 21.0.8+9-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7669-1]
[https://ubuntu.com/security/notices/USN-7668-1]
[https://ubuntu.com/security/notices/USN-7672-1]
[https://ubuntu.com/security/notices/USN-7673-1]
[https://ubuntu.com/security/notices/USN-7674-1]
[https://ubuntu.com/security/notices/USN-7690-1]
CVE-2025-50059
CVE-2025-50077 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50077` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50077
CVE-2025-50078 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50078` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50078
CVE-2025-50079 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50079` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50079
CVE-2025-50080 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50080` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50080
CVE-2025-50081 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Client product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Client accessible data as well as unauthorized read access to a subset of MySQL Client accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2025-50081` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50081
CVE-2025-50082 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50082` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50082
CVE-2025-50083 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50083` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50083
CVE-2025-50084 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50084` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50084
CVE-2025-50085 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50085` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50085
CVE-2025-50086 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50086` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50086
CVE-2025-50087 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).
Update Instructions:
Run `sudo pro fix CVE-2025-50087` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50087
CVE-2025-50088 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50088` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.5-0ubuntu1
mysql-client - 8.4.5-0ubuntu1
mysql-client-core - 8.4.5-0ubuntu1
mysql-router - 8.4.5-0ubuntu1
mysql-server - 8.4.5-0ubuntu1
mysql-server-core - 8.4.5-0ubuntu1
mysql-source - 8.4.5-0ubuntu1
mysql-testsuite - 8.4.5-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
CVE-2025-50088
CVE-2025-50091 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50091` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50091
CVE-2025-50092 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50092` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50092
CVE-2025-50093 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50093` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50093
CVE-2025-50094 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.42, 8.4.5 and 9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50094` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50094
CVE-2025-50096 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50096` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50096
CVE-2025-50097 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50097` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50097
CVE-2025-50098 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).
Update Instructions:
Run `sudo pro fix CVE-2025-50098` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50098
CVE-2025-50099 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50099` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50099
CVE-2025-50100 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).
Update Instructions:
Run `sudo pro fix CVE-2025-50100` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50100
CVE-2025-50101 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50101` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50101
CVE-2025-50102 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50102` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50102
CVE-2025-50104 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).
Update Instructions:
Run `sudo pro fix CVE-2025-50104` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.6-0ubuntu1
mysql-client - 8.4.6-0ubuntu1
mysql-client-core - 8.4.6-0ubuntu1
mysql-router - 8.4.6-0ubuntu1
mysql-server - 8.4.6-0ubuntu1
mysql-server-core - 8.4.6-0ubuntu1
mysql-source - 8.4.6-0ubuntu1
mysql-testsuite - 8.4.6-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7691-1]
[https://ubuntu.com/security/notices/USN-7691-2]
CVE-2025-50104
CVE-2025-50106 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-50106` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-8-demo - 8u462-ga~us1-0ubuntu1
openjdk-8-jdk - 8u462-ga~us1-0ubuntu1
openjdk-8-jdk-headless - 8u462-ga~us1-0ubuntu1
openjdk-8-jre - 8u462-ga~us1-0ubuntu1
openjdk-8-jre-headless - 8u462-ga~us1-0ubuntu1
openjdk-8-jre-zero - 8u462-ga~us1-0ubuntu1
openjdk-8-source - 8u462-ga~us1-0ubuntu1
No subscription required
openjdk-11-demo - 11.0.28+6-1ubuntu1
openjdk-11-jdk - 11.0.28+6-1ubuntu1
openjdk-11-jdk-headless - 11.0.28+6-1ubuntu1
openjdk-11-jre - 11.0.28+6-1ubuntu1
openjdk-11-jre-headless - 11.0.28+6-1ubuntu1
openjdk-11-jre-zero - 11.0.28+6-1ubuntu1
openjdk-11-source - 11.0.28+6-1ubuntu1
No subscription required
openjdk-17-demo - 17.0.16+8-1
openjdk-17-jdk - 17.0.16+8-1
openjdk-17-jdk-headless - 17.0.16+8-1
openjdk-17-jre - 17.0.16+8-1
openjdk-17-jre-headless - 17.0.16+8-1
openjdk-17-jre-zero - 17.0.16+8-1
openjdk-17-source - 17.0.16+8-1
No subscription required
openjdk-17-crac-demo - 17.0.16+8-0ubuntu1
openjdk-17-crac-jdk - 17.0.16+8-0ubuntu1
openjdk-17-crac-jdk-headless - 17.0.16+8-0ubuntu1
openjdk-17-crac-jre - 17.0.16+8-0ubuntu1
openjdk-17-crac-jre-headless - 17.0.16+8-0ubuntu1
openjdk-17-crac-jre-zero - 17.0.16+8-0ubuntu1
openjdk-17-crac-source - 17.0.16+8-0ubuntu1
No subscription required
openjdk-21-demo - 21.0.8+9-1
openjdk-21-jdk - 21.0.8+9-1
openjdk-21-jdk-headless - 21.0.8+9-1
openjdk-21-jre - 21.0.8+9-1
openjdk-21-jre-headless - 21.0.8+9-1
openjdk-21-jre-zero - 21.0.8+9-1
openjdk-21-source - 21.0.8+9-1
openjdk-21-testsupport - 21.0.8+9-1
No subscription required
openjdk-21-crac-demo - 21.0.8+9-0ubuntu1
openjdk-21-crac-jdk - 21.0.8+9-0ubuntu1
openjdk-21-crac-jdk-headless - 21.0.8+9-0ubuntu1
openjdk-21-crac-jre - 21.0.8+9-0ubuntu1
openjdk-21-crac-jre-headless - 21.0.8+9-0ubuntu1
openjdk-21-crac-jre-zero - 21.0.8+9-0ubuntu1
openjdk-21-crac-source - 21.0.8+9-0ubuntu1
openjdk-21-crac-testsupport - 21.0.8+9-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
2025-07-15 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-7669-1]
[https://ubuntu.com/security/notices/USN-7668-1]
[https://ubuntu.com/security/notices/USN-7672-1]
[https://ubuntu.com/security/notices/USN-7673-1]
[https://ubuntu.com/security/notices/USN-7667-1]
[https://ubuntu.com/security/notices/USN-7674-1]
[https://ubuntu.com/security/notices/USN-7690-1]
CVE-2025-50106
CVE-2025-50129 on Ubuntu 26.04 LTS (resolute) - medium
A memory corruption vulnerability exists in the PCX Image Decoding functionality of the SAIL Image Decoding Library v0.9.8. When decoding the image data from a specially crafted .tga file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 15:15:00 UTC
CVE-2025-50129
CVE-2025-50151 on Ubuntu 26.04 LTS (resolute) - medium
File access paths in configuration files uploaded by users with administrator access are not validated. This issue affects Apache Jena version up to 5.4.0. Users are recommended to upgrade to version 5.5.0, which does not allow arbitrary configuration upload.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-21 10:15:00 UTC
CVE-2025-50151
CVE-2025-5024 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in gnome-remote-desktop. Once gnome-remote-desktop listens for RDP connections, an unauthenticated attacker can exhaust system resources and repeatedly crash the process. There may be a resource leak after many attacks, which will also result in gnome-remote-desktop no longer being able to open files even after it is restarted via systemd.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-22 15:16:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2367717
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106527
CVE-2025-5024
CVE-2025-50340 on Ubuntu 26.04 LTS (resolute) - medium
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in SOGo Webmail thru 5.6.0, allowing an authenticated user to send emails on behalf of other users by manipulating a user-controlled identifier in the email-sending request. The server fails to verify whether the authenticated user is authorized to use the specified sender identity, resulting in unauthorized message delivery as another user. This can lead to impersonation, phishing, or unauthorized communication within the system. NOTE: this is disputed by the Supplier because the only effective way to prevent this sender spoofing is on the SMTP server, not within a client such as SOGo.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-04 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110604
CVE-2025-50340
CVE-2025-50343 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in matio 1.5.28. A heap-based memory corruption can occur in Mat_VarCreateStruct() when the nfields value does not match the actual number of strings in the fields array. This leads to out-of-bounds reads and invalid memory frees during cleanup, potentially causing a segmentation fault or heap corruption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-30 20:16:00 UTC
CVE-2025-50343
CVE-2025-50422 on Ubuntu 26.04 LTS (resolute) - low
Cairo through 1.18.4, as used in Poppler through 25.08.0, has an "unscaled->face == NULL" assertion failure for _cairo_ft_unscaled_font_fini in cairo-ft-font.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-08-04 17:15:00 UTC
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1591
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110606
CVE-2025-50422
CVE-2025-50518 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free vulnerability exists in the coap_delete_pdu_lkd function within coap_pdu.c of the libcoap library. This issue occurs due to improper handling of memory after the freeing of a PDU object, leading to potential memory corruption or the possibility of executing arbitrary code. NOTE: this is disputed by the Supplier because it only occurs when an application uses libcoap incorrectly.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-14 16:15:00 UTC
CVE-2025-50518
CVE-2025-50537 on Ubuntu 26.04 LTS (resolute) - medium
Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-26 16:15:00 UTC
CVE-2025-50537
CVE-2025-50681 on Ubuntu 26.04 LTS (resolute) - medium
igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause a denial of service (application crash) via a crafted IGMPv3 membership report packet with a malicious source address. Due to insufficient validation in the `recv_igmp()` function in src/igmpproxy.c, an invalid group record type can trigger a NULL pointer dereference when logging the address using `inet_fmtsrc()`. This vulnerability can be exploited by sending malformed multicast traffic to a host running igmpproxy, leading to a crash. igmpproxy is used in various embedded networking environments and consumer-grade IoT devices (such as home routers and media gateways) to handle multicast traffic for IPTV and other streaming services. Affected devices that rely on unpatched versions of igmpproxy may be vulnerable to remote denial-of-service attacks across a LAN.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-19 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123741
CVE-2025-50681
CVE-2025-50949 on Ubuntu 26.04 LTS (resolute) - low
FontForge v20230101 was discovered to contain a memory leak via the component DlgCreate8.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-10-23 16:15:00 UTC
CVE-2025-50949
CVE-2025-50950 on Ubuntu 26.04 LTS (resolute) - medium
Audiofile v0.3.7 was discovered to contain a NULL pointer dereference via the ModuleState::setup function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-23 16:16:00 UTC
CVE-2025-50950
CVE-2025-50951 on Ubuntu 26.04 LTS (resolute) - low
FontForge v20230101 was discovered to contain a memory leak via the utf7toutf8_copy function at /fontforge/sfd.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-10-23 16:16:00 UTC
CVE-2025-50951
CVE-2025-50952 on Ubuntu 26.04 LTS (resolute) - medium
openjpeg v 2.5.0 was discovered to contain a NULL pointer dereference via the component /openjp2/dwt.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-07 15:15:00 UTC
2025-08-07 15:15:00 UTC
https://github.com/uclouvain/openjpeg/issues/1505
[https://ubuntu.com/security/notices/USN-7757-1]
CVE-2025-50952
CVE-2025-51005 on Ubuntu 26.04 LTS (resolute) - medium
A heap-buffer-overflow vulnerability exists in the tcpliveplay utility of the tcpreplay-4.5.1. When a crafted pcap file is processed, the program incorrectly handles memory in the checksum calculation logic at do_checksum_math_liveplay in tcpliveplay.c, leading to a possible denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-23 19:15:00 UTC
CVE-2025-51005
CVE-2025-51006 on Ubuntu 26.04 LTS (resolute) - medium
Within tcpreplay's tcprewrite, a double free vulnerability has been identified in the dlt_linuxsll2_cleanup() function in plugins/dlt_linuxsll2/linuxsll2.c. This vulnerability is triggered when tcpedit_dlt_cleanup() indirectly invokes the cleanup routine multiple times on the same memory region. By supplying a specifically crafted pcap file to the tcprewrite binary, a local attacker can exploit this flaw to cause a Denial of Service (DoS) via memory corruption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-22 14:15:00 UTC
CVE-2025-51006
CVE-2025-5115 on Ubuntu 26.04 LTS (resolute) - medium
In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory. For example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal. Per specification https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update , the server should send a RST_STREAM frame. The client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time. The attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame. Links: https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-20 20:15:00 UTC
CVE-2025-5115
CVE-2025-51480 on Ubuntu 26.04 LTS (resolute) - medium
Path Traversal vulnerability in onnx.external_data_helper.save_external_data in ONNX 1.17.0 allows attackers to overwrite arbitrary files by supplying crafted external_data.location paths containing traversal sequences, bypassing intended directory restrictions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-22 16:15:00 UTC
CVE-2025-51480
CVE-2025-51591 on Ubuntu 26.04 LTS (resolute) - medium
A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. Note: Some users have stated that Pandoc by default can retrieve and parse untrusted HTML content which can enable SSRF vulnerabilities. Using the ‘--sandbox’ option or ‘pandoc-server’ can mitigate such vulnerabilities. Using pandoc with an external ‘--pdf-engine’ can also enable SSRF vulnerabilities, such as CVE-2022-35583 in wkhtmltopdf.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-11 14:15:00 UTC
CVE-2025-51591
CVE-2025-5165 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. This issue affects the function MDCImporter::ValidateSurfaceHeader of the file assimp/code/AssetLib/MDC/MDCLoader.cpp. The manipulation of the argument pcSurface2 leads to out-of-bounds read. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-26 03:15:00 UTC
CVE-2025-5165
CVE-2025-5166 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been classified as problematic. Affected is the function MDCImporter::InternReadFile of the file assimp/code/AssetLib/MDC/MDCLoader.cpp of the component MDC File Parser. The manipulation of the argument pcVerts leads to out-of-bounds read. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-26 04:15:00 UTC
CVE-2025-5166
CVE-2025-5167 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been declared as problematic. Affected by this vulnerability is the function LWOImporter::GetS0 in the library assimp/code/AssetLib/LWO/LWOLoader.h. The manipulation of the argument out leads to out-of-bounds read. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-26 04:15:00 UTC
CVE-2025-5167
CVE-2025-5168 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been rated as problematic. Affected by this issue is the function MDLImporter::ImportUVCoordinate_3DGS_MDL345 of the file assimp/code/AssetLib/MDL/MDLLoader.cpp. The manipulation of the argument iIndex leads to out-of-bounds read. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-26 04:15:00 UTC
CVE-2025-5168
CVE-2025-5169 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic has been found in Open Asset Import Library Assimp 5.4.3. This affects the function MDLImporter::InternReadFile_3DGS_MDL345 of the file assimp/code/AssetLib/MDL/MDLLoader.cpp. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-26 05:15:00 UTC
CVE-2025-5169
CVE-2025-5200 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. This issue affects the function MDLImporter::InternReadFile_Quake1 of the file assimp/code/AssetLib/MDL/MDLLoader.cpp. The manipulation leads to out-of-bounds read. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-26 19:15:00 UTC
CVE-2025-5200
CVE-2025-5201 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been classified as problematic. Affected is the function LWOImporter::CountVertsAndFacesLWO2 of the file assimp/code/AssetLib/LWO/LWOLoader.cpp. The manipulation leads to out-of-bounds read. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-26 19:15:00 UTC
CVE-2025-5201
CVE-2025-5202 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been declared as problematic. Affected by this vulnerability is the function HL1MDLLoader::validate_header of the file assimp/code/AssetLib/MDL/HalfLife/HL1MDLLoader.cpp. The manipulation leads to out-of-bounds read. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-26 20:15:00 UTC
CVE-2025-5202
CVE-2025-5203 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been rated as problematic. Affected by this issue is the function SkipSpaces in the library assimp/include/assimp/ParsingUtils.h. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-26 20:15:00 UTC
CVE-2025-5203
CVE-2025-5204 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic has been found in Open Asset Import Library Assimp 5.4.3. This affects the function MDLImporter::ParseSkinLump_3DGS_MDL7 of the file assimp/code/AssetLib/MDL/MDLMaterialLoader.cpp. The manipulation leads to out-of-bounds read. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-05-26 21:15:00 UTC
CVE-2025-5204
CVE-2025-52194 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow vulnerability exists in libsndfile version 1.2.2 and potentially earlier versions when processing malformed IRCAM audio files. The vulnerability occurs in the ircam_read_header function at src/ircam.c:164 during sample rate processing, leading to memory corruption and potential code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-21 15:15:00 UTC
https://github.com/libsndfile/libsndfile/issues/1082
CVE-2025-52194
CVE-2025-52204 on Ubuntu 26.04 LTS (resolute) - medium
A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x in the customer.pl endpoint via the OTRSCustomerInterface parameter
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-23 20:16:00 UTC
CVE-2025-52204
CVE-2025-5222 on Ubuntu 26.04 LTS (resolute) - low
A stack buffer overflow was found in International components for unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-05-27 21:15:00 UTC
https://unicode-org.atlassian.net/browse/ICU-22957
https://bugzilla.redhat.com/show_bug.cgi?id=2368600
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106684
CVE-2025-5222
CVE-2025-52331 on Ubuntu 26.04 LTS (resolute) - medium
Cross-site scripting (XSS) vulnerability in the generate report functionality in Rarlab WinRAR 7.11, allows attackers to disclose user information such as the computer username, generated report directory, and IP address. The generate report command includes archived file names without validation in the HTML report, which allows potentially malicious HTML tags to be injected into the report. User interaction is required. User must use the "generate report" functionality and open the report.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-12 17:15:00 UTC
CVE-2025-52331
CVE-2025-52434 on Ubuntu 26.04 LTS (resolute) - medium
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-10 19:15:00 UTC
CVE-2025-52434
CVE-2025-52456 on Ubuntu 26.04 LTS (resolute) - medium
A memory corruption vulnerability exists in the WebP Image Decoding functionality of the SAIL Image Decoding Library v0.9.8. When loading a specially crafted .webp animation an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 15:15:00 UTC
CVE-2025-52456
CVE-2025-52461 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read vulnerability exists in the Nex parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted .nex file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-52461
CVE-2025-52520 on Ubuntu 26.04 LTS (resolute) - medium
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-10 19:15:00 UTC
CVE-2025-52520
CVE-2025-52534 on Ubuntu 26.04 LTS (resolute) - medium
Improper bound check within AMD CPU microcode can allow a malicious guest to write to host memory, potentially resulting in loss of integrity.
Update Instructions:
Run `sudo pro fix CVE-2025-52534` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
amd64-microcode - 3.20251202.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 20:16:00 UTC
CVE-2025-52534
CVE-2025-52536 on Ubuntu 26.04 LTS (resolute) - medium
Improper Prevention of Lock Bit Modification in SEV firmware could allow a privileged attacker to downgrade firmware potentially resulting in a loss of integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 20:16:00 UTC
CVE-2025-52536
CVE-2025-52566 on Ubuntu 26.04 LTS (resolute) - medium
llama.cpp is an inference of several LLM models in C/C++. Prior to version b5721, there is a signed vs. unsigned integer overflow in llama.cpp's tokenizer implementation (llama_vocab::tokenize) (src/llama-vocab.cpp:3036) resulting in unintended behavior in tokens copying size comparison. Allowing heap-overflowing llama.cpp inferencing engine with carefully manipulated text input during tokenization process. This issue has been patched in version b5721.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-24 04:15:00 UTC
CVE-2025-52566
CVE-2025-52581 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability exists in the GDF parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted GDF file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-52581
CVE-2025-52582 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read vulnerability exists in the Overlay::GrabOverlayFromPixelData functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-16 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123576
CVE-2025-52582
CVE-2025-5278 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-05-27 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106733
https://bugzilla.redhat.com/show_bug.cgi?id=2368764
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78507
CVE-2025-5278
CVE-2025-52887 on Ubuntu 26.04 LTS (resolute) - medium
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In version 0.21.0, when many http headers fields are passed in, the library does not limit the number of headers, and the memory associated with the headers will not be released when the connection is disconnected. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.22.0 contains a patch for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-26 15:15:00 UTC
CVE-2025-52887
CVE-2025-52889 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filtering`. This can lead to DHCP pool exhaustion and opens the door for other attacks. A patch is available at commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-25 17:15:00 UTC
CVE-2025-52889
CVE-2025-52890 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13 generates nftables rules that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filtering`. This can lead to ARP spoofing on the bridge and to fully spoof another VM/container on the same bridge. Commit 254dfd2483ab8de39b47c2258b7f1cf0759231c8 contains a patch for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-25 17:15:00 UTC
CVE-2025-52890
CVE-2025-52891 on Ubuntu 26.04 LTS (resolute) - medium
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-02 15:15:00 UTC
CVE-2025-52891
CVE-2025-52930 on Ubuntu 26.04 LTS (resolute) - medium
A memory corruption vulnerability exists in the BMPv3 RLE Decoding functionality of the SAIL Image Decoding Library v0.9.8. When decompressing the image data from a specially crafted .bmp file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 15:15:00 UTC
CVE-2025-52930
CVE-2025-52936 on Ubuntu 26.04 LTS (resolute) - medium
Improper Link Resolution Before File Access ('Link Following') vulnerability in yrutschle sslh. This issue affects sslh: before 2.2.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-23 10:15:00 UTC
CVE-2025-52936
CVE-2025-52937 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in PointCloudLibrary PCL (surface/src/3rdparty/opennurbs modules). This vulnerability is associated with program files crc32.C. This vulnerability is only relevant if the PCL version is older than 1.14.0 or the user specifically requests to not use the system zlib (WITH_SYSTEM_ZLIB=FALSE).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-23 10:15:00 UTC
CVE-2025-52937
CVE-2025-52968 on Ubuntu 26.04 LTS (resolute) - medium
xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-23 15:15:00 UTC
CVE-2025-52968
CVE-2025-52999 on Ubuntu 26.04 LTS (resolute) - medium
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-25 17:15:00 UTC
CVE-2025-52999
CVE-2025-53000 on Ubuntu 26.04 LTS (resolute) - medium
The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions of nbconvert up to and including 7.16.6 on Windows have a vulnerability in which converting a notebook containing SVG output to a PDF results in unauthorized code execution. Specifically, a third party can create a `inkscape.bat` file that defines a Windows batch script, capable of arbitrary code execution. When a user runs `jupyter nbconvert --to pdf` on a notebook containing SVG output to a PDF on a Windows platform from this directory, the `inkscape.bat` file is run unexpectedly. This issue has been patched in version 7.17.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-17 21:16:00 UTC
CVE-2025-53000
CVE-2025-53022 on Ubuntu 26.04 LTS (resolute) - medium
TrustedFirmware-M (aka Trusted Firmware for M profile Arm CPUs) before 2.1.3 and 2.2.x before 2.2.1 lacks length validation during a firmware upgrade. While processing a new image, the Firmware Upgrade (FWU) module does not validate the length field of the Type-Length-Value (TLV) structure for dependent components against the maximum allowed size. If the length specified in the TLV exceeds the size of the buffer allocated on the stack, the FWU module will overwrite the buffer (and potentially other stack data) with the TLV's value content. An attacker could exploit this by crafting a malicious TLV entry in the unprotected section of the MCUBoot upgrade image. By setting the length field to exceed the expected structure size, the attacker can manipulate the stack memory of the system during the upgrade process.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-30 20:15:00 UTC
CVE-2025-53022
CVE-2025-53024 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109373
CVE-2025-53024
CVE-2025-53025 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109373
CVE-2025-53025
CVE-2025-53026 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109373
CVE-2025-53026
CVE-2025-53027 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109373
CVE-2025-53027
CVE-2025-53028 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109373
CVE-2025-53028
CVE-2025-53029 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 2.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109373
CVE-2025-53029
CVE-2025-53030 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109373
CVE-2025-53030
CVE-2025-53040 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.43, 8.4.0-8.4.6 and 9.0.0-9.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-53040` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.7-0ubuntu2
mysql-client - 8.4.7-0ubuntu2
mysql-client-core - 8.4.7-0ubuntu2
mysql-router - 8.4.7-0ubuntu2
mysql-server - 8.4.7-0ubuntu2
mysql-server-core - 8.4.7-0ubuntu2
mysql-source - 8.4.7-0ubuntu2
mysql-testsuite - 8.4.7-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
2025-10-21 20:20:00 UTC
[https://ubuntu.com/security/notices/USN-7873-1]
[https://ubuntu.com/security/notices/USN-8006-1]
CVE-2025-53040
CVE-2025-53042 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.43, 8.4.0-8.4.6 and 9.0.0-9.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-53042` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.7-0ubuntu2
mysql-client - 8.4.7-0ubuntu2
mysql-client-core - 8.4.7-0ubuntu2
mysql-router - 8.4.7-0ubuntu2
mysql-server - 8.4.7-0ubuntu2
mysql-server-core - 8.4.7-0ubuntu2
mysql-source - 8.4.7-0ubuntu2
mysql-testsuite - 8.4.7-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
2025-10-21 20:20:00 UTC
[https://ubuntu.com/security/notices/USN-7873-1]
[https://ubuntu.com/security/notices/USN-8006-1]
CVE-2025-53042
CVE-2025-53044 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.43, 8.4.0-8.4.6 and 9.0.0-9.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-53044` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.7-0ubuntu2
mysql-client - 8.4.7-0ubuntu2
mysql-client-core - 8.4.7-0ubuntu2
mysql-router - 8.4.7-0ubuntu2
mysql-server - 8.4.7-0ubuntu2
mysql-server-core - 8.4.7-0ubuntu2
mysql-source - 8.4.7-0ubuntu2
mysql-testsuite - 8.4.7-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
2025-10-21 20:20:00 UTC
[https://ubuntu.com/security/notices/USN-7873-1]
[https://ubuntu.com/security/notices/USN-8006-1]
CVE-2025-53044
CVE-2025-53045 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.43, 8.4.0-8.4.6 and 9.0.0-9.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-53045` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.7-0ubuntu2
mysql-client - 8.4.7-0ubuntu2
mysql-client-core - 8.4.7-0ubuntu2
mysql-router - 8.4.7-0ubuntu2
mysql-server - 8.4.7-0ubuntu2
mysql-server-core - 8.4.7-0ubuntu2
mysql-source - 8.4.7-0ubuntu2
mysql-testsuite - 8.4.7-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
2025-10-21 20:20:00 UTC
[https://ubuntu.com/security/notices/USN-7873-1]
[https://ubuntu.com/security/notices/USN-8006-1]
CVE-2025-53045
CVE-2025-53053 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.0-8.0.43, 8.4.0-8.4.6 and 9.0.0-9.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-53053` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.7-0ubuntu2
mysql-client - 8.4.7-0ubuntu2
mysql-client-core - 8.4.7-0ubuntu2
mysql-router - 8.4.7-0ubuntu2
mysql-server - 8.4.7-0ubuntu2
mysql-server-core - 8.4.7-0ubuntu2
mysql-source - 8.4.7-0ubuntu2
mysql-testsuite - 8.4.7-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
2025-10-21 20:20:00 UTC
[https://ubuntu.com/security/notices/USN-7873-1]
[https://ubuntu.com/security/notices/USN-8006-1]
CVE-2025-53053
CVE-2025-53054 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.43, 8.4.0-8.4.6 and 9.0.0-9.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-53054` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.7-0ubuntu2
mysql-client - 8.4.7-0ubuntu2
mysql-client-core - 8.4.7-0ubuntu2
mysql-router - 8.4.7-0ubuntu2
mysql-server - 8.4.7-0ubuntu2
mysql-server-core - 8.4.7-0ubuntu2
mysql-source - 8.4.7-0ubuntu2
mysql-testsuite - 8.4.7-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
2025-10-21 20:20:00 UTC
[https://ubuntu.com/security/notices/USN-7873-1]
[https://ubuntu.com/security/notices/USN-8006-1]
CVE-2025-53054
CVE-2025-53057 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
Update Instructions:
Run `sudo pro fix CVE-2025-53057` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-8-demo - 8u472-ga-1
openjdk-8-jdk - 8u472-ga-1
openjdk-8-jdk-headless - 8u472-ga-1
openjdk-8-jre - 8u472-ga-1
openjdk-8-jre-headless - 8u472-ga-1
openjdk-8-jre-zero - 8u472-ga-1
openjdk-8-source - 8u472-ga-1
No subscription required
openjdk-11-demo - 11.0.29+7-1ubuntu1
openjdk-11-jdk - 11.0.29+7-1ubuntu1
openjdk-11-jdk-headless - 11.0.29+7-1ubuntu1
openjdk-11-jre - 11.0.29+7-1ubuntu1
openjdk-11-jre-headless - 11.0.29+7-1ubuntu1
openjdk-11-jre-zero - 11.0.29+7-1ubuntu1
openjdk-11-source - 11.0.29+7-1ubuntu1
No subscription required
openjdk-17-demo - 17.0.17+10-1
openjdk-17-jdk - 17.0.17+10-1
openjdk-17-jdk-headless - 17.0.17+10-1
openjdk-17-jre - 17.0.17+10-1
openjdk-17-jre-headless - 17.0.17+10-1
openjdk-17-jre-zero - 17.0.17+10-1
openjdk-17-source - 17.0.17+10-1
No subscription required
openjdk-21-demo - 21.0.9+10-1
openjdk-21-jdk - 21.0.9+10-1
openjdk-21-jdk-headless - 21.0.9+10-1
openjdk-21-jre - 21.0.9+10-1
openjdk-21-jre-headless - 21.0.9+10-1
openjdk-21-jre-zero - 21.0.9+10-1
openjdk-21-source - 21.0.9+10-1
openjdk-21-testsupport - 21.0.9+10-1
No subscription required
openjdk-25-demo - 25.0.1+8-1
openjdk-25-jdk - 25.0.1+8-1
openjdk-25-jdk-headless - 25.0.1+8-1
openjdk-25-jre - 25.0.1+8-1
openjdk-25-jre-headless - 25.0.1+8-1
openjdk-25-jre-zero - 25.0.1+8-1
openjdk-25-jvmci-jdk - 25.0.1+8-1
openjdk-25-source - 25.0.1+8-1
openjdk-25-testsupport - 25.0.1+8-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
2025-10-21 20:20:00 UTC
[https://ubuntu.com/security/notices/USN-7885-1]
[https://ubuntu.com/security/notices/USN-7884-1]
[https://ubuntu.com/security/notices/USN-7883-1]
[https://ubuntu.com/security/notices/USN-7881-1]
[https://ubuntu.com/security/notices/USN-7882-1]
[https://ubuntu.com/security/notices/USN-7900-1]
[https://ubuntu.com/security/notices/USN-7901-1]
[https://ubuntu.com/security/notices/USN-7902-1]
CVE-2025-53057
CVE-2025-53062 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.43, 8.4.0-8.4.6 and 9.0.0-9.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-53062` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.7-0ubuntu2
mysql-client - 8.4.7-0ubuntu2
mysql-client-core - 8.4.7-0ubuntu2
mysql-router - 8.4.7-0ubuntu2
mysql-server - 8.4.7-0ubuntu2
mysql-server-core - 8.4.7-0ubuntu2
mysql-source - 8.4.7-0ubuntu2
mysql-testsuite - 8.4.7-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
2025-10-21 20:20:00 UTC
[https://ubuntu.com/security/notices/USN-7873-1]
[https://ubuntu.com/security/notices/USN-8006-1]
CVE-2025-53062
CVE-2025-53066 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Update Instructions:
Run `sudo pro fix CVE-2025-53066` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-8-demo - 8u472-ga-1
openjdk-8-jdk - 8u472-ga-1
openjdk-8-jdk-headless - 8u472-ga-1
openjdk-8-jre - 8u472-ga-1
openjdk-8-jre-headless - 8u472-ga-1
openjdk-8-jre-zero - 8u472-ga-1
openjdk-8-source - 8u472-ga-1
No subscription required
openjdk-11-demo - 11.0.29+7-1ubuntu1
openjdk-11-jdk - 11.0.29+7-1ubuntu1
openjdk-11-jdk-headless - 11.0.29+7-1ubuntu1
openjdk-11-jre - 11.0.29+7-1ubuntu1
openjdk-11-jre-headless - 11.0.29+7-1ubuntu1
openjdk-11-jre-zero - 11.0.29+7-1ubuntu1
openjdk-11-source - 11.0.29+7-1ubuntu1
No subscription required
openjdk-17-demo - 17.0.17+10-1
openjdk-17-jdk - 17.0.17+10-1
openjdk-17-jdk-headless - 17.0.17+10-1
openjdk-17-jre - 17.0.17+10-1
openjdk-17-jre-headless - 17.0.17+10-1
openjdk-17-jre-zero - 17.0.17+10-1
openjdk-17-source - 17.0.17+10-1
No subscription required
openjdk-21-demo - 21.0.9+10-1
openjdk-21-jdk - 21.0.9+10-1
openjdk-21-jdk-headless - 21.0.9+10-1
openjdk-21-jre - 21.0.9+10-1
openjdk-21-jre-headless - 21.0.9+10-1
openjdk-21-jre-zero - 21.0.9+10-1
openjdk-21-source - 21.0.9+10-1
openjdk-21-testsupport - 21.0.9+10-1
No subscription required
openjdk-25-demo - 25.0.1+8
openjdk-25-jdk - 25.0.1+8
openjdk-25-jdk-headless - 25.0.1+8
openjdk-25-jre - 25.0.1+8
openjdk-25-jre-headless - 25.0.1+8
openjdk-25-jre-zero - 25.0.1+8
openjdk-25-jvmci-jdk - 25.0.1+8
openjdk-25-source - 25.0.1+8
openjdk-25-testsupport - 25.0.1+8
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
2025-10-21 20:20:00 UTC
[https://ubuntu.com/security/notices/USN-7885-1]
[https://ubuntu.com/security/notices/USN-7884-1]
[https://ubuntu.com/security/notices/USN-7883-1]
[https://ubuntu.com/security/notices/USN-7881-1]
[https://ubuntu.com/security/notices/USN-7882-1]
[https://ubuntu.com/security/notices/USN-7900-1]
[https://ubuntu.com/security/notices/USN-7901-1]
[https://ubuntu.com/security/notices/USN-7902-1]
CVE-2025-53066
CVE-2025-53069 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.0-8.0.43, 8.4.0-8.4.6 and 9.0.0-9.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2025-53069` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.7-0ubuntu2
mysql-client - 8.4.7-0ubuntu2
mysql-client-core - 8.4.7-0ubuntu2
mysql-router - 8.4.7-0ubuntu2
mysql-server - 8.4.7-0ubuntu2
mysql-server-core - 8.4.7-0ubuntu2
mysql-source - 8.4.7-0ubuntu2
mysql-testsuite - 8.4.7-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
2025-10-21 20:20:00 UTC
[https://ubuntu.com/security/notices/USN-7873-1]
[https://ubuntu.com/security/notices/USN-8006-1]
CVE-2025-53069
CVE-2025-53076 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation vulnerability in Samsung Open Source rLottie allows Overread Buffers. This issue affects rLottie: V0.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-30 03:15:00 UTC
CVE-2025-53076
CVE-2025-53085 on Ubuntu 26.04 LTS (resolute) - medium
A memory corruption vulnerability exists in the PSD RLE Decoding functionality of the SAIL Image Decoding Library v0.9.8. When decompressing the image data from a specially crafted .psd file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 15:15:00 UTC
CVE-2025-53085
CVE-2025-53103 on Ubuntu 26.04 LTS (resolute) - medium
JUnit is a testing framework for Java and the JVM. From version 5.12.0 to 5.13.1, JUnit's support for writing Open Test Reporting XML files can leak Git credentials. The impact depends on the level of the access token exposed through the OpenTestReportGeneratingListener. If these test reports are published or stored anywhere public, then there is the possibility that a rogue attacker can steal the token and perform elevated actions by impersonating the user or app. This issue has been patched in version 5.13.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-01 18:15:00 UTC
CVE-2025-53103
CVE-2025-53192 on Ubuntu 26.04 LTS (resolute) - medium
** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Expression/Command Delimiters vulnerability in Apache Commons OGNL. This issue affects Apache Commons OGNL: all versions. When using the API Ognl.getValue, the OGNL engine parses and evaluates the provided expression with powerful capabilities, including accessing and invoking related methods, etc. Although OgnlRuntime attempts to restrict certain dangerous classes and methods (such as java.lang.Runtime) through a blocklist, these restrictions are not comprehensive. Attackers may be able to bypass the restrictions by leveraging class objects that are not covered by the blocklist and potentially achieve arbitrary code execution. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-18 20:15:00 UTC
CVE-2025-53192
CVE-2025-53399 on Ubuntu 26.04 LTS (resolute) - medium
In Sipwise rtpengine before 13.4.1.1, an origin-validation error in the endpoint-learning logic of the media-relay core allows remote attackers to inject or intercept RTP/SRTP media streams via RTP packets (except when the relay is configured for strict source and learning disabled). Version 13.4.1.1 fixes the heuristic mode by limiting exposure to the first five packets, and introduces a recrypt flag that fully prevents SRTP attacks when both mitigations are enabled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-01 04:16:00 UTC
CVE-2025-53399
CVE-2025-53506 on Ubuntu 26.04 LTS (resolute) - medium
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-10 20:15:00 UTC
CVE-2025-53506
CVE-2025-53510 on Ubuntu 26.04 LTS (resolute) - medium
A memory corruption vulnerability exists in the PSD Image Decoding functionality of the SAIL Image Decoding Library v0.9.8. When loading a specially crafted .psd file, an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 15:15:00 UTC
CVE-2025-53510
CVE-2025-53511 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-53511
CVE-2025-53518 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability exists in the ABF parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted ABF file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-53518
CVE-2025-53537 on Ubuntu 26.04 LTS (resolute) - medium
LibHTP is a security-aware parser for the HTTP protocol and its related bits and pieces. In versions 0.5.50 and below, there is a traffic-induced memory leak that can starve the process of memory, leading to loss of visibility. To workaround this issue, set `suricata.yaml app-layer.protocols.http.libhtp.default-config.lzma-enabled` to false. This issue is fixed in version 0.5.51.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-23 21:15:00 UTC
2025-07-23 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109838
[https://ubuntu.com/security/notices/USN-7814-1]
CVE-2025-53537
CVE-2025-53538 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions 7.0.10 and below and 8.0.0-beta1 through 8.0.0-rc1, mishandling of data on HTTP2 stream 0 can lead to uncontrolled memory usage, leading to loss of visibility. Workarounds include disabling the HTTP/2 parser, and using a signature like drop http2 any any -> any any (frame:http2.hdr; byte_test:1,=,0,3; byte_test:4,=,0,5; sid: 1;) where the first byte test tests the HTTP2 frame type DATA and the second tests the stream id 0. This is fixed in versions 7.0.11 and 8.0.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-22 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109806
CVE-2025-53538
CVE-2025-53557 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-53557
CVE-2025-53603 on Ubuntu 26.04 LTS (resolute) - medium
In Alinto SOPE SOGo 2.0.2 through 5.12.2, sope-core/NGExtensions/NGHashMap.m allows a NULL pointer dereference and SOGo crash via a request in which a parameter in the query string is a duplicate of a parameter in the POST body.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-05 01:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108798
CVE-2025-53603
CVE-2025-53618 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read vulnerability exists in the JPEGBITSCodec::InternalCode functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability. The function `grayscale_convert` is called based on the value of the malicious DICOM file specifying the intended interpretation of the image pixel data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-16 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123587
CVE-2025-53618
CVE-2025-53619 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read vulnerability exists in the JPEGBITSCodec::InternalCode functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability. The function `null_convert` is called based on the value of the malicious DICOM file specifying the intended interpretation of the image pixel data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-16 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123587
CVE-2025-53619
CVE-2025-53628 on Ubuntu 26.04 LTS (resolute) - medium
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.20.1, cpp-httplib does not have a limit for a unique line, permitting an attacker to exploit this to allocate memory arbitrarily. This vulnerability is fixed in 0.20.1. NOTE: This vulnerability is related to CVE-2025-53629.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-10 20:15:00 UTC
CVE-2025-53628
CVE-2025-53629 on Ubuntu 26.04 LTS (resolute) - medium
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.23.0, incoming requests using Transfer-Encoding: chunked in the header can allocate memory arbitrarily in the server, potentially leading to its exhaustion. This vulnerability is fixed in 0.23.0. NOTE: This vulnerability is related to CVE-2025-53628.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-10 20:15:00 UTC
CVE-2025-53629
CVE-2025-53630 on Ubuntu 26.04 LTS (resolute) - medium
llama.cpp is an inference of several LLM models in C/C++. Integer Overflow in the gguf_init_from_file_impl function in ggml/src/gguf.cpp can lead to Heap Out-of-Bounds Read/Write. This vulnerability is fixed in commit 26a48ad699d50b6268900062661bd22f3e792579.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-10 20:15:00 UTC
CVE-2025-53630
CVE-2025-53643 on Ubuntu 26.04 LTS (resolute) - medium
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-14 21:15:00 UTC
CVE-2025-53643
CVE-2025-53689 on Ubuntu 26.04 LTS (resolute) - medium
Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-14 10:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109335
CVE-2025-53689
CVE-2025-53853 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow vulnerability exists in the ISHNE parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted ISHNE ECG annotations file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-53853
CVE-2025-53859 on Ubuntu 26.04 LTS (resolute) - medium
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Update Instructions:
Run `sudo pro fix CVE-2025-53859` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnginx-mod-http-geoip - 1.26.3-3ubuntu3
libnginx-mod-http-image-filter - 1.26.3-3ubuntu3
libnginx-mod-http-perl - 1.26.3-3ubuntu3
libnginx-mod-http-xslt-filter - 1.26.3-3ubuntu3
libnginx-mod-mail - 1.26.3-3ubuntu3
libnginx-mod-stream - 1.26.3-3ubuntu3
libnginx-mod-stream-geoip - 1.26.3-3ubuntu3
nginx - 1.26.3-3ubuntu3
nginx-common - 1.26.3-3ubuntu3
nginx-core - 1.26.3-3ubuntu3
nginx-extras - 1.26.3-3ubuntu3
nginx-full - 1.26.3-3ubuntu3
nginx-light - 1.26.3-3ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-15
2025-08-15
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111138
[https://ubuntu.com/security/notices/USN-7715-1]
CVE-2025-53859
CVE-2025-53864 on Ubuntu 26.04 LTS (resolute) - medium
Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-11 03:16:00 UTC
CVE-2025-53864
CVE-2025-54080 on Ubuntu 26.04 LTS (resolute) - low
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions 0.28.5 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. The bug is fixed in version 0.28.6.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-08-29 15:15:00 UTC
2025-08-29 15:15:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112505
[https://ubuntu.com/security/notices/USN-8103-1]
CVE-2025-54080
CVE-2025-54119 on Ubuntu 26.04 LTS (resolute) - medium
ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name. This is fixed in version 5.22.10. To work around this issue, only pass controlled data to the $table parameter of the metaColumns(), metaForeignKeys() and metaIndexes() methods.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-05 01:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110464
CVE-2025-54119
CVE-2025-54121 on Ubuntu 26.04 LTS (resolute) - medium
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-21 20:15:00 UTC
CVE-2025-54121
CVE-2025-54314 on Ubuntu 26.04 LTS (resolute) - medium
Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments."
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-20 03:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109679
CVE-2025-54314
CVE-2025-54351 on Ubuntu 26.04 LTS (resolute) - medium
In iperf before 3.19.1, net.c has a buffer overflow when --skip-rx-copy is used (for MSG_TRUNC in recv).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-03 02:15:00 UTC
CVE-2025-54351
CVE-2025-54352 on Ubuntu 26.04 LTS (resolute) - medium
WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-21 05:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109678
CVE-2025-54352
CVE-2025-54363 on Ubuntu 26.04 LTS (resolute) - medium
Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. extract_full_summary_from_signature employs an inefficient regular expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic backtracking when processing crafted docstrings containing a large volume of whitespace without a terminating colon. An attacker who can control or inject docstring content into affected applications can trigger excessive CPU consumption. This software is used by Azure CLI.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-20 03:15:00 UTC
CVE-2025-54363
CVE-2025-54364 on Ubuntu 26.04 LTS (resolute) - medium
Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. option_descriptions employs an inefficient regular expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic backtracking when processing crafted docstrings containing a large volume of whitespace without a terminating colon. An attacker who can control or inject docstring content into affected applications can trigger excessive CPU consumption. This software is used by Azure CLI.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-20 03:15:00 UTC
CVE-2025-54364
CVE-2025-54388 on Ubuntu 26.04 LTS (resolute) - medium
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. In versions 28.2.0 through 28.3.2, when the firewalld service is reloaded it removes all iptables rules including those created by Docker. While Docker should automatically recreate these rules, versions before 28.3.3 fail to recreate the specific rules that block external access to containers. This means that after a firewalld reload, containers with ports published to localhost (like 127.0.0.1:8080) become accessible from remote machines that have network routing to the Docker bridge, even though they should only be accessible from the host itself. The vulnerability only affects explicitly published ports - unpublished ports remain protected. This issue is fixed in version 28.3.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-30 14:15:00 UTC
CVE-2025-54388
CVE-2025-54462 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow vulnerability exists in the Nex parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted .nex file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-54462
CVE-2025-54480 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability manifests on line 8719 of biosig.c on the current master branch (35a819fa), when the Tag is 0:
    if (tag==0) {
        if (len!=1) fprintf(stderr,"Warning MFER tag0 incorrect length %i!=1\n",len);
        curPos += ifread(buf,1,len,hdr);
    }
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-54480
CVE-2025-54481 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability manifests on line 8744 of biosig.c on the current master branch (35a819fa), when the Tag is 3:
    else if (tag==3) {
        // character code
        char v[17]; // [1]
        if (len>16) fprintf(stderr,"Warning MFER tag2 incorrect length %i>16\n",len);
        curPos += ifread(&v,1,len,hdr);
        v[len] = 0;
In this case, the overflowed buffer is the newly-declared `v` [1] instead of `buf`. Since `v` is only 17 bytes large, much smaller values of `len` (even those encoded using a single octet) can trigger an overflow in this code path.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-54481
CVE-2025-54482 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability manifests on line 8751 of biosig.c on the current master branch (35a819fa), when the Tag is 4:
    else if (tag==4) {
        // SPR
        if (len>4) fprintf(stderr,"Warning MFER tag4 incorrect length %i>4\n",len);
        curPos += ifread(buf,1,len,hdr);
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-54482
CVE-2025-54483 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability manifests on line 8759 of biosig.c on the current master branch (35a819fa), when the Tag is 5:
    else if (tag==5) //0x05: number of channels
    {
        uint16_t oldNS=hdr->NS;
        if (len>4) fprintf(stderr,"Warning MFER tag5 incorrect length %i>4\n",len);
        curPos += ifread(buf,1,len,hdr);
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-54483
CVE-2025-54484 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability manifests on line 8779 of biosig.c on the current master branch (35a819fa), when the Tag is 6:
    else if (tag==6) // 0x06 "number of sequences"
    {
        // NRec
        if (len>4) fprintf(stderr,"Warning MFER tag6 incorrect length %i>4\n",len);
        curPos += ifread(buf,1,len,hdr);
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-54484
CVE-2025-54485 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability manifests on line 8785 of biosig.c on the current master branch (35a819fa), when the Tag is 8:
    else if (tag==8) {
        if (len>2) fprintf(stderr,"Warning MFER tag8 incorrect length %i>2\n",len);
        curPos += ifread(buf,1,len,hdr);
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-54485
CVE-2025-54486 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability manifests on line 8824 of biosig.c on the current master branch (35a819fa), when the Tag is 11:
    else if (tag==11) //0x0B
    {
        // Fs
        if (len>6) fprintf(stderr,"Warning MFER tag11 incorrect length %i>6\n",len);
        double fval;
        curPos += ifread(buf,1,len,hdr);
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-54486
CVE-2025-54487 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability manifests on line 8842 of biosig.c on the current master branch (35a819fa), when the Tag is 12:
    else if (tag==12) //0x0C
    {
        // sampling resolution
        if (len>6) fprintf(stderr,"Warning MFER tag12 incorrect length %i>6\n",len);
        val32 = 0;
        int8_t v8;
        curPos += ifread(&UnitCode,1,1,hdr);
        curPos += ifread(&v8,1,1,hdr);
        curPos += ifread(buf,1,len-2,hdr);
In addition to values of `len` greater than 130 triggering a buffer overflow, a value of `len` smaller than 2 will also trigger a buffer overflow due to an integer underflow when computing `len-2` in this code path.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-54487
CVE-2025-54488 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability manifests on line 8850 of biosig.c on the current master branch (35a819fa), when the Tag is 13:
    else if (tag==13) {
        if (len>8) fprintf(stderr,"Warning MFER tag13 incorrect length %i>8\n",len);
        curPos += ifread(&buf,1,len,hdr);
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-54488
CVE-2025-54489 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability manifests on line 8970 of biosig.c on the current master branch (35a819fa), when the Tag is 63:
    else if (tag==63) {
        uint8_t tag2=255, len2=255;
        count = 0;
        while ((count<len) && !(FlagInfiniteLength && len2==0 && tag2==0)){
            curPos += ifread(&tag2,1,1,hdr);
            curPos += ifread(&len2,1,1,hdr);
            if (VERBOSE_LEVEL==9)
                fprintf(stdout,"MFER: tag=%3i chan=%2i len=%-4i tag2=%3i len2=%3i curPos=%i %li count=%4i\n",tag,chan,len,tag2,len2,curPos,iftell(hdr),(int)count);
            if (FlagInfiniteLength && len2==0 && tag2==0) break;
            count += (2+len2);
            curPos += ifread(&buf,1,len2,hdr);
Here, the number of bytes read is not the Data Length decoded from the current frame in the file (`len`) but rather is a new length contained in a single octet read from the same input file (`len2`). Despite this, a stack-based buffer overflow condition can still occur, as the destination buffer is still `buf`, which has a size of only 128 bytes, while `len2` can be as large as 255.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-54489
CVE-2025-54490 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability manifests on line 9090 of biosig.c on the current master branch (35a819fa), when the Tag is 64:
    else if (tag==64) //0x40
    {
        // preamble
        char tmp[256]; // [1]
        curPos += ifread(tmp,1,len,hdr);
In this case, the overflowed buffer is the newly-declared `tmp` [1] instead of `buf`. While `tmp` is larger than `buf`, having a size of 256 bytes, a stack overflow can still occur in cases where `len` is encoded using multiple octets and is greater than 256.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-54490
CVE-2025-54491 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability manifests on line 9191 of biosig.c on the current master branch (35a819fa), when the Tag is 65:
    else if (tag==65) //0x41: patient event
    {
        // event table
        curPos += ifread(buf,1,len,hdr);
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-54491
CVE-2025-54492 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability manifests on line 9141 of biosig.c on the current master branch (35a819fa), when the Tag is 67:
    else if (tag==67) //0x43: Sample skew
    {
        int skew=0; // [1]
        curPos += ifread(&skew, 1, len,hdr);
In this case, the address of the newly-defined integer `skew` [1] is overflowed instead of `buf`. This means a stack overflow can occur using much smaller values of `len` in this code path.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-54492
CVE-2025-54493 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability manifests on line 9184 of biosig.c on the current master branch (35a819fa), when the Tag is 131:
    else if (tag==131) //0x83
    {
        // Patient Age
        if (len!=7) fprintf(stderr,"Warning MFER tag131 incorrect length %i!=7\n",len);
        curPos += ifread(buf,1,len,hdr);
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-54493
CVE-2025-54494 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability manifests on line 9205 of biosig.c on the current master branch (35a819fa), when the Tag is 133:
    else if (tag==133) //0x85
    {
        curPos += ifread(buf,1,len,hdr);
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 14:15:00 UTC
CVE-2025-54494
CVE-2025-54505 on Ubuntu 26.04 LTS (resolute) - medium
A transient execution vulnerability within AMD CPUs may allow a local user-privileged attacker to leak data via the floating point divisor unit, potentially resulting in loss of confidentiality.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-27 16:16:00 UTC
CVE-2025-54505
CVE-2025-54514 on Ubuntu 26.04 LTS (resolute) - medium
Improper isolation of shared resources on a system on a chip by a malicious local attacker with high privileges could potentially lead to a partial loss of integrity.
Update Instructions:
Run `sudo pro fix CVE-2025-54514` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
amd64-microcode - 3.20251202.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 20:16:00 UTC
CVE-2025-54514
CVE-2025-54518 on Ubuntu 26.04 LTS (resolute) - medium
Improper isolation of shared resources within the CPU operation cache on Zen 2-based products could allow an attacker to corrupt instructions executed at a different privilege level, potentially resulting in privilege escalation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-15 05:16:00 UTC
CVE-2025-54518
CVE-2025-5455 on Ubuntu 26.04 LTS (resolute) - medium
An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If the function was called with malformed data, for example, a URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort). This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-02 09:15:00 UTC
CVE-2025-5455
CVE-2025-54571 on Ubuntu 26.04 LTS (resolute) - medium
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response's Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-06 00:15:00 UTC
CVE-2025-54571
CVE-2025-54770 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been identified in the GRUB2 bootloader's network module that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the net_set_vlan command is not properly unregistered when the network module is unloaded from memory. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-18 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120968
https://bugzilla.redhat.com/show_bug.cgi?id=2413813
CVE-2025-54770
CVE-2025-54771 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-free vulnerability has been identified in the GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-18 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120968
https://bugzilla.redhat.com/show_bug.cgi?id=2413823
CVE-2025-54771
CVE-2025-54798 on Ubuntu 26.04 LTS (resolute) - medium
tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-07 01:15:00 UTC
CVE-2025-54798
CVE-2025-54799 on Ubuntu 26.04 LTS (resolute) - medium
Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to perform ACME functions. However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects. If users input HTTP URLs or CAs misconfigure endpoints, protocol operations occur over HTTP instead of HTTPS. This compromises privacy by exposing request/response details like account and request identifiers to network attackers. This was fixed in version 4.25.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-07 01:15:00 UTC
CVE-2025-54799
CVE-2025-54812 on Ubuntu 26.04 LTS (resolute) - medium
Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Javascript in order to hide information from logs or steal data from the user. In order to activate this, the following sequence must occur:
 * Log4cxx is configured to use HTMLLayout.
 * Logger name comes from an untrusted string
 * Logger with compromised name logs a message
 * User opens the generated HTML log file in their browser, leading to potential XSS
Because logger names are generally constant strings, we assess the impact to users as LOW. This issue affects Apache Log4cxx: before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-22 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111879
CVE-2025-54812
CVE-2025-54813 on Ubuntu 26.04 LTS (resolute) - medium
Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using JSONLayout, not all payload bytes are properly escaped. If an attacker-supplied message contains certain non-printable characters, these will be passed along in the message and written out as part of the JSON message. This may prevent applications that consume these logs from correctly interpreting the information within them. This issue affects Apache Log4cxx: before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-22 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111881
CVE-2025-54813
CVE-2025-54869 on Ubuntu 26.04 LTS (resolute) - medium
FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. In versions 2.6.2 and below, any application that uses FPDI to process user-supplied PDF files is at risk, causing a Denial of Service (DoS) vulnerability. An attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion. Repeated attacks can lead to sustained service unavailability. This issue is fixed in version 2.6.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-06 00:15:00 UTC
CVE-2025-54869
CVE-2025-54874 on Ubuntu 26.04 LTS (resolute) - medium
OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG from 2.5.1 through 2.5.3, a call to opj_jp2_read_header may lead to OOB heap memory write when the data stream p_stream is too short and p_image is not initialized.
Update Instructions:
Run `sudo pro fix CVE-2025-54874` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenjp2-7 - 2.5.3-2.1
libopenjp2-tools - 2.5.3-2.1
libopenjpip-dec-server - 2.5.3-2.1
libopenjpip-viewer - 2.5.3-2.1
libopenjpip7 - 2.5.3-2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-05 15:15:00 UTC
2025-08-05 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110443
[https://ubuntu.com/security/notices/USN-7757-1]
CVE-2025-54874
CVE-2025-54956 on Ubuntu 26.04 LTS (resolute) - medium
The gh package before 1.5.0 for R delivers an HTTP response in a data structure that includes the Authorization header from the corresponding HTTP request.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-03 18:15:00 UTC
CVE-2025-54956
CVE-2025-54988 on Ubuntu 26.04 LTS (resolute) - medium
Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-20 20:15:00 UTC
john-breton
CVE-2025-54988
CVE-2025-54989 on Ubuntu 26.04 LTS (resolute) - medium
Firebird is a relational database. Prior to versions 3.0.13, 4.0.6, and 5.0.3, there is an XDR message parsing NULL pointer dereference denial-of-service vulnerability in Firebird. This specific flaw exists within the parsing of xdr message from client. It leads to NULL pointer dereference and DoS. This issue has been patched in versions 3.0.13, 4.0.6, and 5.0.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-15 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111321
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111320
CVE-2025-54989
CVE-2025-55014 on Ubuntu 26.04 LTS (resolute) - medium
The YouDao plugin for StarDict, as used in stardict 3.0.7+git20220909+dfsg-6 in Debian trixie and elsewhere, sends an X11 selection to the dict.youdao.com and dict.cn servers via cleartext HTTP.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-04 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110370
CVE-2025-55014
CVE-2025-55130 on Ubuntu 26.04 LTS (resolute) - medium
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 21:16:00 UTC
CVE-2025-55130
CVE-2025-55131 on Ubuntu 26.04 LTS (resolute) - medium
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 21:16:00 UTC
CVE-2025-55131
CVE-2025-55132 on Ubuntu 26.04 LTS (resolute) - medium
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 21:16:00 UTC
CVE-2025-55132
CVE-2025-55163 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-13 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111105
CVE-2025-55163
CVE-2025-55174 on Ubuntu 26.04 LTS (resolute) - medium
In KDE Skanpage before 25.08.0, an attempt at file overwrite can result in the contents of the new file at the beginning followed by the partial contents of the old file at the end, because of use of QIODevice::ReadWrite instead of QIODevice::WriteOnly.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-26 06:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121443
CVE-2025-55174
CVE-2025-55193 on Ubuntu 26.04 LTS (resolute) - medium
Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is logged directly to the terminal, it may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-13 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111106
CVE-2025-55193
CVE-2025-55197 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-13 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111139
CVE-2025-55197
CVE-2025-55247 on Ubuntu 26.04 LTS (resolute) - medium
Improper link resolution before file access ('link following') in .NET allows an authorized attacker to elevate privileges locally.
Update Instructions:
Run `sudo pro fix CVE-2025-55247` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
aspnetcore-runtime-10.0 - 10.0.0~rc2-0ubuntu1
aspnetcore-targeting-pack-10.0 - 10.0.0~rc2-0ubuntu1
dotnet-apphost-pack-10.0 - 10.0.0~rc2-0ubuntu1
dotnet-host-10.0 - 10.0.0~rc2-0ubuntu1
dotnet-hostfxr-10.0 - 10.0.0~rc2-0ubuntu1
dotnet-runtime-10.0 - 10.0.0~rc2-0ubuntu1
dotnet-targeting-pack-10.0 - 10.0.0~rc2-0ubuntu1
dotnet-sdk-10.0 - 10.0.100~rc2-0ubuntu1
dotnet-sdk-10.0-source-built-artifacts - 10.0.100~rc2-0ubuntu1
dotnet-sdk-aot-10.0 - 10.0.100~rc2-0ubuntu1
dotnet-templates-10.0 - 10.0.100~rc2-0ubuntu1
dotnet10 - 10.0.100-10.0.0~rc2-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-14
2025-10-14
[https://ubuntu.com/security/notices/USN-7822-1]
CVE-2025-55247
CVE-2025-55304 on Ubuntu 26.04 LTS (resolute) - low
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file. The bug is fixed in version 0.28.6.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-08-29 15:15:00 UTC
2025-08-29 15:15:00 UTC
https://github.com/Exiv2/exiv2/issues/3333
[https://ubuntu.com/security/notices/USN-8103-1]
CVE-2025-55304
CVE-2025-55315 on Ubuntu 26.04 LTS (resolute) - medium
Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
Update Instructions:
Run `sudo pro fix CVE-2025-55315` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
aspnetcore-runtime-10.0 - 10.0.0~rc2-0ubuntu1
aspnetcore-targeting-pack-10.0 - 10.0.0~rc2-0ubuntu1
dotnet-apphost-pack-10.0 - 10.0.0~rc2-0ubuntu1
dotnet-host-10.0 - 10.0.0~rc2-0ubuntu1
dotnet-hostfxr-10.0 - 10.0.0~rc2-0ubuntu1
dotnet-runtime-10.0 - 10.0.0~rc2-0ubuntu1
dotnet-targeting-pack-10.0 - 10.0.0~rc2-0ubuntu1
dotnet-sdk-10.0 - 10.0.100~rc2-0ubuntu1
dotnet-sdk-10.0-source-built-artifacts - 10.0.100~rc2-0ubuntu1
dotnet-sdk-aot-10.0 - 10.0.100~rc2-0ubuntu1
dotnet-templates-10.0 - 10.0.100~rc2-0ubuntu1
dotnet10 - 10.0.100-10.0.0~rc2-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-14
2025-10-14
[https://ubuntu.com/security/notices/USN-7822-1]
CVE-2025-55315
CVE-2025-55551 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the component torch.linalg.lu of pytorch v2.8.0 allows attackers to cause a Denial of Service (DoS) when performing a slice operation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-25 15:16:00 UTC
CVE-2025-55551
CVE-2025-55552 on Ubuntu 26.04 LTS (resolute) - medium
pytorch v2.8.0 was discovered to display unexpected behavior when the components torch.rot90 and torch.randn_like are used together.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-25 16:15:00 UTC
CVE-2025-55552
CVE-2025-55553 on Ubuntu 26.04 LTS (resolute) - medium
A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-25 16:15:00 UTC
CVE-2025-55553
CVE-2025-55554 on Ubuntu 26.04 LTS (resolute) - medium
pytorch v2.8.0 was discovered to contain an integer overflow in the component torch.nan_to_num-.long().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-25 16:15:00 UTC
CVE-2025-55554
CVE-2025-55556 on Ubuntu 26.04 LTS (resolute) - medium
TensorFlow v2.18.0 was discovered to output random results when compiling Embedding, leading to unexpected behavior in the application.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-25 16:15:00 UTC
CVE-2025-55556
CVE-2025-55557 on Ubuntu 26.04 LTS (resolute) - medium
A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-25 16:15:00 UTC
CVE-2025-55557
CVE-2025-55558 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow occurs in pytorch v2.7.0 when a PyTorch model consists of torch.nn.Conv2d, torch.nn.functional.hardshrink, and torch.Tensor.view-torch.mv() and is compiled by Inductor, leading to a Denial of Service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-25 16:15:00 UTC
CVE-2025-55558
CVE-2025-55559 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in TensorFlow v2.18.0. A Denial of Service (DoS) occurs when padding is set to 'valid' in tf.keras.layers.Conv2D.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-25 16:15:00 UTC
CVE-2025-55559
CVE-2025-55560 on Ubuntu 26.04 LTS (resolute) - medium
An issue in pytorch v2.7.0 can lead to a Denial of Service (DoS) when a PyTorch model consists of torch.Tensor.to_sparse() and torch.Tensor.to_dense() and is compiled by Inductor.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-25 16:15:00 UTC
CVE-2025-55560
CVE-2025-55668 on Ubuntu 26.04 LTS (resolute) - medium
Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-13 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111099
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111098
CVE-2025-55668
CVE-2025-55752 on Ubuntu 26.04 LTS (resolute) - medium
Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-27 18:15:00 UTC
CVE-2025-55752
CVE-2025-55753 on Ubuntu 26.04 LTS (resolute) - low
An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2025-55753` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.66-2ubuntu1
apache2-bin - 2.4.66-2ubuntu1
apache2-data - 2.4.66-2ubuntu1
apache2-suexec-custom - 2.4.66-2ubuntu1
apache2-suexec-pristine - 2.4.66-2ubuntu1
apache2-utils - 2.4.66-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-12-05 11:15:00 UTC
2025-12-05 11:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121926
[https://ubuntu.com/security/notices/USN-7968-1]
CVE-2025-55753
CVE-2025-55754 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-27 18:15:00 UTC
CVE-2025-55754
CVE-2025-55763 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow in the URI parser of CivetWeb 1.14 through 1.16 (latest) allows a remote attacker to achieve remote code execution via a crafted HTTP request. This vulnerability is triggered during request processing and may allow an attacker to corrupt heap memory, potentially leading to denial of service or arbitrary code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-29 17:15:00 UTC
CVE-2025-55763
CVE-2025-55780 on Ubuntu 26.04 LTS (resolute) - medium
A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-23 18:15:00 UTC
CVE-2025-55780
CVE-2025-5601 on Ubuntu 26.04 LTS (resolute) - medium
Column handling crashes in Wireshark 4.4.0 to 4.4.6 and 4.2.0 to 4.2.12 allows denial of service via packet injection or crafted capture file
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-04 11:15:00 UTC
https://gitlab.com/wireshark/wireshark/-/issues/20509
CVE-2025-5601
CVE-2025-56226 on Ubuntu 26.04 LTS (resolute) - low
Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-01-14 15:15:00 UTC
https://github.com/libsndfile/libsndfile/issues/1089
CVE-2025-56226
CVE-2025-5641 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Radare2 5.9.9. It has been rated as problematic. This issue affects the function r_cons_is_breaked in the library /libr/cons/cons.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier of the patch is 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". An additional warning regarding threading support has been added.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-05 07:15:00 UTC
CVE-2025-5641
CVE-2025-5642 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic has been found in Radare2 5.9.9. Affected is the function r_cons_pal_init in the library /libr/cons/pal.c of the component radiff2. The manipulation leads to memory corruption. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is identified as 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". A new warning has been added.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-05 07:15:00 UTC
CVE-2025-5642
CVE-2025-5643 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic was found in Radare2 5.9.9. Affected by this vulnerability is the function cons_stack_load in the library /libr/cons/cons.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. An attack has to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is named 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". A new warning has been added.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-05 07:15:00 UTC
CVE-2025-5643
CVE-2025-5644 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, has been found in Radare2 5.9.9. Affected by this issue is the function r_cons_flush in the library /libr/cons/cons.c of the component radiff2. The manipulation of the argument -T leads to use after free. Local access is required to approach this attack. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The name of the patch is 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". A new warning has been added.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-05 07:15:00 UTC
CVE-2025-5644
CVE-2025-5645 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, was found in Radare2 5.9.9. This affects the function r_cons_pal_init in the library /libr/cons/pal.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. Attacking locally is a requirement. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier of the patch is 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". A new warning has been added.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-05 08:15:00 UTC
CVE-2025-5645
CVE-2025-5646 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in Radare2 5.9.9 and classified as problematic. This vulnerability affects the function r_cons_rainbow_free in the library /libr/cons/pal.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is identified as 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". A new warning has been added.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-05 08:15:00 UTC
CVE-2025-5646
CVE-2025-5647 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Radare2 5.9.9 and classified as problematic. This issue affects the function r_cons_context_break_pop in the library /libr/cons/cons.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is named 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". A new warning has been added.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-05 09:15:00 UTC
CVE-2025-5647
CVE-2025-5648 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Radare2 5.9.9. It has been classified as problematic. Affected is the function r_cons_pal_init in the library /libr/cons/pal.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. An attack has to be approached locally. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The name of the patch is 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". A new warning has been added.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-05 09:15:00 UTC
CVE-2025-5648
CVE-2025-5683 on Ubuntu 26.04 LTS (resolute) - medium
When loading a specifically crafted ICNS format image file in QImage then it will trigger a crash. This issue affects Qt from versions 6.3.0 through 6.5.9, from 6.6.0 through 6.8.4, 6.9.0. This is fixed in 6.5.10, 6.8.5 and 6.9.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-05 06:15:00 UTC
CVE-2025-5683
CVE-2025-57109 on Ubuntu 26.04 LTS (resolute) - medium
Kitware VTK (Visualization Toolkit) 9.5.0 is vulnerable to Heap Use-After-Free in vtkGLTFImporter::ImportActors. When processing GLTF files with invalid scene node references, the application accesses string members of mesh objects that have been previously freed during actor import operations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-30 19:16:00 UTC
CVE-2025-57109
CVE-2025-57632 on Ubuntu 26.04 LTS (resolute) - medium
libsmb2 6.2+ is vulnerable to Buffer Overflow. When processing SMB2 chained PDUs (NextCommand), libsmb2 repeatedly calls smb2_add_iovector() to append to a fixed-size iovec array without checking the upper bound of v->niov (SMB2_MAX_VECTORS=256). An attacker can craft responses with many chained PDUs to overflow v->niov and perform heap out-of-bounds writes, causing memory corruption, crashes, and potentially arbitrary code execution. The SMB2_OPLOCK_BREAK path bypasses message ID validation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-25 20:15:00 UTC
CVE-2025-57632
CVE-2025-57767 on Ubuntu 26.04 LTS (resolute) - medium
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.15.2, 21.10.2, and 22.5.2, if a SIP request is received with an Authorization header that contains a realm that wasn't in a previous 401 response's WWW-Authenticate header, or an Authorization header with an incorrect realm was received without a previous 401 response being sent, the get_authorization_header() function in res_pjsip_authenticator_digest will return a NULL. This wasn't being checked before attempting to get the digest algorithm from the header which causes a SEGV. This issue has been patched in versions 20.15.2, 21.10.2, and 22.5.2. There are no workarounds.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-28 16:15:00 UTC
CVE-2025-57767
CVE-2025-57804 on Ubuntu 26.04 LTS (resolute) - medium
h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls. This issue has been patched in version 4.3.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-25 21:15:00 UTC
CVE-2025-57804
CVE-2025-58066 on Ubuntu 26.04 LTS (resolute) - medium
ntpd-rs is a tool for synchronizing your computer's clock, implementing the NTP and NTS protocols. In versions between 1.2.0 and 1.6.1 inclusive, servers which allow non-NTS traffic are affected by a denial of service vulnerability, where an attacker can induce a message storm between two NTP servers running ntpd-rs. Client-only configurations are not affected. Affected users are recommended to upgrade to version 1.6.2 as soon as possible.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-29 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112511
CVE-2025-58066
CVE-2025-58068 on Ubuntu 26.04 LTS (resolute) - medium
Eventlet is a concurrent networking library for Python. Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer sections. This vulnerability could enable attackers to bypass front-end security controls, launch targeted attacks against active site users, and poison web caches. This problem has been patched in Eventlet 0.40.3 by dropping trailers, which is a breaking change if a backend behind eventlet.wsgi proxy requires trailers. A workaround involves not using eventlet.wsgi facing untrusted clients.
Update Instructions:
Run `sudo pro fix CVE-2025-58068` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-eventlet - 0.39.0-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-29 22:15:00 UTC
2025-08-29 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112515
https://bugs.launchpad.net/ubuntu/+source/python-eventlet/+bug/2125423
[https://ubuntu.com/security/notices/USN-7772-1]
CVE-2025-58068
CVE-2025-58098 on Ubuntu 26.04 LTS (resolute) - medium
Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2025-58098` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.66-2ubuntu1
apache2-bin - 2.4.66-2ubuntu1
apache2-data - 2.4.66-2ubuntu1
apache2-suexec-custom - 2.4.66-2ubuntu1
apache2-suexec-pristine - 2.4.66-2ubuntu1
apache2-utils - 2.4.66-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-05 14:15:00 UTC
2025-12-05 14:15:00 UTC
Anthony Parfenov
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121926
[https://ubuntu.com/security/notices/USN-7968-1]
CVE-2025-58098
CVE-2025-58142 on Ubuntu 26.04 LTS (resolute) - medium
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-11 14:15:00 UTC
CVE-2025-58142
CVE-2025-58143 on Ubuntu 26.04 LTS (resolute) - medium
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-11 14:15:00 UTC
CVE-2025-58143
CVE-2025-58144 on Ubuntu 26.04 LTS (resolute) - medium
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. This is CVE-2025-58144. And then the P2M lock isn't held until a page reference was actually obtained (or the attempt to do so has failed). Otherwise the page can not only change type, but even ownership in between, thus allowing domain boundaries to be violated. This is CVE-2025-58145.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-11 14:15:00 UTC
CVE-2025-58144
CVE-2025-58145 on Ubuntu 26.04 LTS (resolute) - medium
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. This is CVE-2025-58144. And then the P2M lock isn't held until a page reference was actually obtained (or the attempt to do so has failed). Otherwise the page can not only change type, but even ownership in between, thus allowing domain boundaries to be violated. This is CVE-2025-58145.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-11 14:15:00 UTC
CVE-2025-58145
CVE-2025-58147 on Ubuntu 26.04 LTS (resolute) - medium
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs. * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format. * CVE-2025-58148. Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-31 12:15:00 UTC
CVE-2025-58147
CVE-2025-58148 on Ubuntu 26.04 LTS (resolute) - medium
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs. * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format. * CVE-2025-58148. Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-31 12:15:00 UTC
CVE-2025-58148
CVE-2025-58149 on Ubuntu 26.04 LTS (resolute) - medium
When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have. As a result a domain can still have access to any 64bit memory BAR when such device is no longer assigned to the domain. For PV domains the permission leak allows the domain itself to map the memory in the page-tables. For HVM it would require a compromised device model or stubdomain to map the leaked memory into the HVM domain p2m.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-31 12:15:00 UTC
CVE-2025-58149
CVE-2025-58150 on Ubuntu 26.04 LTS (resolute) - medium
Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-28 16:16:00 UTC
CVE-2025-58150
CVE-2025-58174 on Ubuntu 26.04 LTS (resolute) - medium
LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM before 9.3 allows stored cross-site scripting in the Profile section via the profile name field, which renders untrusted input as HTML and executes a supplied script (for example a script element). An authenticated user with permission to create or edit a profile can insert a script payload into the profile name and have it executed when the profile data is viewed in a browser. This issue is fixed in version 9.3. No known workarounds are mentioned.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-16 17:15:00 UTC
CVE-2025-58174
CVE-2025-58181 on Ubuntu 26.04 LTS (resolute) - medium
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Update Instructions:
Run `sudo pro fix CVE-2025-58181` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
google-guest-agent - 20250506.01-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-19 21:15:00 UTC
2025-11-19 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-7956-1]
CVE-2025-58181
CVE-2025-58183 on Ubuntu 26.04 LTS (resolute) - medium
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-29 23:16:00 UTC
CVE-2025-58183
CVE-2025-58185 on Ubuntu 26.04 LTS (resolute) - medium
Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-29 23:16:00 UTC
CVE-2025-58185
CVE-2025-58186 on Ubuntu 26.04 LTS (resolute) - medium
Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-29 23:16:00 UTC
CVE-2025-58186
CVE-2025-58187 on Ubuntu 26.04 LTS (resolute) - medium
Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-29 23:16:00 UTC
CVE-2025-58187
CVE-2025-58188 on Ubuntu 26.04 LTS (resolute) - medium
Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-29 23:16:00 UTC
CVE-2025-58188
CVE-2025-58189 on Ubuntu 26.04 LTS (resolute) - medium
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-29 23:16:00 UTC
CVE-2025-58189
CVE-2025-58190 on Ubuntu 26.04 LTS (resolute) - medium
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-05 18:16:00 UTC
2026-02-05 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127320
[https://ubuntu.com/security/notices/USN-8089-1]
[https://ubuntu.com/security/notices/USN-8089-2]
[https://ubuntu.com/security/notices/USN-8089-3]
CVE-2025-58190
CVE-2025-58246 on Ubuntu 26.04 LTS (resolute) - medium
Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-23 18:15:00 UTC
CVE-2025-58246
CVE-2025-58457 on Ubuntu 26.04 LTS (resolute) - medium
Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue. The issue can be mitigated by disabling both commands (via admin.snapshot.enabled and admin.restore.enabled), disabling the whole AdminServer interface (via admin.enableServer), or ensuring that the root ACL does not provide open permissions. (Note that ZooKeeper ACLs are not recursive, so this does not impact operations on child nodes besides notifications from recursive watches.)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-24 10:15:00 UTC
CVE-2025-58457
CVE-2025-58674 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-23 19:15:00 UTC
CVE-2025-58674
CVE-2025-58754 on Ubuntu 26.04 LTS (resolute) - medium
Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. Versions 0.30.2 and 1.12.0 contain a patch for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-12 02:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114963
CVE-2025-58754
CVE-2025-58767 on Ubuntu 26.04 LTS (resolute) - low
REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted by these vulnerabilities. The REXML gem 3.4.2 or later includes the patches to fix these vulnerabilities.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-09-17 18:15:00 UTC
Sofia Aberegg
CVE-2025-58767
CVE-2025-5878 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an improper neutralization of special elements. The attack may be initiated remotely and an exploit has been disclosed to the public. The project was contacted early about this issue and handled it with an exceptional level of professionalism. Upgrading to version 2.7.0.0 is able to address this issue. Commit ID f75ac2c2647a81d2cfbdc9c899f8719c240ed512 is disabling the feature by default and any attempt to use it will trigger a warning. And commit ID e2322914304d9b1c52523ff24be495b7832f6a56 is updating the misleading Java class documentation to warn about the risks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-29 12:15:00 UTC
2025-06-29 12:15:00 UTC
[https://ubuntu.com/security/notices/USN-8181-1]
CVE-2025-5878
CVE-2025-58782 on Ubuntu 26.04 LTS (resolute) - medium
Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR lookup from untrusted users allow them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are advised to review their use of JNDI URI for JCR lookup.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-08 09:15:00 UTC
CVE-2025-58782
CVE-2025-5898 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as critical has been found in GNU PSPP 82fb509fb2fedd33e7ac0c46ca99e108bb3bdffb. Affected is the function parse_variables_option of the file utilities/pspp-convert.c. The manipulation leads to out-of-bounds write. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-09 22:15:00 UTC
CVE-2025-5898
CVE-2025-5899 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as critical was found in GNU PSPP 82fb509fb2fedd33e7ac0c46ca99e108bb3bdffb. Affected by this vulnerability is the function parse_variables_option of the file utilities/pspp-convert.c. The manipulation leads to free of memory not on the heap. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-09 22:15:00 UTC
CVE-2025-5899
CVE-2025-59023 on Ubuntu 26.04 LTS (resolute) - medium
Crafted delegations or IP fragments can poison cached delegations in Recursor.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-09 15:16:00 UTC
CVE-2025-59023
CVE-2025-59024 on Ubuntu 26.04 LTS (resolute) - medium
Crafted delegations or IP fragments can poison cached delegations in Recursor.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-09 15:16:00 UTC
CVE-2025-59024
CVE-2025-59029 on Ubuntu 26.04 LTS (resolute) - medium
An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then sending a query with qtype set to ANY.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-09 16:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122196
CVE-2025-59029
CVE-2025-59030 on Ubuntu 26.04 LTS (resolute) - medium
An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-09 16:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122197
CVE-2025-59030
CVE-2025-59088 on Ubuntu 26.04 LTS (resolute) - medium
If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the "use_dns" setting is explicitly set to false are not affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-12 17:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2393955
CVE-2025-59088
CVE-2025-59089 on Ubuntu 26.04 LTS (resolute) - medium
If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-12 17:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2393958
CVE-2025-59089
CVE-2025-59147 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 7.0.11 and below, as well as 8.0.0, are vulnerable to detection bypass when crafted traffic sends multiple SYN packets with different sequence numbers within the same flow tuple, which can cause Suricata to fail to pick up the TCP session. In IDS mode this can lead to a detection and logging bypass. In IPS mode this will lead to the flow getting blocked. This issue is fixed in versions 7.0.12 and 8.0.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-01 20:18:00 UTC
CVE-2025-59147
CVE-2025-59148 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 8.0.0 and below incorrectly handle the entropy keyword when not anchored to a "sticky" buffer, which can lead to a segmentation fault. This issue is fixed in version 8.0.1. To work around this issue, users can disable rules using the entropy keyword, or validate they are anchored to a sticky buffer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-01 20:18:00 UTC
CVE-2025-59148
CVE-2025-59149 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In version 8.0.0, rules using keyword ldap.responses.attribute_type (which is long) with transforms can lead to a stack buffer overflow during Suricata startup or during a rule reload. This issue is fixed in version 8.0.1. To work around this issue, users can disable rules with ldap.responses.attribute_type and transforms.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-01 20:18:00 UTC
CVE-2025-59149
CVE-2025-59150 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Version 8.0.0's usage of the tls.subjectaltname keyword can lead to a segmentation fault when the decoded subjectaltname contains a NULL byte. This issue is fixed in version 8.0.1. To work around this issue, disable rules using the tls.subjectaltname keyword.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-01 21:16:00 UTC
CVE-2025-59150
CVE-2025-59343 on Ubuntu 26.04 LTS (resolute) - medium
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves using the ignore option on non files/directories.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-24 18:15:00 UTC
CVE-2025-59343
CVE-2025-59375 on Ubuntu 26.04 LTS (resolute) - medium
libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-23 08:16:00 UTC
2026-01-23 08:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115298
https://github.com/libexpat/libexpat/issues/1018
https://issues.oss-fuzz.com/issues/439133977
[https://ubuntu.com/security/notices/USN-8022-1]
CVE-2025-59375
CVE-2025-59391 on Ubuntu 26.04 LTS (resolute) - medium
A memory disclosure vulnerability exists in libcoap's OSCORE configuration parser in libcoap before release-4.3.5-patches. An out-of-bounds read may occur when parsing certain configuration values, allowing an attacker to infer or read memory beyond string boundaries in the .rodata section. This could potentially lead to information disclosure or denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-08 17:16:00 UTC
CVE-2025-59391
CVE-2025-59419 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to insufficient input validation for Carriage Return (\r) and Line Feed (\n) characters in user-supplied parameters. The vulnerability exists in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string without sanitization. When methods such as SmtpRequests.rcpt(recipient) are called with a malicious string containing CRLF sequences, attackers can inject arbitrary SMTP commands. Because the injected commands are sent from the server's trusted IP address, resulting emails will likely pass SPF and DKIM authentication checks, making them appear legitimate. This allows remote attackers who can control SMTP command parameters (such as email recipients) to forge arbitrary emails from the trusted server, potentially impersonating executives and forging high-stakes corporate communications. This issue has been patched in versions 4.1.129.Final and 4.2.8.Final. No known workarounds exist.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-15 16:15:00 UTC
CVE-2025-59419
CVE-2025-59420 on Ubuntu 26.04 LTS (resolute) - medium
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation. This issue has been patched in version 1.6.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-22 18:15:00 UTC
2025-09-22 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-8065-1]
CVE-2025-59420
CVE-2025-59431 on Ubuntu 26.04 LTS (resolute) - medium
MapServer is a system for developing web-based GIS applications. Prior to 8.4.1, the XML Filter Query directive PropertyName is vulnerable to Boolean-based SQL injection. It seems like expression checking is bypassed by introducing double quote characters in the PropertyName, allowing manipulation of backend database queries. This vulnerability is fixed in 8.4.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-19 20:15:00 UTC
CVE-2025-59431
CVE-2025-59436 on Ubuntu 26.04 LTS (resolute) - medium
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-16 06:16:00 UTC
CVE-2025-59436
CVE-2025-59437 on Ubuntu 26.04 LTS (resolute) - medium
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. NOTE: in current versions of several applications, connection attempts to the IP address 0 (interpreted as 0.0.0.0) are blocked with error messages such as net::ERR_ADDRESS_INVALID. However, in some situations that depend on both application version and operating system, connection attempts to 0 and 0.0.0.0 are considered connection attempts to 127.0.0.1 (and, for this reason, a false value of isPublic would be preferable).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-16 06:16:00 UTC
CVE-2025-59437
CVE-2025-59464 on Ubuntu 26.04 LTS (resolute) - medium
A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 21:16:00 UTC
CVE-2025-59464
CVE-2025-59465 on Ubuntu 26.04 LTS (resolute) - medium
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:
```
server.on('secureConnection', socket => {
  socket.on('error', err => {
    console.log(err)
  })
})
```
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 21:16:00 UTC
CVE-2025-59465
CVE-2025-59466 on Ubuntu 26.04 LTS (resolute) - medium
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 21:16:00 UTC
CVE-2025-59466
CVE-2025-59490 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30
CVE-2025-59490
CVE-2025-59518 on Ubuntu 26.04 LTS (resolute) - medium
In LemonLDAP::NG before 2.16.7 and 2.17 through 2.21 before 2.21.3, OS command injection can occur in the Safe jail. It does not Localize _ during rule evaluation. Thus, an administrator who can edit a rule evaluated by the Safe jail can execute commands on the server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-17 04:16:00 UTC
CVE-2025-59518
CVE-2025-59529 on Ubuntu 26.04 LTS (resolute) - medium
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When client cannot be accepted as a result of maximal socket number of avahi-daemon, it logs unconditionally error per each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors of each of request. Overloading prevents glibc calls using nss-mdns plugins to resolve `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, they use DBus interface. It is possible to change permissions of unix socket after avahi-daemon is started. But avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools to access the socket and keep resolution working for trusted users.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-18 21:15:00 UTC
CVE-2025-59529
CVE-2025-59681 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).
Update Instructions:
Run `sudo pro fix CVE-2025-59681` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:5.2.4-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-01 14:00:00 UTC
2025-10-01 14:00:00 UTC
[https://ubuntu.com/security/notices/USN-7794-1]
CVE-2025-59681
CVE-2025-59682 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.
Update Instructions:
Run `sudo pro fix CVE-2025-59682` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:5.2.4-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-01 14:00:00 UTC
2025-10-01 14:00:00 UTC
[https://ubuntu.com/security/notices/USN-7794-1]
CVE-2025-59682
CVE-2025-59777 on Ubuntu 26.04 LTS (resolute) - medium
NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-10 05:15:00 UTC
CVE-2025-59777
CVE-2025-59840 on Ubuntu 26.04 LTS (resolute) - medium
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They are vulnerable if they use `vega` in an application that attaches `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window` and if they allow user-defined Vega `JSON` definitions (vs JSON that is only provided through source code). Patches are available in the following Vega applications. If using the latest Vega line (6.x), upgrade to `vega` `6.2.0` / `vega-expression` `6.1.0` / `vega-interpreter` `2.2.1` (if using AST evaluator mode). If using Vega in a non-ESM environment, upgrade to `vega-expression` `5.2.1` / `1.2.1` (if using AST evaluator mode). Some workarounds are available. Do not attach `vega` View instances to global variables, and do not attach `vega` to the global window. These practices of attaching the vega library and View instances may be convenient for debugging, but should not be used in production or in any situation where vega/vega-lite definitions could be provided by untrusted parties.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-13 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125183
CVE-2025-59840
CVE-2025-59842 on Ubuntu 26.04 LTS (resolute) - medium
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to version 4.4.8, links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the noopener attribute. This is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves vulnerable to reverse tabnabbing attacks if links generated by those extensions included target=_blank (no such extensions are known at time of writing) and they were to click on a link generated in LaTeX (typically visibly different from other links). This issue has been patched in version 4.4.8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-26 16:15:00 UTC
CVE-2025-59842
CVE-2025-5991 on Ubuntu 26.04 LTS (resolute) - medium
There is a "Use After Free" vulnerability in Qt's QHttp2ProtocolHandler in the QtNetwork module. This only affects HTTP/2 handling, HTTP handling is not affected by this at all. This happens due to a race condition between how QHttp2Stream uploads the body of a POST request and the simultaneous handling of HTTP error responses. This issue only affects Qt 6.9.0 and has been fixed for Qt 6.9.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-11 08:15:00 UTC
CVE-2025-5991
CVE-2025-5992 on Ubuntu 26.04 LTS (resolute) - medium
When passing values outside of the expected range to QColorTransferGenericFunction it can cause a denial of service, for example, this can happen when passing a specifically crafted ICC profile to QColorSpace::fromICCProfile. This issue affects Qt from 6.6.0 through 6.8.3, from 6.9.0 through 6.9.1. This is fixed in 6.8.4 and 6.9.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-11 07:15:00 UTC
CVE-2025-5992
CVE-2025-59933 on Ubuntu 26.04 LTS (resolute) - medium
libvips is a demand-driven, horizontally threaded image processing library. For versions 8.17.1 and below, when libvips is compiled with support for PDF input via poppler, the pdfload operation is affected by a buffer read overflow when parsing the header of a crafted PDF with a page that defines a width but not a height. Those using libvips compiled without support for PDF input are unaffected as well as those with support for PDF input via PDFium. This issue is fixed in version 8.17.2. A workaround for those affected is to block the VipsForeignLoadPdf operation via vips_operation_block_set, which is available in most language bindings, or to set VIPS_BLOCK_UNTRUSTED environment variable at runtime, which will block all untrusted loaders including PDF input via poppler.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-29 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117049
CVE-2025-59933
CVE-2025-5994 on Ubuntu 26.04 LTS (resolute) - medium
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.
Update Instructions:
Run `sudo pro fix CVE-2025-5994` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libunbound8 - 1.22.0-2ubuntu1
python3-unbound - 1.22.0-2ubuntu1
unbound - 1.22.0-2ubuntu1
unbound-anchor - 1.22.0-2ubuntu1
unbound-host - 1.22.0-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-17
2025-07-17
Xiang Li
[https://ubuntu.com/security/notices/USN-7666-1]
CVE-2025-5994
CVE-2025-60020 on Ubuntu 26.04 LTS (resolute) - medium
nncp before 8.12.0 allows path traversal (for reading or writing) during freqing and file saving via a crafted path in packet data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-24 13:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115848
CVE-2025-60020
CVE-2025-6020 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in linux-pam. The module pam_namespace may access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.
Update Instructions:
Run `sudo pro fix CVE-2025-6020` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libpam-modules - 1.5.3-7ubuntu6
libpam-modules-bin - 1.5.3-7ubuntu6
libpam-runtime - 1.5.3-7ubuntu6
libpam0g - 1.5.3-7ubuntu6
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-17 10:00:00 UTC
2025-06-17 10:00:00 UTC
Olivier BAL-PETRE
[https://ubuntu.com/security/notices/USN-7580-1]
CVE-2025-6020
CVE-2025-6032 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-24 14:15:00 UTC
CVE-2025-6032
CVE-2025-60358 on Ubuntu 26.04 LTS (resolute) - medium
radare2 v.5.9.8 and before contains a memory leak in the function _load_relocations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-16 20:15:00 UTC
CVE-2025-60358
CVE-2025-60359 on Ubuntu 26.04 LTS (resolute) - medium
radare2 v5.9.8 and before contains a memory leak in the function r_bin_object_new.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-17 14:15:00 UTC
CVE-2025-60359
CVE-2025-60360 on Ubuntu 26.04 LTS (resolute) - medium
radare2 v5.9.8 and before contains a memory leak in the function r2r_subprocess_init.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-17 14:15:00 UTC
CVE-2025-60360
CVE-2025-60361 on Ubuntu 26.04 LTS (resolute) - medium
radare2 v5.9.8 and before contains a memory leak in the function bochs_open.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-17 15:15:00 UTC
CVE-2025-60361
CVE-2025-60458 on Ubuntu 26.04 LTS (resolute) - medium
UxPlay 1.72 contains a double free vulnerability in its RTSP request handling. A specially crafted RTSP TEARDOWN request can trigger multiple calls to free() on the same memory address, potentially causing a Denial of Service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-29 15:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124380
CVE-2025-60458
CVE-2025-6069 on Ubuntu 26.04 LTS (resolute) - medium
The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-17 14:15:00 UTC
2025-06-17 14:15:00 UTC
pfsmorigo (jython)
https://github.com/python/cpython/issues/135462
[https://ubuntu.com/security/notices/USN-7710-1]
CVE-2025-6069
CVE-2025-6075 on Ubuntu 26.04 LTS (resolute) - medium
If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-31 17:15:00 UTC
2025-10-31 17:15:00 UTC
https://github.com/python/cpython/issues/136065
[https://ubuntu.com/security/notices/USN-7886-1]
[https://ubuntu.com/security/notices/USN-7886-2]
CVE-2025-6075
CVE-2025-60751 on Ubuntu 26.04 LTS (resolute) - medium
GeographicLib 2.5 is vulnerable to Buffer Overflow in GeoConvert DMS::InternalDecode.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 16:15:00 UTC
CVE-2025-60751
CVE-2025-60796 on Ubuntu 26.04 LTS (resolute) - medium
phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting (XSS) vulnerabilities across various components. User-supplied input from $_REQUEST parameters is reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php, admin.php, and other unspecified files. An attacker can exploit these vulnerabilities to execute arbitrary JavaScript in victims' browsers, potentially leading to session hijacking, credential theft, or other malicious actions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-20 15:17:00 UTC
CVE-2025-60796
CVE-2025-60797 on Ubuntu 26.04 LTS (resolute) - medium
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied SQL queries from the $_REQUEST['query'] parameter without any sanitization or parameterization via $data->conn->Execute($_REQUEST['query']). An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or privilege escalation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-20 15:17:00 UTC
CVE-2025-60797
CVE-2025-60798 on Ubuntu 26.04 LTS (resolute) - medium
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from $_REQUEST['query'] directly to the browseQuery function without proper sanitization. An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands through malicious query manipulation, potentially leading to complete database compromise.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-20 15:17:00 UTC
CVE-2025-60798
CVE-2025-60799 on Ubuntu 26.04 LTS (resolute) - medium
phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject', 'server', 'database', 'queryid') without proper validation or access control checks. Attackers can exploit this to store arbitrary SQL queries in $_SESSION['sqlquery'] by manipulating these parameters, potentially leading to session poisoning, stored cross-site scripting, or unauthorized access to sensitive session data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-20 15:17:00 UTC
CVE-2025-60799
CVE-2025-60876 on Ubuntu 26.04 LTS (resolute) - medium
BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-10 20:15:00 UTC
CVE-2025-60876
CVE-2025-61099 on Ubuntu 26.04 LTS (resolute) - medium
FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the opaque_info_detail function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LS Update packet.
Update Instructions:
Run `sudo pro fix CVE-2025-61099` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
frr - 10.5.1-1ubuntu2
frr-pythontools - 10.5.1-1ubuntu2
frr-rpki-rtrlib - 10.5.1-1ubuntu2
frr-snmp - 10.5.1-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-27 19:16:00 UTC
2025-10-27 19:16:00 UTC
https://github.com/FRRouting/frr/issues/19471
[https://ubuntu.com/security/notices/USN-8046-1]
CVE-2025-61099
CVE-2025-61100 on Ubuntu 26.04 LTS (resolute) - medium
FRRouting/frr from v2.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the ospf_opaque_lsa_dump function at ospf_opaque.c. This vulnerability allows attackers to cause a Denial of Service (DoS) under specific malformed LSA conditions.
Update Instructions:
Run `sudo pro fix CVE-2025-61100` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
frr - 10.5.1-1ubuntu2
frr-pythontools - 10.5.1-1ubuntu2
frr-rpki-rtrlib - 10.5.1-1ubuntu2
frr-snmp - 10.5.1-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-27 19:16:00 UTC
2025-10-27 19:16:00 UTC
bruce
https://github.com/FRRouting/frr/issues/19471
[https://ubuntu.com/security/notices/USN-8046-1]
CVE-2025-61100
CVE-2025-61101 on Ubuntu 26.04 LTS (resolute) - medium
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_rmt_itf_addr function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
Update Instructions:
Run `sudo pro fix CVE-2025-61101` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
frr - 10.5.1-1ubuntu2
frr-pythontools - 10.5.1-1ubuntu2
frr-rpki-rtrlib - 10.5.1-1ubuntu2
frr-snmp - 10.5.1-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-27 20:15:00 UTC
2025-10-27 20:15:00 UTC
bruce
https://github.com/FRRouting/frr/issues/19471
[https://ubuntu.com/security/notices/USN-8046-1]
CVE-2025-61101
CVE-2025-61102 on Ubuntu 26.04 LTS (resolute) - medium
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_adj_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
Update Instructions:
Run `sudo pro fix CVE-2025-61102` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
frr - 10.5.1-1ubuntu2
frr-pythontools - 10.5.1-1ubuntu2
frr-rpki-rtrlib - 10.5.1-1ubuntu2
frr-snmp - 10.5.1-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-27 20:15:00 UTC
2025-10-27 20:15:00 UTC
bruce
https://github.com/FRRouting/frr/issues/19471
[https://ubuntu.com/security/notices/USN-8046-1]
CVE-2025-61102
CVE-2025-61103 on Ubuntu 26.04 LTS (resolute) - medium
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_link_lan_adj_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
Update Instructions:
Run `sudo pro fix CVE-2025-61103` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
frr - 10.5.1-1ubuntu2
frr-pythontools - 10.5.1-1ubuntu2
frr-rpki-rtrlib - 10.5.1-1ubuntu2
frr-snmp - 10.5.1-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-28 15:16:00 UTC
2025-10-28 15:16:00 UTC
bruce
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119292
https://github.com/FRRouting/frr/issues/19471
[https://ubuntu.com/security/notices/USN-8046-1]
CVE-2025-61103
CVE-2025-61104 on Ubuntu 26.04 LTS (resolute) - medium
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_unknown_tlv function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
Update Instructions:
Run `sudo pro fix CVE-2025-61104` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
frr - 10.5.1-1ubuntu2
frr-pythontools - 10.5.1-1ubuntu2
frr-rpki-rtrlib - 10.5.1-1ubuntu2
frr-snmp - 10.5.1-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-28 15:16:00 UTC
2025-10-28 15:16:00 UTC
bruce
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119292
https://github.com/FRRouting/frr/issues/19471
[https://ubuntu.com/security/notices/USN-8046-1]
CVE-2025-61104
CVE-2025-61105 on Ubuntu 26.04 LTS (resolute) - medium
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_link_info function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
Update Instructions:
Run `sudo pro fix CVE-2025-61105` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
frr - 10.5.1-1ubuntu2
frr-pythontools - 10.5.1-1ubuntu2
frr-rpki-rtrlib - 10.5.1-1ubuntu2
frr-snmp - 10.5.1-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-27 20:15:00 UTC
2025-10-27 20:15:00 UTC
bruce
https://github.com/FRRouting/frr/issues/19471
[https://ubuntu.com/security/notices/USN-8046-1]
CVE-2025-61105
CVE-2025-61106 on Ubuntu 26.04 LTS (resolute) - medium
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted OSPF packet.
Update Instructions:
Run `sudo pro fix CVE-2025-61106` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
frr - 10.5.1-1ubuntu2
frr-pythontools - 10.5.1-1ubuntu2
frr-rpki-rtrlib - 10.5.1-1ubuntu2
frr-snmp - 10.5.1-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-28 15:16:00 UTC
2025-10-28 15:16:00 UTC
bruce
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119292
https://github.com/FRRouting/frr/issues/19471
[https://ubuntu.com/security/notices/USN-8046-1]
CVE-2025-61106
CVE-2025-61107 on Ubuntu 26.04 LTS (resolute) - medium
FRRouting/frr from v4.0 through v10.4.1 was discovered to contain a NULL pointer dereference via the show_vty_ext_pref_pref_sid function at ospf_ext.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted LSA Update packet.
Update Instructions:
Run `sudo pro fix CVE-2025-61107` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
frr - 10.5.1-1ubuntu2
frr-pythontools - 10.5.1-1ubuntu2
frr-rpki-rtrlib - 10.5.1-1ubuntu2
frr-snmp - 10.5.1-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-28 15:16:00 UTC
2025-10-28 15:16:00 UTC
bruce
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119292
https://github.com/FRRouting/frr/issues/19471
[https://ubuntu.com/security/notices/USN-8046-1]
CVE-2025-61107
CVE-2025-61143 on Ubuntu 26.04 LTS (resolute) - low
libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-02-23 19:22:00 UTC
2026-02-23 19:22:00 UTC
iconstantin (tiff)
https://gitlab.com/libtiff/libtiff/-/issues/737
[https://ubuntu.com/security/notices/USN-8113-1]
CVE-2025-61143
CVE-2025-61144 on Ubuntu 26.04 LTS (resolute) - low
libtiff up to v4.7.1 was discovered to contain a stack overflow via the readSeparateStripsIntoBuffer function.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-02-23 19:22:00 UTC
2026-02-23 19:22:00 UTC
iconstantin (tiff)
https://gitlab.com/libtiff/libtiff/-/issues/740
[https://ubuntu.com/security/notices/USN-8113-1]
CVE-2025-61144
CVE-2025-61145 on Ubuntu 26.04 LTS (resolute) - low
libtiff up to v4.7.1 was discovered to contain a double free via the component tools/tiffcrop.c.
Update Instructions:
Run `sudo pro fix CVE-2025-61145` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtiff-opengl - 4.7.0-3ubuntu3
libtiff-tools - 4.7.0-3ubuntu3
libtiff6 - 4.7.0-3ubuntu3
libtiffxx6 - 4.7.0-3ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-02-23 19:22:00 UTC
https://gitlab.com/libtiff/libtiff/-/issues/736
CVE-2025-61145
CVE-2025-61146 on Ubuntu 26.04 LTS (resolute) - medium
saitoha libsixel until v1.8.7 was discovered to contain a memory leak via the component malloc_stub.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-23 19:22:00 UTC
CVE-2025-61146
CVE-2025-61147 on Ubuntu 26.04 LTS (resolute) - low
strukturag libde265 commit d9fea9d was discovered to contain a segmentation fault via the component decoder_context::compute_framedrop_table().
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-02-23 20:28:00 UTC
https://github.com/strukturag/libde265/issues/484
CVE-2025-61147
CVE-2025-6119 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as critical has been found in Open Asset Import Library Assimp up to 5.4.3. Affected is the function Assimp::BVHLoader::ReadNodeChannels in the library assimp/code/AssetLib/BVH/BVHLoader.cpp. The manipulation of the argument pNode leads to use after free. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-16 11:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107935
CVE-2025-6119
CVE-2025-6120 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as critical was found in Open Asset Import Library Assimp up to 5.4.3. Affected by this vulnerability is the function read_meshes in the library assimp/code/AssetLib/MDL/HalfLife/HL1MDLLoader.cpp. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-16 12:15:00 UTC
CVE-2025-6120
CVE-2025-61224 on Ubuntu 26.04 LTS (resolute) - medium
Cross Site Scripting vulnerability in DokuWiki 2025-05-14a 'Librarian'[56.1] allows a remote attacker to execute arbitrary code via the q parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-06 16:15:00 UTC
CVE-2025-61224
CVE-2025-61261 on Ubuntu 26.04 LTS (resolute) - medium
A reflected cross-site scripting (XSS) vulnerability in CKeditor v46.1.0 & Angular v18.0.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-07 19:16:00 UTC
CVE-2025-61261
CVE-2025-61594 on Ubuntu 26.04 LTS (resolute) - low
URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-12-30 21:15:00 UTC
2025-12-30 21:15:00 UTC
[https://ubuntu.com/security/notices/USN-8137-1]
CVE-2025-61594
CVE-2025-61634 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 00:16:00 UTC
CVE-2025-61634
CVE-2025-61635 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation ConfirmEdit. This vulnerability is associated with program files includes/FancyCaptcha/ApiFancyCaptchaReload.Php. This issue affects ConfirmEdit: *.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 00:16:00 UTC
CVE-2025-61635
CVE-2025-61636 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 00:16:00 UTC
CVE-2025-61636
CVE-2025-61637 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 00:16:00 UTC
CVE-2025-61637
CVE-2025-61638 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Parsoid: from * before 0.16.6, 0.20.4, 0.21.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 00:16:00 UTC
CVE-2025-61638
CVE-2025-61639 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 00:16:00 UTC
CVE-2025-61639
CVE-2025-61640 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 00:16:00 UTC
CVE-2025-61640
CVE-2025-61641 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 00:16:00 UTC
CVE-2025-61641
CVE-2025-61642 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 00:16:00 UTC
CVE-2025-61642
CVE-2025-61643 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 00:16:00 UTC
CVE-2025-61643
CVE-2025-61644 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js. This issue affects MediaWiki: from * before >fb856ce9cf121e046305116852cca4899ecb48ca.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 00:16:00 UTC
CVE-2025-61644
CVE-2025-61645 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. This issue affects MediaWiki: from * before 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 01:15:00 UTC
CVE-2025-61645
CVE-2025-61646 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/EnhancedChangesList.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 01:15:00 UTC
CVE-2025-61646
CVE-2025-61652 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation DiscussionTools. This issue affects DiscussionTools: from * before 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 02:16:00 UTC
CVE-2025-61652
CVE-2025-61653 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation TextExtracts. This vulnerability is associated with program files includes/ApiQueryExtracts.Php. This issue affects TextExtracts: from * before 1.39.14, 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 02:16:00 UTC
CVE-2025-61653
CVE-2025-61654 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation Thanks. This vulnerability is associated with program files includes/ThanksQueryHelper.Php. This issue affects Thanks: from * before 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 02:16:00 UTC
CVE-2025-61654
CVE-2025-61655 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files includes/ApiVisualEditorEdit.Php, modules/ve-mw/init/targets/ve.Init.Mw.DesktopArticleTarget.Js, modules/ve-mw/ui/dialogs/ve.Ui.MWSaveDialog.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 02:16:00 UTC
CVE-2025-61655
CVE-2025-61656 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files src/ce/ve.Ce.ClipboardHandler.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 02:16:00 UTC
CVE-2025-61656
CVE-2025-61657 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/stickyHeader.Js. This issue affects Vector: from * before 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 02:16:00 UTC
CVE-2025-61657
CVE-2025-61661 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been identified in the GRUB (Grand Unified Bootloader) component. This flaw occurs because the bootloader mishandles string conversion when reading information from a USB device, allowing an attacker to exploit inconsistent length values. A local attacker can connect a maliciously configured USB device during the boot sequence to trigger this issue. A successful exploitation may lead GRUB to crash, leading to a Denial of Service. Data corruption may be also possible, although given the complexity of the exploit the impact is most likely limited.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-18 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120968
https://bugzilla.redhat.com/show_bug.cgi?id=2413827
CVE-2025-61661
CVE-2025-61662 on Ubuntu 26.04 LTS (resolute) - medium
A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-18 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120968
https://bugzilla.redhat.com/show_bug.cgi?id=2414683
CVE-2025-61662
CVE-2025-61663 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been identified in the GRUB2 bootloader's normal command that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the normal command is not properly unregistered when the module is unloaded. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability. Impact on the data integrity and confidentiality is also not discarded.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-18 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120968
https://bugzilla.redhat.com/show_bug.cgi?id=2414684
CVE-2025-61663
CVE-2025-61664 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after the module has been removed, causing the system to improperly access a previously freed memory location. This leads to a system crash or possible impacts in data confidentiality and integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-18 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120968
https://bugzilla.redhat.com/show_bug.cgi?id=2414685
CVE-2025-61664
CVE-2025-61669 on Ubuntu 26.04 LTS (resolute) - medium
Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values such as `///example.com`. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 16:16:00 UTC
CVE-2025-61669
CVE-2025-61723 on Ubuntu 26.04 LTS (resolute) - medium
The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-29 23:16:00 UTC
CVE-2025-61723
CVE-2025-61724 on Ubuntu 26.04 LTS (resolute) - medium
The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-29 23:16:00 UTC
CVE-2025-61724
CVE-2025-61725 on Ubuntu 26.04 LTS (resolute) - medium
The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-29 23:16:00 UTC
CVE-2025-61725
CVE-2025-61726 on Ubuntu 26.04 LTS (resolute) - medium
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-28 20:16:00 UTC
CVE-2025-61726
CVE-2025-61727 on Ubuntu 26.04 LTS (resolute) - medium
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-03 20:16:00 UTC
CVE-2025-61727
CVE-2025-61728 on Ubuntu 26.04 LTS (resolute) - medium
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-28 20:16:00 UTC
CVE-2025-61728
CVE-2025-61729 on Ubuntu 26.04 LTS (resolute) - medium
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-02 19:15:00 UTC
CVE-2025-61729
CVE-2025-61730 on Ubuntu 26.04 LTS (resolute) - medium
During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-28 20:16:00 UTC
CVE-2025-61730
CVE-2025-61731 on Ubuntu 26.04 LTS (resolute) - medium
Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-28 20:16:00 UTC
CVE-2025-61731
CVE-2025-61732 on Ubuntu 26.04 LTS (resolute) - medium
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-05 04:15:00 UTC
CVE-2025-61732
CVE-2025-61748 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 21.0.8 and 25; Oracle GraalVM for JDK: 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2025-61748` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-21-demo - 21.0.9+10-1
openjdk-21-jdk - 21.0.9+10-1
openjdk-21-jdk-headless - 21.0.9+10-1
openjdk-21-jre - 21.0.9+10-1
openjdk-21-jre-headless - 21.0.9+10-1
openjdk-21-jre-zero - 21.0.9+10-1
openjdk-21-source - 21.0.9+10-1
openjdk-21-testsupport - 21.0.9+10-1
No subscription required
openjdk-25-demo - 25.0.1+8-1
openjdk-25-jdk - 25.0.1+8-1
openjdk-25-jdk-headless - 25.0.1+8-1
openjdk-25-jre - 25.0.1+8-1
openjdk-25-jre-headless - 25.0.1+8-1
openjdk-25-jre-zero - 25.0.1+8-1
openjdk-25-jvmci-jdk - 25.0.1+8-1
openjdk-25-source - 25.0.1+8-1
openjdk-25-testsupport - 25.0.1+8-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
2025-10-21 20:20:00 UTC
[https://ubuntu.com/security/notices/USN-7885-1]
[https://ubuntu.com/security/notices/USN-7884-1]
[https://ubuntu.com/security/notices/USN-7901-1]
[https://ubuntu.com/security/notices/USN-7902-1]
CVE-2025-61748
CVE-2025-61759 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118542
CVE-2025-61759
CVE-2025-6176 on Ubuntu 26.04 LTS (resolute) - medium
Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-31 00:15:00 UTC
Rui Xi
CVE-2025-6176
CVE-2025-61760 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.12 and 7.2.2. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118542
CVE-2025-61760
CVE-2025-61765 on Ubuntu 26.04 LTS (resolute) - medium
python-socketio is a Python implementation of the Socket.IO realtime client and server. A remote code execution vulnerability in python-socketio versions prior to 5.14.0 allows attackers to execute arbitrary Python code through malicious pickle deserialization in multi-server deployments on which the attacker previously gained access to the message queue that the servers use for internal communications. When Socket.IO servers are configured to use a message queue backend such as Redis for inter-server communication, messages sent between the servers are encoded using the `pickle` Python module. When a server receives one of these messages through the message queue, it assumes it is trusted and immediately deserializes it. The vulnerability stems from deserialization of messages using Python's `pickle.loads()` function. Having previously obtained access to the message queue, the attacker can send a python-socketio server a crafted pickle payload that executes arbitrary code during deserialization via Python's `__reduce__` method. This vulnerability only affects deployments with a compromised message queue. The attack can lead to the attacker executing random code in the context of, and with the privileges of a Socket.IO server process. Single-server systems that do not use a message queue, and multi-server systems with a secure message queue are not vulnerable. In addition to making sure standard security practices are followed in the deployment of the message queue, users of the python-socketio package can upgrade to version 5.14.0 or newer, which removes the `pickle` module and uses the much safer JSON encoding for inter-server messaging.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-06 16:15:00 UTC
CVE-2025-61765
CVE-2025-61766 on Ubuntu 26.04 LTS (resolute) - medium
Bucket is a MediaWiki extension to store and retrieve structured data on articles. Prior to version 1.0.0, infinite recursion can occur if a user queries a bucket using the `!=` comparator. This will result in PHP's call stack limit exceeding, and/or increased memory consumption, potentially leading to a denial of service. Version 1.0.0 contains a patch for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-06 17:16:00 UTC
CVE-2025-61766
CVE-2025-61774 on Ubuntu 26.04 LTS (resolute) - medium
PyVista provides 3D plotting and mesh analysis through an interface for the Visualization Toolkit (VTK). Version 0.46.3 of the PyVista Project is vulnerable to remote code execution via dependency confusion. Two pieces of code use `--extra-index-url`. But when `--extra-index-url` is used, pip always checks for the PyPI index first, and then the external index. One package listed in the code is not published in PyPI. If an attacker publishes a package with higher version in PyPI, the malicious code from the attacker controlled package may be pulled, leading to remote code execution and a supply chain attack. As of time of publication, a patched version is unavailable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-06 23:15:00 UTC
CVE-2025-61774
CVE-2025-61783 on Ubuntu 26.04 LTS (resolute) - medium
Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-09 21:15:00 UTC
CVE-2025-61783
CVE-2025-61789 on Ubuntu 26.04 LTS (resolute) - medium
Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-16 17:15:00 UTC
CVE-2025-61789
CVE-2025-61795 on Ubuntu 26.04 LTS (resolute) - medium
Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-27 18:15:00 UTC
CVE-2025-61795
CVE-2025-61873 on Ubuntu 26.04 LTS (resolute) - medium
Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-16 19:16:00 UTC
CVE-2025-61873
CVE-2025-61907 on Ubuntu 26.04 LTS (resolute) - medium
Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authenticated API users to learn information that should be hidden from them, including global variables not permitted by the variables permission and objects not permitted by the corresponding objects/query permissions. The vulnerability is fixed in versions 2.15.1, 2.14.7, and 2.13.13.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-16 18:15:00 UTC
CVE-2025-61907
CVE-2025-61908 on Ubuntu 26.04 LTS (resolute) - medium
Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, when creating an invalid reference, such as a reference to null, dereferencing results in a segmentation fault. This can be used by any API user with access to an API endpoint that allows specifying a filter expression to crash the Icinga 2 daemon. A fix is included in the following Icinga 2 versions: 2.15.1, 2.14.7, and 2.13.13.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-16 18:15:00 UTC
CVE-2025-61908
CVE-2025-61909 on Ubuntu 26.04 LTS (resolute) - medium
Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, the safe-reload script (also used during systemctl reload icinga2) and logrotate configuration shipped with Icinga 2 read the PID of the main Icinga 2 process from a PID file writable by the daemon user, but send the signal as the root user. This can allow the Icinga user to send signals to processes it would otherwise not be permitted to. A fix is included in the following Icinga 2 versions: 2.15.1, 2.14.7, and 2.13.13.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-16 18:15:00 UTC
CVE-2025-61909
CVE-2025-61920 on Ubuntu 26.04 LTS (resolute) - medium
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes. During verification, Authlib decodes and parses the full input before it is rejected, driving CPU and memory consumption to hostile levels and enabling denial of service. Version 1.6.5 patches the issue. Some temporary workarounds are available. Enforce input size limits before handing tokens to Authlib and/or use application-level throttling to reduce amplification risk.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-10 20:15:00 UTC
2025-10-10 20:15:00 UTC
[https://ubuntu.com/security/notices/USN-8065-1]
CVE-2025-61920
CVE-2025-61921 on Ubuntu 26.04 LTS (resolute) - medium
Sinatra is a domain-specific language for creating web applications in Ruby. In versions prior to 4.2.0, there is a denial of service vulnerability in the `If-Match` and `If-None-Match` header parsing component of Sinatra, if the `etag` method is used when constructing the response. Carefully crafted input can cause `If-Match` and `If-None-Match` header parsing in Sinatra to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically involved in generating the `ETag` header value. Any applications that use the `etag` method when generating a response are impacted. Version 4.2.0 fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2025-61921` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ruby-rack-protection - 4.2.1-1
ruby-sinatra - 4.2.1-1
ruby-sinatra-contrib - 4.2.1-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-10 20:15:00 UTC
https://github.com/sinatra/sinatra/issues/2120
https://bugs.ruby-lang.org/issues/19104
CVE-2025-61921
CVE-2025-61962 on Ubuntu 26.04 LTS (resolute) - medium
In fetchmail before 6.5.6, the SMTP client can crash when authenticating upon receiving a 334 status code in a malformed context.
Update Instructions:
Run `sudo pro fix CVE-2025-61962` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
fetchmail - 6.5.4-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-04 03:15:00 UTC
2025-10-04 03:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117136
[https://ubuntu.com/security/notices/USN-7838-1]
CVE-2025-61962
CVE-2025-61984 on Ubuntu 26.04 LTS (resolute) - low
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
Update Instructions:
Run `sudo pro fix CVE-2025-61984` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openssh-client - 1:10.2p1-2ubuntu1
openssh-client-gssapi - 1:10.2p1-2ubuntu1
openssh-server - 1:10.2p1-2ubuntu1
openssh-server-gssapi - 1:10.2p1-2ubuntu1
openssh-sftp-server - 1:10.2p1-2ubuntu1
openssh-tests - 1:10.2p1-2ubuntu1
ssh - 1:10.2p1-2ubuntu1
ssh-askpass-gnome - 1:10.2p1-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-10-06 19:15:00 UTC
2025-10-06 19:15:00 UTC
David Leadbeater
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117529
[https://ubuntu.com/security/notices/USN-8090-1]
[https://ubuntu.com/security/notices/USN-8090-2]
CVE-2025-61984
CVE-2025-61985 on Ubuntu 26.04 LTS (resolute) - low
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
Update Instructions:
Run `sudo pro fix CVE-2025-61985` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openssh-client - 1:10.2p1-2ubuntu1
openssh-client-gssapi - 1:10.2p1-2ubuntu1
openssh-server - 1:10.2p1-2ubuntu1
openssh-server-gssapi - 1:10.2p1-2ubuntu1
openssh-sftp-server - 1:10.2p1-2ubuntu1
openssh-tests - 1:10.2p1-2ubuntu1
ssh - 1:10.2p1-2ubuntu1
ssh-askpass-gnome - 1:10.2p1-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-10-06 19:15:00 UTC
2025-10-06 19:15:00 UTC
David Leadbeater
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117530
[https://ubuntu.com/security/notices/USN-8090-1]
[https://ubuntu.com/security/notices/USN-8090-2]
CVE-2025-61985
CVE-2025-6199 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the GIF parser of GdkPixbuf’s LZW decoder. When an invalid symbol is encountered during decompression, the decoder sets the reported output size to the full buffer length rather than the actual number of written bytes. This logic error results in uninitialized sections of the buffer being included in the output, potentially leaking arbitrary memory contents in the processed image.
Update Instructions:
Run `sudo pro fix CVE-2025-6199` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gdk-pixbuf-tests - 2.42.12+dfsg-4build1
gir1.2-gdkpixbuf-2.0 - 2.42.12+dfsg-4build1
libgdk-pixbuf-2.0-0 - 2.42.12+dfsg-4build1
libgdk-pixbuf2.0-bin - 2.42.12+dfsg-4build1
libgdk-pixbuf2.0-common - 2.42.12+dfsg-4build1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-17 15:15:00 UTC
2025-06-17 15:15:00 UTC
[https://ubuntu.com/security/notices/USN-7662-1]
CVE-2025-6199
CVE-2025-62171 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is an open source software suite for displaying, converting, and editing raster image files. In ImageMagick versions prior to 7.1.2-7 and 6.9.13-32, an integer overflow vulnerability exists in the BMP decoder on 32-bit systems. The vulnerability occurs in coders/bmp.c when calculating the extent value by multiplying image columns by bits per pixel. On 32-bit systems with size_t of 4 bytes, a malicious BMP file with specific dimensions can cause this multiplication to overflow and wrap to zero. The overflow check added to address CVE-2025-57803 is placed after the overflow occurs, making it ineffective. A specially crafted 58-byte BMP file with width set to 536,870,912 and 32 bits per pixel can trigger this overflow, causing the bytes_per_line calculation to become zero. This vulnerability only affects 32-bit builds of ImageMagick where default resource limits for width, height, and area have been manually increased beyond their defaults. 64-bit systems with size_t of 8 bytes are not vulnerable, and systems using default ImageMagick resource limits are not vulnerable. The vulnerability is fixed in versions 7.1.2-7 and 6.9.13-32.
Update Instructions:
Run `sudo pro fix CVE-2025-62171` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:7.1.2.8+dfsg1-1
imagemagick-7-common - 8:7.1.2.8+dfsg1-1
imagemagick-7.q16 - 8:7.1.2.8+dfsg1-1
imagemagick-7.q16hdri - 8:7.1.2.8+dfsg1-1
libimage-magick-perl - 8:7.1.2.8+dfsg1-1
libimage-magick-q16-perl - 8:7.1.2.8+dfsg1-1
libimage-magick-q16hdri-perl - 8:7.1.2.8+dfsg1-1
libmagick++-7-headers - 8:7.1.2.8+dfsg1-1
libmagick++-7.q16-5 - 8:7.1.2.8+dfsg1-1
libmagick++-7.q16hdri-5 - 8:7.1.2.8+dfsg1-1
libmagickcore-7-arch-config - 8:7.1.2.8+dfsg1-1
libmagickcore-7-headers - 8:7.1.2.8+dfsg1-1
libmagickcore-7.q16-10 - 8:7.1.2.8+dfsg1-1
libmagickcore-7.q16-10-extra - 8:7.1.2.8+dfsg1-1
libmagickcore-7.q16hdri-10 - 8:7.1.2.8+dfsg1-1
libmagickcore-7.q16hdri-10-extra - 8:7.1.2.8+dfsg1-1
libmagickwand-7-headers - 8:7.1.2.8+dfsg1-1
libmagickwand-7.q16-10 - 8:7.1.2.8+dfsg1-1
libmagickwand-7.q16hdri-10 - 8:7.1.2.8+dfsg1-1
perlmagick - 8:7.1.2.8+dfsg1-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-17 17:15:00 UTC
2025-10-17 17:15:00 UTC
wooseokdotkim
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118340
[https://ubuntu.com/security/notices/USN-7876-1]
CVE-2025-62171
CVE-2025-62229 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the X.Org X server and Xwayland when processing X11 Present extension notifications. Improper error handling during notification creation can leave dangling pointers that lead to a use-after-free condition. This can cause memory corruption or a crash, potentially allowing an attacker to execute arbitrary code or cause a denial of service.
Update Instructions:
Run `sudo pro fix CVE-2025-62229` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.21-1ubuntu1
xorg-server-source - 2:21.1.21-1ubuntu1
xserver-common - 2:21.1.21-1ubuntu1
xserver-xephyr - 2:21.1.21-1ubuntu1
xserver-xorg-core - 2:21.1.21-1ubuntu1
xserver-xorg-legacy - 2:21.1.21-1ubuntu1
xvfb - 2:21.1.21-1ubuntu1
No subscription required
xwayland - 2:24.1.9-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-28
2025-10-28
Jan-Niklas Sohn
[https://ubuntu.com/security/notices/USN-7846-1]
CVE-2025-62229
CVE-2025-62230 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was discovered in the X.Org X server’s X Keyboard (Xkb) extension when handling client resource cleanup. The software frees certain data structures without properly detaching related resources, leading to a use-after-free condition. This can cause memory corruption or a crash when affected clients disconnect.
Update Instructions:
Run `sudo pro fix CVE-2025-62230` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.21-1ubuntu1
xorg-server-source - 2:21.1.21-1ubuntu1
xserver-common - 2:21.1.21-1ubuntu1
xserver-xephyr - 2:21.1.21-1ubuntu1
xserver-xorg-core - 2:21.1.21-1ubuntu1
xserver-xorg-legacy - 2:21.1.21-1ubuntu1
xvfb - 2:21.1.21-1ubuntu1
No subscription required
xwayland - 2:24.1.9-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-28
2025-10-28
Jan-Niklas Sohn
[https://ubuntu.com/security/notices/USN-7846-1]
CVE-2025-62230
CVE-2025-62231 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was identified in the X.Org X server’s X Keyboard (Xkb) extension where improper bounds checking in the XkbSetCompatMap() function can cause an unsigned short overflow. If an attacker sends specially crafted input data, the value calculation may overflow, leading to memory corruption or a crash.
Update Instructions:
Run `sudo pro fix CVE-2025-62231` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
xnest - 2:21.1.21-1ubuntu1
xorg-server-source - 2:21.1.21-1ubuntu1
xserver-common - 2:21.1.21-1ubuntu1
xserver-xephyr - 2:21.1.21-1ubuntu1
xserver-xorg-core - 2:21.1.21-1ubuntu1
xserver-xorg-legacy - 2:21.1.21-1ubuntu1
xvfb - 2:21.1.21-1ubuntu1
No subscription required
xwayland - 2:24.1.9-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-28
2025-10-28
Jan-Niklas Sohn
[https://ubuntu.com/security/notices/USN-7846-1]
CVE-2025-62231
CVE-2025-62291 on Ubuntu 26.04 LTS (resolute) - medium
In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow.
Update Instructions:
Run `sudo pro fix CVE-2025-62291` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
charon-cmd - 6.0.1-6ubuntu5
charon-systemd - 6.0.1-6ubuntu5
libcharon-extauth-plugins - 6.0.1-6ubuntu5
libcharon-extra-plugins - 6.0.1-6ubuntu5
libstrongswan - 6.0.1-6ubuntu5
libstrongswan-extra-plugins - 6.0.1-6ubuntu5
libstrongswan-standard-plugins - 6.0.1-6ubuntu5
strongswan - 6.0.1-6ubuntu5
strongswan-charon - 6.0.1-6ubuntu5
strongswan-libcharon - 6.0.1-6ubuntu5
strongswan-nm - 6.0.1-6ubuntu5
strongswan-pki - 6.0.1-6ubuntu5
strongswan-starter - 6.0.1-6ubuntu5
strongswan-swanctl - 6.0.1-6ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-27 12:00:00 UTC
2025-10-27 12:00:00 UTC
Xu Biang
[https://ubuntu.com/security/notices/USN-7841-1]
CVE-2025-62291
CVE-2025-62490 on Ubuntu 26.04 LTS (resolute) - medium
In quickjs, in js_print_object, when printing an array, the function first fetches the array length and then loops over it. The issue is, printing a value is not side-effect free. An attacker-defined callback could run during js_print_value, during which the array could get resized and len1 become out of bounds. This results in a use-after-free. A second instance occurs in the same function during printing of a map or set objects. The code iterates over ms->records list, but once again, elements could be removed from the list during js_print_value call.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-16 16:15:00 UTC
CVE-2025-62490
CVE-2025-62491 on Ubuntu 26.04 LTS (resolute) - medium
A Use-After-Free (UAF) vulnerability exists in the QuickJS engine's standard library when iterating over the global list of unhandled rejected promises (ts->rejected_promise_list).
* The function js_std_promise_rejection_check attempts to iterate over the rejected_promise_list to report unhandled rejections using a standard list loop.
* The reason for a promise rejection is processed inside the loop, including calling js_std_dump_error1(ctx, rp->reason).
* If the promise rejection reason is an Error object that defines a custom property getter (e.g., via Object.defineProperty), this getter is executed during the error dumping process.
* The malicious custom getter can execute JavaScript code that calls catch() on the same rejected promise being processed.
* Calling catch() internally triggers js_std_promise_rejection_tracker, which then removes and frees the current promise entry (JSRejectedPromiseEntry) from the rejected_promise_list.
* Since the list iteration continues using the now-freed memory pointer (el), the subsequent loop access results in a Use-After-Free condition.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-16 16:15:00 UTC
CVE-2025-62491
CVE-2025-62492 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability stemming from floating-point arithmetic precision errors exists in the QuickJS engine's implementation of TypedArray.prototype.indexOf() when a negative fromIndex argument is supplied.
* The fromIndex argument (read as a double variable, $d$) is used to calculate the starting position for the search.
* If $d$ is negative, the index is calculated relative to the end of the array by adding the array's length (len) to $d$:
$$d_{new} = d + \text{len}$$
* Due to the inherent limitations of floating-point arithmetic, if the negative value $d$ is extremely small (e.g., $-1 \times 10^{-20}$), the addition $d + \text{len}$ can result in a loss of precision, yielding an outcome that is exactly equal to $\text{len}$.
* The result is then converted to an integer index $k$: $k = \text{len}$.
* The search function proceeds to read array elements starting from index $k$. Since valid indices are $0$ to $\text{len}-1$, starting the read at index $\text{len}$ is one element past the end of the array.
This allows an attacker to cause an Out-of-Bounds Read of one element immediately following the buffer. While the scope of this read is small (one element), it can potentially lead to Information Disclosure of adjacent memory contents, depending on the execution environment.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-16 16:15:00 UTC
CVE-2025-62492
CVE-2025-62493 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability exists in the QuickJS engine's BigInt string conversion logic (js_bigint_to_string1) due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure.
* The function determines the number of characters (n_digits) needed for the string representation by calculating:
$$\text{n\_digits} = (\text{n\_bits} + \text{log2\_radix} - 1) / \text{log2\_radix}$$
This formula is off-by-one in certain edge cases when calculating the necessary memory limbs. For instance, a 127-bit BigInt using radix 32 (where $\text{log2\_radix}=5$) is calculated to need $\text{n\_digits}=26$.
* The maximum number of bits actually stored is $\text{n\_bits}=127$, which requires only two 64-bit limbs ($\text{JS\_LIMB\_BITS}=64$).
* The conversion loop iterates $\text{n\_digits}=26$ times, attempting to read 5 bits in each iteration, totaling $26 \times 5 = 130$ bits.
* In the final iterations of the loop, the code attempts to read data that spans two limbs:
Cc = (r->tab[pos] >> shift) | (r->tab[pos + 1] << (JS_LIMB_BITS - shift));
* Since the BigInt was only allocated two limbs, the read operation for r->tab[pos + 1] becomes an Out-of-Bounds Read when pos points to the last valid limb (e.g., $pos=1$).
This vulnerability allows an attacker to cause the engine to read and process data from the memory immediately following the BigInt buffer. This can lead to Information Disclosure of sensitive data stored on the heap adjacent to the BigInt object.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-16 16:15:00 UTC
CVE-2025-62493
CVE-2025-62494 on Ubuntu 26.04 LTS (resolute) - medium
A type confusion vulnerability exists in the handling of the string addition (+) operation within the QuickJS engine.
* The code first checks if the left-hand operand is a string.
* It then attempts to convert the right-hand operand to a primitive value using JS_ToPrimitiveFree. This conversion can trigger a callback (e.g., toString or valueOf).
* During this callback, an attacker can modify the type of the left-hand operand in memory, changing it from a string to a different type (e.g., an object or an array).
* The code then proceeds to call JS_ConcatStringInPlace, which still treats the modified left-hand value as a string.
This mismatch between the assumed type (string) and the actual type allows an attacker to control the data structure being processed by the concatenation logic, resulting in a type confusion condition. This can lead to out-of-bounds memory access, potentially resulting in memory corruption and arbitrary code execution in the context of the QuickJS runtime.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-16 16:15:00 UTC
CVE-2025-62494
CVE-2025-62495 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability exists in the QuickJS regular expression engine (libregexp) due to an inconsistent representation of the bytecode buffer size.
* The regular expression bytecode is stored in a DynBuf structure, which correctly uses a size_t (an unsigned type, typically 64-bit) for its size member.
* However, several functions, such as re_emit_op_u32 and other internal parsing routines, incorrectly cast or store this DynBuf size_t value into a signed int (typically 32-bit).
* When a large or complex regular expression (such as those generated by a recursive pattern in a Proof-of-Concept) causes the bytecode size to exceed $2^{31}$ bytes (the maximum positive value for a signed 32-bit integer), the size value wraps around, resulting in a negative integer when stored in the int variable (Integer Overflow).
* This negative value is subsequently used in offset calculations. For example, within functions like re_parse_disjunction, the negative size is used to compute an offset (pos) for patching a jump instruction.
* This negative offset is then incorrectly added to the buffer pointer (s->byte_code.buf + pos), leading to an out-of-bounds write on the first line of the snippet below:
put_u32(s->byte_code.buf + pos, len);
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-16 16:15:00 UTC
CVE-2025-62495
CVE-2025-62496 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability exists in the QuickJS engine's BigInt string parsing logic (js_bigint_from_string) when attempting to create a BigInt from a string with an excessively large number of digits.
The function calculates the necessary number of bits (n_bits) required to store the BigInt using the formula:
$$\text{n\_bits} = (\text{n\_digits} \times 27 + 7) / 8 \quad (\text{for radix 10})$$
* For large input strings (e.g., $79,536,432$ digits or more for base 10), the intermediate calculation $(\text{n\_digits} \times 27 + 7)$ exceeds the maximum value of a standard signed 32-bit integer, resulting in an Integer Overflow.
* The resulting n_bits value becomes unexpectedly small or even negative due to this wrap-around.
* This flawed n_bits is then used to compute n_limbs, the number of memory "limbs" needed for the BigInt object. Since n_bits is too small, the calculated n_limbs is also significantly underestimated.
* The function proceeds to allocate a JSBigInt object using this underestimated n_limbs.
* When the function later attempts to write the actual BigInt data into the allocated object, the small buffer size is quickly exceeded, leading to a Heap Out-of-Bounds Write as data is written past the end of the allocated r->tab array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-16 16:15:00 UTC
CVE-2025-62496
CVE-2025-62587 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118542
CVE-2025-62587
CVE-2025-62588 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118542
CVE-2025-62588
CVE-2025-62589 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118542
CVE-2025-62589
CVE-2025-62590 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118542
CVE-2025-62590
CVE-2025-62591 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118542
CVE-2025-62591
CVE-2025-62592 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118542
CVE-2025-62592
CVE-2025-62594 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is a software suite to create, edit, compose, or convert bitmap images. ImageMagick versions prior to 7.1.2-8 are vulnerable to denial-of-service due to unsigned integer underflow and division-by-zero in the CLAHEImage function. When tile width or height is zero, unsigned underflow occurs in pointer arithmetic, leading to out-of-bounds memory access, and division-by-zero causes immediate crashes. This issue has been patched in version 7.1.2-8.
Update Instructions:
Run `sudo pro fix CVE-2025-62594` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:7.1.2.8+dfsg1-1
imagemagick-7-common - 8:7.1.2.8+dfsg1-1
imagemagick-7.q16 - 8:7.1.2.8+dfsg1-1
imagemagick-7.q16hdri - 8:7.1.2.8+dfsg1-1
libimage-magick-perl - 8:7.1.2.8+dfsg1-1
libimage-magick-q16-perl - 8:7.1.2.8+dfsg1-1
libimage-magick-q16hdri-perl - 8:7.1.2.8+dfsg1-1
libmagick++-7-headers - 8:7.1.2.8+dfsg1-1
libmagick++-7.q16-5 - 8:7.1.2.8+dfsg1-1
libmagick++-7.q16hdri-5 - 8:7.1.2.8+dfsg1-1
libmagickcore-7-arch-config - 8:7.1.2.8+dfsg1-1
libmagickcore-7-headers - 8:7.1.2.8+dfsg1-1
libmagickcore-7.q16-10 - 8:7.1.2.8+dfsg1-1
libmagickcore-7.q16-10-extra - 8:7.1.2.8+dfsg1-1
libmagickcore-7.q16hdri-10 - 8:7.1.2.8+dfsg1-1
libmagickcore-7.q16hdri-10-extra - 8:7.1.2.8+dfsg1-1
libmagickwand-7-headers - 8:7.1.2.8+dfsg1-1
libmagickwand-7.q16-10 - 8:7.1.2.8+dfsg1-1
libmagickwand-7.q16hdri-10 - 8:7.1.2.8+dfsg1-1
perlmagick - 8:7.1.2.8+dfsg1-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-27 20:15:00 UTC
Youngmin Kim, Woojin Park, Youngin Won, Siyeon Han, and Shinyoung Won
CVE-2025-62594
CVE-2025-62599 on Ubuntu 26.04 LTS (resolute) - medium
eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length field in readPropertySeq — are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 18:16:00 UTC
CVE-2025-62599
CVE-2025-62600 on Ubuntu 26.04 LTS (resolute) - medium
eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length field in readBinaryPropertySeq — are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 19:16:00 UTC
CVE-2025-62600
CVE-2025-62601 on Ubuntu 26.04 LTS (resolute) - medium
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage — specifically by tampering with the `str_size` value read by `readString` (called from `readBinaryProperty`) — are modified, a 32-bit integer overflow can occur, causing `std::vector::resize` to use an attacker-controlled size and quickly trigger heap buffer overflow and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 20:15:00 UTC
CVE-2025-62601
CVE-2025-62602 on Ubuntu 26.04 LTS (resolute) - medium
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specifically, `readOctetVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter — the attacker-controlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause a large allocation attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 20:15:00 UTC
CVE-2025-62602
CVE-2025-62603 on Ubuntu 26.04 LTS (resolute) - medium
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also ongoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i.e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operates at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), so it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence numbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsing behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 20:15:00 UTC
CVE-2025-62603
CVE-2025-62611 on Ubuntu 26.04 LTS (resolute) - medium
aiomysql is a library for accessing a MySQL database from the asyncio. Prior to version 0.3.0, the client-side settings are not checked before sending local files to MySQL server, which allows obtaining arbitrary files from the client using a rogue server. It is possible to create a rogue MySQL server that emulates authorization, ignores client flags and requests arbitrary files from the client by sending a LOAD_LOCAL instruction packet. This issue has been patched in version 0.3.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-22 20:15:00 UTC
CVE-2025-62611
CVE-2025-62626 on Ubuntu 26.04 LTS (resolute) - medium
Improper handling of insufficient entropy in the AMD CPUs could allow a local attacker to influence the values returned by the RDSEED instruction, potentially resulting in the consumption of insufficiently random values.
Update Instructions:
Run `sudo pro fix CVE-2025-62626` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
amd64-microcode - 3.20251202.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-21 19:16:00 UTC
2025-11-21 19:16:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120972
https://bugs.launchpad.net/bugs/2131562
[https://ubuntu.com/security/notices/USN-8094-1]
[https://ubuntu.com/security/notices/USN-8094-2]
[https://ubuntu.com/security/notices/USN-8094-3]
[https://ubuntu.com/security/notices/USN-8094-4]
[https://ubuntu.com/security/notices/USN-8094-5]
[https://ubuntu.com/security/notices/USN-8152-1]
CVE-2025-62626
CVE-2025-62641 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.12 and 7.2.2. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 20:20:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118542
CVE-2025-62641
CVE-2025-62656 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki GlobalBlocking extension allows Stored XSS. This issue affects MediaWiki GlobalBlocking extension: 1.43, 1.44.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-20 21:15:00 UTC
CVE-2025-62656
CVE-2025-62657 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation MediaWiki PageForms extension allows Stored XSS. This issue affects MediaWiki PageForms extension: 1.44.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-20 21:15:00 UTC
CVE-2025-62657
CVE-2025-62658 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in The Wikimedia Foundation MediaWiki WatchAnalytics extension allows SQL Injection. This issue affects MediaWiki WatchAnalytics extension: 1.43, 1.44.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-20 21:15:00 UTC
CVE-2025-62658
CVE-2025-62672 on Ubuntu 26.04 LTS (resolute) - medium
rplay through 3.3.2 allows attackers to cause a denial of service (SIGSEGV and daemon crash) or possibly have unspecified other impact. This occurs in memcpy in the RPLAY_DATA case in rplay_unpack in librplay/rplay.c, potentially reachable via packet data with no authentication.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-19 01:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118224
CVE-2025-62672
CVE-2025-62689 on Ubuntu 26.04 LTS (resolute) - medium
NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-10 05:15:00 UTC
CVE-2025-62689
CVE-2025-6269 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as critical was found in HDF5 up to 1.14.6. Affected by this vulnerability is the function H5C__reconstruct_cache_entry of the file H5Cimage.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-19 16:15:00 UTC
CVE-2025-6269
CVE-2025-62693 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - LastModified Extension allows Stored XSS. This issue affects Mediawiki - LastModified Extension: from master before 1.39.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-20 18:15:00 UTC
CVE-2025-62693
CVE-2025-62694 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - WikiLove Extension allows Stored XSS. This issue affects Mediawiki - WikiLove Extension: 1.39.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 05:15:00 UTC
CVE-2025-62694
CVE-2025-62695 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - WikiLambda Extension allows Stored XSS. This issue affects Mediawiki - WikiLambda Extension: master.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 04:16:00 UTC
CVE-2025-62695
CVE-2025-62696 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in The Wikimedia Foundation Mediawiki Foundation - Springboard Extension allows Command Injection. This issue affects Mediawiki Foundation - Springboard Extension: master.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 04:16:00 UTC
CVE-2025-62696
CVE-2025-62697 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in The Wikimedia Foundation Mediawiki - LanguageSelector Extension allows Code Injection. This issue affects Mediawiki - LanguageSelector Extension: from master before 1.39.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-20 20:15:00 UTC
CVE-2025-62697
CVE-2025-62698 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - ExternalGuidance allows Stored XSS. This issue affects Mediawiki - ExternalGuidance: from master before 1.39.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-20 18:15:00 UTC
CVE-2025-62698
CVE-2025-62699 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - Translate Extension allows Footprinting. Translate extension appears to use jobs to make edits to translation pages. This causes the CheckUser tool to log the wrong IP and User-Agent making these edits un-auditable via the CheckUser tool. This issue affects Mediawiki - Translate Extension: from master before 1.39.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 04:16:00 UTC
CVE-2025-62699
CVE-2025-6270 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as critical, has been found in HDF5 up to 1.14.6. Affected by this issue is the function H5FS__sect_find_node of the file H5FSsection.c. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-19 17:15:00 UTC
CVE-2025-6270
CVE-2025-62700 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - MultiBoilerplate Extensionmaste allows Stored XSS. This issue affects Mediawiki - MultiBoilerplate Extensionmaste: from master before 1.39.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-20 18:15:00 UTC
CVE-2025-62700
CVE-2025-62701 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikistories allows Stored XSS. This issue affects Mediawiki - Wikistories: from master before 1.44.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 05:15:00 UTC
CVE-2025-62701
CVE-2025-62702 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - PageTriage Extension allows Stored XSS. This issue affects Mediawiki - PageTriage Extension: from master before 1.44.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-21 05:15:00 UTC
CVE-2025-62702
CVE-2025-62706 on Ubuntu 26.04 LTS (resolute) - medium
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service. This issue has been patched in version 1.6.5. Workarounds for this issue involve rejecting or stripping zip=DEF for inbound JWEs at the application boundary, forking and adding a bounded decompression guard via decompressobj().decompress(data, MAX_SIZE) and returning an error when output exceeds a safe limit, or enforcing strict maximum token sizes and failing fast on oversized inputs; combine with rate limiting.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-22 22:15:00 UTC
2025-10-22 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-8065-1]
CVE-2025-62706
CVE-2025-62707 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. This has been fixed in pypdf version 6.1.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-22 22:15:00 UTC
CVE-2025-62707
CVE-2025-62708 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter. This has been fixed in pypdf version 6.1.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-22 22:15:00 UTC
CVE-2025-62708
CVE-2025-62718 on Ubuntu 26.04 LTS (resolute) - medium
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 15:16:00 UTC
CVE-2025-62718
CVE-2025-62727 on Ubuntu 26.04 LTS (resolute) - medium
Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1, an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-28 21:15:00 UTC
CVE-2025-62727
CVE-2025-6273 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in WebAssembly wabt up to 1.0.37 and classified as problematic. This issue affects the function LogOpcode of the file src/binary-reader-objdump.cc. The manipulation leads to reachable assertion. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains that this issue might not affect "real world wasm programs".
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-19 19:15:00 UTC
CVE-2025-6273
CVE-2025-6274 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in WebAssembly wabt up to 1.0.37. It has been classified as problematic. Affected is the function OnDataCount of the file src/interp/binary-reader-interp.cc. The manipulation leads to resource consumption. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. A similar issue reported during the same timeframe was disputed by the code maintainer because it might not affect "real world wasm programs". Therefore, this entry might get disputed as well in the future.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-19 19:15:00 UTC
CVE-2025-6274
CVE-2025-6275 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in WebAssembly wabt up to 1.0.37. It has been declared as problematic. Affected by this vulnerability is the function GetFuncOffset of the file src/interp/binary-reader-interp.cc. The manipulation leads to use after free. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. A similar issue reported during the same timeframe was disputed by the code maintainer because it might not affect "real world wasm programs". Therefore, this entry might get disputed as well in the future.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-19 20:15:00 UTC
CVE-2025-6275
CVE-2025-62799 on Ubuntu 26.04 LTS (resolute) - medium
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An unauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are crafted to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code writes past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 20:15:00 UTC
CVE-2025-62799
CVE-2025-62875 on Ubuntu 26.04 LTS (resolute) - medium
An Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD allows local users to crash OpenSMTPD. This issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-20 16:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119840
CVE-2025-62875
CVE-2025-6297 on Ubuntu 26.04 LTS (resolute) - low
It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.
Update Instructions:
Run `sudo pro fix CVE-2025-6297` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
dpkg - 1.22.21ubuntu1
dselect - 1.22.21ubuntu1
libdpkg-perl - 1.22.21ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-07-01 17:15:00 UTC
2025-07-01 17:15:00 UTC
https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/2122053
[https://ubuntu.com/security/notices/USN-7768-1]
CVE-2025-6297
CVE-2025-63261 on Ubuntu 26.04 LTS (resolute) - low
AWStats 8.0 is vulnerable to Command Injection via the open function
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-03-20 21:17:00 UTC
Matei “Mal” Bădănoiu, Matei Buzdea and Cătălin Ioviță
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131878
CVE-2025-63261
CVE-2025-63396 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in PyTorch v2.5 and v2.7.1. Omission of profiler.stop() can cause torch.profiler.profile (PythonTracer) to crash or hang during finalization, leading to a Denial of Service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-12 21:15:00 UTC
https://github.com/pytorch/pytorch/issues/156563
CVE-2025-63396
CVE-2025-63499 on Ubuntu 26.04 LTS (resolute) - medium
Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-04 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121952
CVE-2025-63499
CVE-2025-63744 on Ubuntu 26.04 LTS (resolute) - medium
A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the load() function of bin_dyldcache.c. Processing a crafted file can cause a segmentation fault and crash the program.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-14 21:15:00 UTC
https://github.com/radareorg/radare2/issues/24661
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120792
CVE-2025-63744
CVE-2025-63745 on Ubuntu 26.04 LTS (resolute) - medium
A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the info() function of bin_ne.c. A crafted binary input can trigger a segmentation fault, leading to a denial of service when the tool processes malformed data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-14 21:15:00 UTC
https://github.com/radareorg/radare2/issues/24660
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120793
CVE-2025-63745
CVE-2025-6375 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in poco up to 1.14.1. It has been rated as problematic. Affected by this issue is the function MultipartInputStream of the file Net/src/MultipartReader.cpp. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 1.14.2 is able to address this issue. The patch is identified as 6f2f85913c191ab9ddfb8fae781f5d66afccf3bf. It is recommended to upgrade the affected component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-21 01:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108157
CVE-2025-6375
CVE-2025-63829 on Ubuntu 26.04 LTS (resolute) - medium
eProsima Fast-DDS v3.3 and before has an infinite loop vulnerability caused by integer overflow in the Time_t::fraction() function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-18 17:16:00 UTC
CVE-2025-63829
CVE-2025-63938 on Ubuntu 26.04 LTS (resolute) - medium
Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-26 17:15:00 UTC
CVE-2025-63938
CVE-2025-6395 on Ubuntu 26.04 LTS (resolute) - medium
A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().
Update Instructions:
Run `sudo pro fix CVE-2025-6395` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.9-3ubuntu1
libgnutls-dane0t64 - 3.8.9-3ubuntu1
libgnutls-openssl27t64 - 3.8.9-3ubuntu1
libgnutls30t64 - 3.8.9-3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-10 16:15:00 UTC
2025-07-10 16:15:00 UTC
Stefan Bühler
[https://ubuntu.com/security/notices/USN-7635-1]
[https://ubuntu.com/security/notices/USN-7742-1]
CVE-2025-6395
CVE-2025-64098 on Ubuntu 26.04 LTS (resolute) - medium
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specifically by tampering with the `vecsize` value read by `readOctetVector` — a 32-bit integer overflow can occur, causing `std::vector::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 20:15:00 UTC
CVE-2025-64098
CVE-2025-64118 on Ubuntu 26.04 LTS (resolute) - medium
node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-30 18:15:00 UTC
CVE-2025-64118
CVE-2025-64184 on Ubuntu 26.04 LTS (resolute) - medium
Dosage is a comic strip downloader and archiver. When downloading comic images in versions 3.1 and below, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP Content-Type header. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met). This issue is fixed in version 3.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-07 04:15:00 UTC
CVE-2025-64184
CVE-2025-6442 on Ubuntu 26.04 LTS (resolute) - medium
Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.
Update Instructions:
Run `sudo pro fix CVE-2025-6442` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ruby-webrick - 1.9.1-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-25 17:15:00 UTC
2025-06-25 17:15:00 UTC
[https://ubuntu.com/security/notices/USN-7709-1]
[https://ubuntu.com/security/notices/USN-7840-1]
CVE-2025-6442
CVE-2025-64438 on Ubuntu 26.04 LTS (resolute) - medium
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory (OOM) denial-of-service exists in Fast-DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (`gapList.base - gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts millions of sequence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termination. No authentication is required beyond network reachability to the reader on the DDS domain. In environments without an RSS limit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 20:15:00 UTC
CVE-2025-64438
CVE-2025-64460 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Update Instructions:
Run `sudo pro fix CVE-2025-64460` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:5.2.9-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-02 14:00:00 UTC
2025-12-02 14:00:00 UTC
Seokchan Yoon
[https://ubuntu.com/security/notices/USN-7903-1]
CVE-2025-64460
CVE-2025-64486 on Ubuntu 26.04 LTS (resolute) - medium
calibre is an e-book manager. In versions 8.13.0 and prior, calibre does not validate filenames when handling binary assets in FB2 files, allowing an attacker to write arbitrary files on the filesystem when viewing or converting a malicious FictionBook file. This can be leveraged to achieve arbitrary code execution. This issue is fixed in version 8.14.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-08 00:15:00 UTC
CVE-2025-64486
CVE-2025-64500 on Ubuntu 26.04 LTS (resolute) - medium
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-12 22:15:00 UTC
CVE-2025-64500
CVE-2025-64507 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. An issue in versions prior to 6.0.6 and 6.19.0 affects any Incus user in an environment where an unprivileged user may have root access to a container with an attached custom storage volume that has the `security.shifted` property set to `true` as well as access to the host as an unprivileged user. The most common case for this would be systems using `incus-user` with the less privileged `incus` group to provide unprivileged users with an isolated restricted access to Incus. Such users may be able to create a custom storage volume with the necessary property (depending on kernel and filesystem support) and can then write a setuid binary from within the container which can be executed as an unprivileged user on the host to gain root privileges. A patch for this issue is expected in versions 6.0.6 and 6.19.0. As a workaround, permissions can be manually restricted until a patched version of Incus is deployed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-10 22:15:00 UTC
CVE-2025-64507
CVE-2025-64512 on Ubuntu 26.04 LTS (resolute) - medium
Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Prior to version 20251107, pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The `CMapDB._load_data()` function in pdfminer.six uses `pickle.loads()` to deserialize pickle files. These pickle files are supposed to be part of the pdfminer.six distribution stored in the `cmap/` directory, but a malicious PDF can specify an alternative directory and filename as long as the filename ends in `.pickle.gz`. A malicious, zipped pickle file can then contain code which will automatically execute when the PDF is processed. Version 20251107 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-10 22:15:00 UTC
CVE-2025-64512
CVE-2025-64718 on Ubuntu 26.04 LTS (resolute) - medium
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-13 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120696
CVE-2025-64718
CVE-2025-64736 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read vulnerability exists in the ABF parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (5462afb0). A specially crafted .abf file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-03 15:16:00 UTC
CVE-2025-64736
CVE-2025-64750 on Ubuntu 26.04 LTS (resolute) - medium
SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. The attacker must cause the user to run a malicious container image that redirects the mount of /proc to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container. The attacker must also control the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from. This vulnerability is fixed in SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-02 18:15:00 UTC
CVE-2025-64750
CVE-2025-6493 on Ubuntu 26.04 LTS (resolute) - medium
A weakness has been identified in CodeMirror up to 5.65.20. Affected is an unknown function of the file mode/markdown/markdown.js of the component Markdown Mode. This manipulation causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. Upgrading to version 6.0 is able to address this issue. You should upgrade the affected component. Not all code samples mentioned in the GitHub issue can be found. The repository mentions, that "CodeMirror 6 exists, and is [...] much more actively maintained."
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-22 22:15:00 UTC
CVE-2025-6493
CVE-2025-6496 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in HTACG tidy-html5 5.8.0. It has been declared as problematic. This vulnerability affects the function InsertNodeAsParent of the file src/parser.c. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-23 00:15:00 UTC
Yifan Zhang
https://github.com/htacg/tidy-html5/issues/1141
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108235
CVE-2025-6496
CVE-2025-6497 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in HTACG tidy-html5 5.8.0. It has been rated as problematic. This issue affects the function prvTidyParseNamespace of the file src/parser.c. The manipulation leads to reachable assertion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-23 01:15:00 UTC
Yifan Zhang
https://github.com/htacg/tidy-html5/issues/1142
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108234
CVE-2025-6497
CVE-2025-6498 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic has been found in HTACG tidy-html5 5.8.0. Affected is the function defaultAlloc of the file src/alloc.c. The manipulation leads to memory leak. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-23 02:15:00 UTC
Yifan Zhang
https://github.com/htacg/tidy-html5/issues/1152
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108233
CVE-2025-6498
CVE-2025-65015 on Ubuntu 26.04 LTS (resolute) - medium
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions from 1.3.3 to before 1.3.5 and from 1.4.0 to before 1.4.2, the ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload. In situations where a misconfigured — or entirely absent — production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the joserfc.jwt.decode() operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises joserfc.errors.ExceededSizeError() with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it. This issue has been patched in versions 1.3.5 and 1.4.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-18 23:15:00 UTC
CVE-2025-65015
CVE-2025-65073 on Ubuntu 26.04 LTS (resolute) - medium
OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization.
Update Instructions:
Run `sudo pro fix CVE-2025-65073` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
keystone - 2:28.0.0-0ubuntu2
keystone-common - 2:28.0.0-0ubuntu2
python3-keystone - 2:28.0.0-0ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-04 15:00:00 UTC
2025-11-04 15:00:00 UTC
kay
https://bugs.launchpad.net/ubuntu/+source/keystone/+bug/2130629 (ubuntu)
https://bugs.launchpad.net/bugs/2119646 (upstream)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120053
[https://ubuntu.com/security/notices/USN-7857-1]
[https://ubuntu.com/security/notices/USN-7926-1]
CVE-2025-65073
CVE-2025-65082 on Ubuntu 26.04 LTS (resolute) - low
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2025-65082` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.66-2ubuntu1
apache2-bin - 2.4.66-2ubuntu1
apache2-data - 2.4.66-2ubuntu1
apache2-suexec-custom - 2.4.66-2ubuntu1
apache2-suexec-pristine - 2.4.66-2ubuntu1
apache2-utils - 2.4.66-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-12-05 11:15:00 UTC
2025-12-05 11:15:00 UTC
Mattias Åsander
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121926
[https://ubuntu.com/security/notices/USN-7968-1]
CVE-2025-65082
CVE-2025-65104 on Ubuntu 26.04 LTS (resolute) - medium
Firebird is an open-source relational database management system. In versions FB3 of the client library placed incorrect data length values into XSQLDA fields when communicating with FB4 or higher servers, resulting in an information leak. This issue is fixed by upgrading to the FB4 client or higher.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134333
CVE-2025-65104
CVE-2025-65105 on Ubuntu 26.04 LTS (resolute) - medium
Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little-used --security option, in particular the forms --security=apparmor:<profile> and --security=selinux:<label> which otherwise put restrictions on operations that containers can do. The --security option has always been mentioned in Apptainer documentation as being a feature for the root user, although these forms do also work for unprivileged users on systems where the corresponding feature is enabled. AppArmor is enabled by default on Debian-based distributions and SELinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. This vulnerability is fixed in 1.4.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-02 18:15:00 UTC
CVE-2025-65105
CVE-2025-65110 on Ubuntu 26.04 LTS (resolute) - medium
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. First, they use `vega` in an application that attaches both the `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window`, or has any other satisfactory function gadgets in the global scope. Second, they allow user-defined Vega `JSON` definitions (vs JSON that is only provided through source code). This vulnerability allows for DOM XSS, potentially stored, potentially reflected, depending on how the library is being used. The vulnerability requires user interaction with the page to trigger. An attacker can exploit this issue by tricking a user into opening a malicious Vega specification. Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the application’s domain. This can lead to theft of sensitive information such as authentication tokens, manipulation of data displayed to the user, or execution of unauthorized actions on behalf of the victim. This exploit compromises confidentiality and integrity of impacted applications. Patched versions are available in `vega-selections@6.1.2` (requires ESM) for Vega v6 and `vega-selections@5.6.3` (no ESM needed) for Vega v5. As a workaround, do not attach `vega` or `vega.View` instances to global variables or the window as the editor used to do. This is a development-only debugging practice that should not be used in any situation where Vega/Vega-lite definitions can come from untrusted parties.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-05 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125184
CVE-2025-65110
CVE-2025-6516 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in HDF5 up to 1.14.6 and classified as critical. This vulnerability affects the function H5F_addr_decode_len of the file /hdf5/src/H5Fint.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-23 17:15:00 UTC
CVE-2025-6516
CVE-2025-65409 on Ubuntu 26.04 LTS (resolute) - medium
A divide-by-zero in the encryption/decryption routines of GNU Recutils v1.9 allows attackers to cause a Denial of Service (DoS) via inputting an empty value as a password.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-30 18:15:00 UTC
CVE-2025-65409
CVE-2025-65410 on Ubuntu 26.04 LTS (resolute) - medium
A stack overflow in the src/main.c component of GNU Unrtf v0.21.10 allows attackers to cause a Denial of Service (DoS) via injecting a crafted input into the filename parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-23 17:15:00 UTC
CVE-2025-65410
CVE-2025-65411 on Ubuntu 26.04 LTS (resolute) - medium
A NULL pointer dereference in the src/path.c component of GNU Unrtf v0.21.10 allows attackers to cause a Denial of Service (DoS) via injecting a crafted payload into the search_path parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-30 18:15:00 UTC
CVE-2025-65411
CVE-2025-65430 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed: the access/refresh tokens are now rejected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-15 14:15:00 UTC
CVE-2025-65430
CVE-2025-65431 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-15 14:15:00 UTC
CVE-2025-65431
CVE-2025-6545 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js. This issue affects pbkdf2: from 3.0.10 through 3.1.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-23 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108283
CVE-2025-6545
CVE-2025-6547 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This issue affects pbkdf2: <=3.1.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-23 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108282
CVE-2025-6547
CVE-2025-65493 on Ubuntu 26.04 LTS (resolute) - medium
NULL pointer dereference in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS/TLS connection that triggers BIO_get_data() to return NULL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-24 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121415
CVE-2025-65493
CVE-2025-65494 on Ubuntu 26.04 LTS (resolute) - medium
NULL pointer dereference in get_san_or_cn_from_cert() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted X.509 certificate that causes sk_GENERAL_NAME_value() to return NULL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-24 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121415
CVE-2025-65494
CVE-2025-65495 on Ubuntu 26.04 LTS (resolute) - medium
Integer signedness error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted TLS certificate that causes i2d_X509() to return -1 and be misused as a malloc() size parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-24 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121415
CVE-2025-65495
CVE-2025-65496 on Ubuntu 26.04 LTS (resolute) - medium
NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-24 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121415
CVE-2025-65496
CVE-2025-65497 on Ubuntu 26.04 LTS (resolute) - medium
NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-24 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121415
CVE-2025-65497
CVE-2025-65498 on Ubuntu 26.04 LTS (resolute) - medium
NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-24 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121415
CVE-2025-65498
CVE-2025-65499 on Ubuntu 26.04 LTS (resolute) - medium
Array index error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_ex_data_X509_STORE_CTX_idx() to return -1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-24 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121415
CVE-2025-65499
CVE-2025-65500 on Ubuntu 26.04 LTS (resolute) - medium
NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-24 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121415
CVE-2025-65500
CVE-2025-65501 on Ubuntu 26.04 LTS (resolute) - medium
Null pointer dereference in coap_dtls_info_callback() in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a DTLS handshake where SSL_get_app_data() returns NULL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-24 14:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121415
CVE-2025-65501
CVE-2025-65791 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-18 16:22:00 UTC
CVE-2025-65791
CVE-2025-65803 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow in the psdParser::ReadImageData function of FreeImage v3.18.0 and before allows attackers to cause a Denial of Service (DoS) via supplying a crafted PSD file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-10 16:16:00 UTC
CVE-2025-65803
CVE-2025-65807 on Ubuntu 26.04 LTS (resolute) - medium
An issue in sd command v1.0.0 and before allows attackers to escalate privileges to root via a crafted command.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-10 16:16:00 UTC
CVE-2025-65807
CVE-2025-65865 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow in eProsima Fast-DDS v3.3 allows attackers to cause a Denial of Service (DoS) via a crafted input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-23 16:16:00 UTC
CVE-2025-65865
CVE-2025-6589 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php. This issue affects MediaWiki: >= 1.42.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-02 23:16:00 UTC
CVE-2025-6589
CVE-2025-6590 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php. This issue affects MediaWiki: from * through 1.39.12, 1.42.76 1.43.1, 1.44.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-02 23:16:00 UTC
CVE-2025-6590
CVE-2025-6591 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7 1.43.2, 1.44.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-02 23:16:00 UTC
CVE-2025-6591
CVE-2025-6592 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects AbuseFilter: from fe0b1cb9e9691faf4d8d9bd80646589f6ec37615 before 1.43.2, 1.44.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-02 23:16:00 UTC
CVE-2025-6592
CVE-2025-6593 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-02 23:16:00 UTC
CVE-2025-6593
CVE-2025-6594 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-02 23:16:00 UTC
CVE-2025-6594
CVE-2025-6595 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MultimediaViewer. This issue affects MultimediaViewer: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-02 23:16:00 UTC
CVE-2025-6595
CVE-2025-6596 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/portlets.Js, resources/skins.Vector.Legacy.Js/portlets.Js. This issue affects Vector: from >= 1.40.0 before 1.42.7, 1.43.2, 1.44.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-02 23:16:00 UTC
CVE-2025-6596
CVE-2025-6597 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-02 23:16:00 UTC
CVE-2025-6597
CVE-2025-66002 on Ubuntu 26.04 LTS (resolute) - medium
An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability allows local users to perform arbitrary unmounts via smb4k mount helper.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-08 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122381
CVE-2025-66002
CVE-2025-66003 on Ubuntu 26.04 LTS (resolute) - medium
An External Control of File Name or Path vulnerability in smb4k allows local users to perform a local root exploit via smb4k mounthelper if they can access and control the contents of a Samba share. This issue affects smb4k: from ? before 4.0.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-08 15:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122381
CVE-2025-66003
CVE-2025-66004 on Ubuntu 26.04 LTS (resolute) - medium
A Path Traversal vulnerability in usbmuxd allows local users to escalate to the service user. This issue affects usbmuxd: before 3ded00c9985a5108cfc7591a309f9a23d57a8cba.
Update Instructions:
Run `sudo pro fix CVE-2025-66004` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
usbmuxd - 1.1.1-6ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-11
2025-12-11
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122507
https://bugzilla.opensuse.org/show_bug.cgi?id=1254302
https://github.com/libimobiledevice/usbmuxd/issues/272
[https://ubuntu.com/security/notices/USN-7929-1]
CVE-2025-66004
CVE-2025-66019 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. Prior to version 6.4.0, an attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a page using the LZWDecode filter. This issue has been patched in version 6.4.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-26 00:15:00 UTC
CVE-2025-66019
CVE-2025-66034 on Ubuntu 26.04 LTS (resolute) - medium
fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2.
Update Instructions:
Run `sudo pro fix CVE-2025-66034` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
fonttools - 4.57.0-3ubuntu1
python3-fonttools - 4.57.0-3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-29 01:16:00 UTC
2025-11-29 01:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121605
[https://ubuntu.com/security/notices/USN-7917-1]
CVE-2025-66034
CVE-2025-66035 on Ubuntu 26.04 LTS (resolute) - medium
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF token leakage via protocol-relative URLs in Angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with a protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-26 23:15:00 UTC
CVE-2025-66035
CVE-2025-66037 on Ubuntu 26.04 LTS (resolute) - medium
OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, feeding a crafted input to the fuzz_pkcs15_reader harness causes OpenSC to perform an out-of-bounds heap read in the X.509/SPKI handling path. Specifically, sc_pkcs15_pubkey_from_spki_fields() allocates a zero-length buffer and then reads one byte past the end of that allocation. This issue has been patched in version 0.27.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 18:16:00 UTC
CVE-2025-66037
CVE-2025-66038 on Ubuntu 26.04 LTS (resolute) - medium
OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where the sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 18:16:00 UTC
CVE-2025-66038
CVE-2025-66040 on Ubuntu 26.04 LTS (resolute) - medium
Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. This issue has been patched in version 2.25.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-27 00:15:00 UTC
CVE-2025-66040
CVE-2025-66043 on Ubuntu 26.04 LTS (resolute) - medium
Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. When Tag is 3
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-11 17:15:00 UTC
CVE-2025-66043
CVE-2025-66044 on Ubuntu 26.04 LTS (resolute) - medium
Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. When Tag is 64
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-11 17:15:00 UTC
CVE-2025-66044
CVE-2025-66045 on Ubuntu 26.04 LTS (resolute) - medium
Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. When Tag is 65
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-11 17:15:00 UTC
CVE-2025-66045
CVE-2025-66046 on Ubuntu 26.04 LTS (resolute) - medium
Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. When Tag is 67
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-11 17:15:00 UTC
CVE-2025-66046
CVE-2025-66047 on Ubuntu 26.04 LTS (resolute) - medium
Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. When Tag is 131
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-11 17:15:00 UTC
CVE-2025-66047
CVE-2025-66048 on Ubuntu 26.04 LTS (resolute) - medium
Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. When Tag is 133
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-11 17:15:00 UTC
CVE-2025-66048
CVE-2025-66168 on Ubuntu 26.04 LTS (resolute) - medium
WARNING: Users of 6.x should upgrade to 6.2.4 or later as the fix was missed in previous 6.x releases. See the following for more details: https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt https://www.cve.org/CVERecord?id=CVE-2026-40046 Original Report: Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes the broker susceptible to unexpected behavior when interacting with non-compliant clients. This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes. The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted. This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0. Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-04 09:15:00 UTC
CVE-2025-66168
CVE-2025-66199 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. Impact summary: An attacker can cause per-connection memory allocations of up to approximately 22 MiB and extra CPU work, potentially leading to service degradation or resource exhaustion (Denial of Service). In affected configurations, the peer-supplied uncompressed certificate length from a CompressedCertificate message is used to grow a heap buffer prior to decompression. This length is not bounded by the max_cert_list setting, which otherwise constrains certificate message sizes. An attacker can exploit this to cause large per-connection allocations followed by handshake failure. No memory corruption or information disclosure occurs. This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected. Servers that do not request client certificates are not vulnerable to client-initiated attacks. Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION to disable receiving compressed certificates. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the TLS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2025-66199` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu1
openssl - 3.5.5-1ubuntu1
openssl-provider-legacy - 3.5.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-01-27
2026-01-27
Tomas Dulka and Stanislav Fort
[https://ubuntu.com/security/notices/USN-7980-1]
CVE-2025-66199
CVE-2025-66200 on Ubuntu 26.04 LTS (resolute) - medium
mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2025-66200` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.66-2ubuntu1
apache2-bin - 2.4.66-2ubuntu1
apache2-data - 2.4.66-2ubuntu1
apache2-suexec-custom - 2.4.66-2ubuntu1
apache2-suexec-pristine - 2.4.66-2ubuntu1
apache2-utils - 2.4.66-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-05 11:15:00 UTC
2025-12-05 11:15:00 UTC
Mattias Åsander
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121926
[https://ubuntu.com/security/notices/USN-7968-1]
CVE-2025-66200
CVE-2025-66215 on Ubuntu 26.04 LTS (resolute) - medium
OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, an attacker with physical access to the computer at the time a user or administrator uses a token can cause a stack-buffer-overflow WRITE in card-oberthur. The attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs. This issue has been patched in version 0.27.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 18:16:00 UTC
CVE-2025-66215
CVE-2025-66286 on Ubuntu 26.04 LTS (resolute) - medium
An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP requests bypass this signal handler.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 13:16:00 UTC
https://bugs.webkit.org/show_bug.cgi?id=259787
CVE-2025-66286
CVE-2025-66382 on Ubuntu 26.04 LTS (resolute) - medium
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-11-28 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121543
https://github.com/libexpat/libexpat/issues/1076
CVE-2025-66382
CVE-2025-66412 on Ubuntu 26.04 LTS (resolute) - medium
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, a Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-01 23:15:00 UTC
CVE-2025-66412
CVE-2025-66418 on Ubuntu 26.04 LTS (resolute) - medium
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
Update Instructions:
Run `sudo pro fix CVE-2025-66418` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-urllib3 - 2.5.0-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-05 16:15:00 UTC
2025-12-05 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122030
[https://ubuntu.com/security/notices/USN-7927-1]
[https://ubuntu.com/security/notices/USN-8010-1]
CVE-2025-66418
CVE-2025-66442 on Ubuntu 26.04 LTS (resolute) - medium
In Mbed TLS through 4.0.0, there is a compiler-induced timing side channel (in RSA and CBC/ECB decryption) that only occurs with LLVM's select-optimize feature. TF-PSA-Crypto through 1.0.0 is also affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 20:16:00 UTC
CVE-2025-66442
CVE-2025-66453 on Ubuntu 26.04 LTS (resolute) - medium
Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker-controlled floating-point number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-03 20:16:00 UTC
CVE-2025-66453
CVE-2025-66471 on Ubuntu 26.04 LTS (resolute) - medium
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.
Update Instructions:
Run `sudo pro fix CVE-2025-66471` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-urllib3 - 2.5.0-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-05 17:16:00 UTC
2025-12-05 17:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122029
[https://ubuntu.com/security/notices/USN-7927-1]
[https://ubuntu.com/security/notices/USN-7927-2]
[https://ubuntu.com/security/notices/USN-7927-3]
CVE-2025-66471
CVE-2025-66516 on Ubuntu 26.04 LTS (resolute) - medium
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-04 17:15:00 UTC
john-breton
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121954
CVE-2025-66516
CVE-2025-66566 on Ubuntu 26.04 LTS (resolute) - medium
yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-05 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122026
CVE-2025-66566
CVE-2025-66570 on Ubuntu 26.04 LTS (resolute) - high
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can inject headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT that are parsed into the request header multimap via read_headers() in httplib.h (headers.emplace), then the server later appends its own internal metadata using the same header names in Server::process_request without erasing duplicates. Because Request::get_header_value returns the first entry for a header key (id == 0) and the client-supplied headers are parsed before server-inserted headers, downstream code that uses these header names may inadvertently use attacker-controlled values. Affected files/locations: cpp-httplib/httplib.h (read_headers, Server::process_request, Request::get_header_value, get_header_value_u64) and cpp-httplib/docker/main.cc (get_client_ip, nginx_access_logger, nginx_error_logger). Attack surface: attacker-controlled HTTP headers in incoming requests flow into the Request.headers multimap and into logging code that reads forwarded headers, enabling IP spoofing, log poisoning, and authorization bypass via header shadowing. This vulnerability is fixed in 0.27.0.
Ubuntu 26.04 LTS
High
Copyright (C) 2025 Canonical Ltd.
2025-12-05 19:15:00 UTC
2025-12-05 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122027
[https://ubuntu.com/security/notices/USN-7962-1]
CVE-2025-66570
CVE-2025-66577 on Ubuntu 26.04 LTS (resolute) - medium
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can supply X-Forwarded-For or X-Real-IP headers which get accepted unconditionally by get_client_ip() in docker/main.cc, causing access and error logs (nginx_access_logger / nginx_error_logger) to record spoofed client IPs (log poisoning / audit evasion). This vulnerability is fixed in 0.27.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-05 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122027
CVE-2025-66577
CVE-2025-66614 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected. Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP host header field. If Tomcat was configured with more than one virtual host and the TLS configuration for one of those hosts did not require client certificate authentication but another one did, it was possible for a client to bypass the client certificate authentication by sending different host names in the SNI extension and the HTTP host header field. The vulnerability only applies if client certificate authentication is only enforced at the Connector. It does not apply if client certificate authentication is enforced at the web application. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-17 19:21:00 UTC
CVE-2025-66614
CVE-2025-66648 on Ubuntu 26.04 LTS (resolute) - medium
vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-05 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125185
CVE-2025-66648
CVE-2025-66861 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-12-29 17:15:00 UTC
CVE-2025-66861
CVE-2025-66862 on Ubuntu 26.04 LTS (resolute) - low
A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-12-29 17:15:00 UTC
CVE-2025-66862
CVE-2025-66863 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-12-29 17:15:00 UTC
CVE-2025-66863
CVE-2025-66864 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-12-29 17:15:00 UTC
CVE-2025-66864
CVE-2025-66865 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-12-29 17:15:00 UTC
CVE-2025-66865
CVE-2025-66866 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-12-29 17:15:00 UTC
CVE-2025-66866
CVE-2025-67108 on Ubuntu 26.04 LTS (resolute) - medium
eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure communications and connections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-23 16:16:00 UTC
CVE-2025-67108
CVE-2025-67125 on Ubuntu 26.04 LTS (resolute) - medium
A signed integer overflow in docopt.cpp v0.6.2 (LeafPattern::match in docopt_private.h) when merging occurrence counters (e.g., default LONG_MAX + first user "-v/--verbose") can cause counter wrap (negative/unbounded semantics) and lead to logic/policy bypass in applications that rely on occurrence-based limits, rate-gating, or safety toggles. In hardened builds (e.g., UBSan or -ftrapv), the overflow may also result in process abort (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-23 16:15:00 UTC
CVE-2025-67125
CVE-2025-67268 on Ubuntu 26.04 LTS (resolute) - medium
gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution.
Update Instructions:
Run `sudo pro fix CVE-2025-67268` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gpsd - 3.27-1.1ubuntu1
gpsd-clients - 3.27-1.1ubuntu1
gpsd-tools - 3.27-1.1ubuntu1
libgps32 - 3.27-1.1ubuntu1
libqgpsmm32 - 3.27-1.1ubuntu1
python3-gps - 3.27-1.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-02 16:17:00 UTC
2026-01-02 16:17:00 UTC
[https://ubuntu.com/security/notices/USN-7948-1]
CVE-2025-67268
CVE-2025-67269 on Ubuntu 26.04 LTS (resolute) - medium
An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition.
Update Instructions:
Run `sudo pro fix CVE-2025-67269` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gpsd - 3.27-1.1ubuntu1
gpsd-clients - 3.27-1.1ubuntu1
gpsd-tools - 3.27-1.1ubuntu1
libgps32 - 3.27-1.1ubuntu1
libqgpsmm32 - 3.27-1.1ubuntu1
python3-gps - 3.27-1.1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-02 16:17:00 UTC
2026-01-02 16:17:00 UTC
[https://ubuntu.com/security/notices/USN-7948-1]
CVE-2025-67269
CVE-2025-67475 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 02:16:00 UTC
CVE-2025-67475
CVE-2025-67476 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 02:16:00 UTC
CVE-2025-67476
CVE-2025-67477 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from * before 1.44.3, 1.45.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 02:16:00 UTC
CVE-2025-67477
CVE-2025-67478 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php. This issue affects CheckUser: from * before 1.39.14, 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 02:16:00 UTC
CVE-2025-67478
CVE-2025-67479 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Cite. This vulnerability is associated with program files includes/Parser/CoreParserFunctions.Php, includes/Parser/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Cite: from * before 1.39.14, 1.43.4, 1.44.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 02:16:00 UTC
CVE-2025-67479
CVE-2025-67480 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 02:16:00 UTC
CVE-2025-67480
CVE-2025-67481 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 02:16:00 UTC
CVE-2025-67481
CVE-2025-67482 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation Scribunto, Wikimedia Foundation luasandbox. This vulnerability is associated with program files includes/Engines/LuaCommon/lualib/mwInit.Lua, library.C. This issue affects Scribunto: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1; luasandbox: from * before fea2304f8f6ab30314369a612f4f5b165e68e95a.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 02:16:00 UTC
CVE-2025-67482
CVE-2025-67483 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.43.6, 1.44.3, 1.45.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 02:16:00 UTC
CVE-2025-67483
CVE-2025-67484 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 02:16:00 UTC
CVE-2025-67484
CVE-2025-67499 on Ubuntu 26.04 LTS (resolute) - medium
The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftables backend, thus ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node. Containers that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. This issue is fixed in version 1.9.0. To work around this, configure the portmap plugin to use the iptables backend. It does not have this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-10 00:16:00 UTC
CVE-2025-67499
CVE-2025-6750 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, has been found in HDF5 1.14.6. Affected by this issue is the function H5O__mtime_new_encode of the file src/H5Omtime.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-06-27 03:15:00 UTC
CVE-2025-6750
CVE-2025-67603 on Ubuntu 26.04 LTS (resolute) - medium
An Improper Authorization vulnerability in Foomuuri allows arbitrary users to influence the firewall configuration. This issue affects Foomuuri: from ? before 0.31.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-08 15:15:00 UTC
CVE-2025-67603
CVE-2025-67621 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in 10up Eight Day Week Print Workflow eight-day-week-print-workflow allows Retrieve Embedded Sensitive Data. This issue affects Eight Day Week Print Workflow: from n/a through <= 1.2.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-24 13:16:00 UTC
CVE-2025-67621
CVE-2025-67713 on Ubuntu 26.04 LTS (resolute) - medium
Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. This issue is fixed in version 2.2.15.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-11 01:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122583
CVE-2025-67713
CVE-2025-67735 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-16 01:15:00 UTC
CVE-2025-67735
CVE-2025-67746 on Ubuntu 26.04 LTS (resolute) - medium
Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-30 16:15:00 UTC
CVE-2025-67746
CVE-2025-67749 on Ubuntu 26.04 LTS (resolute) - medium
PCSX2 is a free and open-source PlayStation 2 (PS2) emulator. In versions 2.5.377 and below, an unchecked offset and size used in a memcpy operation inside PCSX2's CDVD SCMD 0x91 and SCMD 0x8F handlers allow a specially crafted disc image or ELF to cause an out-of-bounds read from emulator memory. Because the offset and size are controlled through MG header fields, a specially crafted ELF can read data beyond the bounds of mg_buffer and have it reflected back into emulated memory. This issue is fixed in version 2.5.378.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-12 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122861
CVE-2025-67749
CVE-2025-67858 on Ubuntu 26.04 LTS (resolute) - medium
An Improper Neutralization of Argument Delimiters vulnerability in Foomuuri can lead to integrity loss of the firewall configuration or further unspecified impact by manipulating the JSON configuration passed to `nft`. This issue affects Foomuuri: from ? before 0.31.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-08 16:15:00 UTC
CVE-2025-67858
CVE-2025-67873 on Ubuntu 26.04 LTS (resolute) - medium
Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prior, Skipdata length is not bounds-checked, so a user-provided skipdata callback can make cs_disasm/cs_disasm_iter memcpy more than 24 bytes into cs_insn.bytes, causing a heap buffer overflow in the disassembly path. Commit cbef767ab33b82166d263895f24084b75b316df3 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-17 22:16:00 UTC
CVE-2025-67873
CVE-2025-67899 on Ubuntu 26.04 LTS (resolute) - medium
uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-14 23:15:00 UTC
CVE-2025-67899
CVE-2025-68114 on Ubuntu 26.04 LTS (resolute) - medium
Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prior, an unchecked vsnprintf return in SStream_concat lets a malicious cs_opt_mem.vsnprintf drive SStream’s index negative or past the end, leading to a stack buffer underflow/overflow when the next write occurs. Commit 2c7797182a1618be12017d7d41e0b6581d5d529e fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-17 22:16:00 UTC
CVE-2025-68114
CVE-2025-68119 on Ubuntu 26.04 LTS (resolute) - medium
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-28 20:16:00 UTC
CVE-2025-68119
CVE-2025-68121 on Ubuntu 26.04 LTS (resolute) - medium
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-05 18:16:00 UTC
CVE-2025-68121
CVE-2025-68131 on Ubuntu 26.04 LTS (resolute) - medium
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, when a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-31 02:15:00 UTC
CVE-2025-68131
CVE-2025-68142 on Ubuntu 26.04 LTS (resolute) - medium
PyMdown Extensions is a set of extensions for the `Python-Markdown` markdown project. Versions prior to 10.16.1 have a ReDOS bug found within the figure caption extension (`pymdownx.blocks.caption`). In systems that take unchecked user content, this could cause long hangs when processing the data if a malicious payload was crafted. This issue is patched in Release 10.16.1. As a workaround, those who process unknown user content without timeouts or other safeguards in place to prevent really large, malicious content being aimed at systems may avoid the use of `pymdownx.blocks.caption` until they're able to upgrade.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-16 18:16:00 UTC
CVE-2025-68142
CVE-2025-68146 on Ubuntu 26.04 LTS (resolute) - medium
filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with O_TRUNC. An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file. All users of filelock on Unix, Linux, macOS, and Windows systems are impacted. The vulnerability cascades to dependent libraries. The attack requires local filesystem access and ability to create symlinks (standard user permissions on Unix; Developer Mode on Windows 10+). Exploitation succeeds within 1-3 attempts when lock file paths are predictable. The issue is fixed in version 3.20.1. If immediate upgrade is not possible, use SoftFileLock instead of UnixFileLock/WindowsFileLock (note: different locking semantics, may not be suitable for all use cases); ensure lock file directories have restrictive permissions (chmod 0700) to prevent untrusted users from creating symlinks; and/or monitor lock file directories for suspicious symlinks before running trusted applications. These workarounds provide only partial mitigation. The race condition remains exploitable. Upgrading to version 3.20.1 is strongly recommended.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-16 19:15:00 UTC
2025-12-16 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-7999-1]
CVE-2025-68146
CVE-2025-68157 on Ubuntu 26.04 LTS (resolute) - medium
Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-05 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127322
CVE-2025-68157
CVE-2025-6816 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability classified as problematic was found in HDF5 1.14.6. This vulnerability affects the function H5O__fsinfo_encode of the file /src/H5Ofsinfo.c. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-06-28 08:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108482
CVE-2025-6816
CVE-2025-68160 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
Update Instructions:
Run `sudo pro fix CVE-2025-68160` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu1
openssl - 3.5.5-1ubuntu1
openssl-provider-legacy - 3.5.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-01-27
2026-01-27
Petr Simecek and Stanislav Fort
[https://ubuntu.com/security/notices/USN-7980-1]
[https://ubuntu.com/security/notices/USN-7980-2]
CVE-2025-68160
CVE-2025-68161 on Ubuntu 26.04 LTS (resolute) - medium
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) configuration attribute or the log4j2.sslVerifyHostName (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions: * The attacker is able to intercept or redirect network traffic between the client and the log receiver. * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-18 21:15:00 UTC
CVE-2025-68161
CVE-2025-6817 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability, which was classified as problematic, has been found in HDF5 1.14.6. This issue affects the function H5C__load_entry of the file /src/H5Centry.c. The manipulation leads to resource consumption. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-06-28 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108481
CVE-2025-6817
CVE-2025-6818 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability, which was classified as problematic, was found in HDF5 1.14.6. Affected is the function H5O__chunk_protect of the file /src/H5Ochunk.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-06-28 16:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108480
CVE-2025-6818
CVE-2025-68431 on Ubuntu 26.04 LTS (resolute) - medium
libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes.
Update Instructions:
Run `sudo pro fix CVE-2025-68431` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
heif-gdk-pixbuf - 1.21.2-1
heif-thumbnailer - 1.21.2-1
heif-view - 1.21.2-1
libheif-examples - 1.21.2-1
libheif-plugin-aomdec - 1.21.2-1
libheif-plugin-aomenc - 1.21.2-1
libheif-plugin-dav1d - 1.21.2-1
libheif-plugin-ffmpegdec - 1.21.2-1
libheif-plugin-j2kdec - 1.21.2-1
libheif-plugin-j2kenc - 1.21.2-1
libheif-plugin-jpegdec - 1.21.2-1
libheif-plugin-jpegenc - 1.21.2-1
libheif-plugin-kvazaar - 1.21.2-1
libheif-plugin-libde265 - 1.21.2-1
libheif-plugin-rav1e - 1.21.2-1
libheif-plugin-svtenc - 1.21.2-1
libheif-plugin-x265 - 1.21.2-1
libheif-plugins-all - 1.21.2-1
libheif1 - 1.21.2-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-29 19:15:00 UTC
2025-12-29 19:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124317
[https://ubuntu.com/security/notices/USN-7952-1]
CVE-2025-68431
CVE-2025-68458 on Ubuntu 26.04 LTS (resolute) - medium
Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-05 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127322
CVE-2025-68458
CVE-2025-68460 on Ubuntu 26.04 LTS (resolute) - medium
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-18 05:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122899
CVE-2025-68460
CVE-2025-68461 on Ubuntu 26.04 LTS (resolute) - high
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
Ubuntu 26.04 LTS
High
Copyright (C) 2025 Canonical Ltd.
2025-12-18 05:15:00 UTC
2025-12-18 05:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122899
[https://ubuntu.com/security/notices/USN-8097-1]
CVE-2025-68461
CVE-2025-68462 on Ubuntu 26.04 LTS (resolute) - medium
Freedombox before 25.17.1 does not set proper permissions for the backups-data directory, allowing the reading of dump files of databases.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-18 06:15:00 UTC
CVE-2025-68462
CVE-2025-68463 on Ubuntu 26.04 LTS (resolute) - medium
Bio.Entrez in Biopython through 186 allows doctype XXE.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-18 06:15:00 UTC
CVE-2025-68463
CVE-2025-68469 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.1-14, ImageMagick crashes when processing a crafted TIFF file. Version 7.1.1-14 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-18 16:15:00 UTC
CVE-2025-68469
CVE-2025-68480 on Ubuntu 26.04 LTS (resolute) - medium
Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time. This issue has been patched in version 3.26.2 and 4.1.2.
Update Instructions:
Run `sudo pro fix CVE-2025-68480` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-marshmallow - 3.26.1-0.4ubuntu0.1~esm1
Available with Ubuntu Pro: https://ubuntu.com/pro
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-22 22:16:00 UTC
2025-12-22 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123888
[https://ubuntu.com/security/notices/USN-8225-1]
CVE-2025-68480
CVE-2025-6856 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability, which was classified as problematic, was found in HDF5 1.14.6. Affected is the function H5FL__reg_gc_list of the file src/H5FL.c. The manipulation leads to use after free. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-06-29 10:15:00 UTC
CVE-2025-6856
CVE-2025-6857 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability has been found in HDF5 1.14.6 and classified as problematic. Affected by this vulnerability is the function H5G__node_cmp3 of the file src/H5Gnode.c. The manipulation leads to stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-06-29 10:15:00 UTC
CVE-2025-6857
CVE-2025-6858 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability was found in HDF5 1.14.6 and classified as problematic. Affected by this issue is the function H5C__flush_single_entry of the file src/H5Centry.c. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-06-29 11:15:00 UTC
CVE-2025-6858
CVE-2025-68617 on Ubuntu 26.04 LTS (resolute) - medium
FluidSynth is a software synthesizer based on the SoundFont 2 specifications. From versions 2.5.0 to before 2.5.2, a race condition during unloading of a DLS file can trigger a heap-based use-after-free. A concurrently running thread may be pending to unload a DLS file, leading to use of freed memory, if the synthesizer is being concurrently destroyed, or samples of the (unloaded) DLS file are concurrently used to synthesize audio. This issue has been patched in version 2.5.2. The problem will not occur, when explicitly unloading a DLS file (before synth destruction), provided that at the time of unloading, no samples of the respective file are used by active voices. The problem will not occur in versions of FluidSynth that have been compiled without native DLS support.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-23 23:15:00 UTC
CVE-2025-68617
CVE-2025-68670 on Ubuntu 26.04 LTS (resolute) - medium
xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system. The vulnerability allows an attacker to overwrite the stack buffer and the return address, which could theoretically be used to redirect the execution flow. The impact of this vulnerability is lessened if a compiler flag has been used to build the xrdp executable with stack canary protection. If this is the case, a second vulnerability would need to be used to leak the stack canary value. Upgrade to version 0.10.5 to receive a patch. Additionally, do not rely on stack canary protection on production systems.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-27 16:16:00 UTC
john-breton
CVE-2025-68670
CVE-2025-68696 on Ubuntu 26.04 LTS (resolute) - medium
httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-23 23:15:00 UTC
CVE-2025-68696
CVE-2025-68920 on Ubuntu 26.04 LTS (resolute) - medium
C-Kermit (aka ckermit) through 10.0 Beta.12 (aka 416-beta12) before 244644d allows a remote Kermit system to overwrite files on the local system, or retrieve arbitrary files from the local system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-24 22:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123025
CVE-2025-68920
CVE-2025-68950 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, Magick fails to check for circular references between two MVGs, leading to a stack overflow. This is a DoS vulnerability, and any situation that allows reading the mvg file will be affected. Version 7.1.2-12 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-30 17:15:00 UTC
CVE-2025-68950
CVE-2025-69194 on Ubuntu 26.04 LTS (resolute) - medium
A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user’s environment.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-09 08:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124378
CVE-2025-69194
CVE-2025-69195 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted URL, which, upon user interaction with wget2, can lead to memory corruption. This can cause the application to crash and potentially allow for further malicious activities.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-09 08:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124377
CVE-2025-69195
CVE-2025-69209 on Ubuntu 26.04 LTS (resolute) - medium
ArduinoCore-avr contains the source code and configuration files of the Arduino AVR Boards platform. A vulnerability in versions prior to 1.8.7 allows an attacker to trigger a stack-based buffer overflow when converting floating-point values to strings with high precision. By passing very large `decimalPlaces` values to the affected String constructors or concat methods, the `dtostrf` function writes beyond fixed-size stack buffers, causing memory corruption and denial of service. Under specific conditions, this could enable arbitrary code execution on AVR-based Arduino boards.
### Patches
- The Fix is included starting from the `1.8.7` release available from the following link [ArduinoCore-avr v1.8.7](https://github.com/arduino/ArduinoCore-avr)
- The Fixing Commit is available at the following link [1a6a417f89c8901dad646efce74ae9d3ddebfd59](https://github.com/arduino/ArduinoCore-avr/pull/613/commits/1a6a417f89c8901dad646efce74ae9d3ddebfd59)
### References
- [ASEC-26-001 ArduinoCore-avr vXXXX Resolves Buffer Overflow Vulnerability](https://support.arduino.cc/hc/en-us/articles/XXXXX)
### Credits
- Maxime Rossi Bellom and Ramtine Tofighi Shirazi from SecMate (https://secmate.dev/)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-21 20:16:00 UTC
CVE-2025-69209
CVE-2025-69217 on Ubuntu 26.04 LTS (resolute) - medium
coturn is a free open source implementation of TURN and STUN Server. Versions 4.6.2r5 through 4.7.0-r4 have a bad random number generator for nonces and port randomization after refactoring. Additionally, random numbers aren't generated with openssl's RAND_bytes but libc's random() (if it's not running on Windows). When fetching about 50 sequential nonces (i.e., through sending 50 unauthenticated allocations requests) it is possible to completely reconstruct the current state of the random number generator, thereby predicting the next nonce. This allows authentication while spoofing IPs. An attacker can send authenticated messages without ever receiving the responses, including the nonce (requires knowledge of the credentials, which is e.g., often the case in IoT settings). Since the port randomization is deterministic given the pseudorandom seed, an attacker can exactly reconstruct the ports and, hence predict the randomization of the ports. If an attacker allocates a relay port, they know the current port, and they are able to predict the next relay port (at least if it is not used before). Commit 11fc465f4bba70bb0ad8aae17d6c4a63a29917d9 contains a fix.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-30 01:15:00 UTC
CVE-2025-69217
CVE-2025-6926 on Ubuntu 26.04 LTS (resolute) - medium
Improper Authentication vulnerability in Wikimedia Foundation Mediawiki - CentralAuth Extension allows : Bypass Authentication. This issue affects Mediawiki - CentralAuth Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-03 17:15:00 UTC
CVE-2025-6926
CVE-2025-69261 on Ubuntu 26.04 LTS (resolute) - medium
WasmEdge is a WebAssembly runtime. Prior to version 0.16.0-alpha.3, a multiplication in `WasmEdge/include/runtime/instance/memory.h` can wrap, causing `checkAccessBound()` to incorrectly allow the access. This leads to a segmentation fault. Version 0.16.0-alpha.3 contains a patch for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-12-30 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124376
CVE-2025-69261
CVE-2025-6927 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php, includes/api/ApiQueryBlocks.Php. This issue affects MediaWiki: from >= 1.42.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-02 23:16:00 UTC
CVE-2025-6927
CVE-2025-69412 on Ubuntu 26.04 LTS (resolute) - medium
KDE messagelib before 25.11.90 ignores SSL errors for threatMatches:find in the Google Safe Browsing Lookup API (aka phishing API), which might allow spoofing of threat data. NOTE: this Lookup API is not contacted in the messagelib default configuration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-01 00:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124474
CVE-2025-69412
CVE-2025-69418 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection. The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but do not advance the input/output pointers. The subsequent tail-handling code then operates on the original base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes unprocessed. The authentication checksum also excludes the true tail bytes. However, typical OpenSSL consumers using EVP are not affected because the higher-level EVP and provider OCB implementations split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path. Additionally, TLS does not use OCB ciphersuites. The vulnerability only affects applications that call the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with non-block-aligned lengths in a single call on hardware-accelerated builds. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as OCB mode is not a FIPS-approved algorithm. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2025-69418` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu1
openssl - 3.5.5-1ubuntu1
openssl-provider-legacy - 3.5.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-01-27
2026-01-27
Stanislav Fort
[https://ubuntu.com/security/notices/USN-7980-1]
[https://ubuntu.com/security/notices/USN-7980-2]
CVE-2025-69418
CVE-2025-69419 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2025-69419` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu1
openssl - 3.5.5-1ubuntu1
openssl-provider-legacy - 3.5.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-01-27
2026-01-27
Stanislav Fort
[https://ubuntu.com/security/notices/USN-7980-1]
[https://ubuntu.com/security/notices/USN-7980-2]
CVE-2025-69419
CVE-2025-69420 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2025-69420` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu1
openssl - 3.5.5-1ubuntu1
openssl-provider-legacy - 3.5.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-01-27
2026-01-27
Luigino Camastra
[https://ubuntu.com/security/notices/USN-7980-1]
[https://ubuntu.com/security/notices/USN-7980-2]
CVE-2025-69420
CVE-2025-69421 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
Update Instructions:
Run `sudo pro fix CVE-2025-69421` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu1
openssl - 3.5.5-1ubuntu1
openssl-provider-legacy - 3.5.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-01-27
2026-01-27
Luigino Camastra
[https://ubuntu.com/security/notices/USN-7980-1]
[https://ubuntu.com/security/notices/USN-7980-2]
CVE-2025-69421
CVE-2025-69534 on Ubuntu 26.04 LTS (resolute) - medium
Python-Markdown version 3.8 contains a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-05 15:16:00 UTC
CVE-2025-69534
CVE-2025-6965 on Ubuntu 26.04 LTS (resolute) - medium
There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.
Update Instructions:
Run `sudo pro fix CVE-2025-6965` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
lemon - 3.46.1-6ubuntu1
libsqlite3-0 - 3.46.1-6ubuntu1
libsqlite3-ext-csv - 3.46.1-6ubuntu1
libsqlite3-ext-icu - 3.46.1-6ubuntu1
libsqlite3-tcl - 3.46.1-6ubuntu1
sqlite3 - 3.46.1-6ubuntu1
sqlite3-tools - 3.46.1-6ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-15 14:15:00 UTC
2025-07-15 14:15:00 UTC
gianz
[https://ubuntu.com/security/notices/USN-7676-1]
[https://ubuntu.com/security/notices/USN-7679-1]
CVE-2025-6965
CVE-2025-69653 on Ubuntu 26.04 LTS (resolute) - medium
A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13, fixed in commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 (2025-12-11), in file gc_decref_child in quickjs.c, when executed with the qjs interpreter using the -m option. This leads to an abort (SIGABRT) during garbage collection and causes a denial-of-service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-06 19:16:00 UTC
CVE-2025-69653
CVE-2025-69654 on Ubuntu 26.04 LTS (resolute) - medium
A crafted JavaScript input executed with the QuickJS release 2025-09-13, fixed in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3 (2025-12-11), `qjs` interpreter using the `-m` option and a low memory limit can cause an out-of-memory condition followed by an assertion failure in JS_FreeRuntime (list_empty(&rt->gc_obj_list)) during runtime cleanup. Although the engine reports an OOM error, it subsequently aborts with SIGABRT because the GC object list is not fully released. This results in a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-06 20:16:00 UTC
CVE-2025-69654
CVE-2025-69871 on Ubuntu 26.04 LTS (resolute) - medium
A race condition vulnerability exists in MedusaJS Medusa v2.12.2 and earlier in the registerUsage() function of the promotion module. The function performs a non-atomic read-check-update operation when enforcing promotion usage limits. This allows unauthenticated remote attackers to bypass usage limits by sending concurrent checkout requests, resulting in unlimited redemptions of limited-use promotional codes and potential financial loss.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 19:15:00 UTC
CVE-2025-69871
CVE-2025-69872 on Ubuntu 26.04 LTS (resolute) - medium
DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 19:15:00 UTC
CVE-2025-69872
CVE-2025-69873 on Ubuntu 26.04 LTS (resolute) - medium
ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 19:15:00 UTC
CVE-2025-69873
CVE-2025-69993 on Ubuntu 26.04 LTS (resolute) - medium
Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror="alert('XSS')">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14 15:16:00 UTC
CVE-2025-69993
CVE-2025-70067 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability exists in Assimp versions up to 6.0.2 in the FBX Importer. The vulnerability occurs in aiMaterial::AddBinaryProperty, where a property key string from a crafted FBX file is copied into a fixed-size heap buffer using strcpy() without runtime length validation
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 14:16:00 UTC
CVE-2025-70067
CVE-2025-70069 on Ubuntu 26.04 LTS (resolute) - medium
An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXConverter.cpp and ConvertMeshMultiMaterial() method
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 14:16:00 UTC
CVE-2025-70069
CVE-2025-70070 on Ubuntu 26.04 LTS (resolute) - medium
An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXMeshGeometry.cpp, MeshGeometry::MeshGeometry()
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 15:16:00 UTC
CVE-2025-70070
CVE-2025-70071 on Ubuntu 26.04 LTS (resolute) - medium
An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXParser.cpp, ParseVectorDataArray()
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 16:16:00 UTC
CVE-2025-70071
CVE-2025-70072 on Ubuntu 26.04 LTS (resolute) - medium
An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXConverter.cpp, FBXConverter::ConvertMeshMultiMaterial() components
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 15:16:00 UTC
CVE-2025-70072
CVE-2025-7067 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic was found in HDF5 1.14.6. This vulnerability affects the function H5FS__sinfo_serialize_node_cb of the file src/H5FScache.c. The manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-04 18:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108886
CVE-2025-7067
CVE-2025-7068 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, has been found in HDF5 1.14.6. This issue affects the function H5FL__malloc of the file src/H5FL.c. The manipulation leads to memory leak. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-04 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108885
CVE-2025-7068
CVE-2025-7069 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, was found in HDF5 1.14.6. Affected is the function H5FS__sect_link_size of the file src/H5FSsection.c. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-04 21:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108884
CVE-2025-7069
CVE-2025-70888 on Ubuntu 26.04 LTS (resolute) - medium
An issue in mtrojnar Osslsigncode affected at v2.10 and before allows a remote attacker to escalate privileges via the osslsigncode.c component
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 20:16:00 UTC
CVE-2025-70888
CVE-2025-70952 on Ubuntu 26.04 LTS (resolute) - medium
pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 19:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132032
CVE-2025-70952
CVE-2025-70968 on Ubuntu 26.04 LTS (resolute) - medium
FreeImage 3.18.0 contains a Use After Free in PluginTARGA.cpp;loadRLE().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-14 17:16:00 UTC
CVE-2025-70968
CVE-2025-71176 on Ubuntu 26.04 LTS (resolute) - medium
pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-22 05:16:00 UTC
CVE-2025-71176
CVE-2025-71264 on Ubuntu 26.04 LTS (resolute) - medium
Mumble before 1.6.870 is prone to an out-of-bounds array access, which may result in denial of service (client crash).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 14:18:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129178
CVE-2025-71264
CVE-2025-71271 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: ensure sb->s_fs_info is always cleaned up
When hfsplus was converted to the new mount api a bug was introduced by changing the allocation pattern of sb->s_fs_info. If setup_bdev_super() fails after a new superblock has been allocated by sget_fc(), but before hfsplus_fill_super() takes ownership of the filesystem-specific s_fs_info data it was leaked.
Fix this by freeing sb->s_fs_info in hfsplus_kill_super().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2025-71271
CVE-2025-71272 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
most: core: fix resource leak in most_register_interface error paths
The function most_register_interface() did not correctly release resources if it failed early (before registering the device). In these cases, it returned an error code immediately, leaking the memory allocated for the interface.
Fix this by initializing the device early via device_initialize() and calling put_device() on all error paths.
The most_register_interface() is expected to call put_device() on error which frees the resources allocated in the caller. The put_device() either calls release_mdev() or dim2_release(), depending on the caller.
Switch to using device_add() instead of device_register() to handle the split initialization.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2025-71272
CVE-2025-71273 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: Use devm_kmemdup() in rtw_set_supported_band()
Simplify the code by using device managed memory allocations.
This also fixes a memory leak in rtw_register_hw(). The supported bands were not freed in the error path.
Copied from commit 145df52a8671 ("wifi: rtw89: Convert rtw89_core_set_supported_band to use devm_*").
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2025-71273
CVE-2025-71274 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
rpmsg: core: fix race in driver_override_show() and use core helper
The driver_override_show function reads the driver_override string without holding the device_lock. However, the store function modifies and frees the string while holding the device_lock. This creates a race condition where the string can be freed by the store function while being read by the show function, leading to a use-after-free.
To fix this, replace the rpmsg_string_attr macro with explicit show and store functions. The new driver_override_store uses the standard driver_set_override helper. Since the introduction of driver_set_override, the comments in include/linux/rpmsg.h have stated that this helper must be used to set or clear driver_override, but the implementation was not updated until now.
Because driver_set_override modifies and frees the string while holding the device_lock, the new driver_override_show now correctly holds the device_lock during the read operation to prevent the race.
Additionally, since rpmsg_string_attr has only ever been used for driver_override, removing the macro simplifies the code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2025-71274
CVE-2025-71276 on Ubuntu 26.04 LTS (resolute) - medium
SOGo before 5.12.5 is prone to a XSS vulnerability with events, tasks, and contacts categories.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-22 03:16:00 UTC
CVE-2025-71276
CVE-2025-71285 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: qrtr: Drop the MHI auto_queue feature for IPCR DL channels
MHI stack offers the 'auto_queue' feature, which allows the MHI stack to auto queue the buffers for the RX path (DL channel). Though this feature simplifies the client driver design, it introduces race between the client drivers and the MHI stack. For instance, with auto_queue, the 'dl_callback' for the DL channel may get called before the client driver is fully probed. This means, by the time the dl_callback gets called, the client driver's structures might not be initialized, leading to NULL ptr dereference.
Currently, the drivers have to workaround this issue by initializing the internal structures before calling mhi_prepare_for_transfer_autoqueue(). But even so, there is a chance that the client driver's internal code path may call the MHI queue APIs before mhi_prepare_for_transfer_autoqueue() is called, leading to similar NULL ptr dereference. This issue has been reported on the Qcom X1E80100 CRD machines affecting boot.
So to properly fix all these races, drop the MHI 'auto_queue' feature altogether and let the client driver (QRTR) manage the RX buffers manually. In the QRTR driver, queue the RX buffers based on the ring length during probe and recycle the buffers in 'dl_callback' once they are consumed. This also warrants removing the setting of 'auto_queue' flag from controller drivers.
Currently, this 'auto_queue' feature is only enabled for IPCR DL channel. So only the QRTR client driver requires the modification.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2025-71285
CVE-2025-71286 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls
The size of the data behind of scontrol->ipc_control_data for bytes controls is:
[1] sizeof(struct sof_ipc4_control_data) + // kernel only struct
[2] sizeof(struct sof_abi_hdr)) + payload
The max_size specifies the size of [2] and it is coming from topology.
Change the function to take this into account and allocate adequate amount of memory behind scontrol->ipc_control_data.
With the change we will allocate [1] amount more memory to be able to hold the full size of data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2025-71286
CVE-2025-71287 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
memory: mtk-smi: fix device leak on larb probe
Make sure to drop the reference taken when looking up the SMI device during larb probe on late probe failure (e.g. probe deferral) and on driver unbind.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2025-71287
CVE-2025-71288 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
memory: mtk-smi: fix device leaks on common probe
Make sure to drop the reference taken when looking up the SMI device during common probe on late probe failure (e.g. probe deferral) and on driver unbind.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2025-71288
CVE-2025-71289 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: handle attr_set_size() errors when truncating files
If attr_set_size() fails while truncating down, the error is silently ignored and the inode may be left in an inconsistent state.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2025-71289
CVE-2025-71290 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
misc: ti_fpc202: fix a potential memory leak in probe function
Use for_each_child_of_node_scoped() to simplify the code and ensure the device node reference is automatically released when the loop scope ends.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2025-71290
CVE-2025-71291 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()
In the function bcm_vk_read(), the pointer entry is checked, indicating that it can be NULL. If entry is NULL and rc is set to -EMSGSIZE, the following code may cause null-pointer dereferences:
    struct vk_msg_blk tmp_msg = entry->to_h_msg[0];
    set_msg_id(&tmp_msg, entry->usr_msg_id);
    tmp_msg.size = entry->to_h_blks - 1;
To prevent these possible null-pointer dereferences, copy to_h_msg, usr_msg_id, and to_h_blks from iter into temporary variables, and return these temporary variables to the application instead of accessing them through a potentially NULL entry.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2025-71291
CVE-2025-71292 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
jfs: nlink overflow in jfs_rename
If nlink is maximal for a directory (-1) and inside that directory you perform a rename for some child directory (not moving from the parent), then the nlink of the first directory is first incremented and later decremented. Normally this is fine, but when nlink = -1 this causes a wrap around to 0, and then drop_nlink issues a warning.
After applying the patch syzbot no longer issues any warnings. I also ran some basic fs tests to look for any regressions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2025-71292
CVE-2025-71293 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/ras: Move ras data alloc before bad page check
In the rare event if eeprom has only invalid address entries, allocation is skipped, this causes following NULL pointer issue
This also results in space left assigned to negative values.
Moving data alloc call before bad page check resolves both the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2025-71293
CVE-2025-71294 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix NULL pointer issue buffer funcs
If SDMA block not enabled, buffer_funcs will not initialize, fix the null pointer issue if buffer_funcs not initialized.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2025-71294
CVE-2025-71295 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
fs/buffer: add alert in try_to_free_buffers() for folios without buffers
try_to_free_buffers() can be called on folios with no buffers attached when filemap_release_folio() is invoked on a folio belonging to a mapping with AS_RELEASE_ALWAYS set but no release_folio operation defined.
In such cases, folio_needs_release() returns true because of the AS_RELEASE_ALWAYS flag, but the folio has no private buffer data. This causes try_to_free_buffers() to call drop_buffers() on a folio with no buffers, leading to a null pointer dereference.
Adding a check in try_to_free_buffers() to return early if the folio has no buffers attached, with WARN_ON_ONCE() to alert about the misconfiguration. This provides defensive hardening.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2025-71295
CVE-2025-71296 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/tests: shmem: Hold reservation lock around purge
Acquire and release the GEM object's reservation lock around calls to the object's purge operation. The tests use drm_gem_shmem_purge_locked(), which led to errors such as shown below.
[ 58.709128] WARNING: CPU: 1 PID: 1354 at drivers/gpu/drm/drm_gem_shmem_helper.c:515 drm_gem_shmem_purge_locked+0x51c/0x740
Only export the new helper drm_gem_shmem_purge() for Kunit tests. This is not an interface for regular drivers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2025-71296
CVE-2025-71297 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode()
rtw8822b_set_antenna() can be called from userspace when the chip is powered off. In that case a WARNING is triggered in rtw8822b_config_trx_mode() because trying to read the RF registers when the chip is powered off returns an unexpected value.
Call rtw8822b_config_trx_mode() in rtw8822b_set_antenna() only when the chip is powered on.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2025-71297
CVE-2025-71298 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/tests: shmem: Hold reservation lock around madvise
Acquire and release the GEM object's reservation lock around calls to the object's madvise operation. The tests use drm_gem_shmem_madvise_locked(), which led to errors such as shown below.
[ 58.339389] WARNING: CPU: 1 PID: 1352 at drivers/gpu/drm/drm_gem_shmem_helper.c:499 drm_gem_shmem_madvise_locked+0xde/0x140
Only export the new helper drm_gem_shmem_madvise() for Kunit tests. This is not an interface for regular drivers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2025-71298
CVE-2025-71299 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
spi: cadence-quadspi: Parse DT for flashes with the rest of the DT parsing
The recent refactoring of where runtime PM is enabled done in commit f1eb4e792bb1 ("spi: spi-cadence-quadspi: Enable pm runtime earlier to avoid imbalance") made the fact that when we do a pm_runtime_disable() in the error paths of probe() we can trigger a runtime disable which in turn results in duplicate clock disables. This is particularly likely to happen when there is missing or broken DT description for the flashes attached to the controller.
Early on in the probe function we do a pm_runtime_get_noresume() since the probe function leaves the device in a powered up state but in the error path we can't assume that PM is enabled so we also manually disable everything, including clocks. This means that when runtime PM is active both it and the probe function release the same reference to the main clock for the IP, triggering warnings from the clock subsystem:
[ 8.693719] clk:75:7 already disabled
[ 8.693791] WARNING: CPU: 1 PID: 185 at /usr/src/kernel/drivers/clk/clk.c:1188 clk_core_disable+0xa0/0xb...
[ 8.694261] clk_core_disable+0xa0/0xb4 (P)
[ 8.694272] clk_disable+0x38/0x60
[ 8.694283] cqspi_probe+0x7c8/0xc5c [spi_cadence_quadspi]
[ 8.694309] platform_probe+0x5c/0xa4
Dealing with this issue properly is complicated by the fact that we don't know if runtime PM is active so can't tell if it will disable the clocks or not. We can, however, sidestep the issue for the flash descriptions by moving their parsing to when we parse the controller properties which also save us doing a bunch of setup which can never be used so let's do that.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2025-71299
CVE-2025-71300 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Revert "arm64: zynqmp: Add an OP-TEE node to the device tree"
This reverts commit 06d22ed6b6635b17551f386b50bb5aaff9b75fbe.
OP-TEE logic in U-Boot automatically injects a reserved-memory node along with optee firmware node to kernel device tree. The injection logic is dependent on that there is no manually defined optee node. Having the node in zynqmp.dtsi effectively breaks OP-TEE's insertion of the reserved-memory node, causing memory access violations during runtime.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2025-71300
CVE-2025-71301 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/tests: shmem: Hold reservation lock around vmap/vunmap
Acquire and release the GEM object's reservation lock around vmap and vunmap operations. The tests use vmap_locked, which led to errors such as shown below.
[ 122.292030] WARNING: CPU: 3 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:390 drm_gem_shmem_vmap_locked+0x3a3/0x6f0
[ 122.468066] WARNING: CPU: 3 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:293 drm_gem_shmem_pin_locked+0x1fe/0x350
[ 122.563504] WARNING: CPU: 3 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:234 drm_gem_shmem_get_pages_locked+0x23c/0x370
[ 122.662248] WARNING: CPU: 2 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:452 drm_gem_shmem_vunmap_locked+0x101/0x330
Only export the new vmap/vunmap helpers for Kunit tests. These are not interfaces for regular drivers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2025-71301
CVE-2025-71302 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/panthor: fix for dma-fence safe access rules
Commit 506aa8b02a8d6 ("dma-fence: Add safe access helpers and document the rules") details the dma-fence safe access rules. The most common culprit is that drm_sched_fence_get_timeline_name may race with group_free_queue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2025-71302
CVE-2025-7207 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability, which was classified as problematic, was found in mruby up to 3.4.0-rc2. Affected is the function scope_new of the file mrbgems/mruby-compiler/core/codegen.c of the component nregs Handler. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The name of the patch is 1fdd96104180cc0fb5d3cb086b05ab6458911bb9. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-09 01:15:00 UTC
CVE-2025-7207
CVE-2025-7339 on Ubuntu 26.04 LTS (resolute) - medium
on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions `<1.1.0` may result in response headers being inadvertently modified when an array is passed to `response.writeHead()`. Users should upgrade to version 1.1.0 to receive a patch. Users are strongly encouraged to upgrade to `1.1.0`, but this issue can be worked around by passing an object to `response.writeHead()` rather than an array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-17 16:15:00 UTC
https://github.com/jshttp/on-headers/issues/15
CVE-2025-7339
CVE-2025-7345 on Ubuntu 26.04 LTS (resolute) - medium
A flaw exists in gdk‑pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib’s g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution.
Update Instructions:
Run `sudo pro fix CVE-2025-7345` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gdk-pixbuf-tests - 2.42.12+dfsg-4build1
gir1.2-gdkpixbuf-2.0 - 2.42.12+dfsg-4build1
libgdk-pixbuf-2.0-0 - 2.42.12+dfsg-4build1
libgdk-pixbuf2.0-bin - 2.42.12+dfsg-4build1
libgdk-pixbuf2.0-common - 2.42.12+dfsg-4build1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-08 14:15:00 UTC
2025-07-08 14:15:00 UTC
[https://ubuntu.com/security/notices/USN-7662-1]
CVE-2025-7345
CVE-2025-7394 on Ubuntu 26.04 LTS (resolute) - medium
In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in applications that are both using RAND_bytes() and doing fork() operations. This only affects applications explicitly calling RAND_bytes() after fork() and does not affect any internal TLS operations. Although RAND_bytes() documentation in OpenSSL calls out not being safe for use with fork() without first calling RAND_poll(), an additional code change was also made in wolfSSL to make RAND_bytes() behave similar to OpenSSL after a fork() call without calling RAND_poll(). Now the Hash-DRBG used gets reseeded after detecting running in a new process. If making use of RAND_bytes() and calling fork() we recommend updating to the latest version of wolfSSL. Thanks to Per Allansson from Appgate for the report.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-18 23:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109549
CVE-2025-7394
CVE-2025-7395 on Ubuntu 26.04 LTS (resolute) - medium
A certificate verification error in wolfSSL when building with the WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION options results in the wolfSSL client failing to properly verify the server certificate's domain name, allowing any certificate issued by a trusted CA to be accepted regardless of the hostname.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-18 23:15:00 UTC
CVE-2025-7395
CVE-2025-7396 on Ubuntu 26.04 LTS (resolute) - medium
In wolfSSL release 5.8.2 blinding support is turned on by default for Curve25519 in applicable builds. The blinding configure option is only for the base C implementation of Curve25519. It is not needed, or available with; ARM assembly builds, Intel assembly builds, and the small Curve25519 feature. While the side-channel attack on extracting a private key would be very difficult to execute in practice, enabling blinding provides an additional layer of protection for devices that may be more susceptible to physical access or side-channel observation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-18 23:15:00 UTC
CVE-2025-7396
CVE-2025-7425 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-10 14:15:00 UTC
2025-07-10 14:15:00 UTC
https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
https://bugzilla.redhat.com/show_bug.cgi?id=2379274
[https://ubuntu.com/security/notices/USN-7852-1]
[https://ubuntu.com/security/notices/USN-7852-2]
[https://ubuntu.com/security/notices/USN-7896-1]
CVE-2025-7425
CVE-2025-7462 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability was found in Artifex GhostPDL up to 3989415a5b8e99b9d1b87cc9902bde9b7cdea145. It has been classified as problematic. This affects the function pdf_ferror of the file devices/vector/gdevpdf.c of the component New Output File Open Error Handler. The manipulation leads to null pointer dereference. It is possible to initiate the attack remotely. The identifier of the patch is 619a106ba4c4abed95110f84d5efcd7aee38c7cb. It is recommended to apply a patch to fix this issue.
Update Instructions:
Run `sudo pro fix CVE-2025-7462` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ghostscript - 10.05.0dfsg1-0ubuntu4
libgs-common - 10.05.0dfsg1-0ubuntu4
libgs10 - 10.05.0dfsg1-0ubuntu4
libgs10-common - 10.05.0dfsg1-0ubuntu4
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-07-12 06:15:00 UTC
2025-07-12 06:15:00 UTC
https://bugs.ghostscript.com/show_bug.cgi?id=708606 (private)
[https://ubuntu.com/security/notices/USN-7782-1]
CVE-2025-7462
CVE-2025-7464 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic has been found in osrg GoBGP up to 3.37.0. Affected is the function SplitRTR of the file pkg/packet/rtr/rtr.go. The manipulation leads to out-of-bounds read. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The name of the patch is e748f43496d74946d14fed85c776452e47b99d64. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-12 07:15:00 UTC
CVE-2025-7464
CVE-2025-7493 on Ubuntu 26.04 LTS (resolute) - medium
A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. While the previously released version added validations for the admin@REALM credential, FreeIPA still does not validate the root@REALM canonical name, which can also be used as the realm administrator's name. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-30 15:15:00 UTC
CVE-2025-7493
CVE-2025-7962 on Ubuntu 26.04 LTS (resolute) - medium
In Jakarta Mail 2.0.2 it is possible to perform an SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-21 18:15:00 UTC
CVE-2025-7962
CVE-2025-7969 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in markdown-it allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/renderer.mjs. This issue affects markdown-it: 14.1.0. NOTE: the Supplier does not consider this issue to be a vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-21 17:15:00 UTC
CVE-2025-7969
CVE-2025-8262 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-28 07:15:00 UTC
CVE-2025-8262
CVE-2025-8283 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in the netavark package, a network stack for containers used with Podman. Due to dns.podman search domain being removed, netavark may return external servers if a valid A/AAAA record is sent as a response. When creating a container with a given name, this name will be used as the hostname for the container itself, as the podman's search domain is not added anymore the container is using the host's resolv.conf, and the DNS resolver will try to look into the search domains contained on it. If one of the domains contain a name with the same hostname as the running container, the connection will forward to unexpected external servers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-07-28 19:15:00 UTC
CVE-2025-8283
CVE-2025-8454 on Ubuntu 26.04 LTS (resolute) - medium
It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer easier), skips OpenPGP verification if the upstream source is already downloaded from a previous run even if the verification failed back then.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-01 06:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109251
CVE-2025-8454
CVE-2025-8534 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability classified as problematic was found in libtiff 4.6.0. This vulnerability affects the function PS_Lvl2page of the file tools/tiff2ps.c of the component tiff2ps. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 6ba36f159fd396ad11bf6b7874554197736ecc8b. It is recommended to apply a patch to fix this issue. One of the maintainers explains, that "[t]his error only occurs if DEFER_STRILE_LOAD (defer-strile-load:BOOL=ON) or TIFFOpen( .. "rD") option is used."
Update Instructions:
Run `sudo pro fix CVE-2025-8534` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtiff-opengl - 4.7.0-3ubuntu2
libtiff-tools - 4.7.0-3ubuntu2
libtiff6 - 4.7.0-3ubuntu2
libtiffxx6 - 4.7.0-3ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-05 00:15:00 UTC
2025-08-05 00:15:00 UTC
[https://ubuntu.com/security/notices/USN-7707-1]
CVE-2025-8534
CVE-2025-8671 on Ubuntu 26.04 LTS (resolute) - medium
A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-13 13:15:00 UTC
2025-08-13 13:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111140
[https://ubuntu.com/security/notices/USN-8037-1]
CVE-2025-8671
CVE-2025-8677 on Ubuntu 26.04 LTS (resolute) - medium
Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.
Update Instructions:
Run `sudo pro fix CVE-2025-8677` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.20.11-1ubuntu3
bind9-dnsutils - 1:9.20.11-1ubuntu3
bind9-host - 1:9.20.11-1ubuntu3
bind9-libs - 1:9.20.11-1ubuntu3
bind9-utils - 1:9.20.11-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-22
2025-10-22
Zuyao Xu and Xiang Li
[https://ubuntu.com/security/notices/USN-7836-1]
[https://ubuntu.com/security/notices/USN-7836-2]
CVE-2025-8677
CVE-2025-8735 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability classified as problematic was found in GNU cflow up to 1.8. Affected by this vulnerability is the function yylex of the file c.c of the component Lexer. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-08-08 19:15:00 UTC
CVE-2025-8735
CVE-2025-8736 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability, which was classified as critical, has been found in GNU cflow up to 1.8. Affected by this issue is the function yylex of the file c.c of the component Lexer. The manipulation leads to buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-08-08 19:15:00 UTC
CVE-2025-8736
CVE-2025-8746 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability, which was classified as problematic, was found in GNU libopts up to 27.6. Affected is the function __strstr_sse2. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. This issue was initially reported to the tcpreplay project, but the code maintainer explains, that this "bug appears to be in libopts which is an external library." This vulnerability only affects products that are no longer supported by the maintainer.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-08-09 06:15:00 UTC
CVE-2025-8746
CVE-2025-8842 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability has been found in NASM Netwide Assembler 2.17rc0. Affected by this issue is the function do_directive of the file preproc.c. The manipulation leads to use after free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-08-11 11:15:00 UTC
CVE-2025-8842
CVE-2025-8843 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability was found in NASM Netwide Assembler 2.17rc0. This affects the function macho_no_dead_strip of the file outmacho.c. The manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-08-11 11:15:00 UTC
CVE-2025-8843
CVE-2025-8844 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability was determined in NASM Netwide Assembler 2.17rc0. This vulnerability affects the function parse_smacro_template of the file preproc.c. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-08-11 12:15:00 UTC
CVE-2025-8844
CVE-2025-8845 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability was identified in NASM Netwide Assembler 2.17rc0. This issue affects the function assemble_file of the file nasm.c. The manipulation leads to stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-08-11 13:15:00 UTC
CVE-2025-8845
CVE-2025-8846 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability has been found in NASM Netwide Assembler 2.17rc0. Affected is the function parse_line of the file parser.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-08-11 13:15:00 UTC
CVE-2025-8846
CVE-2025-8851 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was determined in LibTIFF up to 4.5.1. Affected by this issue is the function readSeparateStripsetoBuffer of the file tools/tiffcrop.c of the component tiffcrop. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The patch is identified as 8a7a48d7a645992ca83062b3a1873c951661e2b3. It is recommended to apply a patch to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-11 14:15:00 UTC
2025-08-11 14:15:00 UTC
[https://ubuntu.com/security/notices/USN-7707-1]
CVE-2025-8851
CVE-2025-9019 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in tcpreplay 4.5.1. This vulnerability affects the function mask_cidr6 of the file cidr.c of the component tcpprep. The manipulation leads to heap-based buffer overflow. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The researcher is able to reproduce this with the latest official release 4.5.1 and the current master branch. The code maintainer cannot reproduce this for 4.5.2-beta1. In his reply the maintainer explains that "[i]n that case, this is a duplicate that was fixed in 4.5.2."
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-15 07:15:00 UTC
CVE-2025-9019
CVE-2025-9136 on Ubuntu 26.04 LTS (resolute) - medium
A flaw has been found in libretro RetroArch 1.18.0/1.19.0/1.20.0. This affects the function filestream_vscanf of the file libretro-common/streams/file_stream.c. This manipulation causes out-of-bounds read. The attack needs to be launched locally. Upgrading to version 1.21.0 mitigates this issue. It is recommended to upgrade the affected component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-19 12:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111614
CVE-2025-9136
CVE-2025-9157 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was determined in appneta tcpreplay up to 4.5.2-beta2. The impacted element is the function untrunc_packet of the file src/tcpedit/edit_packet.c of the component tcprewrite. Executing manipulation can lead to use after free. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. This patch is called 73008f261f1cdf7a1087dc8759115242696d35da. Applying a patch is advised to resolve this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-19 20:15:00 UTC
CVE-2025-9157
CVE-2025-9158 on Ubuntu 26.04 LTS (resolute) - medium
The Request Tracker software is vulnerable to a Stored XSS vulnerability in calendar invitation parsing feature, which displays invitation data without HTML sanitization. XSS vulnerability allows an attacker to send a specifically crafted e-mail enabling JavaScript code execution by displaying the ticket in the context of the logged-in user. This vulnerability affects versions from 5.0.4 through 5.0.8 and from 6.0.0 through 6.0.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-10-24 06:15:00 UTC
CVE-2025-9158
CVE-2025-9165 on Ubuntu 26.04 LTS (resolute) - low
A flaw has been found in LibTIFF 4.7.0. This affects the function _TIFFmallocExt/_TIFFCheckRealloc/TIFFHashSetNew/InitCCITTFax3 of the file tools/tiffcmp.c of the component tiffcmp. Executing manipulation can lead to memory leak. The attack is restricted to local execution. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The exploit has been published and may be used. There is ongoing doubt regarding the real existence of this vulnerability. This patch is called ed141286a37f6e5ddafb5069347ff5d587e7a4e0. It is best practice to apply a patch to resolve this issue. A researcher disputes the security impact of this issue, because "this is a memory leak on a command line tool that is about to exit anyway". In the reply the project maintainer declares this issue as "a simple 'bug' when leaving the command line tool and (...) not a security issue at all".
Update Instructions:
Run `sudo pro fix CVE-2025-9165` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtiff-opengl - 4.7.0-3ubuntu3
libtiff-tools - 4.7.0-3ubuntu3
libtiff6 - 4.7.0-3ubuntu3
libtiffxx6 - 4.7.0-3ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-08-19 20:15:00 UTC
2025-08-19 20:15:00 UTC
Xudong Cao (UCAS), Yuqing Zhang (UCAS, Zhongguancun Laboratory)
https://gitlab.com/libtiff/libtiff/-/issues/728
[https://ubuntu.com/security/notices/USN-7783-1]
CVE-2025-9165
CVE-2025-9230 on Ubuntu 26.04 LTS (resolute) - medium
Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.
Update Instructions:
Run `sudo pro fix CVE-2025-9230` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.3-1ubuntu2
openssl - 3.5.3-1ubuntu2
openssl-provider-legacy - 3.5.3-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-30
2025-09-30
Stanislav Fort
[https://ubuntu.com/security/notices/USN-7786-1]
CVE-2025-9230
CVE-2025-9231 on Ubuntu 26.04 LTS (resolute) - medium
Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms. Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker. While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack. OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts. However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.
Update Instructions:
Run `sudo pro fix CVE-2025-9231` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.3-1ubuntu2
openssl - 3.5.3-1ubuntu2
openssl-provider-legacy - 3.5.3-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-30
2025-09-30
Stanislav Fort
[https://ubuntu.com/security/notices/USN-7786-1]
CVE-2025-9231
CVE-2025-9232 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address. Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application. The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker. In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity. The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.
Update Instructions:
Run `sudo pro fix CVE-2025-9232` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.3-1ubuntu2
openssl - 3.5.3-1ubuntu2
openssl-provider-legacy - 3.5.3-1ubuntu2
No subscription required
efi-shell-aa64 - 2025.02-8ubuntu3
efi-shell-arm - 2025.02-8ubuntu3
efi-shell-ia32 - 2025.02-8ubuntu3
efi-shell-loongarch64 - 2025.02-8ubuntu3
efi-shell-riscv64 - 2025.02-8ubuntu3
efi-shell-x64 - 2025.02-8ubuntu3
ovmf - 2025.02-8ubuntu3
ovmf-ia32 - 2025.02-8ubuntu3
ovmf-inteltdx - 2025.02-8ubuntu3
qemu-efi-aarch64 - 2025.02-8ubuntu3
qemu-efi-arm - 2025.02-8ubuntu3
qemu-efi-loongarch64 - 2025.02-8ubuntu3
qemu-efi-riscv64 - 2025.02-8ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-09-30
2025-09-30
Stanislav Fort
[https://ubuntu.com/security/notices/USN-7786-1]
[https://ubuntu.com/security/notices/USN-7894-1]
CVE-2025-9232
CVE-2025-9300 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in saitoha libsixel up to 1.10.3. Affected by this issue is the function sixel_debug_print_palette of the file src/encoder.c of the component img2sixel. The manipulation results in stack-based buffer overflow. The attack must be initiated from a local position. The exploit has been made public and could be used. The patch is identified as 316c086e79d66b62c0c4bc66229ee894e4fdb7d1. Applying a patch is advised to resolve this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-21 13:15:00 UTC
https://github.com/saitoha/libsixel/issues/200
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111877
CVE-2025-9300
CVE-2025-9301 on Ubuntu 26.04 LTS (resolute) - negligible
A vulnerability was determined in cmake 4.1.20250725-gb5cce23. This affects the function cmForEachFunctionBlocker::ReplayItems of the file cmForEachCommand.cxx. This manipulation causes reachable assertion. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. Patch name: 37e27f71bc356d880c908040cd0cb68fa2c371b8. It is suggested to install a patch to address this issue.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2025 Canonical Ltd.
2025-08-21 14:15:00 UTC
https://gitlab.kitware.com/cmake/cmake/-/issues/27135
https://gitlab.kitware.com/cmake/cmake/-/issues/27135#note_1691629
CVE-2025-9301
CVE-2025-9308 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This impacts the function setOptions of the file src/util/request-manager.js. Such manipulation leads to inefficient regular expression complexity. Local access is required to approach this attack. This vulnerability only affects products that are no longer supported by the maintainer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-21 16:15:00 UTC
CVE-2025-9308
CVE-2025-9375 on Ubuntu 26.04 LTS (resolute) - medium
XML Injection vulnerability in xmltodict allows Input Data Manipulation. This issue affects xmltodict: from 0.14.2 before 0.15.1. NOTE: the scope of this CVE is disputed by the vendor on the grounds that xmltodict.unparse() delegates element-name handling to Python's xml.sax.saxutils.XMLGenerator, and that XMLGenerator should be the component performing validation.
Update Instructions:
Run `sudo pro fix CVE-2025-9375` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-xmltodict - 0.13.0-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-01 17:15:00 UTC
2025-09-01 17:15:00 UTC
https://github.com/martinblech/xmltodict/issues/376
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113825
[https://ubuntu.com/security/notices/USN-7753-1]
CVE-2025-9375
CVE-2025-9384 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability was detected in appneta tcpreplay up to 4.5.1. Impacted is the function tcpedit_post_args of the file /src/tcpedit/parse_args.c. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit is now public and may be used. Upgrading to version 4.5.2-beta2 is recommended to address this issue. Upgrading the affected component is advised. The vendor explains, that he was "[a]ble to reproduce in 6fcbf03 but not in 4.5.2-beta2".
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-08-24 10:15:00 UTC
https://github.com/appneta/tcpreplay/issues/971
CVE-2025-9384
CVE-2025-9385 on Ubuntu 26.04 LTS (resolute) - low
A flaw has been found in appneta tcpreplay up to 4.5.1. The affected element is the function fix_ipv6_checksums of the file edit_packet.c of the component tcprewrite. This manipulation causes use after free. The attack is restricted to local execution. The exploit has been published and may be used. Upgrading to version 4.5.2-beta3 is sufficient to fix this issue. It is advisable to upgrade the affected component.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-08-24 11:15:00 UTC
https://github.com/appneta/tcpreplay/issues/972
CVE-2025-9385
CVE-2025-9386 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability has been found in appneta tcpreplay up to 4.5.1. The impacted element is the function get_l2len_protocol of the file get.c of the component tcprewrite. Such manipulation leads to use after free. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. Upgrading to version 4.5.2-beta3 is sufficient to resolve this issue. You should upgrade the affected component.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-08-24 11:15:00 UTC
https://github.com/appneta/tcpreplay/issues/973
CVE-2025-9386
CVE-2025-9394 on Ubuntu 26.04 LTS (resolute) - medium
A flaw has been found in PoDoFo 1.1.0-dev. This issue affects the function PdfTokenizer::DetermineDataType of the file src/podofo/main/PdfTokenizer.cpp of the component PDF Dictionary Parser. Executing manipulation can lead to use after free. It is possible to launch the attack on the local host. The exploit has been published and may be used. This patch is called 22d16cb142f293bf956f66a4d399cdd65576d36c. A patch should be applied to remediate this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-24 16:15:00 UTC
https://github.com/podofo/podofo/issues/275
CVE-2025-9394
CVE-2025-9396 on Ubuntu 26.04 LTS (resolute) - medium
A security flaw has been discovered in ckolivas lrzip up to 0.651. This impacts the function __GI_____strtol_l_internal of the file strtol_l.c. Performing manipulation results in null pointer dereference. The attack is only possible with local access. The exploit has been released to the public and may be exploited.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-24 23:15:00 UTC
https://github.com/ckolivas/lrzip/issues/264
CVE-2025-9396
CVE-2025-9403 on Ubuntu 26.04 LTS (resolute) - negligible
A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of the component JSON Parser. Executing manipulation can lead to reachable assertion. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Other versions might be affected as well.
Ubuntu 26.04 LTS
Negligible
Copyright (C) 2025 Canonical Ltd.
2025-08-25 03:15:00 UTC
https://github.com/jqlang/jq/issues/3393
CVE-2025-9403
CVE-2025-9566 on Ubuntu 26.04 LTS (resolute) - medium
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file contains a Secret or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file.
Binary-Affected: podman
Upstream-version-introduced: v4.0.0
Upstream-version-fixed: v5.6.1
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-05 20:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114526
CVE-2025-9566
CVE-2025-9572 on Ubuntu 26.04 LTS (resolute) - medium
An authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 08:17:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2391715
CVE-2025-9572
CVE-2025-9615 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection.
Update Instructions:
Run `sudo pro fix CVE-2025-9615` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-nm-1.0 - 1.54.3-2ubuntu1
libnm0 - 1.54.3-2ubuntu1
network-manager - 1.54.3-2ubuntu1
network-manager-config-connectivity-debian - 1.54.3-2ubuntu1
network-manager-config-connectivity-ubuntu - 1.54.3-2ubuntu1
network-manager-l10n - 1.54.3-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-26 20:16:00 UTC
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1809 (not yet public)
CVE-2025-9615
CVE-2025-9648 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in the CivetWeb library's function mg_handle_form_request allows remote attackers to trigger a denial of service (DoS) condition. By sending a specially crafted HTTP POST request containing a null byte in the payload, the server enters an infinite loop during form data parsing. Multiple malicious requests will result in complete CPU exhaustion and render the service unresponsive to further requests. This issue was fixed in commit 782e189. This issue affects only the library, standalone executable pre-built by vendor is not affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-29 12:15:00 UTC
CVE-2025-9648
CVE-2025-9649 on Ubuntu 26.04 LTS (resolute) - medium
A security vulnerability has been detected in appneta tcpreplay 4.5.1. Impacted is the function calc_sleep_time of the file send_packets.c. Such manipulation leads to divide by zero. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. Upgrading to version 4.5.3-beta3 is recommended to address this issue. It is advisable to upgrade the affected component. The vendor confirms in a GitHub issue reply: "Was able to reproduce in 6fcbf03 but NOT 4.5.3-beta3."
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-29 14:15:00 UTC
CVE-2025-9649
CVE-2025-9670 on Ubuntu 26.04 LTS (resolute) - medium
A security flaw has been discovered in mixmark-io turndown up to 7.2.1. This affects an unknown function of the file src/commonmark-rules.js. Performing manipulation results in inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-29 19:15:00 UTC
CVE-2025-9670
CVE-2025-9688 on Ubuntu 26.04 LTS (resolute) - medium
A security vulnerability has been detected in Mupen64Plus up to 2.6.0. The affected element is the function write_is_viewer of the file src/device/cart/is_viewer.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. The exploit has been disclosed publicly and may be used. The identifier of the patch is 3984137fc0c44110f1ef876adb008885b05a6e18. To fix this issue, it is recommended to deploy a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-08-30 13:15:00 UTC
CVE-2025-9688
CVE-2025-9732 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability was identified in DCMTK up to 3.6.9. This affects an unknown function in the library dcmimage/include/dcmtk/dcmimage/diybrpxt.h of the component dcm2img. Such manipulation leads to memory corruption. Local access is required to approach this attack. The name of the patch is 7ad81d69b. It is best practice to apply a patch to resolve this issue.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-08-31 14:15:00 UTC
CVE-2025-9732
CVE-2025-9784 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-02 14:15:00 UTC
CVE-2025-9784
CVE-2025-9809 on Ubuntu 26.04 LTS (resolute) - high
Out-of-bounds write in cdfs_open_cue_track in libretro libretro-common latest on all platforms allows remote attackers to execute arbitrary code via a crafted .cue file with a file path exceeding PATH_MAX_LENGTH that is copied using memcpy into a fixed-size buffer.
Ubuntu 26.04 LTS
High
Copyright (C) 2025 Canonical Ltd.
2025-09-01 19:15:00 UTC
2025-09-01 19:15:00 UTC
[https://ubuntu.com/security/notices/USN-8166-1]
CVE-2025-9809
CVE-2025-9817 on Ubuntu 26.04 LTS (resolute) - medium
SSH dissector crash in Wireshark 4.4.0 to 4.4.8 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-03 08:15:00 UTC
CVE-2025-9817
CVE-2025-9900 on Ubuntu 26.04 LTS (resolute) - high
A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
Update Instructions:
Run `sudo pro fix CVE-2025-9900` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libtiff-opengl - 4.7.0-3ubuntu3
libtiff-tools - 4.7.0-3ubuntu3
libtiff6 - 4.7.0-3ubuntu3
libtiffxx6 - 4.7.0-3ubuntu3
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2025 Canonical Ltd.
2025-09-23 17:15:00 UTC
2025-09-23 17:15:00 UTC
elisehdy
[https://ubuntu.com/security/notices/USN-7783-1]
CVE-2025-9900
CVE-2025-9901 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in libsoup’s caching mechanism, SoupCache, where the HTTP Vary header is ignored when evaluating cached responses. This header ensures that responses vary appropriately based on request headers such as language or authentication. Without this check, cached content can be incorrectly reused across different requests, potentially exposing sensitive user information. While the issue is unlikely to affect everyday desktop use, it could result in confidentiality breaches in proxy or multi-user environments.
Ubuntu 26.04 LTS
Low
Copyright (C) 2025 Canonical Ltd.
2025-09-03 13:15:00 UTC
https://gitlab.gnome.org/GNOME/libsoup/-/issues/453
https://bugzilla.redhat.com/show_bug.cgi?id=2392790
CVE-2025-9901
CVE-2025-9943 on Ubuntu 26.04 LTS (resolute) - medium
An SQL injection vulnerability has been identified in the "ID" attribute of the SAML response when the replay cache of the Shibboleth Service Provider (SP) is configured to use an SQL database as storage service. An unauthenticated attacker can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database, if the database connection is configured to use the ODBC plugin. The vulnerability arises from insufficient escaping of single quotes in the class SQLString (file odbc-store.cpp, lines 253-271). This issue affects Shibboleth Service Provider through 3.5.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-10 07:15:00 UTC
CVE-2025-9943
CVE-2025-9951 on Ubuntu 26.04 LTS (resolute) - medium
A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows an attacker to potentially gain remote code execution or cause denial of service via the channel definition cdef atom of JPEG2000.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2025 Canonical Ltd.
2025-09-09 14:15:00 UTC
2025-09-09 14:15:00 UTC
[https://ubuntu.com/security/notices/USN-7830-1]
CVE-2025-9951
CVE-2026-0396 on Ubuntu 26.04 LTS (resolute) - medium
An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 12:16:00 UTC
CVE-2026-0396
CVE-2026-0397 on Ubuntu 26.04 LTS (resolute) - medium
When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 12:16:00 UTC
CVE-2026-0397
CVE-2026-0398 on Ubuntu 26.04 LTS (resolute) - medium
Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-09 15:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127490
CVE-2026-0398
CVE-2026-0540 on Ubuntu 26.04 LTS (resolute) - medium
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-03 18:16:00 UTC
CVE-2026-0540
CVE-2026-0636 on Ubuntu 26.04 LTS (resolute) - medium
Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-15 10:16:00 UTC
CVE-2026-0636
CVE-2026-0716 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsoup’s WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup’s WebSocket support with this configuration may be impacted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-13 23:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125156
https://gitlab.gnome.org/GNOME/libsoup/-/issues/476
CVE-2026-0716
CVE-2026-0719 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-08 13:15:00 UTC
https://gitlab.gnome.org/GNOME/libsoup/-/issues/477
https://bugzilla.redhat.com/show_bug.cgi?id=2427906
CVE-2026-0719
CVE-2026-0775 on Ubuntu 26.04 LTS (resolute) - medium
npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-23 04:16:00 UTC
CVE-2026-0775
CVE-2026-0797 on Ubuntu 26.04 LTS (resolute) - medium
GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ICO files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28599.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-20 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128601
CVE-2026-0797
CVE-2026-0819 on Ubuntu 26.04 LTS (resolute) - medium
A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7->signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 17:16:00 UTC
CVE-2026-0819
CVE-2026-0821 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was determined in quickjs-ng quickjs up to 0.11.0. This vulnerability affects the function js_typed_array_constructor of the file quickjs.c. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called c5d80831e51e48a83eab16ea867be87f091783c5. A patch should be applied to remediate this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-10 13:15:00 UTC
https://github.com/quickjs-ng/quickjs/issues/1296
CVE-2026-0821
CVE-2026-0822 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function js_typed_array_sort of the file quickjs.c. The manipulation leads to heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 53eefbcd695165a3bd8c584813b472cb4a69fbf5. To fix this issue, it is recommended to deploy a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-10 14:15:00 UTC
https://github.com/quickjs-ng/quickjs/issues/1297
CVE-2026-0822
CVE-2026-0846 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-09 20:16:00 UTC
ej7367
CVE-2026-0846
CVE-2026-0847 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader. These classes fail to properly sanitize or validate file paths, enabling attackers to traverse directories and access sensitive files on the server. This issue is particularly critical in scenarios where user-controlled file inputs are processed, such as in machine learning APIs, chatbots, or NLP pipelines. Exploitation of this vulnerability can lead to unauthorized access to sensitive files, including system files, SSH private keys, and API tokens, and may potentially escalate to remote code execution when combined with other vulnerabilities.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-04 19:16:00 UTC
ej7367
CVE-2026-0847
CVE-2026-0848 on Ubuntu 26.04 LTS (resolute) - medium
NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegmenter module. The module dynamically loads external Java .jar files without verification or sandboxing. An attacker can supply or replace the JAR file, enabling the execution of arbitrary Java bytecode at import time. This vulnerability can be exploited through methods such as model poisoning, MITM attacks, or dependency poisoning, leading to remote code execution. The issue arises from the direct execution of the JAR file via subprocess with unvalidated classpath input, allowing malicious classes to execute when loaded by the JVM.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-05 21:16:00 UTC
ej7367
CVE-2026-0848
CVE-2026-0858 on Ubuntu 26.04 LTS (resolute) - medium
Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-16 05:16:00 UTC
CVE-2026-0858
CVE-2026-0915 on Ubuntu 26.04 LTS (resolute) - medium
Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.
Update Instructions:
Run `sudo pro fix CVE-2026-0915` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
glibc-source - 2.42-2ubuntu5
libc-bin - 2.42-2ubuntu5
libc-gconv-modules-extra - 2.42-2ubuntu5
libc6 - 2.42-2ubuntu5
libc6-amd64 - 2.42-2ubuntu5
libc6-i386 - 2.42-2ubuntu5
libc6-x32 - 2.42-2ubuntu5
locales - 2.42-2ubuntu5
locales-all - 2.42-2ubuntu5
nscd - 2.42-2ubuntu5
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-15 22:16:00 UTC
2026-01-15 22:16:00 UTC
Igor Morgenstern
https://sourceware.org/bugzilla/show_bug.cgi?id=33802
[https://ubuntu.com/security/notices/USN-8005-1]
CVE-2026-0915
CVE-2026-0943 on Ubuntu 26.04 LTS (resolute) - medium
HarfBuzz::Shaper versions before 0.032 for Perl contains a bundled library with a null pointer dereference vulnerability. Versions before 0.032 contain HarfBuzz 8.4.0 or earlier bundled as hb_src.tar.gz in the source tarball, which is affected by CVE-2026-22693.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-19 04:15:00 UTC
CVE-2026-0943
CVE-2026-0960 on Ubuntu 26.04 LTS (resolute) - medium
HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-14 21:15:00 UTC
https://gitlab.com/wireshark/wireshark/-/issues/20944
CVE-2026-0960
CVE-2026-0961 on Ubuntu 26.04 LTS (resolute) - medium
BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-14 21:15:00 UTC
CVE-2026-0961
CVE-2026-0962 on Ubuntu 26.04 LTS (resolute) - medium
SOME/IP-SD protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-14 21:15:00 UTC
CVE-2026-0962
CVE-2026-0988 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).
Update Instructions:
Run `sudo pro fix CVE-2026-0988` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-girepository-3.0 - 2.87.2-2
gir1.2-glib-2.0 - 2.87.2-2
girepository-tools - 2.87.2-2
libgirepository-2.0-0 - 2.87.2-2
libglib2.0-0t64 - 2.87.2-2
libglib2.0-bin - 2.87.2-2
libglib2.0-data - 2.87.2-2
libglib2.0-tests - 2.87.2-2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-16
2026-01-16
https://gitlab.gnome.org/GNOME/glib/-/issues/3851
[https://ubuntu.com/security/notices/USN-7971-1]
CVE-2026-0988
CVE-2026-0994 on Ubuntu 26.04 LTS (resolute) - medium
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
Update Instructions:
Run `sudo pro fix CVE-2026-0994` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
elpa-protobuf-mode - 3.21.12-15ubuntu1
libprotobuf-java - 3.21.12-15ubuntu1
libprotobuf-lite32t64 - 3.21.12-15ubuntu1
libprotobuf32t64 - 3.21.12-15ubuntu1
libprotoc32t64 - 3.21.12-15ubuntu1
php-google-protobuf - 3.21.12-15ubuntu1
protobuf-compiler - 3.21.12-15ubuntu1
python3-protobuf - 3.21.12-15ubuntu1
ruby-google-protobuf - 3.21.12-15ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-23 15:16:00 UTC
2026-01-23 15:16:00 UTC
https://github.com/protocolbuffers/protobuf/issues/25070
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126302
[https://ubuntu.com/security/notices/USN-8063-1]
CVE-2026-0994
CVE-2026-1005 on Ubuntu 26.04 LTS (resolute) - medium
Integer underflow in wolfSSL packet sniffer <= 5.8.4 allows an attacker to cause a buffer overflow in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing heap buffer overflow and a crash. An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 17:16:00 UTC
CVE-2026-1005
CVE-2026-1080 on Ubuntu 26.04 LTS (resolute) - medium
GitLab has remediated an issue in GitLab EE affecting all versions from 16.7 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to access iteration data from private descendant groups by querying the iterations API endpoint.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 12:16:00 UTC
CVE-2026-1080
CVE-2026-1094 on Ubuntu 26.04 LTS (resolute) - medium
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8 before 18.8.4 that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 12:16:00 UTC
CVE-2026-1094
CVE-2026-1144 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-19 08:16:00 UTC
CVE-2026-1144
CVE-2026-1225 on Ubuntu 26.04 LTS (resolute) - medium
ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-22 10:16:00 UTC
CVE-2026-1225
CVE-2026-1282 on Ubuntu 26.04 LTS (resolute) - medium
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to inject malicious content into project labels titles.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 12:16:00 UTC
CVE-2026-1282
CVE-2026-1285 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Update Instructions:
Run `sudo pro fix CVE-2026-1285` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:5.2.9-0ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 14:00:00 UTC
2026-02-03 14:00:00 UTC
Seokchan Yoon
[https://ubuntu.com/security/notices/USN-8009-1]
CVE-2026-1285
CVE-2026-1287 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.
Update Instructions:
Run `sudo pro fix CVE-2026-1287` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:5.2.9-0ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 14:00:00 UTC
2026-02-03 14:00:00 UTC
Solomon Kebede
[https://ubuntu.com/security/notices/USN-8009-1]
CVE-2026-1287
CVE-2026-1299 on Ubuntu 26.04 LTS (resolute) - medium
The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".
Update Instructions:
Run `sudo pro fix CVE-2026-1299` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
idle-python3.14 - 3.14.3-1
libpython3.14 - 3.14.3-1
libpython3.14-minimal - 3.14.3-1
libpython3.14-stdlib - 3.14.3-1
libpython3.14-testsuite - 3.14.3-1
python3.14 - 3.14.3-1
python3.14-examples - 3.14.3-1
python3.14-full - 3.14.3-1
python3.14-gdbm - 3.14.3-1
python3.14-minimal - 3.14.3-1
python3.14-nopie - 3.14.3-1
python3.14-tk - 3.14.3-1
python3.14-venv - 3.14.3-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-23 17:16:00 UTC
https://github.com/python/cpython/issues/144125
CVE-2026-1299
CVE-2026-1387 on Ubuntu 26.04 LTS (resolute) - medium
GitLab has remediated an issue in GitLab EE affecting all versions from 15.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to cause Denial of Service by uploading a malicious file and repeatedly querying it through GraphQl.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 12:16:00 UTC
CVE-2026-1387
CVE-2026-1425 on Ubuntu 26.04 LTS (resolute) - medium
A security flaw has been discovered in pymumu SmartDNS up to 47.1. This vulnerability affects the function _dns_decode_rr_head/_dns_decode_SVCB_HTTPS of the file src/dns.c of the component SVBC Record Parser. The manipulation results in stack-based buffer overflow. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is stated that the exploitability is difficult. The patch is identified as 2d57c4b4e1add9b4537aeb403f794a084727e1c8. Applying a patch is advised to resolve this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-26 08:16:00 UTC
CVE-2026-1425
CVE-2026-1456 on Ubuntu 26.04 LTS (resolute) - medium
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through CPU exhaustion by submitting specially crafted markdown files that trigger exponential processing in markdown preview.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 12:16:00 UTC
CVE-2026-1456
CVE-2026-1458 on Ubuntu 26.04 LTS (resolute) - medium
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an unauthenticated user to cause denial of service by uploading malicious files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 12:16:00 UTC
CVE-2026-1458
CVE-2026-1467 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing a specially crafted URL containing CRLF sequences, allowing them to inject additional HTTP headers or complete HTTP request bodies. This can lead to unintended or unauthorized HTTP requests being forwarded by the proxy, potentially impacting downstream services.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-27 10:15:00 UTC
2026-01-27 10:15:00 UTC
https://gitlab.gnome.org/GNOME/libsoup/-/issues/488
https://bugzilla.redhat.com/show_bug.cgi?id=2433174
[https://ubuntu.com/security/notices/USN-8020-1]
CVE-2026-1467
CVE-2026-1484 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.
Update Instructions:
Run `sudo pro fix CVE-2026-1484` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-girepository-3.0 - 2.87.2-2
gir1.2-glib-2.0 - 2.87.2-2
girepository-tools - 2.87.2-2
libgirepository-2.0-0 - 2.87.2-2
libglib2.0-0t64 - 2.87.2-2
libglib2.0-bin - 2.87.2-2
libglib2.0-data - 2.87.2-2
libglib2.0-tests - 2.87.2-2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-27 14:15:00 UTC
2026-01-27 14:15:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2433259
[https://ubuntu.com/security/notices/USN-8017-1]
CVE-2026-1484
CVE-2026-1485 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in GLib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.
Update Instructions:
Run `sudo pro fix CVE-2026-1485` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-girepository-3.0 - 2.87.2-2
gir1.2-glib-2.0 - 2.87.2-2
girepository-tools - 2.87.2-2
libgirepository-2.0-0 - 2.87.2-2
libglib2.0-0t64 - 2.87.2-2
libglib2.0-bin - 2.87.2-2
libglib2.0-data - 2.87.2-2
libglib2.0-tests - 2.87.2-2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-27 14:15:00 UTC
2026-01-27 14:15:00 UTC
https://gitlab.gnome.org/GNOME/glib/-/issues/3871
https://bugzilla.redhat.com/show_bug.cgi?id=2433325
[https://ubuntu.com/security/notices/USN-8017-1]
CVE-2026-1485
CVE-2026-1489 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.
Update Instructions:
Run `sudo pro fix CVE-2026-1489` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-girepository-3.0 - 2.87.2-2
gir1.2-glib-2.0 - 2.87.2-2
girepository-tools - 2.87.2-2
libgirepository-2.0-0 - 2.87.2-2
libglib2.0-0t64 - 2.87.2-2
libglib2.0-bin - 2.87.2-2
libglib2.0-data - 2.87.2-2
libglib2.0-tests - 2.87.2-2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-27 15:15:00 UTC
2026-01-27 15:15:00 UTC
https://gitlab.gnome.org/GNOME/glib/-/issues/3872
https://bugzilla.redhat.com/show_bug.cgi?id=2433348
[https://ubuntu.com/security/notices/USN-8017-1]
CVE-2026-1489
CVE-2026-1502 on Ubuntu 26.04 LTS (resolute) - medium
CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 18:16:00 UTC
CVE-2026-1502
CVE-2026-1519 on Ubuntu 26.04 LTS (resolute) - medium
If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25
2026-03-25
Samy Medjahed
[https://ubuntu.com/security/notices/USN-8124-1]
CVE-2026-1519
CVE-2026-1525 on Ubuntu 26.04 LTS (resolute) - medium
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
 * Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
 * Applications that accept user-controlled header names without case-normalization
Potential consequences:
 * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
 * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 20:16:00 UTC
CVE-2026-1525
CVE-2026-1526 on Ubuntu 26.04 LTS (resolute) - medium
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive. The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 21:16:00 UTC
CVE-2026-1526
CVE-2026-1527 on Ubuntu 26.04 LTS (resolute) - medium
Impact: When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:
 * Inject arbitrary HTTP headers
 * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)
The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:
    // lib/dispatcher/client-h1.js:1121
    if (upgrade) {
      header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
    }
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 21:16:00 UTC
CVE-2026-1527
CVE-2026-1528 on Ubuntu 26.04 LTS (resolute) - medium
Impact: A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches: Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 21:16:00 UTC
CVE-2026-1528
CVE-2026-1536 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-28 16:16:00 UTC
2026-01-28 16:16:00 UTC
https://gitlab.gnome.org/GNOME/libsoup/-/issues/486
https://bugzilla.redhat.com/show_bug.cgi?id=2433834
[https://ubuntu.com/security/notices/USN-8020-1]
CVE-2026-1536
CVE-2026-1539 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirected to a different host. As a result, sensitive proxy credentials may be leaked to third-party servers. Applications using libsoup for HTTP communication may unintentionally expose proxy authentication data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-28 16:16:00 UTC
2026-01-28 16:16:00 UTC
https://gitlab.gnome.org/GNOME/libsoup/-/issues/489
[https://ubuntu.com/security/notices/USN-8020-1]
CVE-2026-1539
CVE-2026-1605 on Ubuntu 26.04 LTS (resolute) - medium
In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-05 10:15:00 UTC
CVE-2026-1605
CVE-2026-1642 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Update Instructions:
Run `sudo pro fix CVE-2026-1642` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnginx-mod-http-geoip - 1.28.1-3ubuntu1
libnginx-mod-http-image-filter - 1.28.1-3ubuntu1
libnginx-mod-http-perl - 1.28.1-3ubuntu1
libnginx-mod-http-xslt-filter - 1.28.1-3ubuntu1
libnginx-mod-mail - 1.28.1-3ubuntu1
libnginx-mod-stream - 1.28.1-3ubuntu1
libnginx-mod-stream-geoip - 1.28.1-3ubuntu1
nginx - 1.28.1-3ubuntu1
nginx-common - 1.28.1-3ubuntu1
nginx-core - 1.28.1-3ubuntu1
nginx-extras - 1.28.1-3ubuntu1
nginx-full - 1.28.1-3ubuntu1
nginx-light - 1.28.1-3ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-04 15:16:00 UTC
2026-02-04 15:16:00 UTC
[https://ubuntu.com/security/notices/USN-8038-1]
CVE-2026-1642
CVE-2026-1703 on Ubuntu 26.04 LTS (resolute) - low
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-02-02 15:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126875
CVE-2026-1703
CVE-2026-1757 on Ubuntu 26.04 LTS (resolute) - low
A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-02-02 13:15:00 UTC
https://gitlab.gnome.org/GNOME/libxml2/-/issues/1009
https://bugzilla.redhat.com/show_bug.cgi?id=2435940
CVE-2026-1757
CVE-2026-1760 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests, causing SoupServer to fail to close the connection as required by RFC 9112. This allows the attacker to smuggle additional requests over the persistent connection, leading to unintended request processing and potential denial-of-service (DoS) conditions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-02 14:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126876
https://gitlab.gnome.org/GNOME/libsoup/-/issues/475
https://bugzilla.redhat.com/show_bug.cgi?id=2435951
CVE-2026-1760
CVE-2026-1761 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to memory corruption. This issue may result in application crashes or arbitrary code execution in applications that process untrusted server responses, and it does not require authentication or user interaction.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-02 14:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126877
https://gitlab.gnome.org/GNOME/libsoup/-/issues/493
https://bugzilla.redhat.com/show_bug.cgi?id=2435961
CVE-2026-1761
CVE-2026-1801 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soup_filter_input_stream_read_line() logic, where libsoup accepts malformed chunk headers, such as lone line feed (LF) characters instead of the required carriage return and line feed (CRLF). A remote attacker can exploit this without authentication or user interaction by sending specially crafted chunked requests. This allows libsoup to parse and process multiple HTTP requests from a single network message, potentially leading to information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-03 21:16:00 UTC
https://gitlab.gnome.org/GNOME/libsoup/-/issues/481
https://bugzilla.redhat.com/show_bug.cgi?id=2436315
CVE-2026-1801
CVE-2026-1858 on Ubuntu 26.04 LTS (resolute) - medium
wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-29 21:16:00 UTC
CVE-2026-1858
CVE-2026-1965 on Ubuntu 26.04 LTS (resolute) - medium
libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1... The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`. Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).
Update Instructions:
Run `sudo pro fix CVE-2026-1965` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
curl - 8.18.0-1ubuntu2
libcurl3t64-gnutls - 8.18.0-1ubuntu2
libcurl4t64 - 8.18.0-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-11 18:00:00 UTC
2026-03-11 18:00:00 UTC
Zhicheng Chen
[https://ubuntu.com/security/notices/USN-8084-1]
[https://ubuntu.com/security/notices/USN-8099-1]
CVE-2026-1965
CVE-2026-1979 on Ubuntu 26.04 LTS (resolute) - medium
A flaw has been found in mruby up to 3.4.0. This affects the function mrb_vm_exec of the file src/vm.c of the component JMPNOT-to-JMPIF Optimization. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called e50f15c1c6e131fa7934355eb02b8173b13df415. It is advisable to implement a patch to correct this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-06 05:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127317
CVE-2026-1979
CVE-2026-1991 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was detected in libuvc up to 0.0.7. Affected is the function uvc_scan_streaming of the file src/device.c of the component UVC Descriptor Handler. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-06 06:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127316
CVE-2026-1991
CVE-2026-1998 on Ubuntu 26.04 LTS (resolute) - medium
A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-06 07:16:00 UTC
CVE-2026-1998
CVE-2026-20031 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in the HTML Cascading Style Sheets (CSS) module of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper error handling when splitting UTF-8 strings. An attacker could exploit this vulnerability by submitting a crafted HTML file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the scanning process.
Update Instructions:
Run `sudo pro fix CVE-2026-20031` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
clamav - 1.4.4+dfsg-0ubuntu0.26.04.1
clamav-base - 1.4.4+dfsg-0ubuntu0.26.04.1
clamav-daemon - 1.4.4+dfsg-0ubuntu0.26.04.1
clamav-freshclam - 1.4.4+dfsg-0ubuntu0.26.04.1
clamav-milter - 1.4.4+dfsg-0ubuntu0.26.04.1
clamav-testfiles - 1.4.4+dfsg-0ubuntu0.26.04.1
clamdscan - 1.4.4+dfsg-0ubuntu0.26.04.1
libclamav12 - 1.4.4+dfsg-0ubuntu0.26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-04 18:16:00 UTC
2026-03-04 18:16:00 UTC
[https://ubuntu.com/security/notices/USN-8207-1]
CVE-2026-20031
CVE-2026-2045 on Ubuntu 26.04 LTS (resolute) - medium
GIMP XWD File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XWD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28265.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-20 23:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128604
CVE-2026-2045
CVE-2026-2046 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19
CVE-2026-2046
CVE-2026-2047 on Ubuntu 26.04 LTS (resolute) - medium
GIMP ICNS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ICNS files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28530.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-20 23:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128605
CVE-2026-2047
CVE-2026-2048 on Ubuntu 26.04 LTS (resolute) - medium
GIMP XWD File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XWD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28591.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-20 23:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128606
CVE-2026-2048
CVE-2026-20643 on Ubuntu 26.04 LTS (resolute) - medium
A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may bypass Same Origin Policy.
Update Instructions:
Run `sudo pro fix CVE-2026-20643` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-javascriptcoregtk-4.1 - 2.52.3-0ubuntu0.26.04.2
gir1.2-javascriptcoregtk-6.0 - 2.52.3-0ubuntu0.26.04.2
gir1.2-webkit-6.0 - 2.52.3-0ubuntu0.26.04.2
gir1.2-webkit2-4.1 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-4.1-0 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-6.0-1 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-bin - 2.52.3-0ubuntu0.26.04.2
libwebkit2gtk-4.1-0 - 2.52.3-0ubuntu0.26.04.2
libwebkitgtk-6.0-4 - 2.52.3-0ubuntu0.26.04.2
webkitgtk-webdriver - 2.52.3-0ubuntu0.26.04.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-17 23:16:00 UTC
2026-03-17 23:16:00 UTC
[https://ubuntu.com/security/notices/USN-8237-1]
CVE-2026-20643
CVE-2026-20664 on Ubuntu 26.04 LTS (resolute) - medium
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may lead to an unexpected process crash.
Update Instructions:
Run `sudo pro fix CVE-2026-20664` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-javascriptcoregtk-4.1 - 2.52.3-0ubuntu0.26.04.2
gir1.2-javascriptcoregtk-6.0 - 2.52.3-0ubuntu0.26.04.2
gir1.2-webkit-6.0 - 2.52.3-0ubuntu0.26.04.2
gir1.2-webkit2-4.1 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-4.1-0 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-6.0-1 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-bin - 2.52.3-0ubuntu0.26.04.2
libwebkit2gtk-4.1-0 - 2.52.3-0ubuntu0.26.04.2
libwebkitgtk-6.0-4 - 2.52.3-0ubuntu0.26.04.2
webkitgtk-webdriver - 2.52.3-0ubuntu0.26.04.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 01:17:00 UTC
2026-03-25 01:17:00 UTC
[https://ubuntu.com/security/notices/USN-8237-1]
CVE-2026-20664
CVE-2026-20665 on Ubuntu 26.04 LTS (resolute) - medium
This issue was addressed through improved state management. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
Update Instructions:
Run `sudo pro fix CVE-2026-20665` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-javascriptcoregtk-4.1 - 2.52.3-0ubuntu0.26.04.2
gir1.2-javascriptcoregtk-6.0 - 2.52.3-0ubuntu0.26.04.2
gir1.2-webkit-6.0 - 2.52.3-0ubuntu0.26.04.2
gir1.2-webkit2-4.1 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-4.1-0 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-6.0-1 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-bin - 2.52.3-0ubuntu0.26.04.2
libwebkit2gtk-4.1-0 - 2.52.3-0ubuntu0.26.04.2
libwebkitgtk-6.0-4 - 2.52.3-0ubuntu0.26.04.2
webkitgtk-webdriver - 2.52.3-0ubuntu0.26.04.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 01:17:00 UTC
2026-03-25 01:17:00 UTC
[https://ubuntu.com/security/notices/USN-8237-1]
CVE-2026-20665
CVE-2026-2069 on Ubuntu 26.04 LTS (resolute) - medium
A flaw has been found in ggml-org llama.cpp up to 55abc39. Impacted is the function llama_grammar_advance_stack of the file llama.cpp/src/llama-grammar.cpp of the component GBNF Grammar Handler. This manipulation causes stack-based buffer overflow. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 18993. To fix this issue, it is recommended to deploy a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-06 22:16:00 UTC
CVE-2026-2069
CVE-2026-20691 on Ubuntu 26.04 LTS (resolute) - medium
An authorization issue was addressed with improved state management. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. A maliciously crafted webpage may be able to fingerprint the user.
Update Instructions:
Run `sudo pro fix CVE-2026-20691` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-javascriptcoregtk-4.1 - 2.52.3-0ubuntu0.26.04.2
gir1.2-javascriptcoregtk-6.0 - 2.52.3-0ubuntu0.26.04.2
gir1.2-webkit-6.0 - 2.52.3-0ubuntu0.26.04.2
gir1.2-webkit2-4.1 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-4.1-0 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-6.0-1 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-bin - 2.52.3-0ubuntu0.26.04.2
libwebkit2gtk-4.1-0 - 2.52.3-0ubuntu0.26.04.2
libwebkitgtk-6.0-4 - 2.52.3-0ubuntu0.26.04.2
webkitgtk-webdriver - 2.52.3-0ubuntu0.26.04.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 01:17:00 UTC
2026-03-25 01:17:00 UTC
[https://ubuntu.com/security/notices/USN-8237-1]
CVE-2026-20691
CVE-2026-20777 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow vulnerability exists in the Nicolet WFT parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (db9a9a63). A specially crafted .wft file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-03 15:16:00 UTC
CVE-2026-20777
CVE-2026-20884 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 15:17:00 UTC
CVE-2026-20884
CVE-2026-20889 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 15:17:00 UTC
CVE-2026-20889
CVE-2026-20911 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 15:17:00 UTC
CVE-2026-20911
CVE-2026-21413 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 15:17:00 UTC
CVE-2026-21413
CVE-2026-21428 on Ubuntu 26.04 LTS (resolute) - medium
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-01 18:15:00 UTC
CVE-2026-21428
CVE-2026-21441 on Ubuntu 26.04 LTS (resolute) - medium
urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-08
2026-01-08
[https://ubuntu.com/security/notices/USN-7955-1]
[https://ubuntu.com/security/notices/USN-7955-2]
[https://ubuntu.com/security/notices/USN-8010-1]
CVE-2026-21441
CVE-2026-21452 on Ubuntu 26.04 LTS (resolute) - medium
MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulnerability suitable for remote exploitation. The vulnerability enables a remote denial-of-service attack against applications that deserialize untrusted .msgpack model files using MessagePack for Java. A specially crafted but syntactically valid .msgpack file containing an EXT32 object with an attacker-controlled, excessively large payload length can trigger unbounded memory allocation during deserialization. When the model file is loaded, the library trusts the declared length metadata and attempts to allocate a byte array of that size, leading to rapid heap exhaustion, excessive garbage collection, or immediate JVM termination with an OutOfMemoryError. The attack requires no malformed bytes, user interaction, or elevated privileges and can be exploited remotely in real-world environments such as model registries, inference services, CI/CD pipelines, and cloud-based model hosting platforms that accept or fetch .msgpack artifacts. Because the malicious file is extremely small yet valid, it can bypass basic validation and scanning mechanisms, resulting in complete service unavailability and potential cascading failures in production systems. Version 0.9.11 fixes the vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-02 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124587
CVE-2026-21452
CVE-2026-21619 on Ubuntu 26.04 LTS (resolute) - medium
Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4. This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 18:16:00 UTC
CVE-2026-21619
CVE-2026-21620 on Ubuntu 26.04 LTS (resolute) - low
Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal. This vulnerability is associated with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl. This issue affects otp: from 17.0, from 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0; otp: from 1.0.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-02-20 11:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128651
CVE-2026-21620
CVE-2026-21636 on Ubuntu 26.04 LTS (resolute) - medium
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. The issue affects users of the Node.js permission model on version v25. At the time of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 21:16:00 UTC
CVE-2026-21636
CVE-2026-21637 on Ubuntu 26.04 LTS (resolute) - medium
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 21:16:00 UTC
CVE-2026-21637
CVE-2026-21710 on Ubuntu 26.04 LTS (resolute) - medium
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 20:16:00 UTC
CVE-2026-21710
CVE-2026-21711 on Ubuntu 26.04 LTS (resolute) - medium
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary. This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 20:16:00 UTC
CVE-2026-21711
CVE-2026-21712 on Ubuntu 26.04 LTS (resolute) - medium
A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 16:16:00 UTC
CVE-2026-21712
CVE-2026-21713 on Ubuntu 26.04 LTS (resolute) - medium
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 20:16:00 UTC
CVE-2026-21713
CVE-2026-21714 on Ubuntu 26.04 LTS (resolute) - medium
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 20:16:00 UTC
CVE-2026-21714
CVE-2026-21715 on Ubuntu 26.04 LTS (resolute) - medium
A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 20:16:00 UTC
CVE-2026-21715
CVE-2026-21716 on Ubuntu 26.04 LTS (resolute) - medium
An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 20:16:00 UTC
CVE-2026-21716
CVE-2026-21717 on Ubuntu 26.04 LTS (resolute) - medium
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 20:16:00 UTC
CVE-2026-21717
CVE-2026-21869 on Ubuntu 26.04 LTS (resolute) - medium
llama.cpp is an inference of several LLM models in C/C++. In commits 55d4206c8 and prior, the n_discard parameter is parsed directly from JSON input in the llama.cpp server's completion endpoints without validation to ensure it's non-negative. When a negative value is supplied and the context fills up, llama_memory_seq_rm/add receives a reversed range and negative offset, causing out-of-bounds memory writes in the token evaluation loop. This deterministic memory corruption can crash the process or enable remote code execution (RCE). There is no fix at the time of publication.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-08 00:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125060
CVE-2026-21869
CVE-2026-21876 on Ubuntu 26.04 LTS (resolute) - medium
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-08 14:15:00 UTC
CVE-2026-21876
CVE-2026-21885 on Ubuntu 26.04 LTS (resolute) - medium
Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-08 14:15:00 UTC
CVE-2026-21885
CVE-2026-21892 on Ubuntu 26.04 LTS (resolute) - medium
Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database. Version 2026.01.05 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-08 14:15:00 UTC
CVE-2026-21892
CVE-2026-21925 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2026-21925` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-8-demo - 8u482-ga~us1-0ubuntu1
openjdk-8-jdk - 8u482-ga~us1-0ubuntu1
openjdk-8-jdk-headless - 8u482-ga~us1-0ubuntu1
openjdk-8-jre - 8u482-ga~us1-0ubuntu1
openjdk-8-jre-headless - 8u482-ga~us1-0ubuntu1
openjdk-8-jre-zero - 8u482-ga~us1-0ubuntu1
openjdk-8-source - 8u482-ga~us1-0ubuntu1
No subscription required
openjdk-11-demo - 11.0.30+7-1ubuntu1
openjdk-11-jdk - 11.0.30+7-1ubuntu1
openjdk-11-jdk-headless - 11.0.30+7-1ubuntu1
openjdk-11-jre - 11.0.30+7-1ubuntu1
openjdk-11-jre-headless - 11.0.30+7-1ubuntu1
openjdk-11-jre-zero - 11.0.30+7-1ubuntu1
openjdk-11-source - 11.0.30+7-1ubuntu1
No subscription required
openjdk-17-demo - 17.0.18+8-1
openjdk-17-jdk - 17.0.18+8-1
openjdk-17-jdk-headless - 17.0.18+8-1
openjdk-17-jre - 17.0.18+8-1
openjdk-17-jre-headless - 17.0.18+8-1
openjdk-17-jre-zero - 17.0.18+8-1
openjdk-17-source - 17.0.18+8-1
No subscription required
openjdk-17-crac-demo - 17.0.18+8-0ubuntu1
openjdk-17-crac-jdk - 17.0.18+8-0ubuntu1
openjdk-17-crac-jdk-headless - 17.0.18+8-0ubuntu1
openjdk-17-crac-jre - 17.0.18+8-0ubuntu1
openjdk-17-crac-jre-headless - 17.0.18+8-0ubuntu1
openjdk-17-crac-jre-zero - 17.0.18+8-0ubuntu1
openjdk-17-crac-source - 17.0.18+8-0ubuntu1
No subscription required
openjdk-21-crac-demo - 21.0.10+7-1
openjdk-21-crac-jdk - 21.0.10+7-1
openjdk-21-crac-jdk-headless - 21.0.10+7-1
openjdk-21-crac-jre - 21.0.10+7-1
openjdk-21-crac-jre-headless - 21.0.10+7-1
openjdk-21-crac-jre-zero - 21.0.10+7-1
openjdk-21-crac-source - 21.0.10+7-1
openjdk-21-crac-testsupport - 21.0.10+7-1
No subscription required
openjdk-25-demo - 25.0.2+10-1
openjdk-25-jdk - 25.0.2+10-1
openjdk-25-jdk-headless - 25.0.2+10-1
openjdk-25-jre - 25.0.2+10-1
openjdk-25-jre-headless - 25.0.2+10-1
openjdk-25-jre-zero - 25.0.2+10-1
openjdk-25-jvmci-jdk - 25.0.2+10-1
openjdk-25-source - 25.0.2+10-1
openjdk-25-testsupport - 25.0.2+10-1
No subscription required
openjdk-25-crac-demo - 25.0.2+10-0ubuntu1
openjdk-25-crac-jdk - 25.0.2+10-0ubuntu1
openjdk-25-crac-jdk-headless - 25.0.2+10-0ubuntu1
openjdk-25-crac-jre - 25.0.2+10-0ubuntu1
openjdk-25-crac-jre-headless - 25.0.2+10-0ubuntu1
openjdk-25-crac-jre-zero - 25.0.2+10-0ubuntu1
openjdk-25-crac-source - 25.0.2+10-0ubuntu1
openjdk-25-crac-testsupport - 25.0.2+10-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:15:00 UTC
2026-01-20 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-8000-1]
[https://ubuntu.com/security/notices/USN-8001-1]
[https://ubuntu.com/security/notices/USN-8002-1]
[https://ubuntu.com/security/notices/USN-8003-1]
[https://ubuntu.com/security/notices/USN-7995-1]
[https://ubuntu.com/security/notices/USN-7996-1]
[https://ubuntu.com/security/notices/USN-7997-1]
[https://ubuntu.com/security/notices/USN-7998-1]
CVE-2026-21925
CVE-2026-21932 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).
Update Instructions:
Run `sudo pro fix CVE-2026-21932` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-8-demo - 8u482-ga~us1-0ubuntu1
openjdk-8-jdk - 8u482-ga~us1-0ubuntu1
openjdk-8-jdk-headless - 8u482-ga~us1-0ubuntu1
openjdk-8-jre - 8u482-ga~us1-0ubuntu1
openjdk-8-jre-headless - 8u482-ga~us1-0ubuntu1
openjdk-8-jre-zero - 8u482-ga~us1-0ubuntu1
openjdk-8-source - 8u482-ga~us1-0ubuntu1
No subscription required
openjdk-11-demo - 11.0.30+7-1ubuntu1
openjdk-11-jdk - 11.0.30+7-1ubuntu1
openjdk-11-jdk-headless - 11.0.30+7-1ubuntu1
openjdk-11-jre - 11.0.30+7-1ubuntu1
openjdk-11-jre-headless - 11.0.30+7-1ubuntu1
openjdk-11-jre-zero - 11.0.30+7-1ubuntu1
openjdk-11-source - 11.0.30+7-1ubuntu1
No subscription required
openjdk-17-demo - 17.0.18+8-1
openjdk-17-jdk - 17.0.18+8-1
openjdk-17-jdk-headless - 17.0.18+8-1
openjdk-17-jre - 17.0.18+8-1
openjdk-17-jre-headless - 17.0.18+8-1
openjdk-17-jre-zero - 17.0.18+8-1
openjdk-17-source - 17.0.18+8-1
No subscription required
openjdk-17-crac-demo - 17.0.18+8-0ubuntu1
openjdk-17-crac-jdk - 17.0.18+8-0ubuntu1
openjdk-17-crac-jdk-headless - 17.0.18+8-0ubuntu1
openjdk-17-crac-jre - 17.0.18+8-0ubuntu1
openjdk-17-crac-jre-headless - 17.0.18+8-0ubuntu1
openjdk-17-crac-jre-zero - 17.0.18+8-0ubuntu1
openjdk-17-crac-source - 17.0.18+8-0ubuntu1
No subscription required
openjdk-21-crac-demo - 21.0.10+7-1
openjdk-21-crac-jdk - 21.0.10+7-1
openjdk-21-crac-jdk-headless - 21.0.10+7-1
openjdk-21-crac-jre - 21.0.10+7-1
openjdk-21-crac-jre-headless - 21.0.10+7-1
openjdk-21-crac-jre-zero - 21.0.10+7-1
openjdk-21-crac-source - 21.0.10+7-1
openjdk-21-crac-testsupport - 21.0.10+7-1
No subscription required
openjdk-25-demo - 25.0.2+10-1
openjdk-25-jdk - 25.0.2+10-1
openjdk-25-jdk-headless - 25.0.2+10-1
openjdk-25-jre - 25.0.2+10-1
openjdk-25-jre-headless - 25.0.2+10-1
openjdk-25-jre-zero - 25.0.2+10-1
openjdk-25-jvmci-jdk - 25.0.2+10-1
openjdk-25-source - 25.0.2+10-1
openjdk-25-testsupport - 25.0.2+10-1
No subscription required
openjdk-25-crac-demo - 25.0.2+10-0ubuntu1
openjdk-25-crac-jdk - 25.0.2+10-0ubuntu1
openjdk-25-crac-jdk-headless - 25.0.2+10-0ubuntu1
openjdk-25-crac-jre - 25.0.2+10-0ubuntu1
openjdk-25-crac-jre-headless - 25.0.2+10-0ubuntu1
openjdk-25-crac-jre-zero - 25.0.2+10-0ubuntu1
openjdk-25-crac-source - 25.0.2+10-0ubuntu1
openjdk-25-crac-testsupport - 25.0.2+10-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:15:00 UTC
2026-01-20 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-8000-1]
[https://ubuntu.com/security/notices/USN-8001-1]
[https://ubuntu.com/security/notices/USN-8002-1]
[https://ubuntu.com/security/notices/USN-8003-1]
[https://ubuntu.com/security/notices/USN-7995-1]
[https://ubuntu.com/security/notices/USN-7996-1]
[https://ubuntu.com/security/notices/USN-7997-1]
[https://ubuntu.com/security/notices/USN-7998-1]
CVE-2026-21932
CVE-2026-21933 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Update Instructions:
Run `sudo pro fix CVE-2026-21933` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-8-demo - 8u482-ga~us1-0ubuntu1
openjdk-8-jdk - 8u482-ga~us1-0ubuntu1
openjdk-8-jdk-headless - 8u482-ga~us1-0ubuntu1
openjdk-8-jre - 8u482-ga~us1-0ubuntu1
openjdk-8-jre-headless - 8u482-ga~us1-0ubuntu1
openjdk-8-jre-zero - 8u482-ga~us1-0ubuntu1
openjdk-8-source - 8u482-ga~us1-0ubuntu1
No subscription required
openjdk-11-demo - 11.0.30+7-1ubuntu1
openjdk-11-jdk - 11.0.30+7-1ubuntu1
openjdk-11-jdk-headless - 11.0.30+7-1ubuntu1
openjdk-11-jre - 11.0.30+7-1ubuntu1
openjdk-11-jre-headless - 11.0.30+7-1ubuntu1
openjdk-11-jre-zero - 11.0.30+7-1ubuntu1
openjdk-11-source - 11.0.30+7-1ubuntu1
No subscription required
openjdk-17-demo - 17.0.18+8-1
openjdk-17-jdk - 17.0.18+8-1
openjdk-17-jdk-headless - 17.0.18+8-1
openjdk-17-jre - 17.0.18+8-1
openjdk-17-jre-headless - 17.0.18+8-1
openjdk-17-jre-zero - 17.0.18+8-1
openjdk-17-source - 17.0.18+8-1
No subscription required
openjdk-17-crac-demo - 17.0.18+8-0ubuntu1
openjdk-17-crac-jdk - 17.0.18+8-0ubuntu1
openjdk-17-crac-jdk-headless - 17.0.18+8-0ubuntu1
openjdk-17-crac-jre - 17.0.18+8-0ubuntu1
openjdk-17-crac-jre-headless - 17.0.18+8-0ubuntu1
openjdk-17-crac-jre-zero - 17.0.18+8-0ubuntu1
openjdk-17-crac-source - 17.0.18+8-0ubuntu1
No subscription required
openjdk-21-crac-demo - 21.0.10+7-1
openjdk-21-crac-jdk - 21.0.10+7-1
openjdk-21-crac-jdk-headless - 21.0.10+7-1
openjdk-21-crac-jre - 21.0.10+7-1
openjdk-21-crac-jre-headless - 21.0.10+7-1
openjdk-21-crac-jre-zero - 21.0.10+7-1
openjdk-21-crac-source - 21.0.10+7-1
openjdk-21-crac-testsupport - 21.0.10+7-1
No subscription required
openjdk-25-demo - 25.0.2+10-1
openjdk-25-jdk - 25.0.2+10-1
openjdk-25-jdk-headless - 25.0.2+10-1
openjdk-25-jre - 25.0.2+10-1
openjdk-25-jre-headless - 25.0.2+10-1
openjdk-25-jre-zero - 25.0.2+10-1
openjdk-25-jvmci-jdk - 25.0.2+10-1
openjdk-25-source - 25.0.2+10-1
openjdk-25-testsupport - 25.0.2+10-1
No subscription required
openjdk-25-crac-demo - 25.0.2+10-0ubuntu1
openjdk-25-crac-jdk - 25.0.2+10-0ubuntu1
openjdk-25-crac-jdk-headless - 25.0.2+10-0ubuntu1
openjdk-25-crac-jre - 25.0.2+10-0ubuntu1
openjdk-25-crac-jre-headless - 25.0.2+10-0ubuntu1
openjdk-25-crac-jre-zero - 25.0.2+10-0ubuntu1
openjdk-25-crac-source - 25.0.2+10-0ubuntu1
openjdk-25-crac-testsupport - 25.0.2+10-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:15:00 UTC
2026-01-20 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-8000-1]
[https://ubuntu.com/security/notices/USN-8001-1]
[https://ubuntu.com/security/notices/USN-8002-1]
[https://ubuntu.com/security/notices/USN-8003-1]
[https://ubuntu.com/security/notices/USN-7995-1]
[https://ubuntu.com/security/notices/USN-7996-1]
[https://ubuntu.com/security/notices/USN-7997-1]
[https://ubuntu.com/security/notices/USN-7998-1]
CVE-2026-21933
CVE-2026-21936 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2026-21936` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.8-0ubuntu1
mysql-client - 8.4.8-0ubuntu1
mysql-client-core - 8.4.8-0ubuntu1
mysql-router - 8.4.8-0ubuntu1
mysql-server - 8.4.8-0ubuntu1
mysql-server-core - 8.4.8-0ubuntu1
mysql-source - 8.4.8-0ubuntu1
mysql-testsuite - 8.4.8-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:15:00 UTC
2026-01-20 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-7994-1]
[https://ubuntu.com/security/notices/USN-8006-1]
CVE-2026-21936
CVE-2026-21937 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2026-21937` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.8-0ubuntu1
mysql-client - 8.4.8-0ubuntu1
mysql-client-core - 8.4.8-0ubuntu1
mysql-router - 8.4.8-0ubuntu1
mysql-server - 8.4.8-0ubuntu1
mysql-server-core - 8.4.8-0ubuntu1
mysql-source - 8.4.8-0ubuntu1
mysql-testsuite - 8.4.8-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:15:00 UTC
2026-01-20 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-7994-1]
[https://ubuntu.com/security/notices/USN-8006-1]
CVE-2026-21937
CVE-2026-21941 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2026-21941` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.8-0ubuntu1
mysql-client - 8.4.8-0ubuntu1
mysql-client-core - 8.4.8-0ubuntu1
mysql-router - 8.4.8-0ubuntu1
mysql-server - 8.4.8-0ubuntu1
mysql-server-core - 8.4.8-0ubuntu1
mysql-source - 8.4.8-0ubuntu1
mysql-testsuite - 8.4.8-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:15:00 UTC
2026-01-20 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-7994-1]
[https://ubuntu.com/security/notices/USN-8006-1]
CVE-2026-21941
CVE-2026-21945 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2026-21945` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openjdk-8-demo - 8u482-ga~us1-0ubuntu1
openjdk-8-jdk - 8u482-ga~us1-0ubuntu1
openjdk-8-jdk-headless - 8u482-ga~us1-0ubuntu1
openjdk-8-jre - 8u482-ga~us1-0ubuntu1
openjdk-8-jre-headless - 8u482-ga~us1-0ubuntu1
openjdk-8-jre-zero - 8u482-ga~us1-0ubuntu1
openjdk-8-source - 8u482-ga~us1-0ubuntu1
No subscription required
openjdk-11-demo - 11.0.30+7-1ubuntu1
openjdk-11-jdk - 11.0.30+7-1ubuntu1
openjdk-11-jdk-headless - 11.0.30+7-1ubuntu1
openjdk-11-jre - 11.0.30+7-1ubuntu1
openjdk-11-jre-headless - 11.0.30+7-1ubuntu1
openjdk-11-jre-zero - 11.0.30+7-1ubuntu1
openjdk-11-source - 11.0.30+7-1ubuntu1
No subscription required
openjdk-17-demo - 17.0.18+8-1
openjdk-17-jdk - 17.0.18+8-1
openjdk-17-jdk-headless - 17.0.18+8-1
openjdk-17-jre - 17.0.18+8-1
openjdk-17-jre-headless - 17.0.18+8-1
openjdk-17-jre-zero - 17.0.18+8-1
openjdk-17-source - 17.0.18+8-1
No subscription required
openjdk-17-crac-demo - 17.0.18+8-0ubuntu1
openjdk-17-crac-jdk - 17.0.18+8-0ubuntu1
openjdk-17-crac-jdk-headless - 17.0.18+8-0ubuntu1
openjdk-17-crac-jre - 17.0.18+8-0ubuntu1
openjdk-17-crac-jre-headless - 17.0.18+8-0ubuntu1
openjdk-17-crac-jre-zero - 17.0.18+8-0ubuntu1
openjdk-17-crac-source - 17.0.18+8-0ubuntu1
No subscription required
openjdk-21-crac-demo - 21.0.10+7-1
openjdk-21-crac-jdk - 21.0.10+7-1
openjdk-21-crac-jdk-headless - 21.0.10+7-1
openjdk-21-crac-jre - 21.0.10+7-1
openjdk-21-crac-jre-headless - 21.0.10+7-1
openjdk-21-crac-jre-zero - 21.0.10+7-1
openjdk-21-crac-source - 21.0.10+7-1
openjdk-21-crac-testsupport - 21.0.10+7-1
No subscription required
openjdk-25-demo - 25.0.2+10-1
openjdk-25-jdk - 25.0.2+10-1
openjdk-25-jdk-headless - 25.0.2+10-1
openjdk-25-jre - 25.0.2+10-1
openjdk-25-jre-headless - 25.0.2+10-1
openjdk-25-jre-zero - 25.0.2+10-1
openjdk-25-jvmci-jdk - 25.0.2+10-1
openjdk-25-source - 25.0.2+10-1
openjdk-25-testsupport - 25.0.2+10-1
No subscription required
openjdk-25-crac-demo - 25.0.2+10-0ubuntu1
openjdk-25-crac-jdk - 25.0.2+10-0ubuntu1
openjdk-25-crac-jdk-headless - 25.0.2+10-0ubuntu1
openjdk-25-crac-jre - 25.0.2+10-0ubuntu1
openjdk-25-crac-jre-headless - 25.0.2+10-0ubuntu1
openjdk-25-crac-jre-zero - 25.0.2+10-0ubuntu1
openjdk-25-crac-source - 25.0.2+10-0ubuntu1
openjdk-25-crac-testsupport - 25.0.2+10-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:15:00 UTC
2026-01-20 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-8000-1]
[https://ubuntu.com/security/notices/USN-8001-1]
[https://ubuntu.com/security/notices/USN-8002-1]
[https://ubuntu.com/security/notices/USN-8003-1]
[https://ubuntu.com/security/notices/USN-7995-1]
[https://ubuntu.com/security/notices/USN-7996-1]
[https://ubuntu.com/security/notices/USN-7997-1]
[https://ubuntu.com/security/notices/USN-7998-1]
CVE-2026-21945
CVE-2026-21947 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u471-b50. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:15:00 UTC
CVE-2026-21947
CVE-2026-21948 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2026-21948` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.8-0ubuntu1
mysql-client - 8.4.8-0ubuntu1
mysql-client-core - 8.4.8-0ubuntu1
mysql-router - 8.4.8-0ubuntu1
mysql-server - 8.4.8-0ubuntu1
mysql-server-core - 8.4.8-0ubuntu1
mysql-source - 8.4.8-0ubuntu1
mysql-testsuite - 8.4.8-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:15:00 UTC
2026-01-20 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-7994-1]
[https://ubuntu.com/security/notices/USN-8006-1]
CVE-2026-21948
CVE-2026-21955 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:15:00 UTC
CVE-2026-21955
CVE-2026-21956 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:15:00 UTC
CVE-2026-21956
CVE-2026-21957 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:15:00 UTC
CVE-2026-21957
CVE-2026-21963 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:15:00 UTC
CVE-2026-21963
CVE-2026-21964 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2026-21964` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.8-0ubuntu1
mysql-client - 8.4.8-0ubuntu1
mysql-client-core - 8.4.8-0ubuntu1
mysql-router - 8.4.8-0ubuntu1
mysql-server - 8.4.8-0ubuntu1
mysql-server-core - 8.4.8-0ubuntu1
mysql-source - 8.4.8-0ubuntu1
mysql-testsuite - 8.4.8-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:15:00 UTC
2026-01-20 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-7994-1]
[https://ubuntu.com/security/notices/USN-8006-1]
CVE-2026-21964
CVE-2026-21968 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Update Instructions:
Run `sudo pro fix CVE-2026-21968` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libmysqlclient24 - 8.4.8-0ubuntu1
mysql-client - 8.4.8-0ubuntu1
mysql-client-core - 8.4.8-0ubuntu1
mysql-router - 8.4.8-0ubuntu1
mysql-server - 8.4.8-0ubuntu1
mysql-server-core - 8.4.8-0ubuntu1
mysql-source - 8.4.8-0ubuntu1
mysql-testsuite - 8.4.8-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:15:00 UTC
2026-01-20 22:15:00 UTC
[https://ubuntu.com/security/notices/USN-7994-1]
[https://ubuntu.com/security/notices/USN-8006-1]
CVE-2026-21968
CVE-2026-21981 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.6 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:16:00 UTC
CVE-2026-21981
CVE-2026-21982 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:16:00 UTC
CVE-2026-21982
CVE-2026-21983 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:16:00 UTC
CVE-2026-21983
CVE-2026-21984 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:16:00 UTC
CVE-2026-21984
CVE-2026-21985 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:16:00 UTC
CVE-2026-21985
CVE-2026-21986 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: This vulnerability applies to Windows VMs only. CVSS 3.1 Base Score 7.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:16:00 UTC
CVE-2026-21986
CVE-2026-21987 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:16:00 UTC
CVE-2026-21987
CVE-2026-21988 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:16:00 UTC
CVE-2026-21988
CVE-2026-21989 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:16:00 UTC
CVE-2026-21989
CVE-2026-21990 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 22:16:00 UTC
CVE-2026-21990
CVE-2026-21996 on Ubuntu 26.04 LTS (resolute) - medium
An unprivileged attacker can reliably trigger a crash of the dtrace process with a malicious ELF binary due to an integer Divide-by-Zero in Pbuild_file_symtab()
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 18:16:00 UTC
CVE-2026-21996
CVE-2026-21998 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
mdeslaur(main)
CVE-2026-21998
CVE-2026-22001 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-22001
CVE-2026-22002 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-22002
CVE-2026-22003 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u481 and 8u481-b50; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 6.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-22003
CVE-2026-22004 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-22004
CVE-2026-22005 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-22005
CVE-2026-22007 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-22007
CVE-2026-22008 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Oracle Java SE (component: Libraries). The supported version that is affected is Oracle Java SE: 25.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-22008
CVE-2026-22009 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-22009
CVE-2026-22013 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-22013
CVE-2026-22015 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-22015
CVE-2026-22016 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-22016
CVE-2026-22017 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-22017
CVE-2026-22018 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-22018
CVE-2026-22020 on Ubuntu 26.04 LTS (resolute) - medium
[updated libpng in Oracle Java]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28
CVE-2026-22020
CVE-2026-22021 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-22021
CVE-2026-22022 on Ubuntu 26.04 LTS (resolute) - medium
Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components. Only deployments that meet all of the following criteria are impacted by this vulnerability:
 * Use of Solr's "RuleBasedAuthorizationPlugin"
 * A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple "roles"
 * A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: "config-read", "config-edit", "schema-read", "metrics-read", or "security-read".
 * A RuleBasedAuthorizationPlugin permission list that doesn't define the "all" pre-defined permission
 * A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway)
Users can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the "all" pre-defined permission and associates the permission with an "admin" or other privileged role. Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-21 14:16:00 UTC
CVE-2026-22022
CVE-2026-22028 on Ubuntu 26.04 LTS (resolute) - medium
Preact, a lightweight web development framework, has JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed to be strings and passed unmodified to Preact as children, a specially-crafted JSON payload could be constructed that would be incorrectly treated as a valid VNode. When this chain of failures occurs it can result in HTML injection, which can allow arbitrary script execution if not mitigated by CSP or other means. Applications using affected Preact versions are vulnerable if they meet all of the following conditions: first, pass unmodified, unsanitized values from user-modifiable data sources (APIs, databases, local storage, etc.) directly into the render tree; second, assume these values are strings but the data source could return actual JavaScript objects instead of JSON strings; and third, the data source either fails to perform type sanitization AND blindly stores/returns raw objects interchangeably with strings, OR is compromised (e.g., poisoned local storage, filesystem, or database). Versions 10.26.10, 10.27.3, and 10.28.2 patch the issue. The patch versions restore the previous strict equality checks that prevent JSON-parsed objects from being treated as valid VNodes. Other mitigations are available for those who cannot immediately upgrade. Validate input types, cast or validate network data, sanitize external data, and use Content Security Policy (CSP).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-08 15:15:00 UTC
CVE-2026-22028
CVE-2026-22036 on Ubuntu 26.04 LTS (resolute) - medium
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-14 19:16:00 UTC
CVE-2026-22036
CVE-2026-22184 on Ubuntu 26.04 LTS (resolute) - medium
zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz command with an excessively long archive name supplied via the command line, leading to an out-of-bounds write in a fixed-size global buffer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-07 21:16:00 UTC
https://github.com/madler/zlib/issues/1142
CVE-2026-22184
CVE-2026-22185 on Ubuntu 26.04 LTS (resolute) - medium
OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-07 21:16:00 UTC
CVE-2026-22185
CVE-2026-22205 on Ubuntu 26.04 LTS (resolute) - medium
SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive internal data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-26 21:28:00 UTC
CVE-2026-22205
CVE-2026-22206 on Ubuntu 26.04 LTS (resolute) - medium
SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined with PHP tag processing to achieve remote code execution on the server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-26 21:28:00 UTC
CVE-2026-22206
CVE-2026-22250 on Ubuntu 26.04 LTS (resolute) - medium
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-12 18:15:00 UTC
2026-01-12 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-7981-1]
CVE-2026-22250
CVE-2026-22251 on Ubuntu 26.04 LTS (resolute) - medium
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-12 18:15:00 UTC
2026-01-12 18:15:00 UTC
[https://ubuntu.com/security/notices/USN-7981-1]
CVE-2026-22251
CVE-2026-2229 on Ubuntu 26.04 LTS (resolute) - medium
Impact: The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination. The vulnerability exists because:
 * The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
 * The createInflateRaw() call is not wrapped in a try-catch block
 * The resulting exception propagates up through the call stack and crashes the Node.js process
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 21:16:00 UTC
CVE-2026-2229
CVE-2026-2239 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in GIMP. Heap-buffer-overflow vulnerability exists in the fread_pascal_string function when processing a specially crafted PSD (Photoshop Document) file. This occurs because the buffer allocated for a Pascal string is not properly null-terminated, leading to an out-of-bounds read when strlen() is subsequently called. Successfully exploiting this vulnerability can cause the application to crash, resulting in an application level Denial of Service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 21:17:00 UTC
CVE-2026-2239
CVE-2026-2243 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in QEMU. A specially crafted VMDK image could trigger an out-of-bounds read vulnerability, potentially leading to a 12-byte leak of sensitive information or a denial of service condition (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-19 18:25:00 UTC
2026-02-19 18:25:00 UTC
fabian
https://bugzilla.redhat.com/show_bug.cgi?id=2440934
[https://ubuntu.com/security/notices/USN-8161-1]
CVE-2026-2243
CVE-2026-22444 on Ubuntu 26.04 LTS (resolute) - medium
The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element. These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem. On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM "user" hashes. Solr deployments are subject to this vulnerability if they meet the following criteria:
 * Solr is running in its "standalone" mode.
 * Solr's "allowPath" setting is being used to restrict file access to certain directories.
 * Solr's "create core" API is exposed and accessible to untrusted users. This can happen if Solr's RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles.
Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-21 14:16:00 UTC
CVE-2026-22444
CVE-2026-22554 on Ubuntu 26.04 LTS (resolute) - medium
MediaArea MediaInfoLib Channel Splitting heap-based buffer overflow vulnerability
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-22554
CVE-2026-22610 on Ubuntu 26.04 LTS (resolute) - medium
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-10 04:16:00 UTC
CVE-2026-22610
CVE-2026-22690 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-10 05:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125187
CVE-2026-22690
CVE-2026-22691 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-10 05:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125187
CVE-2026-22691
CVE-2026-22701 on Ubuntu 26.04 LTS (resolute) - medium
filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. This issue has been patched in version 3.20.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-10 06:15:00 UTC
2026-01-10 06:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125190
[https://ubuntu.com/security/notices/USN-7999-1]
CVE-2026-22701
CVE-2026-22702 on Ubuntu 26.04 LTS (resolute) - medium
virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-10 07:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125191
CVE-2026-22702
CVE-2026-22703 on Ubuntu 26.04 LTS (resolute) - medium
Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, a Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's public key from either a Fulcio certificate or provided by the user, and the artifact signature to the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor that has compromised a user's identity or signing key could construct a valid Cosign bundle by including any arbitrary Rekor entry, thus preventing the user from being able to audit the signing event. This issue has been patched in versions 2.6.2 and 3.0.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-10 07:16:00 UTC
CVE-2026-22703
CVE-2026-2271 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in GIMP's PSP (Paint Shop Pro) file parser. A remote attacker could exploit an integer overflow vulnerability in the read_creator_block() function by providing a specially crafted PSP image file. This vulnerability occurs when a 32-bit length value from the file is used for memory allocation without proper validation, leading to a heap overflow and an out-of-bounds write. Successful exploitation could result in an application level denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 21:17:00 UTC
CVE-2026-2271
CVE-2026-2272 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in GIMP. An integer overflow vulnerability exists when processing ICO image files, specifically in the `ico_read_info` and `ico_read_icon` functions. This issue arises because a size calculation for image buffers can wrap around due to a 32-bit integer evaluation, allowing oversized image headers to bypass security checks. A remote attacker could exploit this by providing a specially crafted ICO file, leading to a buffer overflow and memory corruption, which may result in an application level denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 21:17:00 UTC
CVE-2026-2272
CVE-2026-22735 on Ubuntu 26.04 LTS (resolute) - medium
Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 00:16:00 UTC
CVE-2026-22735
CVE-2026-22737 on Ubuntu 26.04 LTS (resolute) - medium
Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 00:16:00 UTC
CVE-2026-22737
CVE-2026-22740 on Ubuntu 26.04 LTS (resolute) - medium
A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space. Older, unsupported versions are also affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-29 12:16:00 UTC
CVE-2026-22740
CVE-2026-22741 on Ubuntu 26.04 LTS (resolute) - medium
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true:
 * the application is using Spring MVC or Spring WebFlux
 * the application is configuring the resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title with caching enabled
 * the application adds support for encoded resources resolution
 * the resource cache must be empty when the attacker has access to the application
When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-29 12:16:00 UTC
CVE-2026-22741
CVE-2026-22776 on Ubuntu 26.04 LTS (resolute) - medium
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-12 19:16:00 UTC
CVE-2026-22776
CVE-2026-22791 on Ubuntu 26.04 LTS (resolute) - medium
openCryptoki is a PKCS#11 library and tools for Linux and AIX. In 3.25.0 and 3.26.0, a heap buffer overflow vulnerability in the CKM_ECDH_AES_KEY_WRAP implementation allows an attacker with local access to cause out-of-bounds writes in the host process by supplying a compressed EC public key and invoking C_WrapKey. This can lead to heap corruption, or denial-of-service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-13 19:16:00 UTC
CVE-2026-22791
CVE-2026-22795 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2026-22795` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu1
openssl - 3.5.5-1ubuntu1
openssl-provider-legacy - 3.5.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-01-27
2026-01-27
Luigino Camastra
[https://ubuntu.com/security/notices/USN-7980-1]
[https://ubuntu.com/security/notices/USN-7980-2]
CVE-2026-22795
CVE-2026-22796 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
Update Instructions:
Run `sudo pro fix CVE-2026-22796` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu1
openssl - 3.5.5-1ubuntu1
openssl-provider-legacy - 3.5.5-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-01-27
2026-01-27
Luigino Camastra
[https://ubuntu.com/security/notices/USN-7980-1]
[https://ubuntu.com/security/notices/USN-7980-2]
CVE-2026-22796
CVE-2026-22801 on Ubuntu 26.04 LTS (resolute) - medium
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes a heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.
Update Instructions:
Run `sudo pro fix CVE-2026-22801` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libpng-tools - 1.6.54-1
libpng16-16t64 - 1.6.54-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-12 23:15:00 UTC
2026-01-12 23:15:00 UTC
Cosmin Truta
https://github.com/pnggroup/libpng/issues/778
[https://ubuntu.com/security/notices/USN-7963-1]
[https://ubuntu.com/security/notices/USN-8035-1]
CVE-2026-22801
CVE-2026-22815 on Ubuntu 26.04 LTS (resolute) - medium
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 21:16:00 UTC
CVE-2026-22815
CVE-2026-22816 on Ubuntu 26.04 LTS (resolute) - medium
Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. If a Gradle build used an unresolvable host name, Gradle would continue to work as long as all dependencies could be resolved from another repository. An unresolvable host name could be caused by allowing a repository's domain name registration to lapse or typo-ing the real domain name. This behavior could allow an attacker to register a service under the host name used by the build and serve malicious artifacts. The attack requires the repository to be listed before others in the build configuration. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-16 23:15:00 UTC
CVE-2026-22816
CVE-2026-22851 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to sdl->primary (SDL_Surface) is accessed after it has been freed during RDPGFX ResetGraphics handling. This vulnerability is fixed in 3.20.1.
Update Instructions:
Run `sudo pro fix CVE-2026-22851` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.20.2+dfsg-1
freerdp3-proxy-modules - 3.20.2+dfsg-1
freerdp3-sdl - 3.20.2+dfsg-1
freerdp3-shadow-x11 - 3.20.2+dfsg-1
freerdp3-wayland - 3.20.2+dfsg-1
freerdp3-x11 - 3.20.2+dfsg-1
libfreerdp-client3-3 - 3.20.2+dfsg-1
libfreerdp-server-proxy3-3 - 3.20.2+dfsg-1
libfreerdp-server3-3 - 3.20.2+dfsg-1
libfreerdp-shadow-subsystem3-3 - 3.20.2+dfsg-1
libfreerdp-shadow3-3 - 3.20.2+dfsg-1
libfreerdp3-3 - 3.20.2+dfsg-1
libwinpr-tools3-3 - 3.20.2+dfsg-1
libwinpr3-3 - 3.20.2+dfsg-1
winpr3-utils - 3.20.2+dfsg-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-14 18:16:00 UTC
2026-01-14 18:16:00 UTC
[https://ubuntu.com/security/notices/USN-8105-1]
CVE-2026-22851
CVE-2026-22852 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1.
Update Instructions:
Run `sudo pro fix CVE-2026-22852` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.20.2+dfsg-1
freerdp3-proxy-modules - 3.20.2+dfsg-1
freerdp3-sdl - 3.20.2+dfsg-1
freerdp3-shadow-x11 - 3.20.2+dfsg-1
freerdp3-wayland - 3.20.2+dfsg-1
freerdp3-x11 - 3.20.2+dfsg-1
libfreerdp-client3-3 - 3.20.2+dfsg-1
libfreerdp-server-proxy3-3 - 3.20.2+dfsg-1
libfreerdp-server3-3 - 3.20.2+dfsg-1
libfreerdp-shadow-subsystem3-3 - 3.20.2+dfsg-1
libfreerdp-shadow3-3 - 3.20.2+dfsg-1
libfreerdp3-3 - 3.20.2+dfsg-1
libwinpr-tools3-3 - 3.20.2+dfsg-1
libwinpr3-3 - 3.20.2+dfsg-1
winpr3-utils - 3.20.2+dfsg-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-14 18:16:00 UTC
2026-01-14 18:16:00 UTC
[https://ubuntu.com/security/notices/USN-8105-1]
CVE-2026-22852
CVE-2026-22854 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1.
Update Instructions:
Run `sudo pro fix CVE-2026-22854` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.20.2+dfsg-1
freerdp3-proxy-modules - 3.20.2+dfsg-1
freerdp3-sdl - 3.20.2+dfsg-1
freerdp3-shadow-x11 - 3.20.2+dfsg-1
freerdp3-wayland - 3.20.2+dfsg-1
freerdp3-x11 - 3.20.2+dfsg-1
libfreerdp-client3-3 - 3.20.2+dfsg-1
libfreerdp-server-proxy3-3 - 3.20.2+dfsg-1
libfreerdp-server3-3 - 3.20.2+dfsg-1
libfreerdp-shadow-subsystem3-3 - 3.20.2+dfsg-1
libfreerdp-shadow3-3 - 3.20.2+dfsg-1
libfreerdp3-3 - 3.20.2+dfsg-1
libwinpr-tools3-3 - 3.20.2+dfsg-1
libwinpr3-3 - 3.20.2+dfsg-1
winpr3-utils - 3.20.2+dfsg-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-14 18:16:00 UTC
2026-01-14 18:16:00 UTC
[https://ubuntu.com/security/notices/USN-8105-1]
CVE-2026-22854
CVE-2026-22855 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1.
Update Instructions:
Run `sudo pro fix CVE-2026-22855` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.20.2+dfsg-1
freerdp3-proxy-modules - 3.20.2+dfsg-1
freerdp3-sdl - 3.20.2+dfsg-1
freerdp3-shadow-x11 - 3.20.2+dfsg-1
freerdp3-wayland - 3.20.2+dfsg-1
freerdp3-x11 - 3.20.2+dfsg-1
libfreerdp-client3-3 - 3.20.2+dfsg-1
libfreerdp-server-proxy3-3 - 3.20.2+dfsg-1
libfreerdp-server3-3 - 3.20.2+dfsg-1
libfreerdp-shadow-subsystem3-3 - 3.20.2+dfsg-1
libfreerdp-shadow3-3 - 3.20.2+dfsg-1
libfreerdp3-3 - 3.20.2+dfsg-1
libwinpr-tools3-3 - 3.20.2+dfsg-1
libwinpr3-3 - 3.20.2+dfsg-1
winpr3-utils - 3.20.2+dfsg-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-14 18:16:00 UTC
2026-01-14 18:16:00 UTC
[https://ubuntu.com/security/notices/USN-8105-1]
CVE-2026-22855
CVE-2026-22856 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use-after-free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1.
Update Instructions:
Run `sudo pro fix CVE-2026-22856` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.20.2+dfsg-1
freerdp3-proxy-modules - 3.20.2+dfsg-1
freerdp3-sdl - 3.20.2+dfsg-1
freerdp3-shadow-x11 - 3.20.2+dfsg-1
freerdp3-wayland - 3.20.2+dfsg-1
freerdp3-x11 - 3.20.2+dfsg-1
libfreerdp-client3-3 - 3.20.2+dfsg-1
libfreerdp-server-proxy3-3 - 3.20.2+dfsg-1
libfreerdp-server3-3 - 3.20.2+dfsg-1
libfreerdp-shadow-subsystem3-3 - 3.20.2+dfsg-1
libfreerdp-shadow3-3 - 3.20.2+dfsg-1
libfreerdp3-3 - 3.20.2+dfsg-1
libwinpr-tools3-3 - 3.20.2+dfsg-1
libwinpr3-3 - 3.20.2+dfsg-1
winpr3-utils - 3.20.2+dfsg-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-14 18:16:00 UTC
2026-01-14 18:16:00 UTC
[https://ubuntu.com/security/notices/USN-8105-1]
CVE-2026-22856
CVE-2026-22857 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1.
Update Instructions:
Run `sudo pro fix CVE-2026-22857` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.20.2+dfsg-1
freerdp3-proxy-modules - 3.20.2+dfsg-1
freerdp3-sdl - 3.20.2+dfsg-1
freerdp3-shadow-x11 - 3.20.2+dfsg-1
freerdp3-wayland - 3.20.2+dfsg-1
freerdp3-x11 - 3.20.2+dfsg-1
libfreerdp-client3-3 - 3.20.2+dfsg-1
libfreerdp-server-proxy3-3 - 3.20.2+dfsg-1
libfreerdp-server3-3 - 3.20.2+dfsg-1
libfreerdp-shadow-subsystem3-3 - 3.20.2+dfsg-1
libfreerdp-shadow3-3 - 3.20.2+dfsg-1
libfreerdp3-3 - 3.20.2+dfsg-1
libwinpr-tools3-3 - 3.20.2+dfsg-1
libwinpr3-3 - 3.20.2+dfsg-1
winpr3-utils - 3.20.2+dfsg-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-14 18:16:00 UTC
2026-01-14 18:16:00 UTC
[https://ubuntu.com/security/notices/USN-8105-1]
CVE-2026-22857
CVE-2026-22858 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1.
Update Instructions:
Run `sudo pro fix CVE-2026-22858` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.20.2+dfsg-1
freerdp3-proxy-modules - 3.20.2+dfsg-1
freerdp3-sdl - 3.20.2+dfsg-1
freerdp3-shadow-x11 - 3.20.2+dfsg-1
freerdp3-wayland - 3.20.2+dfsg-1
freerdp3-x11 - 3.20.2+dfsg-1
libfreerdp-client3-3 - 3.20.2+dfsg-1
libfreerdp-server-proxy3-3 - 3.20.2+dfsg-1
libfreerdp-server3-3 - 3.20.2+dfsg-1
libfreerdp-shadow-subsystem3-3 - 3.20.2+dfsg-1
libfreerdp-shadow3-3 - 3.20.2+dfsg-1
libfreerdp3-3 - 3.20.2+dfsg-1
libwinpr-tools3-3 - 3.20.2+dfsg-1
libwinpr3-3 - 3.20.2+dfsg-1
winpr3-utils - 3.20.2+dfsg-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-14 18:16:00 UTC
2026-01-14 18:16:00 UTC
[https://ubuntu.com/security/notices/USN-8105-1]
CVE-2026-22858
CVE-2026-22859 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server-supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out-of-bounds read. This vulnerability is fixed in 3.20.1.
Update Instructions:
Run `sudo pro fix CVE-2026-22859` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
freerdp3-proxy - 3.20.2+dfsg-1
freerdp3-proxy-modules - 3.20.2+dfsg-1
freerdp3-sdl - 3.20.2+dfsg-1
freerdp3-shadow-x11 - 3.20.2+dfsg-1
freerdp3-wayland - 3.20.2+dfsg-1
freerdp3-x11 - 3.20.2+dfsg-1
libfreerdp-client3-3 - 3.20.2+dfsg-1
libfreerdp-server-proxy3-3 - 3.20.2+dfsg-1
libfreerdp-server3-3 - 3.20.2+dfsg-1
libfreerdp-shadow-subsystem3-3 - 3.20.2+dfsg-1
libfreerdp-shadow3-3 - 3.20.2+dfsg-1
libfreerdp3-3 - 3.20.2+dfsg-1
libwinpr-tools3-3 - 3.20.2+dfsg-1
libwinpr3-3 - 3.20.2+dfsg-1
winpr3-utils - 3.20.2+dfsg-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-14 18:16:00 UTC
2026-01-14 18:16:00 UTC
[https://ubuntu.com/security/notices/USN-8105-1]
CVE-2026-22859
CVE-2026-22860 on Ubuntu 26.04 LTS (resolute) - medium
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Update Instructions:
Run `sudo pro fix CVE-2026-22860` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ruby-rack - 3.2.4-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-18 19:21:00 UTC
2026-02-18 19:21:00 UTC
[https://ubuntu.com/security/notices/USN-8066-1]
CVE-2026-22860
CVE-2026-22865 on Ubuntu 26.04 LTS (resolute) - medium
Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. An exception like NoHttpResponseException can indicate transient errors. If the errors persist after a maximum number of retries, Gradle would continue to the next repository. This behavior could allow an attacker to disrupt the service of a repository and leverage another repository to serve malicious artifacts. This attack requires the attacker to have control over a repository after the disrupted repository. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-16 23:15:00 UTC
CVE-2026-22865
CVE-2026-22891 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow vulnerability exists in the Intan CLP parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (db9a9a63). A specially crafted Intan CLP file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-03 15:16:00 UTC
CVE-2026-22891
CVE-2026-2291 on Ubuntu 26.04 LTS (resolute) - medium
dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups to redirect to an attacker-controlled IP address, or to cause a DoS.
Update Instructions:
Run `sudo pro fix CVE-2026-2291` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
dnsmasq - 2.92-1ubuntu0.2
dnsmasq-base - 2.92-1ubuntu0.2
dnsmasq-base-lua - 2.92-1ubuntu0.2
dnsmasq-utils - 2.92-1ubuntu0.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 12:00:00 UTC
2026-05-11 12:00:00 UTC
[https://ubuntu.com/security/notices/USN-8268-1]
CVE-2026-2291
CVE-2026-2297 on Ubuntu 26.04 LTS (resolute) - medium
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-04 23:16:00 UTC
CVE-2026-2297
CVE-2026-2302 on Ubuntu 26.04 LTS (resolute) - medium
Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 19:16:00 UTC
CVE-2026-2302
CVE-2026-2327 on Ubuntu 26.04 LTS (resolute) - medium
Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-12 06:16:00 UTC
CVE-2026-2327
CVE-2026-2332 on Ubuntu 26.04 LTS (resolute) - medium
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:
* https://w4ke.info/2025/06/18/funky-chunks.html
* https://w4ke.info/2025/10/29/funky-chunks-2.html
Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.
    POST / HTTP/1.1
    Host: localhost
    Transfer-Encoding: chunked

    1;ext="val
    X
    0

    GET /smuggled HTTP/1.1
    ...
Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14 12:16:00 UTC
CVE-2026-2332
CVE-2026-23479 on Ubuntu 26.04 LTS (resolute) - medium
Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 17:17:00 UTC
CVE-2026-23479
CVE-2026-23528 on Ubuntu 26.04 LTS (resolute) - medium
Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-site scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-16 17:15:00 UTC
CVE-2026-23528
CVE-2026-23535 on Ubuntu 26.04 LTS (resolute) - medium
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-16 19:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125755
CVE-2026-23535
CVE-2026-23553 on Ubuntu 26.04 LTS (resolute) - medium
In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider:
 1) vCPU runs on CPU A, running task 1.
 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB.
 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB.
 4) vCPU moves back to CPU A. Xen skips IBPB again.
Now, task 2 is running on CPU A with task 1's training still in the BTB.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-28 16:16:00 UTC
CVE-2026-23553
CVE-2026-23554 on Ubuntu 26.04 LTS (resolute) - medium
The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-23 07:16:00 UTC
CVE-2026-23554
CVE-2026-23555 on Ubuntu 26.04 LTS (resolute) - medium
Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstored due to a clobbered error indicator in xenstored when verifying the node path. Note that the crash is forced via a failing assert() statement in xenstored. In case xenstored is being built with NDEBUG #defined, an unprivileged guest trying to access the node path "/local/domain/" will result in it no longer being serviced by xenstored, other guests (including dom0) will still be serviced, but xenstored will use up all cpu time it can get.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-23 07:16:00 UTC
CVE-2026-23555
CVE-2026-23556 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28
CVE-2026-23556
CVE-2026-23557 on Ubuntu 26.04 LTS (resolute) - medium
Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction due to an assert() triggering. In case xenstored was built with NDEBUG #defined nothing bad will happen, as assert() is doing nothing in this case. Note that the default is not to define NDEBUG for xenstored builds even in release builds of Xen.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 14:16:00 UTC
CVE-2026-23557
CVE-2026-23558 on Ubuntu 26.04 LTS (resolute) - medium
The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may then be freed while mappings of them would still be inserted into the guest's secondary (P2M) page tables.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 14:16:00 UTC
CVE-2026-23558
CVE-2026-23631 on Ubuntu 26.04 LTS (resolute) - medium
Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, which may lead to remote code execution. A workaround is to prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled. This is patched in version 8.6.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 17:17:00 UTC
CVE-2026-23631
CVE-2026-2369 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsoup. An integer underflow vulnerability occurs when processing content with a zero-length resource, leading to a buffer overread. This can allow an attacker to potentially access sensitive information or cause an application level denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 15:16:00 UTC
https://gitlab.gnome.org/GNOME/libsoup/-/issues/498
CVE-2026-2369
CVE-2026-23738 on Ubuntu 26.04 LTS (resolute) - medium
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-06 17:16:00 UTC
CVE-2026-23738
CVE-2026-23739 on Ubuntu 26.04 LTS (resolute) - medium
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess(). If any untrusted or user-supplied XML file is passed to this function, it can allow an attacker to trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in xml format that triggers the asterisk process to parse it. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-06 17:16:00 UTC
CVE-2026-23739
CVE-2026-23740 on Ubuntu 26.04 LTS (resolute) - medium
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission (which is all users on a linux system) to that directory can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-06 17:16:00 UTC
CVE-2026-23740
CVE-2026-23741 on Ubuntu 26.04 LTS (resolute) - medium
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Due to the /etc/asterisk/ast_debug_tools.conf file following bash semantics and it being loaded; an attacker with write permissions may add or modify the file such that when the root ast_coredumper is run; it would source and thereby execute arbitrary bash code found in the /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-06 17:16:00 UTC
CVE-2026-23741
CVE-2026-23745 on Ubuntu 26.04 LTS (resolute) - medium
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-16 22:16:00 UTC
CVE-2026-23745
CVE-2026-23831 on Ubuntu 26.04 LTS (resolute) - medium
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-22 22:16:00 UTC
CVE-2026-23831
CVE-2026-23868 on Ubuntu 26.04 LTS (resolute) - medium
Giflib contains a double-free vulnerability that is the result of a shallow copy in GifMakeSavedImage and incorrect error handling. The conditions needed to trigger this vulnerability are difficult but may be possible.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 20:16:00 UTC
CVE-2026-23868
CVE-2026-23874 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-13 have a stack overflow via infinite recursion in MSL (Magick Scripting Language) `<write>` command when writing to MSL format. Version 7.1.2-13 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 01:15:00 UTC
CVE-2026-23874
CVE-2026-23893 on Ubuntu 26.04 LTS (resolute) - medium
openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above are vulnerable to symlink-following when running in privileged contexts. A token-group user can redirect file operations to arbitrary filesystem targets by planting symlinks in group-writable token directories, resulting in privilege escalation or data exposure. Token and lock directories are 0770 (group-writable for token users), so any token-group member can plant files and symlinks inside them. When run as root, the base code handling token directory file access, as well as several openCryptoki tools used for administrative purposes, may reset ownership or permissions on existing files inside the token directories. An attacker with token-group membership can exploit the system when an administrator runs a PKCS#11 application or administrative tool that performs chown on files inside the token directory during normal maintenance. This issue is fixed in commit 5e6e4b4, but has not been included in a released version at the time of publication.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-22 01:15:00 UTC
CVE-2026-23893
CVE-2026-23901 on Ubuntu 26.04 LTS (resolute) - medium
Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are different enough, that a brute-force attack may be able to tell, by timing the requests only, determine if the request failed because of a non-existent user vs. wrong password. The most likely attack vector is a local attack only. Shiro security model https://shiro.apache.org/security-model.html#username_enumeration discusses this as well. Typically, brute force attack can be mitigated at the infrastructure level.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 10:15:00 UTC
CVE-2026-23901
CVE-2026-23903 on Ubuntu 26.04 LTS (resolute) - medium
Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The issue only affects static files. If static files are served from a case-insensitive filesystem, such as default macOS setup, static files may be accessed by varying the case of the filename in the request. If only lower-case (common default) filters are present in Shiro, they may be bypassed this way. Shiro 2.0.7 and later has new parameters to remediate this issue:
shiro.ini: filterChainResolver.caseInsensitive = true
application.propertie: shiro.caseInsensitive=true
Shiro 3.0.0 and later (upcoming) makes this the default.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-09 10:15:00 UTC
CVE-2026-23903
CVE-2026-23907 on Ubuntu 26.04 LTS (resolute) - medium
This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename() is appended to the extraction path. Users who have copied this example into their production code should review it to ensure that the extraction path is acceptable. The example has been changed accordingly, now the initial path and the extraction paths are converted into canonical paths and it is verified that extraction path contains the initial path. The documentation has also been adjusted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 18:18:00 UTC
CVE-2026-23907
CVE-2026-2391 on Ubuntu 26.04 LTS (resolute) - medium
### Summary
The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284).

### Details
When the `comma` option is set to `true` (not the default, but configurable in applications), qs allows parsing comma-separated strings as arrays (e.g., `?param=a,b,c` becomes `['a', 'b', 'c']`). However, the limit check for `arrayLimit` (default: 20) and the optional throwOnLimitExceeded occur after the comma-handling logic in `parseArrayValue`, enabling a bypass. This permits creation of arbitrarily large arrays from a single parameter, leading to excessive memory allocation.

**Vulnerable code** (lib/parse.js: lines ~40-50):
```js
if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
    return val.split(',');
}

if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
    throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
}

return val;
```
The `split(',')` returns the array immediately, skipping the subsequent limit check. Downstream merging via `utils.combine` does not prevent allocation, even if it marks overflows for sparse arrays. This discrepancy allows attackers to send a single parameter with millions of commas (e.g., `?param=,,,,,,,,...`), allocating massive arrays in memory without triggering limits. It bypasses the intent of `arrayLimit`, which is enforced correctly for indexed (`a[0]=`) and bracket (`a[]=`) notations (the latter fixed in v6.14.1 per GHSA-6rw7-vpxm-498p).

### PoC
**Test 1 - Basic bypass:**
```
npm install qs
```
```js
const qs = require('qs');
const payload = 'a=' + ','.repeat(25); // 26 elements after split (bypasses arrayLimit: 5)
const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };

try {
  const result = qs.parse(payload, options);
  console.log(result.a.length); // Outputs: 26 (bypass successful)
} catch (e) {
  console.log('Limit enforced:', e.message); // Not thrown
}
```
**Configuration:**
- `comma: true`
- `arrayLimit: 5`
- `throwOnLimitExceeded: true`

Expected: Throws "Array limit exceeded" error.
Actual: Parses successfully, creating an array of length 26.

### Impact
Denial of Service (DoS) via memory exhaustion.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-12 05:17:00 UTC
CVE-2026-2391
CVE-2026-23918 on Ubuntu 26.04 LTS (resolute) - high
Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2026-23918` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.66-2ubuntu2.1
apache2-bin - 2.4.66-2ubuntu2.1
apache2-data - 2.4.66-2ubuntu2.1
apache2-suexec-custom - 2.4.66-2ubuntu2.1
apache2-suexec-pristine - 2.4.66-2ubuntu2.1
apache2-utils - 2.4.66-2ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-05-05
2026-05-05
Bartlomiej Dmitruk, Stanislaw Strzalkowski
https://bz.apache.org/bugzilla/show_bug.cgi?id=69899
[https://ubuntu.com/security/notices/USN-8239-1]
CVE-2026-23918
CVE-2026-23924 on Ubuntu 26.04 LTS (resolute) - medium
Zabbix Agent 2 Docker plugin does not properly sanitize the 'docker.container_info' parameters when forwarding them to the Docker daemon. An attacker capable of invoking Agent 2 can read arbitrary files from running Docker containers by injecting them via the Docker archive API.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 19:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132226
CVE-2026-23924
CVE-2026-23928 on Ubuntu 26.04 LTS (resolute) - medium
The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would have to come from a monitored host controlled by the attacker. Note: the Item history widget is a replacement for the Plain text widget since Zabbix 7.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 08:16:00 UTC
CVE-2026-23928
CVE-2026-23941 on Ubuntu 26.04 LTS (resolute) - medium
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling. This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7. The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-Length value. This violates RFC 9112 Section 6.3 and allows front-end/back-end desynchronization, leaving attacker-controlled bytes queued as the start of the next request. This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-13 19:54:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130912
CVE-2026-23941
CVE-2026-23942 on Ubuntu 26.04 LTS (resolute) - medium
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path Traversal. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:is_within_root/2. The SFTP server uses string prefix matching via lists:prefix/2 rather than proper path component validation when checking if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if root is set to /home/user1, paths like /home/user10 or /home/user1_backup would incorrectly be considered within the root. This issue affects OTP from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-13 19:54:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130912
CVE-2026-23942
CVE-2026-23943 on Ubuntu 26.04 LTS (resolute) - medium
Improper Handling of Highly Compressed Data (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of Service via Resource Depletion. The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication without any size limit, enabling reliable memory exhaustion DoS. Two compression algorithms are affected:
* zlib: Activates immediately after key exchange, enabling unauthenticated attacks
* zlib@openssh.com: Activates post-authentication, enabling authenticated attacks
Each SSH packet can decompress ~255 MB from 256 KB of wire data (1029:1 amplification ratio). Multiple packets can rapidly exhaust available memory, causing OOM kills in memory-constrained environments. This vulnerability is associated with program files lib/ssh/src/ssh_transport.erl and program routines ssh_transport:decompress/2, ssh_transport:handle_packet_part/4. This issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-13 19:54:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130912
CVE-2026-23943
CVE-2026-23950 on Ubuntu 26.04 LTS (resolute) - medium
node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, in which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-20 01:15:00 UTC
CVE-2026-23950
CVE-2026-23953 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g. a member of the ‘incus’ group) can create an environment variable containing newlines, which can be used to add additional configuration items in the container’s lxc.conf due to newline injection. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step (e.g. /tmp). This can be confirmed with a second container with /tmp mounted from the host (a privileged action for validation only). A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-22 22:16:00 UTC
CVE-2026-23953
CVE-2026-23954 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g. a member of the ‘incus’ group) to use directory traversal or symbolic links in the templating functionality to achieve host arbitrary file read, and host arbitrary file write. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, both the source and target paths are not checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-22 22:16:00 UTC
CVE-2026-23954
CVE-2026-24001 on Ubuntu 26.04 LTS (resolute) - medium
jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its "leading garbage"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\r`, `\u2028`, or `\u2029`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-22 03:15:00 UTC
CVE-2026-24001
CVE-2026-24027 on Ubuntu 26.04 LTS (resolute) - medium
Crafted zones can lead to increased incoming network traffic.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-09 15:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127490
CVE-2026-24027
CVE-2026-24028 on Ubuntu 26.04 LTS (resolute) - medium
An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 12:16:00 UTC
CVE-2026-24028
CVE-2026-24029 on Ubuntu 26.04 LTS (resolute) - medium
When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPS frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 12:16:00 UTC
CVE-2026-24029
CVE-2026-24030 on Ubuntu 26.04 LTS (resolute) - medium
An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 12:16:00 UTC
CVE-2026-24030
CVE-2026-24049 on Ubuntu 26.04 LTS (resolute) - medium
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-22 05:16:00 UTC
2026-01-22 05:16:00 UTC
bruce
[https://ubuntu.com/security/notices/USN-8221-1]
CVE-2026-24049
CVE-2026-24072 on Ubuntu 26.04 LTS (resolute) - medium
An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
Update Instructions:
Run `sudo pro fix CVE-2026-24072` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.66-2ubuntu2.1
apache2-bin - 2.4.66-2ubuntu2.1
apache2-data - 2.4.66-2ubuntu2.1
apache2-suexec-custom - 2.4.66-2ubuntu2.1
apache2-suexec-pristine - 2.4.66-2ubuntu2.1
apache2-utils - 2.4.66-2ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05
2026-05-05
y7syeu
[https://ubuntu.com/security/notices/USN-8239-1]
CVE-2026-24072
CVE-2026-24117 on Ubuntu 26.04 LTS (resolute) - medium
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF can only trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. The issue has been fixed in version 1.5.0. To work around this issue, disable the search endpoint with --enable_retrieve_api=false.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-22 22:16:00 UTC
CVE-2026-24117
CVE-2026-24122 on Ubuntu 26.04 LTS (resolute) - medium
Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be considered valid during verification even if the provided timestamp would mean the issuing certificate should be considered expired. When verifying artifact signatures using a certificate, Cosign first verifies the certificate chain using the leaf certificate's "not before" timestamp and later checks expiry of the leaf certificate using either a signed timestamp provided by the Rekor transparency log or from a timestamp authority, or using the current time. The root and all issuing certificates are assumed to be valid during the leaf certificate's validity. There is no impact to users of the public Sigstore infrastructure. This may affect private deployments with customized PKIs. This issue has been fixed in version 3.0.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-19 23:16:00 UTC
CVE-2026-24122
CVE-2026-24281 on Ubuntu 26.04 LTS (resolute) - medium
Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that the attacker must present a certificate which is trusted by ZKTrustManager, which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-07 09:16:00 UTC
CVE-2026-24281
CVE-2026-24308 on Ubuntu 26.04 LTS (resolute) - medium
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-07 09:16:00 UTC
CVE-2026-24308
CVE-2026-2436 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsoup's SoupServer. A remote attacker could exploit a use-after-free vulnerability where the `soup_server_disconnect()` function frees connection objects prematurely, even if a TLS handshake is still pending. If the handshake completes after the connection object has been freed, a dangling pointer is accessed, leading to a server crash and a Denial of Service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 20:16:00 UTC
CVE-2026-2436
CVE-2026-24400 on Ubuntu 26.04 LTS (resolute) - medium
AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by one of these methods, an attacker could read arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-26 23:16:00 UTC
CVE-2026-24400
CVE-2026-24401 on Ubuntu 26.04 LTS (resolute) - medium
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.
Update Instructions:
Run `sudo pro fix CVE-2026-24401` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
avahi-autoipd - 0.8-18ubuntu1.1
avahi-daemon - 0.8-18ubuntu1.1
avahi-discover - 0.8-18ubuntu1.1
avahi-dnsconfd - 0.8-18ubuntu1.1
avahi-ui-utils - 0.8-18ubuntu1.1
avahi-utils - 0.8-18ubuntu1.1
gir1.2-avahi-0.6 - 0.8-18ubuntu1.1
libavahi-client3 - 0.8-18ubuntu1.1
libavahi-common-data - 0.8-18ubuntu1.1
libavahi-common3 - 0.8-18ubuntu1.1
libavahi-compat-libdnssd1 - 0.8-18ubuntu1.1
libavahi-core7 - 0.8-18ubuntu1.1
libavahi-glib1 - 0.8-18ubuntu1.1
libavahi-gobject0 - 0.8-18ubuntu1.1
libavahi-ui-gtk3-0 - 0.8-18ubuntu1.1
python3-avahi - 0.8-18ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-24 02:15:00 UTC
2026-01-24 02:15:00 UTC
https://github.com/avahi/avahi/issues/501
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126342
[https://ubuntu.com/security/notices/USN-8269-1]
CVE-2026-24401
CVE-2026-24413 on Ubuntu 26.04 LTS (resolute) - medium
Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in its contents - including the private key of the user and synced configuration - being readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contain a fix. There are two possibilities to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2. These versions will automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL for the given folder `C:\ProgramData\icinga2\var` (and `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` to fix the issue for the Icinga for Windows as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-29 18:16:00 UTC
CVE-2026-24413
CVE-2026-24425 on Ubuntu 26.04 LTS (resolute) - medium
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-24425
CVE-2026-2443 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memory beyond the intended response. Exploitation requires a vulnerable configuration and access to a server using the embedded SoupServer component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-13 12:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127905
https://gitlab.gnome.org/GNOME/libsoup/-/issues/487
https://bugzilla.redhat.com/show_bug.cgi?id=2439671
CVE-2026-2443
CVE-2026-24450 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability exists in the uncompressed_fp_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 15:17:00 UTC
CVE-2026-24450
CVE-2026-2447 on Ubuntu 26.04 LTS (resolute) - medium
Heap buffer overflow in libvpx. This vulnerability was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2.
Update Instructions:
Run `sudo pro fix CVE-2026-2447` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libvpx12 - 1.16.0-2ubuntu1
vpx-tools - 1.16.0-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-16 15:18:00 UTC
2026-02-16 15:18:00 UTC
https://bugzilla.mozilla.org/show_bug.cgi?id=2014390
[https://ubuntu.com/security/notices/USN-8053-1]
CVE-2026-2447
CVE-2026-24480 on Ubuntu 26.04 LTS (resolute) - medium
QGIS is a free, open source, cross platform geographical information system (GIS). The repository contains a GitHub Actions workflow called "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was vulnerable to remote code execution and repository compromise because it used the `pull_request_target` trigger and then checked out and executed untrusted pull request code in a privileged context. Workflows triggered by `pull_request_target` ran with the base repository's credentials and access to secrets. If these workflows then checked out and executed code from the head of an external pull request (which could have been attacker controlled), the attacker could have executed arbitrary commands with elevated privileges. This insecure pattern has been documented as a security risk by GitHub and security researchers. Commit 76a693cd91650f9b4e83edac525e5e4f90d954e9 removed the vulnerable code.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-27 01:16:00 UTC
CVE-2026-24480
CVE-2026-24486 on Ubuntu 26.04 LTS (resolute) - medium
Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-27 01:16:00 UTC
2026-01-27 01:16:00 UTC
[https://ubuntu.com/security/notices/USN-8027-1]
CVE-2026-24486
CVE-2026-24515 on Ubuntu 26.04 LTS (resolute) - medium
In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-23 08:16:00 UTC
2026-01-23 08:16:00 UTC
[https://ubuntu.com/security/notices/USN-8022-1]
[https://ubuntu.com/security/notices/USN-8023-1]
[https://ubuntu.com/security/notices/USN-8022-2]
CVE-2026-24515
CVE-2026-24660 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow vulnerability exists in the x3f_load_huffman functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 15:17:00 UTC
CVE-2026-24660
CVE-2026-24688 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from PR #3610 manually.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-27 20:16:00 UTC
CVE-2026-24688
CVE-2026-24733 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request using HTTP/0.9. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112. Older, EOL versions are also affected. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-17 19:21:00 UTC
CVE-2026-24733
CVE-2026-24734 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-17 19:21:00 UTC
CVE-2026-24734
CVE-2026-24747 on Ubuntu 26.04 LTS (resolute) - medium
PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-27 22:15:00 UTC
CVE-2026-24747
CVE-2026-24765 on Ubuntu 26.04 LTS (resolute) - medium
PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-27 22:15:00 UTC
CVE-2026-24765
CVE-2026-24842 on Ubuntu 26.04 LTS (resolute) - medium
node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-28 01:16:00 UTC
CVE-2026-24842
CVE-2026-24880 on Ubuntu 26.04 LTS (resolute) - medium
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 20:16:00 UTC
CVE-2026-24880
CVE-2026-24885 on Ubuntu 26.04 LTS (resolute) - medium
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a Cross-Site Request Forgery (CSRF) vulnerability exists in the ProjectPermissionController within the Kanboard application. The application fails to strictly enforce the application/json Content-Type for the changeUserRole action. Although the request body is JSON, the server accepts text/plain, allowing an attacker to craft a malicious form using the text/plain attribute. This allows unauthorized modification of project user roles if an authenticated admin visits a malicious site. This vulnerability is fixed in 1.2.50.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 17:16:00 UTC
CVE-2026-24885
CVE-2026-2492 on Ubuntu 26.04 LTS (resolute) - medium
TensorFlow HDF5 Library Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of TensorFlow. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of plugins. The application loads plugins from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25480.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-20 23:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128653
CVE-2026-2492
CVE-2026-25061 on Ubuntu 26.04 LTS (resolute) - medium
tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-29 22:15:00 UTC
CVE-2026-25061
CVE-2026-25063 on Ubuntu 26.04 LTS (resolute) - medium
gradle-completion provides Bash and Zsh completion support for Gradle. A command injection vulnerability was found in gradle-completion up to and including 9.3.0 that allows arbitrary code execution when a user triggers Bash tab completion in a project containing a malicious Gradle build file. The `gradle-completion` script for Bash fails to adequately sanitize Gradle task names and task descriptions, allowing command injection via a malicious Gradle build file when the user completes a command in Bash (without them explicitly running any task in the build). For example, given a task description that includes a string between backticks, then that string would be evaluated as a command when presenting the task description in the completion list. While task execution is the core feature of Gradle, this inherent execution may lead to unexpected outcomes. The vulnerability does not affect zsh completion. The first patched version is 9.3.1. As a workaround, it is possible and effective to temporarily disable bash completion for Gradle by removing `gradle-completion` from `.bashrc` or `.bash_profile`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-29 22:15:00 UTC
CVE-2026-25063
CVE-2026-25068 on Ubuntu 26.04 LTS (resolute) - medium
alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.
Update Instructions:
Run `sudo pro fix CVE-2026-25068` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libasound2-data - 1.2.15.3-1ubuntu1
libasound2-plugin-smixer - 1.2.15.3-1ubuntu1
libasound2t64 - 1.2.15.3-1ubuntu1
libatopology2t64 - 1.2.15.3-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-29 20:16:00 UTC
2026-01-29 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126629
[https://ubuntu.com/security/notices/USN-8044-1]
CVE-2026-25068
CVE-2026-25128 on Ubuntu 26.04 LTS (resolute) - medium
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-30 16:16:00 UTC
CVE-2026-25128
CVE-2026-25210 on Ubuntu 26.04 LTS (resolute) - medium
In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-01-30 07:16:00 UTC
2026-01-30 07:16:00 UTC
[https://ubuntu.com/security/notices/USN-8022-1]
[https://ubuntu.com/security/notices/USN-8023-1]
[https://ubuntu.com/security/notices/USN-8022-2]
CVE-2026-25210
CVE-2026-25243 on Ubuntu 26.04 LTS (resolute) - medium
Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 17:17:00 UTC
CVE-2026-25243
CVE-2026-25500 on Ubuntu 26.04 LTS (resolute) - medium
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Update Instructions:
Run `sudo pro fix CVE-2026-25500` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ruby-rack - 3.2.4-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-18 20:18:00 UTC
2026-02-18 20:18:00 UTC
[https://ubuntu.com/security/notices/USN-8066-1]
CVE-2026-25500
CVE-2026-25530 on Ubuntu 26.04 LTS (resolute) - medium
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, the getSwimlane API method lacks project-level authorization, allowing authenticated users to access swimlane data from projects they cannot access. This vulnerability is fixed in 1.2.50.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 17:16:00 UTC
CVE-2026-25530
CVE-2026-25531 on Ubuntu 26.04 LTS (resolute) - medium
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, the fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into projects they cannot access. This vulnerability is fixed in 1.2.50.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-13 15:15:00 UTC
CVE-2026-25531
CVE-2026-25547 on Ubuntu 26.04 LTS (resolute) - medium
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-04 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127313
CVE-2026-25547
CVE-2026-25556 on Ubuntu 26.04 LTS (resolute) - medium
MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-06 17:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127318
CVE-2026-25556
CVE-2026-25588 on Ubuntu 26.04 LTS (resolute) - medium
RedisTimeSeries is a time-series module for Redis. In all versions before 1.12.14 of RedisTimeSeries, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisTimeSeries module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This has been patched in version 1.12.14.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 17:17:00 UTC
CVE-2026-25588
CVE-2026-25589 on Ubuntu 26.04 LTS (resolute) - medium
RedisBloom is a probabilistic data structures module for Redis. In all versions of RedisBloom before 2.8.20, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisBloom module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This issue is fixed in version 2.8.20.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 17:17:00 UTC
CVE-2026-25589
CVE-2026-25635 on Ubuntu 26.04 LTS (resolute) - medium
calibre is an e-book manager. Prior to 9.2.0, Calibre's CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven't tested on other OS's), this can lead to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. This vulnerability is fixed in 9.2.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-06 21:16:00 UTC
CVE-2026-25635
CVE-2026-25636 on Ubuntu 26.04 LTS (resolute) - medium
calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-06 21:16:00 UTC
CVE-2026-25636
CVE-2026-25639 on Ubuntu 26.04 LTS (resolute) - medium
Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-09 21:15:00 UTC
CVE-2026-25639
CVE-2026-25645 on Ubuntu 26.04 LTS (resolute) - low
Requests is an HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-03-25 17:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132071
CVE-2026-25645
CVE-2026-25646 on Ubuntu 26.04 LTS (resolute) - medium
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.
Update Instructions:
Run `sudo pro fix CVE-2026-25646` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libpng-tools - 1.6.55-1
libpng16-16t64 - 1.6.55-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-10 18:16:00 UTC
2026-02-10 18:16:00 UTC
iconstantin
Joshua Inscoe
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127566
[https://ubuntu.com/security/notices/USN-8035-1]
[https://ubuntu.com/security/notices/USN-8039-1]
[https://ubuntu.com/security/notices/USN-8081-1]
CVE-2026-25646
CVE-2026-25674 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's temporary `umask` change affects other threads in multi-threaded environments. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-03-03 14:00:00 UTC
Tarek Nakkouch
CVE-2026-25674
CVE-2026-25679 on Ubuntu 26.04 LTS (resolute) - medium
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-06 22:16:00 UTC
CVE-2026-25679
CVE-2026-25702 on Ubuntu 26.04 LTS (resolute) - medium
An Improper Access Control vulnerability in the kernel of SUSE SUSE Linux Enterprise Server 12 SP5 breaks nftables, causing firewall rules applied via nftables to not be effective. This issue affects SUSE Linux Enterprise Server: from 9e6d9d4601768c75fdb0bad3fbbe636e748939c2 before 9c294edb7085fb91650bc12233495a8974c5ff2d.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-05 07:16:00 UTC
CVE-2026-25702
CVE-2026-25731 on Ubuntu 26.04 LTS (resolute) - medium
calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre's Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the --template-html or --template-html-index command-line options. This vulnerability is fixed in 9.2.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-06 21:16:00 UTC
CVE-2026-25731
CVE-2026-25765 on Ubuntu 26.04 LTS (resolute) - medium
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-09 21:15:00 UTC
CVE-2026-25765
CVE-2026-2581 on Ubuntu 26.04 LTS (resolute) - medium
This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination. Impacted users are applications that use Undici’s deduplication interceptor against endpoints that may produce large or long-lived response bodies. Patches: The issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started. Users should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 21:16:00 UTC
CVE-2026-2581
CVE-2026-25833 on Ubuntu 26.04 LTS (resolute) - medium
Mbed TLS 3.5.0 to 3.6.5 (fixed in 3.6.6 and 4.1.0) has a buffer overflow in the x509_inet_pton_ipv6() function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 19:16:00 UTC
CVE-2026-25833
CVE-2026-25834 on Ubuntu 26.04 LTS (resolute) - medium
Mbed TLS v3.3.0 up to 3.6.5 and 4.0.0 allows Algorithm Downgrade.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 18:16:00 UTC
CVE-2026-25834
CVE-2026-25835 on Ubuntu 26.04 LTS (resolute) - medium
Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0 misuse seeds in a Pseudo-Random Number Generator (PRNG).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 19:16:00 UTC
CVE-2026-25835
CVE-2026-25854 on Ubuntu 26.04 LTS (resolute) - medium
Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 20:16:00 UTC
CVE-2026-25854
CVE-2026-25884 on Ubuntu 26.04 LTS (resolute) - medium
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found. The vulnerability is in the CRW image parser. This issue has been patched in version 0.28.8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-02 20:16:00 UTC
2026-03-02 20:16:00 UTC
[https://ubuntu.com/security/notices/USN-8103-1]
CVE-2026-25884
CVE-2026-25892 on Ubuntu 26.04 LTS (resolute) - medium
Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST version[] parameter which PHP converts to an array. On next page load, openssl_verify() receives this array instead of string and throws TypeError, returning HTTP 500 to all users. Upgrade to Adminer 5.4.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-09 22:16:00 UTC
CVE-2026-25892
CVE-2026-25896 on Ubuntu 26.04 LTS (resolute) - medium
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3 to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-20 21:19:00 UTC
CVE-2026-25896
CVE-2026-25897 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow vulnerability exists in the sun decoder. On 32-bit systems/builds, a carefully crafted image can lead to an out of bounds heap write. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Update Instructions:
Run `sudo pro fix CVE-2026-25897` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7-common - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7.q16 - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7.q16hdri - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-q16-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-q16hdri-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7.q16-5 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7.q16hdri-5 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7-arch-config - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16-10-extra - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16hdri-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7.q16-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7.q16hdri-10 - 8:7.1.2.13+dfsg1-1ubuntu1
perlmagick - 8:7.1.2.13+dfsg1-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 02:16:00 UTC
2026-02-24 02:16:00 UTC
john-breton
[https://ubuntu.com/security/notices/USN-8069-1]
[https://ubuntu.com/security/notices/USN-8263-1]
CVE-2026-25897
CVE-2026-25898 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the UIL and XPM image encoders do not validate the pixel index value returned by `GetPixelIndex()` before using it as an array subscript. In HDRI builds, `Quantum` is a floating-point type, so pixel index values can be negative. An attacker can craft an image with negative pixel index values to trigger a global buffer overflow read during conversion, leading to information disclosure or a process crash. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Update Instructions:
Run `sudo pro fix CVE-2026-25898` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7-common - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7.q16 - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7.q16hdri - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-q16-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-q16hdri-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7.q16-5 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7.q16hdri-5 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7-arch-config - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16-10-extra - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16hdri-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7.q16-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7.q16hdri-10 - 8:7.1.2.13+dfsg1-1ubuntu1
perlmagick - 8:7.1.2.13+dfsg1-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 02:16:00 UTC
2026-02-24 02:16:00 UTC
john-breton
ylwango613
[https://ubuntu.com/security/notices/USN-8069-1]
[https://ubuntu.com/security/notices/USN-8263-1]
CVE-2026-25898
CVE-2026-25916 on Ubuntu 26.04 LTS (resolute) - medium
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-09 09:16:00 UTC
2026-02-09 09:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127447
[https://ubuntu.com/security/notices/USN-8223-1]
CVE-2026-25916
CVE-2026-25918 on Ubuntu 26.04 LTS (resolute) - medium
unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2, the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. This vulnerability is fixed in 1.8.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-09 22:16:00 UTC
CVE-2026-25918
CVE-2026-25924 on Ubuntu 26.04 LTS (resolute) - medium
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin installation interface when the PLUGIN_INSTALLER configuration is set to false, the underlying backend endpoint fails to verify this security setting. An attacker can exploit this oversight to force the server to download and install a malicious plugin, leading to arbitrary code execution. This vulnerability is fixed in 1.2.50.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 21:16:00 UTC
CVE-2026-25924
CVE-2026-25934 on Ubuntu 26.04 LTS (resolute) - medium
go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-09 23:16:00 UTC
2026-02-09 23:16:00 UTC
[https://ubuntu.com/security/notices/USN-8088-1]
CVE-2026-25934
CVE-2026-25966 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. The shipped "secure" security policy includes a rule intended to prevent reading/writing from standard streams. However, ImageMagick also supports fd:<n> pseudo-filenames (e.g., fd:0, fd:1). Prior to versions 7.1.2-15 and 6.9.13-40, this path form is not blocked by the secure policy templates, and therefore bypasses the protection goal of "no stdin/stdout." Versions 7.1.2-15 and 6.9.13-40 contain a patch by including a change to the more secure policies by default. As a workaround, add the change to one's security policy manually.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 02:16:00 UTC
CVE-2026-25966
CVE-2026-25968 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a stack buffer overflow occurs when processing an attribute in msl.c. A long value overflows a fixed-size stack buffer, leading to memory corruption. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Update Instructions:
Run `sudo pro fix CVE-2026-25968` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7-common - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7.q16 - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7.q16hdri - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-q16-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-q16hdri-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7.q16-5 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7.q16hdri-5 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7-arch-config - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16-10-extra - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16hdri-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7.q16-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7.q16hdri-10 - 8:7.1.2.13+dfsg1-1ubuntu1
perlmagick - 8:7.1.2.13+dfsg1-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 02:16:00 UTC
2026-02-24 02:16:00 UTC
ylwango613
[https://ubuntu.com/security/notices/USN-8069-1]
CVE-2026-25968
CVE-2026-2597 on Ubuntu 26.04 LTS (resolute) - medium
Crypt::SysRandom::XS versions before 0.010 for Perl is vulnerable to a heap buffer overflow in the XS function random_bytes(). The function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression length + 1u causes an integer wraparound, resulting in a zero-byte allocation. The subsequent call to chosen random function (e.g. getrandom) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX). This can result in writes beyond the allocated buffer, leading to heap memory corruption and application crash (denial of service). In common usage, the length argument is typically hardcoded by the caller, which reduces the likelihood of attacker-controlled exploitation. Applications that pass untrusted input to this parameter may be affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 00:16:00 UTC
CVE-2026-2597
CVE-2026-25971 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, Magick fails to check for circular references between two MSLs, leading to a stack overflow. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 02:16:00 UTC
CVE-2026-25971
CVE-2026-25982 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap out-of-bounds read vulnerability exists in the `coders/dcm.c` module. When processing DICOM files with a specific configuration, the decoder loop incorrectly reads bytes per iteration. This causes the function to read past the end of the allocated buffer, potentially leading to a Denial of Service (crash) or Information Disclosure (leaking heap memory into the image). Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 02:16:00 UTC
CVE-2026-25982
CVE-2026-25983 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Update Instructions:
Run `sudo pro fix CVE-2026-25983` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7-common - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7.q16 - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7.q16hdri - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-q16-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-q16hdri-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7.q16-5 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7.q16hdri-5 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7-arch-config - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16-10-extra - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16hdri-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7.q16-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7.q16hdri-10 - 8:7.1.2.13+dfsg1-1ubuntu1
perlmagick - 8:7.1.2.13+dfsg1-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 02:16:00 UTC
2026-02-24 02:16:00 UTC
[https://ubuntu.com/security/notices/USN-8069-1]
CVE-2026-25983
CVE-2026-25985 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file containing a malicious element causes ImageMagick to attempt to allocate ~674 GB of memory, leading to an out-of-memory abort. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 02:16:00 UTC
CVE-2026-25985
CVE-2026-25986 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer overflow write vulnerability exists in ReadYUVImage() (coders/yuv.c) when processing malicious YUV 4:2:2 (NoInterlace) images. The pixel-pair loop writes one pixel beyond the allocated row buffer. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Update Instructions:
Run `sudo pro fix CVE-2026-25986` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7-common - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7.q16 - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7.q16hdri - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-q16-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-q16hdri-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7.q16-5 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7.q16hdri-5 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7-arch-config - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16-10-extra - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16hdri-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7.q16-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7.q16hdri-10 - 8:7.1.2.13+dfsg1-1ubuntu1
perlmagick - 8:7.1.2.13+dfsg1-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 02:16:00 UTC
2026-02-24 02:16:00 UTC
ylwango613
[https://ubuntu.com/security/notices/USN-8069-1]
CVE-2026-25986
CVE-2026-25987 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the MAP image decoder when processing crafted MAP files, potentially leading to crashes or unintended memory disclosure during image decoding. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Update Instructions:
Run `sudo pro fix CVE-2026-25987` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7-common - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7.q16 - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7.q16hdri - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-q16-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-q16hdri-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7.q16-5 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7.q16hdri-5 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7-arch-config - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16-10-extra - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16hdri-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7.q16-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7.q16hdri-10 - 8:7.1.2.13+dfsg1-1ubuntu1
perlmagick - 8:7.1.2.13+dfsg1-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 02:16:00 UTC
2026-02-24 02:16:00 UTC
ylwango613
[https://ubuntu.com/security/notices/USN-8069-1]
CVE-2026-25987
CVE-2026-25989 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file can cause a denial of service. An off-by-one boundary check (`>` instead of `>=`) allows input to bypass the guard and reach an undefined `(size_t)` cast. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 03:16:00 UTC
CVE-2026-25989
CVE-2026-26064 on Ubuntu 26.04 LTS (resolute) - medium
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below contain a Path Traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows, this leads to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. Function extract_pictures only checks startswith('Pictures'), and does not sanitize '..' sequences. calibre's own ZipFile.extractall() in utils/zipfile.py does sanitize '..' via _get_targetpath(), but extract_pictures() bypasses this by using manual zf.read() + open(). This issue has been fixed in version 9.3.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-20 02:16:00 UTC
CVE-2026-26064
CVE-2026-26065 on Ubuntu 26.04 LTS (resolute) - medium
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are vulnerable to Path Traversal through PDB readers (both 132-byte and 202-byte header variants) that allow arbitrary file writes with arbitrary extension and arbitrary content anywhere the user has write permissions. Files are written in 'wb' mode, silently overwriting existing files. This can lead to potential code execution and Denial of Service through file corruption. This issue has been fixed in version 9.3.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-20 02:16:00 UTC
CVE-2026-26065
CVE-2026-26076 on Ubuntu 26.04 LTS (resolute) - medium
ntpd-rs is a full-featured implementation of the Network Time Protocol. Prior to 1.7.1, an attacker can remotely induce moderate increases (2-4 times above normal) in cpu usage. When having NTS enabled on an ntpd-rs server, an attacker can create malformed NTS packets that take significantly more effort for the server to respond to by requesting a large number of cookies. This can lead to degraded server performance even when a server could otherwise handle the load. This vulnerability is fixed in 1.7.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-12 22:16:00 UTC
CVE-2026-26076
CVE-2026-26079 on Ubuntu 26.04 LTS (resolute) - medium
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 05:16:00 UTC
2026-02-11 05:16:00 UTC
[https://ubuntu.com/security/notices/USN-8223-1]
CVE-2026-26079
CVE-2026-26130 on Ubuntu 26.04 LTS (resolute) - medium
Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
Update Instructions:
Run `sudo pro fix CVE-2026-26130` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
aspnetcore-runtime-10.0 - 10.0.4-0ubuntu1
aspnetcore-targeting-pack-10.0 - 10.0.4-0ubuntu1
dotnet-apphost-pack-10.0 - 10.0.4-0ubuntu1
dotnet-host-10.0 - 10.0.4-0ubuntu1
dotnet-hostfxr-10.0 - 10.0.4-0ubuntu1
dotnet-runtime-10.0 - 10.0.4-0ubuntu1
dotnet-targeting-pack-10.0 - 10.0.4-0ubuntu1
dotnet-sdk-10.0 - 10.0.104-0ubuntu1
dotnet-sdk-10.0-source-built-artifacts - 10.0.104-0ubuntu1
dotnet-sdk-aot-10.0 - 10.0.104-0ubuntu1
dotnet-templates-10.0 - 10.0.104-0ubuntu1
dotnet10 - 10.0.104-10.0.4-0ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10
2026-03-10
Bartlomiej Dach
[https://ubuntu.com/security/notices/USN-8085-1]
CVE-2026-26130
CVE-2026-26157 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127782
https://bugzilla.redhat.com/show_bug.cgi?id=2439039
CVE-2026-26157
CVE-2026-26158 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-11 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127782
https://bugzilla.redhat.com/show_bug.cgi?id=2439040
CVE-2026-26158
CVE-2026-26171 on Ubuntu 26.04 LTS (resolute) - medium
Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.
Update Instructions:
Run `sudo pro fix CVE-2026-26171` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
aspnetcore-runtime-10.0 - 10.0.7-0ubuntu1~26.04.1
aspnetcore-targeting-pack-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-apphost-pack-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-host-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-hostfxr-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-runtime-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-targeting-pack-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-sdk-10.0 - 10.0.107-0ubuntu1~26.04.1
dotnet-sdk-10.0-source-built-artifacts - 10.0.107-0ubuntu1~26.04.1
dotnet-sdk-aot-10.0 - 10.0.107-0ubuntu1~26.04.1
dotnet-templates-10.0 - 10.0.107-0ubuntu1~26.04.1
dotnet10 - 10.0.107-10.0.7-0ubuntu1~26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14
2026-04-14
Ludvig Pedersen
[https://ubuntu.com/security/notices/USN-8176-1]
[https://ubuntu.com/security/notices/USN-8216-1]
CVE-2026-26171
CVE-2026-26198 on Ubuntu 26.04 LTS (resolute) - medium
Ormar is an async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()` skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthorized user can exploit this vulnerability to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter. Version 0.23.0 contains a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 03:16:00 UTC
CVE-2026-26198
CVE-2026-26200 on Ubuntu 26.04 LTS (resolute) - medium
HDF5 is software for managing data. Prior to version 1.14.4-2, an attacker who can control an `h5` file parsed by HDF5 can trigger a write-based heap buffer overflow condition. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems. Real-world exploitability of this issue in terms of remote-code execution is currently unknown. Version 1.14.4-2 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-19 20:25:00 UTC
CVE-2026-26200
CVE-2026-26209 on Ubuntu 26.04 LTS (resolute) - medium
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the pure Python implementation and the C extension `_cbor2`. The C extension relies on Python's internal recursion limits `Py_EnterRecursiveCall` rather than a data-driven depth limit, meaning it still raises `RecursionError` and crashes the worker process when the limit is hit. While the library handles moderate nesting levels, it lacks a hard depth limit. An attacker can supply a crafted CBOR payload containing approximately 100,000 nested arrays `0x81`. When `cbor2.loads()` attempts to parse this, it hits the Python interpreter's maximum recursion depth or exhausts the stack, causing the process to crash with a `RecursionError`. Because the library does not enforce its own limits, it allows an external attacker to exhaust the host application's stack resource. In many web application servers (e.g., Gunicorn, Uvicorn) or task queues (Celery), an unhandled `RecursionError` terminates the worker process immediately. By sending a stream of these small (<100KB) malicious packets, an attacker can repeatedly crash worker processes, resulting in a complete Denial of Service for the application. Version 5.9.0 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-23 19:16:00 UTC
CVE-2026-26209
CVE-2026-26223 on Ubuntu 26.04 LTS (resolute) - medium
SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-19 16:27:00 UTC
CVE-2026-26223
CVE-2026-2625 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in rust-rpm-sequoia. An attacker can exploit this vulnerability by providing a specially crafted Red Hat Package Manager (RPM) file. During the RPM signature verification process, this crafted file can trigger an error in the OpenPGP signature parsing code, leading to an unconditional termination of the rpm process. This issue results in an application level denial of service, making the system unable to process RPM files for signature verification.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 19:17:00 UTC
CVE-2026-2625
CVE-2026-26269 on Ubuntu 26.04 LTS (resolute) - low
Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.
Update Instructions:
Run `sudo pro fix CVE-2026-26269` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
vim - 2:9.1.2141-1ubuntu2
vim-common - 2:9.1.2141-1ubuntu2
vim-gtk3 - 2:9.1.2141-1ubuntu2
vim-gui-common - 2:9.1.2141-1ubuntu2
vim-motif - 2:9.1.2141-1ubuntu2
vim-nox - 2:9.1.2141-1ubuntu2
vim-runtime - 2:9.1.2141-1ubuntu2
vim-tiny - 2:9.1.2141-1ubuntu2
xxd - 2:9.1.2141-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-02-13 20:17:00 UTC
2026-02-13 20:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127930
[https://ubuntu.com/security/notices/USN-8101-1]
CVE-2026-26269
CVE-2026-26278 on Ubuntu 26.04 LTS (resolute) - medium
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-19 20:25:00 UTC
CVE-2026-26278
CVE-2026-26283 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a `continue` statement in the JPEG extent binary search loop in the jpeg encoder causes an infinite loop when writing persistently fails. An attacker can trigger a 100% CPU consumption and process hang (Denial of Service) with a crafted image. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 03:16:00 UTC
iconstantin
CVE-2026-26283
CVE-2026-26284 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper boundary checking when processing Huffman-coded data from PCD (Photo CD) files. The decoder contains a function that has an incorrect initialization that could cause an out of bounds read. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Update Instructions:
Run `sudo pro fix CVE-2026-26284` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
imagemagick - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7-common - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7.q16 - 8:7.1.2.13+dfsg1-1ubuntu1
imagemagick-7.q16hdri - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-q16-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libimage-magick-q16hdri-perl - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7.q16-5 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagick++-7.q16hdri-5 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7-arch-config - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16-10-extra - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16hdri-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickcore-7.q16hdri-10-extra - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7-headers - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7.q16-10 - 8:7.1.2.13+dfsg1-1ubuntu1
libmagickwand-7.q16hdri-10 - 8:7.1.2.13+dfsg1-1ubuntu1
perlmagick - 8:7.1.2.13+dfsg1-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 03:16:00 UTC
2026-02-24 03:16:00 UTC
ylwango613
[https://ubuntu.com/security/notices/USN-8069-1]
CVE-2026-26284
CVE-2026-26331 on Ubuntu 26.04 LTS (resolute) - medium
yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc "machine" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 03:16:00 UTC
CVE-2026-26331
CVE-2026-26345 on Ubuntu 26.04 LTS (resolute) - medium
SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges (e.g., author-level roles and above) to inject malicious scripts. The injected payload may be rendered across multiple pages within the framework and execute in the browser context of other users, including administrators. Successful exploitation can allow attackers to perform actions in the security context of the victim user, including unauthorized modification of application state. This vulnerability is not mitigated by the SPIP security screen.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-19 16:27:00 UTC
CVE-2026-26345
CVE-2026-26399 on Ubuntu 26.04 LTS (resolute) - medium
A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines, where it is stored in a global timer handle registry. After the function returns, interrupt service routines may dereference this dangling pointer, resulting in memory corruption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-20 18:16:00 UTC
CVE-2026-26399
CVE-2026-2641 on Ubuntu 26.04 LTS (resolute) - medium
A weakness has been identified in universal-ctags ctags up to 6.2.1. The affected element is the function parseExpression/parseExprList of the file parsers/v.c of the component V Language Parser. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-18 06:16:00 UTC
CVE-2026-2641
CVE-2026-2644 on Ubuntu 26.04 LTS (resolute) - medium
A weakness has been identified in niklasso minisat up to 2.2.0. This issue affects the function Solver::value in the library core/SolverTypes.h of the component DIMACS File Parser. This manipulation of the argument variable index with the input 2147483648 causes out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-18 07:16:00 UTC
CVE-2026-2644
CVE-2026-2645 on Ubuntu 26.04 LTS (resolute) - medium
In wolfSSL 5.8.2 and earlier, a logic flaw existed in the TLS 1.2 server state machine implementation. The server could incorrectly accept the CertificateVerify message before the ClientKeyExchange message had been received. This issue affects wolfSSL before 5.8.4 (wolfSSL 5.8.2 and earlier is vulnerable, 5.8.4 is not vulnerable). In 5.8.4 wolfSSL would detect the issue later in the handshake. 5.9.0 was further hardened to catch the issue earlier in the handshake.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 18:16:00 UTC
CVE-2026-2645
CVE-2026-2646 on Ubuntu 26.04 LTS (resolute) - medium
A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When deserializing session data with SESSION_CERTS enabled, certificate and session id lengths are read from an untrusted input without bounds validation, allowing an attacker to overflow fixed-size buffers and corrupt heap memory. A maliciously crafted session would need to be loaded from an external source to trigger this vulnerability. Internal sessions were not vulnerable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 18:16:00 UTC
CVE-2026-2646
CVE-2026-26477 on Ubuntu 26.04 LTS (resolute) - medium
An issue in Dokuwiki v.2025-05-14b "Librarian" [56.2] allows a remote attacker to cause a denial of service via the media_upload_xhr() function in the media.php file
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 15:16:00 UTC
CVE-2026-26477
CVE-2026-2653 on Ubuntu 26.04 LTS (resolute) - medium
A security flaw has been discovered in admesh up to 0.98.5. This issue affects the function stl_check_normal_vector of the file src/normals.c. Performing a manipulation results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. It looks like this product is not really maintained anymore.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-18 11:16:00 UTC
CVE-2026-2653
CVE-2026-2659 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was determined in Squirrel up to 3.2. Affected by this vulnerability is the function SQFuncState::PopTarget of the file src/squirrel/squirrel/sqfuncstate.cpp. Executing a manipulation of the argument _target_stack can lead to out-of-bounds read. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-18 18:24:00 UTC
CVE-2026-2659
CVE-2026-2661 on Ubuntu 26.04 LTS (resolute) - medium
A security flaw has been discovered in Squirrel up to 3.2. This affects the function SQObjectPtr::operator in the library squirrel/sqobject.h. The manipulation results in heap-based buffer overflow. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-18 20:18:00 UTC
CVE-2026-2661
CVE-2026-2673 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword. Impact summary: A less preferred key exchange may be used even when a more preferred group is supported by both client and server, if the group was not included among the client's initial predicted keyshares. This will sometimes be the case with the new hybrid post-quantum groups, if the client chooses to defer their use until specifically requested by the server. If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to interpolate the built-in default group list into its own configuration, perhaps adding or removing specific elements, then an implementation defect causes the 'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups were treated as a single sufficiently secure 'tuple', with the server not sending a Hello Retry Request (HRR) even when a group in a more preferred tuple was mutually supported. As a result, the client and server might fail to negotiate a mutually supported post-quantum key agreement group, such as 'X25519MLKEM768', if the client's configuration results in only 'classical' groups (such as 'X25519' being the only ones in the client's initial keyshare prediction). OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS 1.3 key agreement group on TLS servers. The old syntax had a single 'flat' list of groups, and treated all the supported groups as sufficiently secure. If any of the keyshares predicted by the client were supported by the server the most preferred among these was selected, even if other groups supported by the client, but not included in the list of predicted keyshares would have been more preferred, if included. The new syntax partitions the groups into distinct 'tuples' of roughly equivalent security. Within each tuple the most preferred group included among the client's predicted keyshares is chosen, but if the client supports a group from a more preferred tuple, but did not predict any corresponding keyshares, the server will ask the client to retry the ClientHello (by issuing a Hello Retry Request or HRR) with the most preferred mutually supported group. The above works as expected when the server's configuration uses the built-in default group list, or explicitly defines its own list by directly defining the various desired groups and group 'tuples'. No OpenSSL FIPS modules are affected by this issue, the code in question lies outside the FIPS boundary. OpenSSL 3.6 and 3.5 are vulnerable to this issue. OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released. OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2026-2673` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu3
openssl - 3.5.5-1ubuntu3
openssl-provider-legacy - 3.5.5-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-03-13 19:54:00 UTC
2026-03-13 19:54:00 UTC
Viktor Dukhovni
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130650
[https://ubuntu.com/security/notices/USN-8155-1]
CVE-2026-2673
CVE-2026-26740 on Ubuntu 26.04 LTS (resolute) - medium
Buffer Overflow vulnerability in giflib v.5.2.2 allows a remote attacker to cause a denial of service via the EGifGCBToExtension overwriting an existing Graphic Control Extension block without validating its allocated size.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 18:16:00 UTC
CVE-2026-26740
CVE-2026-26960 on Ubuntu 26.04 LTS (resolute) - medium
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-20 02:16:00 UTC
CVE-2026-26960
CVE-2026-26961 on Ubuntu 26.04 LTS (resolute) - medium
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 17:16:00 UTC
2026-04-02 17:16:00 UTC
[https://ubuntu.com/security/notices/USN-8182-1]
CVE-2026-26961
CVE-2026-26962 on Ubuntu 26.04 LTS (resolute) - medium
Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result, applications that later reuse those parsed values in HTTP response headers may be vulnerable to downstream header injection or response splitting. This issue has been patched in version 3.2.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 18:16:00 UTC
2026-04-02 18:16:00 UTC
[https://ubuntu.com/security/notices/USN-8182-1]
CVE-2026-26962
CVE-2026-26982 on Ubuntu 26.04 LTS (resolute) - medium
Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments. This attack requires an attacker to convince the user to copy and paste or drag and drop malicious text. The attack requires user interaction to be triggered, but the dangerous characters are invisible in most GUI environments so it isn't trivially detected, especially if the string contents are complex. Fixed in Ghostty v1.3.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 07:42:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091469
CVE-2026-26982
CVE-2026-26983 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the MSL interpreter crashes when processing an invalid `<map>` element that causes it to use an image after it has been freed. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 03:16:00 UTC
CVE-2026-26983
CVE-2026-26996 on Ubuntu 26.04 LTS (resolute) - medium
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-20 03:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128579
CVE-2026-26996
CVE-2026-27024 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a TreeObject, for example as part of outlines. This vulnerability is fixed in 6.7.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-20 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128654
CVE-2026-27024
CVE-2026-27025 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for example during text extraction. This vulnerability is fixed in 6.7.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-20 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128656
CVE-2026-27025
CVE-2026-27026 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompression is used. This vulnerability is fixed in 6.7.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-20 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128690
CVE-2026-27026
CVE-2026-2704 on Ubuntu 26.04 LTS (resolute) - medium
A security vulnerability has been detected in Open Babel up to 3.1.1. The affected element is the function OpenBabel::transform3d::DescribeAsString of the file src/math/transform3d.cpp of the component CIF File Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a. It is suggested to install a patch to address this issue. The project was informed of the problem early through an issue report but has not responded yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-19 07:17:00 UTC
CVE-2026-2704
CVE-2026-2705 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was detected in Open Babel up to 3.1.1. The impacted element is the function OBAtom::SetFormalCharge in the library include/openbabel/atom.h of the component MOL2 File Handler. The manipulation results in out-of-bounds read. It is possible to launch the attack remotely. The exploit is now public and may be used. The patch is identified as e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a. A patch should be applied to remediate this issue. The project was informed of the problem early through an issue report but has not responded yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-19 07:17:00 UTC
CVE-2026-2705
CVE-2026-2708 on Ubuntu 26.04 LTS (resolute) - medium
A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker to send HTTP requests containing multiple Content-Length headers with differing values.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128582
https://gitlab.gnome.org/GNOME/libsoup/-/issues/500
CVE-2026-2708
CVE-2026-27113 on Ubuntu 26.04 LTS (resolute) - medium
Liquid Prompt is an adaptive prompt for Bash and Zsh. Starting in commit cf3441250bb5d8b45f6f8b389fcdf427a99ac28a and prior to commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c on the master branch, arbitrary command injection can lead to code execution when a user enters a directory in a Git repository containing a crafted branch name. Exploitation requires the LP_ENABLE_GITSTATUSD config option to be enabled (enabled by default), gitstatusd to be installed and started before Liquid Prompt is loaded (not the default), and shell prompt substitution to be active (enabled by default in Bash via "shopt -s promptvars", not enabled by default in Zsh). A branch name containing shell syntax such as "$(...)" or backtick expressions in the default branch or a checked-out branch will be evaluated by the shell when the prompt is rendered. No stable release is affected; only the master branch contains the vulnerable commit. Commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c contains a fix. As a workaround, set the LP_ENABLE_GITSTATUSD config option to 0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-20 22:16:00 UTC
CVE-2026-27113
CVE-2026-27135 on Ubuntu 26.04 LTS (resolute) - medium
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
Update Instructions:
Run `sudo pro fix CVE-2026-27135` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnghttp2-14 - 1.68.0-2ubuntu0.1
nghttp2 - 1.68.0-2ubuntu0.1
nghttp2-client - 1.68.0-2ubuntu0.1
nghttp2-proxy - 1.68.0-2ubuntu0.1
nghttp2-server - 1.68.0-2ubuntu0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 18:16:00 UTC
2026-03-18 18:16:00 UTC
[https://ubuntu.com/security/notices/USN-8233-1]
[https://ubuntu.com/security/notices/USN-8233-2]
CVE-2026-27135
CVE-2026-27137 on Ubuntu 26.04 LTS (resolute) - medium
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-06 22:16:00 UTC
CVE-2026-27137
CVE-2026-27138 on Ubuntu 26.04 LTS (resolute) - medium
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-06 22:16:00 UTC
CVE-2026-27138
CVE-2026-27139 on Ubuntu 26.04 LTS (resolute) - medium
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-06 22:16:00 UTC
CVE-2026-27139
CVE-2026-27140 on Ubuntu 26.04 LTS (resolute) - medium
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-08 02:16:00 UTC
CVE-2026-27140
CVE-2026-27141 on Ubuntu 26.04 LTS (resolute) - medium
Due to a missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-26 20:31:00 UTC
CVE-2026-27141
CVE-2026-27142 on Ubuntu 26.04 LTS (resolute) - medium
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-06 22:16:00 UTC
CVE-2026-27142
CVE-2026-27143 on Ubuntu 26.04 LTS (resolute) - medium
Arithmetic over induction variables in loops was not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-08 02:16:00 UTC
CVE-2026-27143
CVE-2026-27144 on Ubuntu 26.04 LTS (resolute) - medium
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-08 02:16:00 UTC
CVE-2026-27144
CVE-2026-27168 on Ubuntu 26.04 LTS (resolute) - medium
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. All versions are vulnerable to Heap-based Buffer Overflow through the XWD parser's use of the bytes_per_line value. The value is read directly from the file as the read size in io->strict_read(), and is never compared to the actual size of the destination buffer. An attacker can provide an XWD file with an arbitrarily large bytes_per_line, causing a massive write operation beyond the buffer heap allocated for the image pixels. The issue did not have a fix at the time of publication.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-21 00:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128621
CVE-2026-27168
CVE-2026-27171 on Ubuntu 26.04 LTS (resolute) - low
zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-02-18 04:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128336
https://github.com/madler/zlib/issues/904
CVE-2026-27171
CVE-2026-27206 on Ubuntu 26.04 LTS (resolute) - medium
Zumba Json Serializer is a library to serialize PHP variables in JSON format. In versions 3.2.2 and below, the library allows deserialization of PHP objects from JSON using a special @type field. The deserializer instantiates any class specified in the @type field without restriction. When processing untrusted JSON input, this behavior may allow an attacker to instantiate arbitrary classes available in the application. If a vulnerable application passes attacker-controlled JSON into JsonSerializer::unserialize() and contains classes with dangerous magic methods (such as __wakeup() or __destruct()), this may lead to PHP Object Injection and potentially Remote Code Execution (RCE), depending on available gadget chains in the application or its dependencies. This behavior is similar in risk profile to PHP's native unserialize() when used without the allowed_classes restriction. Applications are impacted only if untrusted or attacker-controlled JSON is passed into JsonSerializer::unserialize() and the application or its dependencies contain classes that can be leveraged as a gadget chain. This issue has been fixed in version 3.2.3. If an immediate upgrade isn't feasible, mitigate the vulnerability by never deserializing untrusted JSON with JsonSerializer::unserialize(), validating and sanitizing all JSON input before deserialization, and disabling @type-based object instantiation wherever possible.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-21 07:16:00 UTC
CVE-2026-27206
CVE-2026-2739 on Ubuntu 26.04 LTS (resolute) - medium
This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-20 05:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128619
CVE-2026-2739
CVE-2026-27446 on Ubuntu 26.04 LTS (resolute) - medium
Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:
- incoming Core protocol connections from untrusted sources to the broker
- outgoing Core protocol connections from the broker to untrusted targets
This issue affects:
- Apache Artemis from 2.50.0 through 2.51.0
- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.
Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.
The issue can be mitigated by one of the following:
- Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the "artemis" acceptor listening on port 61616. See the "protocols" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.
- Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.
- Implement and deploy a Core interceptor to deny all Core downstream federation connect packets. Such packets have a type of (int) -16 or (byte) 0xfffffff0. Documentation for interceptors is available at https://artemis.apache.org/components/artemis/documentation/latest/intercepting-operations.html.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-04 09:15:00 UTC
CVE-2026-27446
CVE-2026-27447 on Ubuntu 26.04 LTS (resolute) - medium
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-insensitive username comparison during authorization checks. The vulnerability allows an unprivileged user to gain unauthorized access to restricted operations by using a user with a username that differs only in case from an authorized user. At time of publication, there are no publicly available patches.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 22:16:00 UTC
mdeslaur(main)
Ariel Silver
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132716
CVE-2026-27447
CVE-2026-27456 on Ubuntu 26.04 LTS (resolute) - medium
util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 22:16:00 UTC
CVE-2026-27456
CVE-2026-27470 on Ubuntu 26.04 LTS (resolute) - medium
ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are later retrieved and concatenated directly into SQL WHERE clauses without escaping. An authenticated user with Events edit and view permissions can exploit this to execute arbitrary SQL queries.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-21 08:16:00 UTC
CVE-2026-27470
CVE-2026-27472 on Ubuntu 26.04 LTS (resolute) - medium
SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does not verify that the syndication URL is a valid remote URL, allowing an authenticated attacker to make the server issue requests to arbitrary internal or external destinations. This vulnerability is not mitigated by the SPIP security screen.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-19 19:22:00 UTC
CVE-2026-27472
CVE-2026-27473 on Ubuntu 26.04 LTS (resolute) - medium
SPIP before 4.4.9 allows Stored Cross-Site Scripting (XSS) via syndicated sites in the private area. The #URL_SYNDIC output is not properly sanitized on the private syndicated site page, allowing an attacker who can set a malicious syndication URL to inject persistent scripts that execute when other administrators view the syndicated site details.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-19 19:22:00 UTC
CVE-2026-27473
CVE-2026-27474 on Ubuntu 26.04 LTS (resolute) - medium
SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappe_anti_xss() function was not systematically applied to input, form, button, and anchor (a) HTML tags, allowing an attacker to inject malicious scripts through these elements. This vulnerability is not mitigated by the SPIP security screen.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-19 19:22:00 UTC
CVE-2026-27474
CVE-2026-27475 on Ubuntu 26.04 LTS (resolute) - medium
SPIP before 4.4.9 allows Insecure Deserialization in the public area through the table_valeur filter and the DATA iterator, which accept serialized data. An attacker who can place malicious serialized content (a pre-condition requiring prior access or another vulnerability) can trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. This vulnerability is not mitigated by the SPIP security screen.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-19 19:22:00 UTC
CVE-2026-27475
CVE-2026-27489 on Ubuntu 26.04 LTS (resolute) - medium
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows reading arbitrary files outside the model or user-provided directory. This issue has been patched in version 1.21.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 18:16:00 UTC
CVE-2026-27489
CVE-2026-27571 on Ubuntu 26.04 LTS (resolute) - medium
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory size of a NATS message but did not independently bound the memory consumption of the memory stream when constructing a NATS message which might then fail validation for size reasons. An attacker can use a compression bomb to cause excessive memory consumption, often resulting in the operating system terminating the server process. The use of compression is negotiated before authentication, so this does not require valid NATS credentials to exploit. The fix, present in versions 2.11.2 and 2.12.3, was to bound the decompression to fail once the message was too large, instead of continuing on. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 17:29:00 UTC
CVE-2026-27571
CVE-2026-27585 on Ubuntu 26.04 LTS (resolute) - medium
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 17:29:00 UTC
CVE-2026-27585
CVE-2026-27586 on Ubuntu 26.04 LTS (resolute) - medium
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 17:29:00 UTC
CVE-2026-27586
CVE-2026-27587 on Ubuntu 26.04 LTS (resolute) - medium
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 17:29:00 UTC
CVE-2026-27587
CVE-2026-27588 on Ubuntu 26.04 LTS (resolute) - medium
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 17:29:00 UTC
CVE-2026-27588
CVE-2026-27589 on Ubuntu 26.04 LTS (resolute) - medium
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 17:29:00 UTC
CVE-2026-27589
CVE-2026-27590 on Ubuntu 26.04 LTS (resolute) - medium
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 17:29:00 UTC
CVE-2026-27590
CVE-2026-27596 on Ubuntu 26.04 LTS (resolute) - medium
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. The out-of-bounds read is at a 4GB offset, which usually causes Exiv2 to crash. This issue has been patched in version 0.28.8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-02 20:16:00 UTC
2026-03-02 20:16:00 UTC
[https://ubuntu.com/security/notices/USN-8103-1]
CVE-2026-27596
CVE-2026-27606 on Ubuntu 26.04 LTS (resolute) - medium
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) are vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (`../`) to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-25 03:16:00 UTC
CVE-2026-27606
CVE-2026-27622 on Ubuntu 26.04 LTS (resolute) - medium
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes; for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.
Update Instructions:
Run `sudo pro fix CVE-2026-27622` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenexr-3-1-30 - 3.1.13-2ubuntu0.26.04.1~esm1
openexr - 3.1.13-2ubuntu0.26.04.1~esm1
Available with Ubuntu Pro: https://ubuntu.com/pro
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-03 23:15:00 UTC
2026-03-03 23:15:00 UTC
[https://ubuntu.com/security/notices/USN-8259-1]
CVE-2026-27622
CVE-2026-27624 on Ubuntu 26.04 LTS (resolute) - medium
Coturn is a free open source implementation of TURN and STUN Server. Coturn is commonly configured to block loopback and internal ranges using "denied-peer-ip" and/or default loopback restrictions. CVE-2020-26262 addressed bypasses involving "0.0.0.0", "[::1]" and "[::]", but IPv4-mapped IPv6 is not covered. When sending a "CreatePermission" or "ChannelBind" request with the "XOR-PEER-ADDRESS" value of "::ffff:127.0.0.1", a successful response is received, even though "127.0.0.0/8" is blocked via "denied-peer-ip". The root cause is that, prior to the updated fix implemented in version 4.9.0, three functions in "src/client/ns_turn_ioaddr.c" do not check "IN6_IS_ADDR_V4MAPPED". "ioa_addr_is_loopback()" checks "127.x.x.x" (AF_INET) and "::1" (AF_INET6), but not "::ffff:127.0.0.1". "ioa_addr_is_zero()" checks "0.0.0.0" and "::", but not "::ffff:0.0.0.0". "addr_less_eq()" is used by "ioa_addr_in_range()" for "denied-peer-ip" matching: when the range is AF_INET and the peer is AF_INET6, the comparison returns 0 without extracting the embedded IPv4. Version 4.9.0 contains an updated fix to address the bypass of the fix for CVE-2020-26262.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-25 05:17:00 UTC
CVE-2026-27624
CVE-2026-27628 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This has been fixed in pypdf 6.7.2. As a workaround, one may apply the patch manually.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-25 03:16:00 UTC
CVE-2026-27628
CVE-2026-27631 on Ubuntu 26.04 LTS (resolute) - medium
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an uncaught exception was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. Due to an integer overflow, the code attempts to create a huge std::vector, which causes Exiv2 to crash with an uncaught exception. This issue has been patched in version 0.28.8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-02 20:16:00 UTC
2026-03-02 20:16:00 UTC
[https://ubuntu.com/security/notices/USN-8103-1]
CVE-2026-27631
CVE-2026-27699 on Ubuntu 26.04 LTS (resolute) - medium
The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-25 15:20:00 UTC
CVE-2026-27699
CVE-2026-27799 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in out-of-bounds memory reads. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-26 00:16:00 UTC
CVE-2026-27799
CVE-2026-27809 on Ubuntu 26.04 LTS (resolute) - medium
psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decode_rle() raises ValueError which propagated all the way to the user, crashing psd.composite() and psd-tools export. decompress() already had a fallback that replaces failed channels with black pixels when result is None, but it never triggered because the ValueError from decode_rle() was not caught. The fix in version 1.12.2 wraps the decode_rle() call in a try/except so the existing fallback handles the error gracefully.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-26 00:16:00 UTC
CVE-2026-27809
CVE-2026-2781 on Ubuntu 26.04 LTS (resolute) - medium
Integer overflow in the Libraries component in NSS. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, Thunderbird 140.8, and Firefox ESR 115.35.
Update Instructions:
Run `sudo pro fix CVE-2026-2781` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnss3 - 2:3.120-1ubuntu1
libnss3-tools - 2:3.120-1ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 14:16:00 UTC
2026-02-24 14:16:00 UTC
https://bugzilla.mozilla.org/show_bug.cgi?id=2009552 (private)
[https://ubuntu.com/security/notices/USN-8071-1]
[https://ubuntu.com/security/notices/USN-8071-2]
CVE-2026-2781
CVE-2026-27810 on Ubuntu 26.04 LTS (resolute) - medium
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsanitized `content_disposition` query parameter in the `/get/` and `/data-files/get/` endpoints. All users running the calibre Content Server with authentication enabled are affected. The vulnerability is exploitable by any authenticated user and can also be triggered by tricking an authenticated victim into clicking a crafted link. Version 9.4.0 contains a fix for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 20:21:00 UTC
CVE-2026-27810
CVE-2026-27820 on Ubuntu 26.04 LTS (resolute) - medium
zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-16 18:16:00 UTC
CVE-2026-27820
CVE-2026-27824 on Ubuntu 26.04 LTS (resolute) - medium
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` header is read directly from the HTTP request without any validation or trusted-proxy configuration, an attacker can bypass IP-based bans by simply changing or adding this header, rendering the brute-force protection completely ineffective. This is particularly dangerous for calibre servers exposed to the internet, where brute-force protection is the primary defense against credential stuffing and password guessing attacks. Version 9.4.0 contains a fix for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 20:21:00 UTC
CVE-2026-27824
CVE-2026-27830 on Ubuntu 26.04 LTS (resolute) - medium
c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDataSource` or via maliciously crafted serialized objects or `javax.naming.Reference` instances, could tailor it to execute unexpected code on the application's `CLASSPATH`. The danger of this vulnerability was strongly magnified by vulnerabilities in c3p0's main dependency, mchange-commons-java. This library includes code that mirrors early implementations of JNDI functionality, including ungated support for remote `factoryClassLocation` values. Attackers could set c3p0's `userOverridesAsString` to hex-encoded serialized objects that include objects "indirectly serialized" via JNDI references. Deserialization of those objects and dereferencing of the embedded `javax.naming.Reference` objects could provoke download and execution of malicious code from a remote `factoryClassLocation`. Although the hazards presented by c3p0's vulnerabilities are exacerbated by vulnerabilities in mchange-commons-java, use of Java-serialized-object hex as the format for a writable Java-Bean property, of objects that may be exposed across JNDI interfaces, represents a serious independent fragility. The `userOverridesAsString` property of c3p0 `ConnectionPoolDataSource` classes has been reimplemented to use a safe CSV-based format, rather than rely upon potentially dangerous Java object deserialization. c3p0-0.12.0 and above depend upon mchange-commons-java 0.4.0+, which gates support for remote `factoryClassLocation` values by configuration parameters that default to restrictive values.
c3p0 additionally enforces the new mchange-commons-java `com.mchange.v2.naming.nameGuardClassName` to prevent injection of unexpected, potentially remote JNDI names. There is no supported workaround for versions of c3p0 prior to 0.12.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-26 01:16:00 UTC
CVE-2026-27830
CVE-2026-27837 on Ubuntu 26.04 LTS (resolute) - medium
Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-26 01:16:00 UTC
CVE-2026-27837
CVE-2026-27851 on Ubuntu 26.04 LTS (resolute) - medium
When the safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using the safe filter until on a fixed version. No publicly available exploits are known.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 14:16:00 UTC
CVE-2026-27851
CVE-2026-27853 on Ubuntu 26.04 LTS (resolute) - medium
An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 12:16:00 UTC
CVE-2026-27853
CVE-2026-27854 on Ubuntu 26.04 LTS (resolute) - medium
An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 12:16:00 UTC
CVE-2026-27854
CVE-2026-27888 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the `xfa` property of a reader or writer and the corresponding stream being compressed using `/FlateDecode`. This has been fixed in pypdf 6.7.3. As a workaround, apply the patch manually.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-26 01:16:00 UTC
CVE-2026-27888
CVE-2026-27889 on Ubuntu 26.04 LTS (resolute) - medium
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the websockets port. Versions 2.11.14 and 2.12.5 contain a fix. A workaround is available. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points. If one is able to do so, a defense in depth of restricting either of these will mitigate the attack.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 20:16:00 UTC
CVE-2026-27889
CVE-2026-27890 on Ubuntu 26.04 LTS (resolute) - medium
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing CNCT_specific_data segments during authentication, the server assumes segments arrive in strictly ascending order. If segments arrive out of order, the Array class's grow() method computes a negative size value, causing a SIGSEGV crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 19:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134332
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134333
CVE-2026-27890
CVE-2026-27894 on Ubuntu 26.04 LTS (resolute) - medium
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and in this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows execution of arbitrary code. Users need to log in to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 00:16:00 UTC
CVE-2026-27894
CVE-2026-27895 on Ubuntu 26.04 LTS (resolute) - medium
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions. This way any file type (including .php files) can be uploaded. With GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote code execution as the web server user. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 00:16:00 UTC
CVE-2026-27895
CVE-2026-27903 on Ubuntu 26.04 LTS (resolute) - medium
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-26 02:16:00 UTC
CVE-2026-27903
CVE-2026-27904 on Ubuntu 26.04 LTS (resolute) - medium
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-26 02:16:00 UTC
CVE-2026-27904
CVE-2026-27932 on Ubuntu 26.04 LTS (resolute) - medium
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In 1.6.2 and earlier, a resource exhaustion vulnerability in joserfc allows an unauthenticated attacker to cause a Denial of Service (DoS) via CPU exhaustion. When the library decrypts a JSON Web Encryption (JWE) token using Password-Based Encryption (PBES2) algorithms, it reads the p2c (PBES2 Count) parameter directly from the token's protected header. This parameter defines the number of iterations for the PBKDF2 key derivation function. Because joserfc does not validate or bound this value, an attacker can specify an extremely large iteration count (e.g., 2^31 - 1), forcing the server to expend massive CPU resources processing a single token. This vulnerability exists at the JWA layer and impacts all high-level JWE and JWT decryption interfaces if PBES2 algorithms are allowed by the application's policy.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-03 23:15:00 UTC
CVE-2026-27932
CVE-2026-27940 on Ubuntu 26.04 LTS (resolute) - medium
llama.cpp is an inference of several LLM models in C/C++. Prior to b8146, the gguf_init_from_file_impl() in gguf.cpp is vulnerable to an integer overflow, leading to an undersized heap allocation. The subsequent fread() then writes 528+ bytes of attacker-controlled data past the buffer boundary. This is a bypass of a similar bug in the same file - CVE-2025-53630, but the fix overlooked some areas. This vulnerability is fixed in b8146.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 17:16:00 UTC
CVE-2026-27940
CVE-2026-27942 on Ubuntu 26.04 LTS (resolute) - medium
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with a stack overflow when a user uses the XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use the XML builder with `preserveOrder:false` or check the input data before passing it to the builder.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-26 02:16:00 UTC
CVE-2026-27942
CVE-2026-27953 on Ubuntu 26.04 LTS (resolute) - medium
ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "__pk_only__": true into a JSON request body. By injecting "__pk_only__": true into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary __excluded__ parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity violations, and business logic bypass in any application using ormar.Model directly as a request body parameter. This issue has been fixed in version 0.23.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 21:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131494
CVE-2026-27953
CVE-2026-27962 on Ubuntu 26.04 LTS (resolute) - medium
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid, bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 18:16:00 UTC
CVE-2026-27962
CVE-2026-27970 on Ubuntu 26.04 LTS (resolute) - medium
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions prior to 21.2.0, 21.1.16, 20.3.17, and 19.2.19 have a cross-site scripting vulnerability in the Angular internationalization (i18n) pipeline. In ICU messages (International Components for Unicode), HTML from translated content was not properly sanitized and could execute arbitrary JavaScript. Angular i18n typically involves three steps: extracting all messages from an application in the source language, sending the messages to be translated, and then merging their translations back into the final source code. Translations are frequently handled by contracts with specific partner companies, and involve sending the source messages to a separate contractor before receiving final translations for display to the end user. If the returned translations have malicious content, it could be rendered into the application and execute arbitrary JavaScript. When successfully exploited, this vulnerability allows for execution of attacker controlled JavaScript in the application origin. Depending on the nature of the application being exploited this could lead to credential exfiltration and/or page vandalism. Several preconditions apply to the attack. The attacker must compromise the translation file (xliff, xtb, etc.). Unlike most XSS vulnerabilities, this issue is not exploitable by arbitrary users. An attacker must first compromise an application's translation file before they can escalate privileges into the Angular application client. The victim application must use Angular i18n, use one or more ICU messages, render an ICU message, and not defend against XSS via a safe content security policy. Versions 21.2.0, 21.1.6, 20.3.17, and 19.2.19 patch the issue.
Until the patch is applied, developers should consider reviewing and verifying translated content received from untrusted third parties before incorporating it in an Angular application, enabling strict CSP controls to block unauthorized JavaScript from executing on the page, and enabling Trusted Types to enforce proper HTML sanitization.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-26 02:16:00 UTC
CVE-2026-27970
CVE-2026-27982 on Ubuntu 26.04 LTS (resolute) - medium
An open redirect vulnerability exists in django-allauth versions prior to 65.14.1 when SAML IdP initiated SSO is enabled (it is disabled by default), which may allow an attacker to redirect users to an arbitrary external website via a crafted URL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-05 06:16:00 UTC
CVE-2026-27982
CVE-2026-28212 on Ubuntu 26.04 LTS (resolute) - medium
Firebird is an open-source relational database management system. In versions prior to 6.0.0, 5.0.4, 4.0.7 and 3.0.14, when processing an op_slice network packet, the server passes an unprepared structure containing a null pointer to the SDL_info() function, resulting in a null pointer dereference and server crash. An unauthenticated attacker can trigger this by sending a crafted packet to the server port. This issue has been fixed in versions 6.0.0, 5.0.4, 4.0.7 and 3.0.14.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 19:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134332
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134333
CVE-2026-28212
CVE-2026-28214 on Ubuntu 26.04 LTS (resolute) - medium
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the ClumpletReader::getClumpletSize() function can overflow the totalLength value when parsing a Wide type clumplet, causing an infinite loop. An authenticated user with INSERT privileges on any table can exploit this via a crafted Batch Parameter Block to cause a denial of service against the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 19:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134332
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134333
CVE-2026-28214
CVE-2026-28224 on Ubuntu 26.04 LTS (resolute) - medium
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior authentication, the port_server_crypt_callback handler is not initialized, resulting in a null pointer dereference and server crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 19:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134332
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134333
CVE-2026-28224
CVE-2026-28343 on Ubuntu 26.04 LTS (resolute) - medium
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0 and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-05 20:16:00 UTC
CVE-2026-28343
CVE-2026-28348 on Ubuntu 26.04 LTS (resolute) - medium
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the _has_sneaky_javascript() method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import and expression() filters, allowing external CSS loading or XSS in older browsers. This issue has been patched in version 0.4.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-05 20:16:00 UTC
CVE-2026-28348
CVE-2026-28350 on Ubuntu 26.04 LTS (resolute) - medium
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the <base> tag passes through the default Cleaner configuration. While page_structure=True removes html, head, and title tags, there is no specific handling for <base>, allowing an attacker to inject it and hijack relative links on the page. This issue has been patched in version 0.4.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-05 20:16:00 UTC
CVE-2026-28350
CVE-2026-28351 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.4. As a workaround, consider applying the changes from PR #3664.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 21:16:00 UTC
CVE-2026-28351
CVE-2026-28356 on Ubuntu 26.04 LTS (resolute) - medium
multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 17:16:00 UTC
CVE-2026-28356
CVE-2026-28364 on Ubuntu 26.04 LTS (resolute) - medium
In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 04:16:00 UTC
CVE-2026-28364
CVE-2026-28367 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 17:16:00 UTC
CVE-2026-28367
CVE-2026-28368 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 17:16:00 UTC
CVE-2026-28368
CVE-2026-28369 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 17:16:00 UTC
CVE-2026-28369
CVE-2026-28370 on Ubuntu 26.04 LTS (resolute) - medium
In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 05:18:00 UTC
CVE-2026-28370
CVE-2026-28372 on Ubuntu 26.04 LTS (resolute) - medium
telnetd in GNU inetutils through 2.7 allows privilege escalation that can be exploited by abusing systemd service credentials support added to the login(1) implementation of util-linux in release 2.40. This is related to client control over the CREDENTIALS_DIRECTORY environment variable, and requires an unprivileged local user to create a login.noauth file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 06:18:00 UTC
Ron Ben Yizhak
CVE-2026-28372
CVE-2026-28387 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0)/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.
Update Instructions:
Run `sudo pro fix CVE-2026-28387` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu3
openssl - 3.5.5-1ubuntu3
openssl-provider-legacy - 3.5.5-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-04-07
2026-04-07
Igor Morgenstern
[https://ubuntu.com/security/notices/USN-8155-1]
[https://ubuntu.com/security/notices/USN-8155-2]
CVE-2026-28387
CVE-2026-28388 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshest CRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Update Instructions:
Run `sudo pro fix CVE-2026-28388` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu3
openssl - 3.5.5-1ubuntu3
openssl-provider-legacy - 3.5.5-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-04-07
2026-04-07
Igor Morgenstern
[https://ubuntu.com/security/notices/USN-8155-1]
[https://ubuntu.com/security/notices/USN-8155-2]
CVE-2026-28388
CVE-2026-28389 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Update Instructions:
Run `sudo pro fix CVE-2026-28389` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu3
openssl - 3.5.5-1ubuntu3
openssl-provider-legacy - 3.5.5-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-04-07
2026-04-07
Nathan Sportsman, Daniel Rhea, and Jaeho Nam
[https://ubuntu.com/security/notices/USN-8155-1]
[https://ubuntu.com/security/notices/USN-8155-2]
CVE-2026-28389
CVE-2026-28390 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Update Instructions:
Run `sudo pro fix CVE-2026-28390` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu3
openssl - 3.5.5-1ubuntu3
openssl-provider-legacy - 3.5.5-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-04-07
2026-04-07
Muhammad Daffa, XlabAI Team, Joshua Rogers, and Chanho Kim
[https://ubuntu.com/security/notices/USN-8155-1]
[https://ubuntu.com/security/notices/USN-8155-2]
CVE-2026-28390
CVE-2026-28417 on Ubuntu 26.04 LTS (resolute) - medium
Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2026-28417` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
vim - 2:9.1.2141-1ubuntu2
vim-common - 2:9.1.2141-1ubuntu2
vim-gtk3 - 2:9.1.2141-1ubuntu2
vim-gui-common - 2:9.1.2141-1ubuntu2
vim-motif - 2:9.1.2141-1ubuntu2
vim-nox - 2:9.1.2141-1ubuntu2
vim-runtime - 2:9.1.2141-1ubuntu2
vim-tiny - 2:9.1.2141-1ubuntu2
xxd - 2:9.1.2141-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 22:16:00 UTC
2026-02-27 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129427
[https://ubuntu.com/security/notices/USN-8101-1]
CVE-2026-28417
CVE-2026-28418 on Ubuntu 26.04 LTS (resolute) - medium
Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2026-28418` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
vim - 2:9.1.2141-1ubuntu2
vim-common - 2:9.1.2141-1ubuntu2
vim-gtk3 - 2:9.1.2141-1ubuntu2
vim-gui-common - 2:9.1.2141-1ubuntu2
vim-motif - 2:9.1.2141-1ubuntu2
vim-nox - 2:9.1.2141-1ubuntu2
vim-runtime - 2:9.1.2141-1ubuntu2
vim-tiny - 2:9.1.2141-1ubuntu2
xxd - 2:9.1.2141-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 22:16:00 UTC
2026-02-27 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129428
[https://ubuntu.com/security/notices/USN-8101-1]
CVE-2026-28418
CVE-2026-28419 on Ubuntu 26.04 LTS (resolute) - medium
Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2026-28419` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
vim - 2:9.1.2141-1ubuntu2
vim-common - 2:9.1.2141-1ubuntu2
vim-gtk3 - 2:9.1.2141-1ubuntu2
vim-gui-common - 2:9.1.2141-1ubuntu2
vim-motif - 2:9.1.2141-1ubuntu2
vim-nox - 2:9.1.2141-1ubuntu2
vim-runtime - 2:9.1.2141-1ubuntu2
vim-tiny - 2:9.1.2141-1ubuntu2
xxd - 2:9.1.2141-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 22:16:00 UTC
2026-02-27 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129429
[https://ubuntu.com/security/notices/USN-8101-1]
CVE-2026-28419
CVE-2026-28420 on Ubuntu 26.04 LTS (resolute) - medium
Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2026-28420` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
vim - 2:9.1.2141-1ubuntu2
vim-common - 2:9.1.2141-1ubuntu2
vim-gtk3 - 2:9.1.2141-1ubuntu2
vim-gui-common - 2:9.1.2141-1ubuntu2
vim-motif - 2:9.1.2141-1ubuntu2
vim-nox - 2:9.1.2141-1ubuntu2
vim-runtime - 2:9.1.2141-1ubuntu2
vim-tiny - 2:9.1.2141-1ubuntu2
xxd - 2:9.1.2141-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 22:16:00 UTC
2026-02-27 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129430
[https://ubuntu.com/security/notices/USN-8101-1]
CVE-2026-28420
CVE-2026-28421 on Ubuntu 26.04 LTS (resolute) - medium
Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2026-28421` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
vim - 2:9.1.2141-1ubuntu2
vim-common - 2:9.1.2141-1ubuntu2
vim-gtk3 - 2:9.1.2141-1ubuntu2
vim-gui-common - 2:9.1.2141-1ubuntu2
vim-motif - 2:9.1.2141-1ubuntu2
vim-nox - 2:9.1.2141-1ubuntu2
vim-runtime - 2:9.1.2141-1ubuntu2
vim-tiny - 2:9.1.2141-1ubuntu2
xxd - 2:9.1.2141-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 22:16:00 UTC
2026-02-27 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129431
[https://ubuntu.com/security/notices/USN-8101-1]
CVE-2026-28421
CVE-2026-28422 on Ubuntu 26.04 LTS (resolute) - medium
Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.
Update Instructions:
Run `sudo pro fix CVE-2026-28422` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
vim - 2:9.1.2141-1ubuntu2
vim-common - 2:9.1.2141-1ubuntu2
vim-gtk3 - 2:9.1.2141-1ubuntu2
vim-gui-common - 2:9.1.2141-1ubuntu2
vim-motif - 2:9.1.2141-1ubuntu2
vim-nox - 2:9.1.2141-1ubuntu2
vim-runtime - 2:9.1.2141-1ubuntu2
vim-tiny - 2:9.1.2141-1ubuntu2
xxd - 2:9.1.2141-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 22:16:00 UTC
2026-02-27 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129432
[https://ubuntu.com/security/notices/USN-8101-1]
CVE-2026-28422
CVE-2026-28434 on Ubuntu 26.04 LTS (resolute) - medium
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a C++ exception and the application has not registered a custom exception handler via set_exception_handler(), the library catches the exception and writes its message directly into the HTTP response as a header named EXCEPTION_WHAT. This header is sent to whoever made the request, with no authentication check and no special configuration required to trigger it. The behavior is on by default. A developer who does not know to opt in to set_exception_handler() will ship a server that leaks internal exception messages to any client. This vulnerability is fixed in 0.35.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-04 20:16:00 UTC
CVE-2026-28434
CVE-2026-28435 on Ubuntu 26.04 LTS (resolute) - medium
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not enforce Server::set_payload_max_length() on the decompressed request body when using HandlerWithContentReader (streaming ContentReader) with Content-Encoding: gzip (or other supported encodings). A small compressed payload can expand beyond the configured payload limit and be processed by the application, enabling a payload size limit bypass and potential denial of service (CPU/memory exhaustion). This vulnerability is fixed in 0.35.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-04 20:16:00 UTC
CVE-2026-28435
CVE-2026-28490 on Ubuntu 26.04 LTS (resolute) - medium
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 18:16:00 UTC
CVE-2026-28490
CVE-2026-28493 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-16, an integer overflow vulnerability exists in the SIXEL decoder. The vulnerability allows an attacker to perform an out of bounds via a specially crafted image. This vulnerability is fixed in 7.1.2-16.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 07:43:00 UTC
CVE-2026-28493
CVE-2026-28494 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 07:43:00 UTC
CVE-2026-28494
CVE-2026-28498 on Ubuntu 26.04 LTS (resolute) - medium
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications. This issue has been patched in version 1.6.9.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 18:16:00 UTC
CVE-2026-28498
CVE-2026-28500 on Ubuntu 26.04 LTS (resolute) - medium
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 02:16:00 UTC
CVE-2026-28500
CVE-2026-28525 on Ubuntu 26.04 LTS (resolute) - medium
SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing. Attackers can trigger an integer underflow in the mg_http_multipart_continue_wait_for_chunk() function when the buffer length falls within a specific range, causing an out-of-bounds heap read that writes data beyond the allocated receive buffer to a local IPC socket.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 21:16:00 UTC
CVE-2026-28525
CVE-2026-28532 on Ubuntu 26.04 LTS (resolute) - medium
FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition to fail while pointer advancement continues unchecked. Attackers with an established OSPF adjacency can send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to trigger out-of-bounds memory reads and crash all affected routers in the OSPF area or autonomous system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 21:16:00 UTC
CVE-2026-28532
CVE-2026-28684 on Ubuntu 26.04 LTS (resolute) - medium
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Users should upgrade to v.1.2.2 or, as a workaround, apply the patch manually.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-20 17:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134491
CVE-2026-28684
CVE-2026-28686 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a heap-buffer-overflow vulnerability exists in the PCL encode due to an undersized output buffer allocation. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 07:43:00 UTC
CVE-2026-28686
CVE-2026-28687 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a heap use-after-free vulnerability in ImageMagick's MSL decoder allows an attacker to trigger access to freed memory by crafting an MSL file. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 07:43:00 UTC
CVE-2026-28687
CVE-2026-28688 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a heap-use-after-free vulnerability exists in the MSL encoder, where a cloned image is destroyed twice. The MSL coder does not support writing MSL so the write capability has been removed. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 07:43:00 UTC
CVE-2026-28688
CVE-2026-28689 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, domain="path" authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 07:43:00 UTC
CVE-2026-28689
CVE-2026-28690 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow vulnerability exists in the MNG encoder. A bounds check is missing, which could corrupt the stack with attacker-controlled data. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 07:43:00 UTC
CVE-2026-28690
CVE-2026-28691 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 07:43:00 UTC
CVE-2026-28691
CVE-2026-28692 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, MAT decoder uses 32-bit arithmetic due to incorrect parenthesization resulting in a heap over-read. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 07:43:00 UTC
CVE-2026-28692
CVE-2026-28693 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an integer overflow in DIB coder can result in out of bounds read or write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 07:43:00 UTC
CVE-2026-28693
CVE-2026-28780 on Ubuntu 26.04 LTS (resolute) - low
Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2026-28780` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.66-2ubuntu2.1
apache2-bin - 2.4.66-2ubuntu2.1
apache2-data - 2.4.66-2ubuntu2.1
apache2-suexec-custom - 2.4.66-2ubuntu2.1
apache2-suexec-pristine - 2.4.66-2ubuntu2.1
apache2-utils - 2.4.66-2ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-05-05
2026-05-05
Andrew Lacambra, Elhanan Haenel, Tianshuo Han, Tristan Madani
[https://ubuntu.com/security/notices/USN-8239-1]
CVE-2026-28780
CVE-2026-28802 on Ubuntu 26.04 LTS (resolute) - medium
Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected. This issue has been patched in version 1.6.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-06 07:16:00 UTC
CVE-2026-28802
CVE-2026-28804 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter. This issue has been patched in version 6.7.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-06 07:16:00 UTC
CVE-2026-28804
CVE-2026-28808 on Ubuntu 26.04 LTS (resolute) - medium
Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 13:16:00 UTC
CVE-2026-28808
CVE-2026-28810 on Ubuntu 26.04 LTS (resolute) - medium
Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning. The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers. inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible. This vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 09:16:00 UTC
CVE-2026-28810
CVE-2026-28857 on Ubuntu 26.04 LTS (resolute) - medium
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may lead to an unexpected process crash.
Update Instructions:
Run `sudo pro fix CVE-2026-28857` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-javascriptcoregtk-4.1 - 2.52.3-0ubuntu0.26.04.2
gir1.2-javascriptcoregtk-6.0 - 2.52.3-0ubuntu0.26.04.2
gir1.2-webkit-6.0 - 2.52.3-0ubuntu0.26.04.2
gir1.2-webkit2-4.1 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-4.1-0 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-6.0-1 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-bin - 2.52.3-0ubuntu0.26.04.2
libwebkit2gtk-4.1-0 - 2.52.3-0ubuntu0.26.04.2
libwebkitgtk-6.0-4 - 2.52.3-0ubuntu0.26.04.2
webkitgtk-webdriver - 2.52.3-0ubuntu0.26.04.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 01:17:00 UTC
2026-03-25 01:17:00 UTC
[https://ubuntu.com/security/notices/USN-8237-1]
CVE-2026-28857
CVE-2026-28859 on Ubuntu 26.04 LTS (resolute) - medium
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. A malicious website may be able to process restricted web content outside the sandbox.
Update Instructions:
Run `sudo pro fix CVE-2026-28859` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-javascriptcoregtk-4.1 - 2.52.3-0ubuntu0.26.04.2
gir1.2-javascriptcoregtk-6.0 - 2.52.3-0ubuntu0.26.04.2
gir1.2-webkit-6.0 - 2.52.3-0ubuntu0.26.04.2
gir1.2-webkit2-4.1 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-4.1-0 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-6.0-1 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-bin - 2.52.3-0ubuntu0.26.04.2
libwebkit2gtk-4.1-0 - 2.52.3-0ubuntu0.26.04.2
libwebkitgtk-6.0-4 - 2.52.3-0ubuntu0.26.04.2
webkitgtk-webdriver - 2.52.3-0ubuntu0.26.04.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 01:17:00 UTC
2026-03-25 01:17:00 UTC
[https://ubuntu.com/security/notices/USN-8237-1]
CVE-2026-28859
CVE-2026-28861 on Ubuntu 26.04 LTS (resolute) - medium
A logic issue was addressed with improved state management. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. A malicious website may be able to access script message handlers intended for other origins.
Update Instructions:
Run `sudo pro fix CVE-2026-28861` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-javascriptcoregtk-4.1 - 2.52.3-0ubuntu0.26.04.2
gir1.2-javascriptcoregtk-6.0 - 2.52.3-0ubuntu0.26.04.2
gir1.2-webkit-6.0 - 2.52.3-0ubuntu0.26.04.2
gir1.2-webkit2-4.1 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-4.1-0 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-6.0-1 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-bin - 2.52.3-0ubuntu0.26.04.2
libwebkit2gtk-4.1-0 - 2.52.3-0ubuntu0.26.04.2
libwebkitgtk-6.0-4 - 2.52.3-0ubuntu0.26.04.2
webkitgtk-webdriver - 2.52.3-0ubuntu0.26.04.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 01:17:00 UTC
2026-03-25 01:17:00 UTC
[https://ubuntu.com/security/notices/USN-8237-1]
CVE-2026-28861
CVE-2026-28871 on Ubuntu 26.04 LTS (resolute) - medium
A logic issue was addressed with improved checks. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4. Visiting a maliciously crafted website may lead to a cross-site scripting attack.
Update Instructions:
Run `sudo pro fix CVE-2026-28871` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-javascriptcoregtk-4.1 - 2.52.3-0ubuntu0.26.04.2
gir1.2-javascriptcoregtk-6.0 - 2.52.3-0ubuntu0.26.04.2
gir1.2-webkit-6.0 - 2.52.3-0ubuntu0.26.04.2
gir1.2-webkit2-4.1 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-4.1-0 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-6.0-1 - 2.52.3-0ubuntu0.26.04.2
libjavascriptcoregtk-bin - 2.52.3-0ubuntu0.26.04.2
libwebkit2gtk-4.1-0 - 2.52.3-0ubuntu0.26.04.2
libwebkitgtk-6.0-4 - 2.52.3-0ubuntu0.26.04.2
webkitgtk-webdriver - 2.52.3-0ubuntu0.26.04.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 01:17:00 UTC
2026-03-25 01:17:00 UTC
[https://ubuntu.com/security/notices/USN-8237-1]
CVE-2026-28871
CVE-2026-29004 on Ubuntu 26.04 LTS (resolute) - medium
BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option. Attackers can exploit incorrect heap buffer allocation calculations in the option_to_env() function to cause denial of service or achieve arbitrary code execution on embedded systems without heap hardening.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 18:16:00 UTC
CVE-2026-29004
CVE-2026-29013 on Ubuntu 26.04 LTS (resolute) - medium
libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is removed in release builds compiled with NDEBUG. Attackers can send crafted CoAP requests with malformed OSCORE options or responses during OSCORE negotiation to trigger out-of-bounds reads during CBOR parsing and potentially cause heap buffer overflow writes through integer wraparound in allocation size computation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134340
CVE-2026-29013
CVE-2026-29022 on Ubuntu 26.04 LTS (resolute) - medium
dr_libs dr_wav.h version 0.14.4 and earlier (fixed in commit 8a7258c) contain a heap buffer overflow vulnerability in the drwav__read_smpl_to_metadata_obj() function of dr_wav.h that allows memory corruption via crafted WAV files. Attackers can exploit a mismatch between sampleLoopCount validation in pass 1 and unconditional processing in pass 2 to overflow heap allocations with 36 bytes of attacker-controlled data through any drwav_init_*_with_metadata() call on untrusted input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-03 20:16:00 UTC
https://github.com/mackron/dr_libs/issues/296
CVE-2026-29022
CVE-2026-2903 on Ubuntu 26.04 LTS (resolute) - low
A flaw has been found in skvadrik re2c up to 4.4. Impacted is the function check_and_merge_special_rules of the file src/parse/ast.cc. This manipulation causes null pointer dereference. The attack can only be executed locally. The exploit has been published and may be used. Patch name: febeb977936f9519a25d9fbd10ff8256358cdb97. It is suggested to install a patch to address this issue.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-02-22 01:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128782
https://github.com/skvadrik/re2c/issues/571
CVE-2026-2903
CVE-2026-29043 on Ubuntu 26.04 LTS (resolute) - medium
HDF5 is software for managing data. In 1.14.1-2 and earlier, an attacker who can control an h5 file parsed by HDF5 can trigger a write-based heap buffer overflow condition in the H5T__ref_mem_setnull method. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 16:16:00 UTC
CVE-2026-29043
CVE-2026-29062 on Ubuntu 26.04 LTS (resolute) - medium
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-06 08:16:00 UTC
CVE-2026-29062
CVE-2026-29063 on Ubuntu 26.04 LTS (resolute) - medium
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-06 19:16:00 UTC
CVE-2026-29063
CVE-2026-29076 on Ubuntu 26.04 LTS (resolute) - medium
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine in libstdc++ implements backtracking via deep recursion, consuming one stack frame per input character. An attacker can send a single HTTP POST request with a crafted filename* parameter that causes uncontrolled stack growth, resulting in a stack overflow (SIGSEGV) that crashes the server process. This issue has been patched in version 0.37.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-07 16:15:00 UTC
CVE-2026-29076
CVE-2026-29078 on Ubuntu 26.04 LTS (resolute) - medium
Lexbor is a web browser engine library. Prior to 2.7.0, the ISO‑2022‑JP encoder in Lexbor fails to reset the temporary size variable between iterations. The statement ctx->buffer_used -= size with a stale size = 3 causes an integer underflow that wraps to SIZE_MAX. Afterwards, memcpy is called with a negative length, leading to an out‑of‑bounds read from the stack and an out‑of‑bounds write to the heap. The source data is partially controllable via the contents of the DOM tree. This vulnerability is fixed in 2.7.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-13 19:54:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130747
CVE-2026-29078
CVE-2026-29079 on Ubuntu 26.04 LTS (resolute) - medium
Lexbor is a web browser engine library. Prior to 2.7.0, a type‑confusion vulnerability exists in Lexbor’s HTML fragment parser. When ns = UNDEF, a comment is created using the “unknown element” constructor. The comment’s data are written into the element’s fields via an unsafe cast, corrupting the qualified_name field. That corrupted value is later used as a pointer and dereferenced near the zero page. This vulnerability is fixed in 2.7.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-13 19:54:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130747
CVE-2026-29079
CVE-2026-29129 on Ubuntu 26.04 LTS (resolute) - medium
Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 20:16:00 UTC
CVE-2026-29129
CVE-2026-2913 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was determined in libvips up to 8.19.0. The affected element is the function vips_source_read_to_memory of the file libvips/iofuncs/source.c. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. Patch name: a56feecbe9ed66521d9647ec9fbcd2546eccd7ee. Applying a patch is the recommended action to fix this issue. The confirmation of the bugfix mentions: "[T]he impact of this is negligible, since this only affects custom seekable sources larger than 4 GiB (and the crash occurs in user code rather than libvips itself)."
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-22 04:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128785
CVE-2026-2913
CVE-2026-29145 on Ubuntu 26.04 LTS (resolute) - medium
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 20:16:00 UTC
CVE-2026-29145
CVE-2026-29146 on Ubuntu 26.04 LTS (resolute) - medium
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 20:16:00 UTC
CVE-2026-29146
CVE-2026-29168 on Ubuntu 26.04 LTS (resolute) - low
Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2026-29168` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.66-2ubuntu2.1
apache2-bin - 2.4.66-2ubuntu2.1
apache2-data - 2.4.66-2ubuntu2.1
apache2-suexec-custom - 2.4.66-2ubuntu2.1
apache2-suexec-pristine - 2.4.66-2ubuntu2.1
apache2-utils - 2.4.66-2ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-05-05
2026-05-05
Pavel Kohout
[https://ubuntu.com/security/notices/USN-8239-1]
CVE-2026-29168
CVE-2026-29169 on Ubuntu 26.04 LTS (resolute) - low
A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request. mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0. Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.
Update Instructions:
Run `sudo pro fix CVE-2026-29169` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.66-2ubuntu2.1
apache2-bin - 2.4.66-2ubuntu2.1
apache2-data - 2.4.66-2ubuntu2.1
apache2-suexec-custom - 2.4.66-2ubuntu2.1
apache2-suexec-pristine - 2.4.66-2ubuntu2.1
apache2-utils - 2.4.66-2ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-05-05
2026-05-05
Pavel Kohout
[https://ubuntu.com/security/notices/USN-8239-1]
CVE-2026-29169
CVE-2026-2920 on Ubuntu 26.04 LTS (resolute) - medium
GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of stream headers within ASF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28843.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 14:19:00 UTC
CVE-2026-2920
CVE-2026-2922 on Ubuntu 26.04 LTS (resolute) - medium
GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of video packets. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28845.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 14:19:00 UTC
CVE-2026-2922
CVE-2026-2950 on Ubuntu 26.04 LTS (resolute) - medium
Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 20:16:00 UTC
CVE-2026-2950
CVE-2026-29518 on Ubuntu 26.04 LTS (resolute) - high
An rsync daemon configured with "use chroot = no" is exposed to a time-of-check / time-of-use race on parent path components. A local attacker with write access to a module can replace a parent directory component with a symlink between the receiver's check and its open(), redirecting reads (basis-file disclosure) and writes (file overwrite) outside the module. Under elevated daemon privilege this allows privilege escalation. Default "use chroot = yes" is not exposed.
Update Instructions:
Run `sudo pro fix CVE-2026-29518` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
rsync - 3.4.1+ds1-7ubuntu0.2
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-05-20 00:00:00 UTC
2026-05-20 00:00:00 UTC
Batuhan SANCAK, Damien Neil, Michael Stapelberg
[https://ubuntu.com/security/notices/USN-8283-1]
CVE-2026-29518
CVE-2026-29628 on Ubuntu 26.04 LTS (resolute) - medium
A stack overflow in the experimental/tinyobj_loader_opt.h file of tinyobjloader commit d56555b allows attackers to cause a Denial of Service (DoS) via supplying a crafted .mtl file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 15:17:00 UTC
CVE-2026-29628
CVE-2026-2966 on Ubuntu 26.04 LTS (resolute) - medium
A weakness has been identified in Cesanta Mongoose up to 7.20. The impacted element is the function mg_sendnsreq of the file /src/dns.c of the component DNS Transaction ID Handler. Executing a manipulation of the argument random can lead to insufficiently random values. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-23 03:15:00 UTC
CVE-2026-2966
CVE-2026-2967 on Ubuntu 26.04 LTS (resolute) - medium
A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. The manipulation leads to improper verification of source of a communication channel. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-23 04:16:00 UTC
CVE-2026-2967
CVE-2026-2968 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mg_chacha20_poly1305_decrypt of the file /src/tls_chacha20.c of the component Poly1305 Authentication Tag Handler. The manipulation results in improper verification of cryptographic signature. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is said to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-23 04:16:00 UTC
CVE-2026-2968
CVE-2026-29785 on Ubuntu 26.04 LTS (resolute) - medium
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 20:16:00 UTC
CVE-2026-29785
CVE-2026-29786 on Ubuntu 26.04 LTS (resolute) - medium
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-07 16:15:00 UTC
CVE-2026-29786
CVE-2026-3039 on Ubuntu 26.04 LTS (resolute) - medium
BIND 9 server memory exhaustion during GSS-API TKEY negotiation
Update Instructions:
Run `sudo pro fix CVE-2026-3039` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.20.18-1ubuntu2.1
bind9-dnsutils - 1:9.20.18-1ubuntu2.1
bind9-host - 1:9.20.18-1ubuntu2.1
bind9-libs - 1:9.20.18-1ubuntu2.1
bind9-utils - 1:9.20.18-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
2026-05-20
mdeslaur(main)
Vitaly Simonovich
[https://ubuntu.com/security/notices/USN-8293-1]
CVE-2026-3039
CVE-2026-30405 on Ubuntu 26.04 LTS (resolute) - medium
An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of service via the NEXT_HOP path attribute
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 17:16:00 UTC
CVE-2026-30405
CVE-2026-30479 on Ubuntu 26.04 LTS (resolute) - medium
A Dynamic-link Library Injection vulnerability in OSGeo Project MapServer before v8.0 allows attackers to execute arbitrary code via a crafted executable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 17:16:00 UTC
CVE-2026-30479
CVE-2026-3054 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-24 03:16:00 UTC
CVE-2026-3054
CVE-2026-30656 on Ubuntu 26.04 LTS (resolute) - medium
A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value when the option is specified without an argument. This results in a segmentation fault and process crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-16 15:17:00 UTC
CVE-2026-30656
CVE-2026-30838 on Ubuntu 26.04 LTS (resolute) - medium
league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, <script\n> would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input. All applications using the DisallowedRawHtml extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected. This issue has been patched in version 2.8.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-07 16:15:00 UTC
2026-03-07 16:15:00 UTC
[https://ubuntu.com/security/notices/USN-8194-1]
CVE-2026-30838
CVE-2026-30851 on Ubuntu 26.04 LTS (resolute) - medium
Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-07 17:15:00 UTC
CVE-2026-30851
CVE-2026-30852 on Ubuntu 26.04 LTS (resolute) - medium
Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-07 17:15:00 UTC
CVE-2026-30852
CVE-2026-30853 on Ubuntu 26.04 LTS (resolute) - medium
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to 9.5.0, a path traversal vulnerability in the RocketBook (.rb) input plugin (src/calibre/ebooks/rb/reader.py) allows an attacker to write arbitrary files to any path writable by the calibre process when a user opens or converts a crafted .rb file. This is the same bug class fixed in CVE-2026-26065 for the PDB readers, but the fix was never applied to the RB reader. This vulnerability is fixed in 9.5.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-13 19:54:00 UTC
CVE-2026-30853
CVE-2026-3087 on Ubuntu 26.04 LTS (resolute) - medium
If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different than other operating systems. Only Windows is affected by this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-27 21:16:00 UTC
CVE-2026-3087
CVE-2026-30892 on Ubuntu 26.04 LTS (resolute) - medium
crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value `1` is interpreted as UID 0 and GID 0 when it should have been UID 1 and GID 0. The process thus runs with higher privileges than expected. Version 1.27 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 00:16:00 UTC
CVE-2026-30892
CVE-2026-30923 on Ubuntu 26.04 LTS (resolute) - medium
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string parameter containing a single character. An attacker can exploit this to crash worker processes, causing a denial of service. Service resumes once the attack stops as worker processes recover from the segfault. All versions before 3.0.15 of libModSecurity3 are affected. This has been patched in version 3.0.15.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 19:16:00 UTC
CVE-2026-30923
CVE-2026-30924 on Ubuntu 26.04 LTS (resolute) - medium
qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a logged-in user. An attacker can exploit this by tricking a victim into loading a malicious webpage, which silently interacts with the application using the victim's session and potentially exfiltrating sensitive data such as API keys and account credentials, or even achieving full system compromise through the built-in External Programs manager. Exploitation requires that the victim access the application via a non-localhost hostname and load an attacker-controlled webpage, making highly targeted social-engineering attacks the most likely real-world scenario. This issue was not fixed at the time of publication.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 21:17:00 UTC
CVE-2026-30924
CVE-2026-30928 on Ubuntu 26.04 LTS (resolute) - medium
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords. This vulnerability is fixed in 4.5.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 18:18:00 UTC
CVE-2026-30928
CVE-2026-30929 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, MagnifyImage uses a fixed-size stack buffer. When using a specific image it is possible to overflow this buffer and corrupt the stack. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 07:44:00 UTC
CVE-2026-30929
CVE-2026-30930 on Ubuntu 26.04 LTS (resolute) - medium
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. This vulnerability is fixed in 4.5.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 18:18:00 UTC
CVE-2026-30930
CVE-2026-30931 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16, a heap-based buffer overflow in the UHDR encoder can happen due to truncation of a value and it would allow an out of bounds write. This vulnerability is fixed in 7.1.2-16.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 07:44:00 UTC
CVE-2026-30931
CVE-2026-30935 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16, BilateralBlurImage contains a heap buffer over-read caused by an incorrect conversion. When processing a crafted image with the -bilateral-blur operation an out of bounds read can occur. This vulnerability is fixed in 7.1.2-16.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 07:44:00 UTC
CVE-2026-30935
CVE-2026-30936 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a crafted image could cause an out of bounds heap write inside the WaveletDenoiseImage method. When processing a crafted image with the -wavelet-denoise operation an out of bounds write can occur. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 07:44:00 UTC
CVE-2026-30936
CVE-2026-30937 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a 32-bit unsigned integer overflow in the XWD (X Windows) encoder can cause an undersized heap buffer allocation. When writing an extremely large image an out of bounds heap write can occur. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 07:44:00 UTC
CVE-2026-30937
CVE-2026-3099 on Ubuntu 26.04 LTS (resolute) - low
A flaw was found in Libsoup. The server-side digest authentication implementation in the SoupAuthDomainDigest class does not properly track issued nonces or enforce the required incrementing nonce-count (nc) attribute. This vulnerability allows a remote attacker to capture a single valid authentication header and replay it repeatedly. Consequently, the attacker can bypass authentication and gain unauthorized access to protected resources, impersonating the legitimate user.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-03-12 14:16:00 UTC
https://gitlab.gnome.org/GNOME/libsoup/-/issues/495
CVE-2026-3099
CVE-2026-30997 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 15:17:00 UTC
CVE-2026-30997
CVE-2026-30998 on Ubuntu 26.04 LTS (resolute) - medium
An improper resource deallocation and closure vulnerability in the tools/zmqsend.c component of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 15:17:00 UTC
CVE-2026-30998
CVE-2026-30999 on Ubuntu 26.04 LTS (resolute) - medium
A heap buffer overflow in the av_bprint_finalize() function of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 15:17:00 UTC
CVE-2026-30999
CVE-2026-3104 on Ubuntu 26.04 LTS (resolute) - medium
A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25
2026-03-25
Vitaly Simonovich
[https://ubuntu.com/security/notices/USN-8124-1]
CVE-2026-3104
CVE-2026-31048 on Ubuntu 26.04 LTS (resolute) - medium
An issue in the `pickle` protocol of Pyro v3.x allows attackers to execute arbitrary code via supplying a crafted pickled string message.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 20:16:00 UTC
CVE-2026-31048
CVE-2026-31072 on Ubuntu 26.04 LTS (resolute) - medium
The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment. An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application using these serializers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 16:16:00 UTC
CVE-2026-31072
CVE-2026-3119 on Ubuntu 26.04 LTS (resolute) - medium
Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25
2026-03-25
Vitaly Simonovich
[https://ubuntu.com/security/notices/USN-8124-1]
CVE-2026-3119
CVE-2026-31221 on Ubuntu 26.04 LTS (resolute) - medium
PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load saved model states, internally calls torch.load() without setting the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution on the victim's system when the file is loaded.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 16:16:00 UTC
CVE-2026-31221
CVE-2026-31415 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ipv6: avoid overflows in ip6_datagram_send_ctl()
Yiming Qian reported :
<quote>
 I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data path that can panic the kernel via `skb_under_panic()` (local DoS).
 The core issue is a mismatch between:
 - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type `__u16`) and
 - a pointer to the *last* provided destination-options header (`opt->dst1opt`)
 when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided.
 - `include/net/ipv6.h`:
   - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible). (lines 291-307, especially 298)
 - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`:
   - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen` without rejecting duplicates. (lines 909-933)
 - `net/ipv6/ip6_output.c:__ip6_append_data()`:
   - Uses `opt->opt_flen + opt->opt_nflen` to compute header sizes/headroom decisions. (lines 1448-1466, especially 1463-1465)
 - `net/ipv6/ip6_output.c:__ip6_make_skb()`:
   - Calls `ipv6_push_frag_opts()` if `opt->opt_flen` is non-zero. (lines 1930-1934)
 - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`:
   - Push size comes from `ipv6_optlen(opt->dst1opt)` (based on the pointed-to header). (lines 1179-1185 and 1206-1211)
 1. `opt_flen` is a 16-bit accumulator:
 - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`.
 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs and increments `opt_flen` each time:
 - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`:
   - It computes `len = ((hdr->hdrlen + 1) << 3);`
   - It checks `CAP_NET_RAW` using `ns_capable(net->user_ns, CAP_NET_RAW)`. (line 922)
   - Then it does:
     - `opt->opt_flen += len;` (line 927)
     - `opt->dst1opt = hdr;` (line 928)
 There is no duplicate rejection here (unlike the legacy `IPV6_2292DSTOPTS` path which rejects duplicates at `net/ipv6/datagram.c:901-904`).
 If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps while `dst1opt` still points to a large (2048-byte) destination-options header.
 In the attached PoC (`poc.c`):
 - 32 cmsgs with `hdrlen=255` => `len = (255+1)*8 = 2048`
 - 1 cmsg with `hdrlen=0` => `len = 8`
 - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8`
 - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header.
 3. The transmit path sizes headers using the wrapped `opt_flen`:
 - In `net/ipv6/ip6_output.c:1463-1465`:
   - `headersize = sizeof(struct ipv6hdr) + (opt ? opt->opt_flen + opt->opt_nflen : 0) + ...;`
 With wrapped `opt_flen`, `headersize`/headroom decisions underestimate what will be pushed later.
 4. When building the final skb, the actual push length comes from `dst1opt` and is not limited by wrapped `opt_flen`:
 - In `net/ipv6/ip6_output.c:1930-1934`:
   - `if (opt->opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);`
 - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes `dst1opt` via `ipv6_push_exthdr()`.
 - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does:
   - `skb_push(skb, ipv6_optlen(opt));`
   - `memcpy(h, opt, ipv6_optlen(opt));`
 With insufficient headroom, `skb_push()` underflows and triggers `skb_under_panic()` -> `BUG()`:
 - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`)
 - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`)
 - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target netns user namespace (`ns_capable(net->user_ns, CAP_NET_RAW)`).
 - Root (or any task with `CAP_NET_RAW`) can trigger this without user namespaces.
 - An unprivileged `uid=1000` user can trigger this if unprivileged user namespaces are enabled and it can create a userns+netns to obtain namespaced `CAP_NET_RAW` (the attached PoC does this).
 - Local denial of service: kernel BUG/panic (system crash).
----truncated---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 14:16:00 UTC
CVE-2026-31415
CVE-2026-31416 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_log: account for netlink header size
This is a followup to an old bug fix: NLMSG_DONE needs to account for the netlink header size, not just the attribute size.
This can result in a WARN splat + drop of the netlink message, but other than this there are no ill effects.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 14:16:00 UTC
CVE-2026-31416
CVE-2026-31417 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/x25: Fix overflow when accumulating packets
Add a check to ensure that `x25_sock.fraglen` does not overflow.
The `fraglen` also needs to be reset when purging `fragment_queue` in `x25_clear_queues()`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 14:16:00 UTC
CVE-2026-31417
CVE-2026-31418 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ipset: drop logically empty buckets in mtype_del
mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots.
Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 14:16:00 UTC
CVE-2026-31418
CVE-2026-31419 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: bonding: fix use-after-free in bond_xmit_broadcast()
bond_xmit_broadcast() reuses the original skb for the last slave (determined by bond_is_last_slave()) and clones it for others. Concurrent slave enslave/release can mutate the slave list during RCU-protected iteration, changing which slave is "last" mid-loop. This causes the original skb to be double-consumed (double-freed).
Replace the racy bond_is_last_slave() check with a simple index comparison (i + 1 == slaves_count) against the pre-snapshot slave count taken via READ_ONCE() before the loop. This preserves the zero-copy optimization for the last slave while making the "last" determination stable against concurrent list mutations.
The UAF can trigger the following crash:
==================================================================
BUG: KASAN: slab-use-after-free in skb_clone
Read of size 8 at addr ffff888100ef8d40 by task exploit/147
CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY
Call Trace:
 <TASK>
 dump_stack_lvl (lib/dump_stack.c:123)
 print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
 kasan_report (mm/kasan/report.c:597)
 skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)
 bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)
 bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)
 dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)
 __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)
 ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)
 ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)
 ip6_output (net/ipv6/ip6_output.c:250)
 ip6_send_skb (net/ipv6/ip6_output.c:1985)
 udp_v6_send_skb (net/ipv6/udp.c:1442)
 udpv6_sendmsg (net/ipv6/udp.c:1733)
 __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)
 __x64_sys_sendto (net/socket.c:2209)
 do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
 </TASK>
Allocated by task 147:
Freed by task 147:
The buggy address belongs to the object at ffff888100ef8c80 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 192 bytes inside of freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)
Memory state around the buggy address:
 ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                           ^
 ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
 ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 14:16:00 UTC
2026-04-13 14:16:00 UTC
[https://ubuntu.com/security/notices/USN-8277-1]
[https://ubuntu.com/security/notices/USN-8278-1]
[https://ubuntu.com/security/notices/USN-8279-1]
[https://ubuntu.com/security/notices/USN-8289-1]
CVE-2026-31419
CVE-2026-31420 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
bridge: mrp: reject zero test interval to avoid OOM panic
br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied interval value from netlink without validation. When interval is 0, usecs_to_jiffies(0) yields 0, causing the delayed work (br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule itself with zero delay. This creates a tight loop on system_percpu_wq that allocates and transmits MRP test frames at maximum rate, exhausting all system memory and causing a kernel panic via OOM deadlock.
The same zero-interval issue applies to br_mrp_start_in_test_parse() for interconnect test frames.
Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both IFLA_BRIDGE_MRP_START_TEST_INTERVAL and IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the netlink attribute parsing layer before the value ever reaches the workqueue scheduling code. This is consistent with how other bridge subsystems (br_fdb, br_mst) enforce range constraints on netlink attributes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 14:16:00 UTC
CVE-2026-31420
CVE-2026-31421 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_fw: fix NULL pointer dereference on shared blocks
The old-method path in fw_classify() calls tcf_block_q() and dereferences q->handle. Shared blocks leave block->q NULL, causing a NULL deref when an empty cls_fw filter is attached to a shared block and a packet with a nonzero major skb mark is classified.
Reject the configuration in fw_change() when the old method (no TCA_OPTIONS) is used on a shared block, since fw_classify()'s old-method path needs block->q which is NULL for shared blocks.
The fixed null-ptr-deref calling stack:
 KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
 RIP: 0010:fw_classify (net/sched/cls_fw.c:81)
 Call Trace:
  tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860)
  tc_run (net/core/dev.c:4401)
  __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 14:16:00 UTC
CVE-2026-31421
CVE-2026-31422 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_flow: fix NULL pointer dereference on shared blocks
flow_change() calls tcf_block_q() and dereferences q->handle to derive a default baseclass. Shared blocks leave block->q NULL, causing a NULL deref when a flow filter without a fully qualified baseclass is created on a shared block.
Check tcf_block_shared() before accessing block->q and return -EINVAL for shared blocks. This avoids the null-deref shown below:
=======================================================================
KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]
RIP: 0010:flow_change (net/sched/cls_flow.c:508)
Call Trace:
 tc_new_tfilter (net/sched/cls_api.c:2432)
 rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)
 [...]
=======================================================================
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 14:16:00 UTC
CVE-2026-31422
CVE-2026-31423 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
m2sm() converts a u32 slope to a u64 scaled value. For large inputs (e.g. m1=4000000000), the result can reach 2^32. rtsc_min() stores the difference of two such u64 values in a u32 variable `dsm` and uses it as a divisor. When the difference is exactly 2^32 the truncation yields zero, causing a divide-by-zero oops in the concave-curve intersection path:
 Oops: divide error: 0000
 RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601)
 Call Trace:
  init_ed (net/sched/sch_hfsc.c:629)
  hfsc_enqueue (net/sched/sch_hfsc.c:1569)
  [...]
Widen `dsm` to u64 and replace do_div() with div64_u64() so the full difference is preserved.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 14:16:00 UTC
CVE-2026-31423
CVE-2026-31424 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
Weiming Shi says:
xt_match and xt_target structs registered with NFPROTO_UNSPEC can be loaded by any protocol family through nft_compat. When such a match/target sets .hooks to restrict which hooks it may run on, the bitmask uses NF_INET_* constants. This is only correct for families whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge all share the same five hooks (PRE_ROUTING ... POST_ROUTING).
ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different semantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks validation silently passes for the wrong reasons, allowing matches to run on ARP chains where the hook assumptions (e.g. state->in being set on input hooks) do not hold. This leads to NULL pointer dereferences; xt_devgroup is one concrete example:
 Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI
 KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]
 RIP: 0010:devgroup_mt+0xff/0x350
 Call Trace:
  <TASK>
  nft_match_eval (net/netfilter/nft_compat.c:407)
  nft_do_chain (net/netfilter/nf_tables_core.c:285)
  nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)
  nf_hook_slow (net/netfilter/core.c:623)
  arp_xmit (net/ipv4/arp.c:666)
  </TASK>
 Kernel panic - not syncing: Fatal exception in interrupt
Fix it by restricting arptables to NFPROTO_ARP extensions only.
Note that arptables-legacy only supports:
- arpt_CLASSIFY
- arpt_mangle
- arpt_MARK
that provide explicit NFPROTO_ARP match/target declarations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 14:16:00 UTC
CVE-2026-31424
CVE-2026-31425 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
rds: ib: reject FRMR registration before IB connection is established
rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with i_cm_id = NULL because the connection worker has not yet called rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with RDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses the control message before any connection establishment, allowing rds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the kernel.
The existing guard in rds_ib_reg_frmr() only checks for !ic (added in commit 9e630bcb7701), which does not catch this case since ic is allocated early and is always non-NULL once the connection object exists.
 KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
 RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920
 Call Trace:
  rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167)
  rds_ib_map_frmr (net/rds/ib_frmr.c:252)
  rds_ib_reg_frmr (net/rds/ib_frmr.c:430)
  rds_ib_get_mr (net/rds/ib_rdma.c:615)
  __rds_rdma_map (net/rds/rdma.c:295)
  rds_cmsg_rdma_map (net/rds/rdma.c:860)
  rds_sendmsg (net/rds/send.c:1363)
  ____sys_sendmsg
  do_syscall_64
Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all non-NULL before proceeding with FRMR registration, mirroring the guard already present in rds_ib_post_inv(). Return -ENODEV when the connection is not ready, which the existing error handling in rds_cmsg_send() converts to -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to start the connection worker.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 14:16:00 UTC
CVE-2026-31425
CVE-2026-31429 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: skb: fix cross-cache free of KFENCE-allocated skb head
SKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2 value (e.g. 704 on x86_64) to avoid collisions with generic kmalloc bucket sizes. This ensures that skb_kfree_head() can reliably use skb_end_offset to distinguish skb heads allocated from skb_small_head_cache vs. generic kmalloc caches.
However, when KFENCE is enabled, kfence_ksize() returns the exact requested allocation size instead of the slab bucket size. If a caller (e.g. bpf_test_init) allocates skb head data via kzalloc() and the requested size happens to equal SKB_SMALL_HEAD_CACHE_SIZE, then slab_build_skb() -> ksize() returns that exact value. After subtracting skb_shared_info overhead, skb_end_offset ends up matching SKB_SMALL_HEAD_HEADROOM, causing skb_kfree_head() to incorrectly free the object to skb_small_head_cache instead of back to the original kmalloc cache, resulting in a slab cross-cache free:
 kmem_cache_free(skbuff_small_head): Wrong slab cache. Expected skbuff_small_head but got kmalloc-1k
Fix this by always calling kfree(head) in skb_kfree_head(). This keeps the free path generic and avoids allocator-specific misclassification for KFENCE objects.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-20 10:16:00 UTC
CVE-2026-31429
CVE-2026-31430 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
X.509: Fix out-of-bounds access when parsing extensions
Leo reports an out-of-bounds access when parsing a certificate with empty Basic Constraints or Key Usage extension because the first byte of the extension is read before checking its length. Fix it.
The bug can be triggered by an unprivileged user by submitting a specially crafted certificate to the kernel through the keyrings(7) API. Leo has demonstrated this with a proof-of-concept program responsibly disclosed off-list.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-20 10:16:00 UTC
CVE-2026-31430
CVE-2026-31431 on Ubuntu 26.04 LTS (resolute) - high
In the Linux kernel, the following vulnerability has been resolved:
crypto: algif_aead - Revert to operating out-of-place
This mostly reverts commit 72548b093ee3 except for the copying of the associated data.
There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-04-22 09:16:00 UTC
2026-04-22 09:16:00 UTC
[https://ubuntu.com/security/notices/USN-8226-1]
[https://ubuntu.com/security/notices/USN-8277-1]
[https://ubuntu.com/security/notices/USN-8278-1]
[https://ubuntu.com/security/notices/USN-8279-1]
[https://ubuntu.com/security/notices/USN-8280-1]
[https://ubuntu.com/security/notices/USN-8281-1]
[https://ubuntu.com/security/notices/USN-8289-1]
CVE-2026-31431
CVE-2026-31432 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix OOB write in QUERY_INFO for compound requests
When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor.
The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synthesized a significantly larger descriptor from POSIX ACLs.
This patch introduces smb_acl_sec_desc_scratch_len() to accurately compute the final descriptor size beforehand, performs proper buffer checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation + iov pinning.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 09:16:00 UTC
CVE-2026-31432
CVE-2026-3145 on Ubuntu 26.04 LTS (resolute) - medium
A flaw has been found in libvips up to 8.18.0. The affected element is the function vips_foreign_load_matrix_file_is_a/vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. Executing a manipulation can lead to memory corruption. The attack needs to be launched locally. This patch is called d4ce337c76bff1b278d7085c3c4f4725e3aa6ece. A patch should be applied to remediate this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-25 03:16:00 UTC
CVE-2026-3145
CVE-2026-3146 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in libvips up to 8.18.0. The impacted element is the function vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. The manipulation leads to null pointer dereference. The attack needs to be performed locally. The identifier of the patch is d4ce337c76bff1b278d7085c3c4f4725e3aa6ece. To fix this issue, it is recommended to deploy a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-25 03:16:00 UTC
CVE-2026-3146
CVE-2026-3147 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in libvips up to 8.18.0. This affects the function vips_foreign_load_csv_build of the file libvips/foreign/csvload.c. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been made public and could be used. The patch is identified as b3ab458a25e0e261cbd1788474bbc763f7435780. It is advisable to implement a patch to correct this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-25 04:16:00 UTC
CVE-2026-3147
CVE-2026-31531 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()
When querying a nexthop object via RTM_GETNEXTHOP, the kernel currently allocates a fixed-size skb using NLMSG_GOODSIZE. While sufficient for single nexthops and small Equal-Cost Multi-Path groups, this fixed allocation fails for large nexthop groups like 512 nexthops.
This results in the following warning splat:
 WARNING: net/ipv4/nexthop.c:3395 at rtm_get_nexthop+0x176/0x1c0, CPU#20: rep/4608
 [...]
 RIP: 0010:rtm_get_nexthop (net/ipv4/nexthop.c:3395)
 [...]
 Call Trace:
  <TASK>
  rtnetlink_rcv_msg (net/core/rtnetlink.c:6989)
  netlink_rcv_skb (net/netlink/af_netlink.c:2550)
  netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
  netlink_sendmsg (net/netlink/af_netlink.c:1894)
  ____sys_sendmsg (net/socket.c:721 net/socket.c:736 net/socket.c:2585)
  ___sys_sendmsg (net/socket.c:2641)
  __sys_sendmsg (net/socket.c:2671)
  do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
  </TASK>
Fix this by allocating the size dynamically using nh_nlmsg_size() and using nlmsg_new(), this is consistent with nexthop_notify() behavior. In addition, adjust nh_nlmsg_size_grp() so it calculates the size needed based on flags passed. While at it, also add the size of NHA_FDB for nexthop group size calculation as it was missing too.
This cannot be reproduced via iproute2 as the group size is currently limited and the command fails as follows:
addattr_l ERROR: message exceeded bound of 1048
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 12:17:00 UTC
CVE-2026-31531
CVE-2026-31532 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
can: raw: fix ro->uniq use-after-free in raw_rcv()
raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but receiver deletion is deferred with call_rcu(). This leaves a window where raw_rcv() may still be running in an RCU read-side critical section after raw_release() frees ro->uniq, leading to a use-after-free of the percpu uniq storage.
Move free_percpu(ro->uniq) out of raw_release() and into a raw-specific socket destructor. can_rx_unregister() takes an extra reference to the socket and only drops it from the RCU callback, so freeing uniq from sk_destruct ensures the percpu area is not released until the relevant callbacks have drained.
[mkl: applied manually]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 12:17:00 UTC
CVE-2026-31532
CVE-2026-31533 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 ("net: tls: handle backlogging of crypto requests"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry.
When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist.
The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record.
Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 18:16:00 UTC
2026-04-23 18:16:00 UTC
[https://ubuntu.com/security/notices/USN-8277-1]
[https://ubuntu.com/security/notices/USN-8278-1]
[https://ubuntu.com/security/notices/USN-8279-1]
[https://ubuntu.com/security/notices/USN-8280-1]
[https://ubuntu.com/security/notices/USN-8289-1]
CVE-2026-31533
CVE-2026-31535 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
smb: client: make use of smbdirect_socket.recv_io.credits.available
The logic of managing recv credits by counting posted recv_io and granted credits is racy.
That's because the peer might already have consumed a credit, but between receiving the incoming recv at the hardware and processing the completion in the 'recv_done' functions we likely have a window where we grant credits, which don't really exist.
So we better have a dedicated counter for the available credits, which will be incremented when we posted new recv buffers and drained when we grant the credits to the peer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31535
CVE-2026-31536 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
smb: server: let send_done handle a completion without IB_SEND_SIGNALED
With smbdirect_send_batch processing we likely have requests without IB_SEND_SIGNALED, which will be destroyed in the final request that has IB_SEND_SIGNALED set.
If the connection is broken all requests are signaled even without explicit IB_SEND_SIGNALED.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31536
CVE-2026-31537 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
smb: server: make use of smbdirect_socket.send_io.bcredits
It turns out that our code will corrupt the stream of reassembled data transfer messages when we trigger an immediate (empty) send.
In order to fix this we'll have a single 'batch' credit per connection. And code getting that credit is free to use as many messages until remaining_length reaches 0, then the batch credit is given back and the next logical send can happen.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31537
CVE-2026-31538 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
smb: server: make use of smbdirect_socket.recv_io.credits.available
The logic of managing recv credits by counting posted recv_io and granted credits is racy.
That's because the peer might already have consumed a credit, but between receiving the incoming recv at the hardware and processing the completion in the 'recv_done' functions we likely have a window where we grant credits, which don't really exist.
So we better have a dedicated counter for the available credits, which will be incremented when we posted new recv buffers and drained when we grant the credits to the peer.
This fixes regression Namjae reported with the 6.18 release.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31538
CVE-2026-31539 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
smb: smbdirect: introduce smbdirect_socket.recv_io.credits.available
The logic of managing recv credits by counting posted recv_io and granted credits is racy.
That's because the peer might already have consumed a credit, but between receiving the incoming recv at the hardware and processing the completion in the 'recv_done' functions we likely have a window where we grant credits, which don't really exist.
So we better have a dedicated counter for the available credits, which will be incremented when we posted new recv buffers and drained when we grant the credits to the peer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31539
CVE-2026-31540 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gt: Check set_default_submission() before deferencing
When the i915 driver firmware binaries are not present, the set_default_submission pointer is not set. This pointer is dereferenced during suspend anyways.
Add a check to make sure it is set before dereferencing.
[ 23.289926] PM: suspend entry (deep)
[ 23.293558] Filesystems sync: 0.000 seconds
[ 23.298010] Freezing user space processes
[ 23.302771] Freezing user space processes completed (elapsed 0.000 seconds)
[ 23.309766] OOM killer disabled.
[ 23.313027] Freezing remaining freezable tasks
[ 23.318540] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)
[ 23.342038] serial 00:05: disabled
[ 23.345719] serial 00:02: disabled
[ 23.349342] serial 00:01: disabled
[ 23.353782] sd 0:0:0:0: [sda] Synchronizing SCSI cache
[ 23.358993] sd 1:0:0:0: [sdb] Synchronizing SCSI cache
[ 23.361635] ata1.00: Entering standby power mode
[ 23.368863] ata2.00: Entering standby power mode
[ 23.445187] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 23.452194] #PF: supervisor instruction fetch in kernel mode
[ 23.457896] #PF: error_code(0x0010) - not-present page
[ 23.463065] PGD 0 P4D 0
[ 23.465640] Oops: Oops: 0010 [#1] SMP NOPTI
[ 23.469869] CPU: 8 UID: 0 PID: 211 Comm: kworker/u48:18 Tainted: G S W 6.19.0-rc4-00020-gf0b9d8eb98df #10 PREEMPT(voluntary)
[ 23.482512] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN
[ 23.496511] Workqueue: async async_run_entry_fn
[ 23.501087] RIP: 0010:0x0
[ 23.503755] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[ 23.510324] RSP: 0018:ffffb4a60065fca8 EFLAGS: 00010246
[ 23.515592] RAX: 0000000000000000 RBX: ffff9f428290e000 RCX: 000000000000000f
[ 23.522765] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff9f428290e000
[ 23.529937] RBP: ffff9f4282907070 R08: ffff9f4281130428 R09: 00000000ffffffff
[ 23.537111] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9f42829070f8
[ 23.544284] R13: ffff9f4282906028 R14: ffff9f4282900000 R15: ffff9f4282906b68
[ 23.551457] FS: 0000000000000000(0000) GS:ffff9f466b2cf000(0000) knlGS:0000000000000000
[ 23.559588] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 23.565365] CR2: ffffffffffffffd6 CR3: 000000031c230001 CR4: 0000000000f70ef0
[ 23.572539] PKRU: 55555554
[ 23.575281] Call Trace:
[ 23.577770] <TASK>
[ 23.579905] intel_engines_reset_default_submission+0x42/0x60
[ 23.585695] __intel_gt_unset_wedged+0x191/0x200
[ 23.590360] intel_gt_unset_wedged+0x20/0x40
[ 23.594675] gt_sanitize+0x15e/0x170
[ 23.598290] i915_gem_suspend_late+0x6b/0x180
[ 23.602692] i915_drm_suspend_late+0x35/0xf0
[ 23.607008] ? __pfx_pci_pm_suspend_late+0x10/0x10
[ 23.611843] dpm_run_callback+0x78/0x1c0
[ 23.615817] device_suspend_late+0xde/0x2e0
[ 23.620037] async_suspend_late+0x18/0x30
[ 23.624082] async_run_entry_fn+0x25/0xa0
[ 23.628129] process_one_work+0x15b/0x380
[ 23.632182] worker_thread+0x2a5/0x3c0
[ 23.635973] ? __pfx_worker_thread+0x10/0x10
[ 23.640279] kthread+0xf6/0x1f0
[ 23.643464] ? __pfx_kthread+0x10/0x10
[ 23.647263] ? __pfx_kthread+0x10/0x10
[ 23.651045] ret_from_fork+0x131/0x190
[ 23.654837] ? __pfx_kthread+0x10/0x10
[ 23.658634] ret_from_fork_asm+0x1a/0x30
[ 23.662597] </TASK>
[ 23.664826] Modules linked in:
[ 23.667914] CR2: 0000000000000000
[ 23.671271] ------------[ cut here ]------------
(cherry picked from commit daa199abc3d3d1740c9e3a2c3e9216ae5b447cad)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31540
CVE-2026-31541 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix trace_marker copy link list updates
When the "copy_trace_marker" option is enabled for an instance, anything written into /sys/kernel/tracing/trace_marker is also copied into that instance's buffer. When the option is set, that instance's trace_array descriptor is added to the marker_copies link list. This list is protected by RCU, as all iterations use an RCU protected list traversal.
When the instance is deleted, all the flags that were enabled are cleared. This also clears the copy_trace_marker flag and removes the trace_array descriptor from the list.
The issue is after the flags are called, a direct call to update_marker_trace() is performed to clear the flag. This function returns true if the state of the flag changed and false otherwise. If it returns true here, synchronize_rcu() is called to make sure all readers see that it's removed from the list.
But since the flag was already cleared, the state does not change and the synchronization is never called, leaving a possible UAF bug.
Move the clearing of all flags below the updating of the copy_trace_marker option which then makes sure the synchronization is performed.
Also use the flag for checking the state in update_marker_trace() instead of looking at if the list is empty.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31541
CVE-2026-31542 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
x86/platform/uv: Handle deconfigured sockets
When a socket is deconfigured, it's mapped to SOCK_EMPTY (0xffff). This causes a panic while allocating UV hub info structures.
Fix this by using NUMA_NO_NODE, allowing UV hub info structures to be allocated on valid nodes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31542
CVE-2026-31543 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
crash_dump: don't log dm-crypt key bytes in read_key_from_user_keying
When debug logging is enabled, read_key_from_user_keying() logs the first 8 bytes of the key payload and partially exposes the dm-crypt key. Stop logging any key bytes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31543
CVE-2026-31544 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
firmware: arm_scmi: Fix NULL dereference on notify error path
Since commit b5daf93b809d1 ("firmware: arm_scmi: Avoid notifier registration for unsupported events") the call chains leading to the helper __scmi_event_handler_get_ops expect an ERR_PTR to be returned on failure to get a handler for the requested event key, while the current helper can still return a NULL when no handler could be found or created.
Fix by forcing an ERR_PTR return value when the handler reference is NULL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31544
CVE-2026-31545 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
NFC: nxp-nci: allow GPIOs to sleep
Allow the firmware and enable GPIOs to sleep.
This fixes a `WARN_ON' and allows the driver to operate GPIOs which are connected to I2C GPIO expanders.
-- >8 --
kernel: WARNING: CPU: 3 PID: 2636 at drivers/gpio/gpiolib.c:3880 gpiod_set_value+0x88/0x98
-- >8 --
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31545
CVE-2026-31546 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: bonding: fix NULL deref in bond_debug_rlb_hash_show
rlb_clear_slave intentionally keeps RLB hash-table entries on the rx_hashtbl_used_head list with slave set to NULL when no replacement slave is available. However, bond_debug_rlb_hash_show visits client_info->slave without checking if it's NULL.
Other used-list iterators in bond_alb.c already handle this NULL-slave state safely:
- rlb_update_client returns early on !client_info->slave
- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance compare slave values before visiting
- lb_req_update_subnet_clients continues if slave is NULL
The following NULL deref crash can be triggered in bond_debug_rlb_hash_show:
[ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)
[ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286
[ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204
[ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078
[ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000
[ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0
[ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8
[ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000
[ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0
[ 1.295897] Call Trace:
[ 1.296134] seq_read_iter (fs/seq_file.c:231)
[ 1.296341] seq_read (fs/seq_file.c:164)
[ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))
[ 1.296658] vfs_read (fs/read_write.c:572)
[ 1.296981] ksys_read (fs/read_write.c:717)
[ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
[ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Add a NULL check and print "(none)" for entries with no assigned slave.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31546
CVE-2026-31547 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Fix missing runtime PM reference in ccs_mode_store
ccs_mode_store() calls xe_gt_reset() which internally invokes xe_pm_runtime_get_noresume(). That function requires the caller to already hold an outer runtime PM reference and warns if none is held:
  [46.891177] xe 0000:03:00.0: [drm] Missing outer runtime PM protection
  [46.891178] WARNING: drivers/gpu/drm/xe/xe_pm.c:885 at xe_pm_runtime_get_noresume+0x8b/0xc0
Fix this by protecting xe_gt_reset() with the scope-based guard(xe_pm_runtime)(xe), which is the preferred form when the reference lifetime matches a single scope.
v2:
- Use scope-based guard(xe_pm_runtime)(xe) (Shuicheng)
- Update commit message accordingly
(cherry picked from commit 7937ea733f79b3f25e802a0c8360bf7423856f36)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31547
CVE-2026-31548 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
When the nl80211 socket that originated a PMSR request is closed, cfg80211_release_pmsr() sets the request's nl_portid to zero and schedules pmsr_free_wk to process the abort asynchronously. If the interface is concurrently torn down before that work runs, cfg80211_pmsr_wdev_down() calls cfg80211_pmsr_process_abort() directly. However, the already-scheduled pmsr_free_wk work item remains pending and may run after the interface has been removed from the driver. This could cause the driver's abort_pmsr callback to operate on a torn-down interface, leading to undefined behavior and potential crashes.
Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down() before calling cfg80211_pmsr_process_abort(). This ensures any pending or in-progress work is drained before interface teardown proceeds, preventing the work from invoking the driver abort callback after the interface is gone.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31548
CVE-2026-31549 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
i2c: cp2615: fix serial string NULL-deref at probe
The cp2615 driver uses the USB device serial string as the i2c adapter name but does not make sure that the string exists.
Verify that the device has a serial number before accessing it to avoid triggering a NULL-pointer dereference (e.g. with malicious devices).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31549
CVE-2026-31550 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: bcm: bcm2835-power: Increase ASB control timeout
The bcm2835_asb_control() function uses a tight polling loop to wait for the ASB bridge to acknowledge a request. During intensive workloads, this handshake intermittently fails for V3D's master ASB on BCM2711, resulting in "Failed to disable ASB master for v3d" errors during runtime PM suspend. As a consequence, the failed power-off leaves V3D in a broken state, leading to bus faults or system hangs on later accesses.
As the timeout is insufficient in some scenarios, increase the polling timeout from 1us to 5us, which is still negligible in the context of a power domain transition. Also, replace the open-coded ktime_get_ns()/cpu_relax() polling loop with readl_poll_timeout_atomic().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31550
CVE-2026-31551 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
syzbot reported static_branch_dec() underflow in aql_enable_write(). [0]
The problem is that aql_enable_write() does not serialise concurrent write()s to the debugfs.
aql_enable_write() checks static_key_false(&aql_disable.key) and later calls static_branch_inc() or static_branch_dec(), but the state may change between the two calls.
aql_disable does not need to track inc/dec.
Let's use static_branch_enable() and static_branch_disable().
[0]:
val == 0
WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288
Modules linked in:
CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G U L syzkaller #0 PREEMPT(full)
Tainted: [U]=USER, [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311
Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00
RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4
RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a
R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98
FS: 00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000001140 CR3: 000000007cc4a000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline]
 __static_key_slow_dec kernel/jump_label.c:321 [inline]
 static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336
 aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343
 short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383
 vfs_write+0x2aa/0x1070 fs/read_write.c:684
 ksys_pwrite64 fs/read_write.c:793 [inline]
 __do_sys_pwrite64 fs/read_write.c:801 [inline]
 __se_sys_pwrite64 fs/read_write.c:798 [inline]
 __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f530cf9aeb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9
RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010
RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000
R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978
 </TASK>
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31551
CVE-2026-31552 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom
Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push"), wl1271_tx_allocate() and with it wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails. However, in wlcore_tx_work_locked(), a return value of -EAGAIN from wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being full. This causes the code to flush the buffer, put the skb back at the head of the queue, and immediately retry the same skb in a tight while loop.
Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens immediately with GFP_ATOMIC, this will result in an infinite loop and a CPU soft lockup. Return -ENOMEM instead so the packet is dropped and the loop terminates.
The problem was found by an experimental code review agent based on gemini-3.1-pro while reviewing backports into v6.18.y.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31552
CVE-2026-31553 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()
Using "(u64 __user *)hva + offset" to get the virtual addresses of S1/S2 descriptors looks really wrong, if offset is not zero. What we want to get for swapping is hva + offset, not hva + offset*8. ;-)
Fix it.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31553
CVE-2026-31554 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
futex: Require sys_futex_requeue() to have identical flags
Nicholas reported that his LLM found it was possible to create a UaF when sys_futex_requeue() is used with different flags. The initial motivation for allowing different flags was the variable sized futex, but since that hasn't been merged (yet), simply mandate the flags are identical, as is the case for the old style sys_futex() requeue operations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31554
CVE-2026-31555 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
futex: Clear stale exiting pointer in futex_lock_pi() retry path
Fuzzing/stressing futexes triggered:
  WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524
When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY and stores a refcounted task pointer in 'exiting'.
After wait_for_owner_exiting() consumes that reference, the local pointer is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a different error, the bogus pointer is passed to wait_for_owner_exiting().
  CPU0                        CPU1                                        CPU2
  futex_lock_pi(uaddr)
  // acquires the PI futex
  exit()
    futex_cleanup_begin()
      futex_state = EXITING;
                              futex_lock_pi(uaddr)
                                futex_lock_pi_atomic()
                                  attach_to_pi_owner()
                                    // observes EXITING
                                    *exiting = owner; // takes ref
                                    return -EBUSY
                                wait_for_owner_exiting(-EBUSY, owner)
                                  put_task_struct(); // drops ref
                                // exiting still points to owner
                                goto retry;
                                futex_lock_pi_atomic()
                                  lock_pi_update_atomic()
                                    cmpxchg(uaddr)
                                                                          *uaddr ^= WAITERS // whatever
                                    // value changed
                                    return -EAGAIN;
                                wait_for_owner_exiting(-EAGAIN, exiting) // stale
                                  WARN_ON_ONCE(exiting)
Fix this by resetting upon retry, essentially aligning it with requeue_pi.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31555
CVE-2026-31556 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xfs: scrub: unlock dquot before early return in quota scrub
xchk_quota_item can return early after calling xchk_fblock_process_error. When that helper returns false, the function returned immediately without dropping dq->q_qlock, which can leave the dquot lock held and risk lock leaks or deadlocks in later quota operations.
Fix this by unlocking dq->q_qlock before the early return.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31556
CVE-2026-31557 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
nvmet: move async event work off nvmet-wq
For target nvmet_ctrl_free() flushes ctrl->async_event_work. If nvmet_ctrl_free() runs on nvmet-wq, the flush re-enters workqueue completion for the same worker:-
A. Async event work queued on nvmet-wq (prior to disconnect):
  nvmet_execute_async_event()
  queue_work(nvmet_wq, &ctrl->async_event_work)
  nvmet_add_async_event()
  queue_work(nvmet_wq, &ctrl->async_event_work)
B. Full pre-work chain (RDMA CM path):
  nvmet_rdma_cm_handler()
  nvmet_rdma_queue_disconnect()
  __nvmet_rdma_queue_disconnect()
  queue_work(nvmet_wq, &queue->release_work)
  process_one_work()
  lock((wq_completion)nvmet-wq) <--------- 1st
  nvmet_rdma_release_queue_work()
C. Recursive path (same worker):
  nvmet_rdma_release_queue_work()
  nvmet_rdma_free_queue()
  nvmet_sq_destroy()
  nvmet_ctrl_put()
  nvmet_ctrl_free()
  flush_work(&ctrl->async_event_work)
  __flush_work()
  touch_wq_lockdep_map()
  lock((wq_completion)nvmet-wq) <--------- 2nd
Lockdep splat:
  ============================================
  WARNING: possible recursive locking detected
  6.19.0-rc3nvme+ #14 Tainted: G N
  --------------------------------------------
  kworker/u192:42/44933 is trying to acquire lock:
  ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90
  but task is already holding lock:
  ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660
  3 locks held by kworker/u192:42/44933:
  #0: ffff888118a00948 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x53e/0x660
  #1: ffffc9000e6cbe28 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x660
  #2: ffffffff82d4db60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530
  Workqueue: nvmet-wq nvmet_rdma_release_queue_work [nvmet_rdma]
  Call Trace:
  __flush_work+0x268/0x530
  nvmet_ctrl_free+0x140/0x310 [nvmet]
  nvmet_cq_put+0x74/0x90 [nvmet]
  nvmet_rdma_free_queue+0x23/0xe0 [nvmet_rdma]
  nvmet_rdma_release_queue_work+0x19/0x50 [nvmet_rdma]
  process_one_work+0x206/0x660
  worker_thread+0x184/0x320
  kthread+0x10c/0x240
  ret_from_fork+0x319/0x390
Move async event work to a dedicated nvmet-aen-wq to avoid reentrant flush on nvmet-wq.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31557
CVE-2026-31560 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
spi: spi-dw-dma: fix print error log when wait finish transaction
If an error occurs, the device may not have a current message. In this case, the system will crash.
In this case, it's better to use dev from the struct ctlr (struct spi_controller*).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31560
CVE-2026-31561 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
x86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask
Commit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so that whenever something else modifies CR4, that bit remains set. Which in itself is a perfectly fine idea.
However, there's an issue when during boot FRED is initialized: first on the BSP and later on the APs. Thus, there's a window in time when exceptions cannot be handled.
This becomes particularly nasty when running as SEV-{ES,SNP} or TDX guests which, when they manage to trigger exceptions during that short window described above, triple fault due to FRED MSRs not being set up yet.
See Link tag below for a much more detailed explanation of the situation.
So, as a result, the commit in that Link URL tried to address this shortcoming by temporarily disabling CR4 pinning when an AP is not online yet.
However, that is a problem in itself because in this case, an attack on the kernel needs to only modify the online bit - a single bit in RW memory - and then disable CR4 pinning and then disable SM*P, leading to more and worse things to happen to the system.
So, instead, remove the FRED bit from the CR4 pinning mask, thus obviating the need to temporarily disable CR4 pinning.
If someone manages to disable FRED when poking at CR4, then idt_invalidate() would make sure the system would crash'n'burn on the first exception triggered, which is a much better outcome security-wise.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31561
CVE-2026-31562 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register
The call to mipi_dsi_host_register triggers a callback to mtk_dsi_bind, which uses dev_get_drvdata to retrieve the mtk_dsi struct, so this structure needs to be stored inside the driver data before invoking it.
As drvdata is currently uninitialized it leads to a crash when registering the DSI DRM encoder right after acquiring the mode_config.idr_mutex, blocking all subsequent DRM operations.
Fixes the following crash during mediatek-drm probe (tested on Xiaomi Smart Clock x04g):
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000040
[...]
Modules linked in: mediatek_drm(+) drm_display_helper cec drm_client_lib drm_dma_helper drm_kms_helper panel_simple
[...]
Call trace:
  drm_mode_object_add+0x58/0x98 (P)
  __drm_encoder_init+0x48/0x140
  drm_encoder_init+0x6c/0xa0
  drm_simple_encoder_init+0x20/0x34 [drm_kms_helper]
  mtk_dsi_bind+0x34/0x13c [mediatek_drm]
  component_bind_all+0x120/0x280
  mtk_drm_bind+0x284/0x67c [mediatek_drm]
  try_to_bring_up_aggregate_device+0x23c/0x320
  __component_add+0xa4/0x198
  component_add+0x14/0x20
  mtk_dsi_host_attach+0x78/0x100 [mediatek_drm]
  mipi_dsi_attach+0x2c/0x50
  panel_simple_dsi_probe+0x4c/0x9c [panel_simple]
  mipi_dsi_drv_probe+0x1c/0x28
  really_probe+0xc0/0x3dc
  __driver_probe_device+0x80/0x160
  driver_probe_device+0x40/0x120
  __device_attach_driver+0xbc/0x17c
  bus_for_each_drv+0x88/0xf0
  __device_attach+0x9c/0x1cc
  device_initial_probe+0x54/0x60
  bus_probe_device+0x34/0xa0
  device_add+0x5b0/0x800
  mipi_dsi_device_register_full+0xdc/0x16c
  mipi_dsi_host_register+0xc4/0x17c
  mtk_dsi_probe+0x10c/0x260 [mediatek_drm]
  platform_probe+0x5c/0xa4
  really_probe+0xc0/0x3dc
  __driver_probe_device+0x80/0x160
  driver_probe_device+0x40/0x120
  __driver_attach+0xc8/0x1f8
  bus_for_each_dev+0x7c/0xe0
  driver_attach+0x24/0x30
  bus_add_driver+0x11c/0x240
  driver_register+0x68/0x130
  __platform_register_drivers+0x64/0x160
  mtk_drm_init+0x24/0x1000 [mediatek_drm]
  do_one_initcall+0x60/0x1d0
  do_init_module+0x54/0x240
  load_module+0x1838/0x1dc0
  init_module_from_file+0xd8/0xf0
  __arm64_sys_finit_module+0x1b4/0x428
  invoke_syscall.constprop.0+0x48/0xc8
  do_el0_svc+0x3c/0xb8
  el0_svc+0x34/0xe8
  el0t_64_sync_handler+0xa0/0xe4
  el0t_64_sync+0x198/0x19c
Code: 52800022 941004ab 2a0003f3 37f80040 (29005a80)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31562
CVE-2026-31563 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: net: macb: Use dev_consume_skb_any() to free TX SKBs The napi_consume_skb() function is not intended to be called in an IRQ disabled context. However, after commit 6bc8a5098bf4 ("net: macb: Fix tx_ptr_lock locking"), the freeing of TX SKBs is performed with IRQs disabled. To resolve the following call trace, use dev_consume_skb_any() for freeing TX SKBs: WARNING: kernel/softirq.c:430 at __local_bh_enable_ip+0x174/0x188, CPU#0: ksoftirqd/0/15 Modules linked in: CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 7.0.0-rc4-next-20260319-yocto-standard-dirty #37 PREEMPT Hardware name: ZynqMP ZCU102 Rev1.1 (DT) pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __local_bh_enable_ip+0x174/0x188 lr : local_bh_enable+0x24/0x38 sp : ffff800082b3bb10 x29: ffff800082b3bb10 x28: ffff0008031f3c00 x27: 000000000011ede0 x26: ffff000800a7ff00 x25: ffff800083937ce8 x24: 0000000000017a80 x23: ffff000803243a78 x22: 0000000000000040 x21: 0000000000000000 x20: ffff000800394c80 x19: 0000000000000200 x18: 0000000000000001 x17: 0000000000000001 x16: ffff000803240000 x15: 0000000000000000 x14: ffffffffffffffff x13: 0000000000000028 x12: ffff000800395650 x11: ffff8000821d1528 x10: ffff800081c2bc08 x9 : ffff800081c1e258 x8 : 0000000100000301 x7 : ffff8000810426ec x6 : 0000000000000000 x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000008 x1 : 0000000000000200 x0 : ffff8000810428dc Call trace: __local_bh_enable_ip+0x174/0x188 (P) local_bh_enable+0x24/0x38 skb_attempt_defer_free+0x190/0x1d8 napi_consume_skb+0x58/0x108 macb_tx_poll+0x1a4/0x558 __napi_poll+0x50/0x198 net_rx_action+0x1f4/0x3d8 handle_softirqs+0x16c/0x560 run_ksoftirqd+0x44/0x80 smpboot_thread_fn+0x1d8/0x338 kthread+0x120/0x150 ret_from_fork+0x10/0x20 irq event stamp: 29751 hardirqs last enabled at (29750): [<ffff8000813be184>] _raw_spin_unlock_irqrestore+0x44/0x88 hardirqs last disabled at (29751):
[<ffff8000813bdf60>] _raw_spin_lock_irqsave+0x38/0x98 softirqs last enabled at (29150): [<ffff8000800f1aec>] handle_softirqs+0x504/0x560 softirqs last disabled at (29153): [<ffff8000800f2fec>] run_ksoftirqd+0x44/0x80
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31563
CVE-2026-31565 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix deadlock during netdev reset with active connections Resolve deadlock that occurs when user executes netdev reset while RDMA applications (e.g., rping) are active. The netdev reset causes ice driver to remove irdma auxiliary driver, triggering device_delete and subsequent client removal. During client removal, uverbs_client waits for QP reference count to reach zero while cma_client holds the final reference, creating circular dependency and indefinite wait in iWARP mode. Skip QP reference count wait during device reset to prevent deadlock.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31565
CVE-2026-31566 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib amdgpu_amdkfd_submit_ib() submits a GPU job and gets a fence from amdgpu_ib_schedule(). This fence is used to wait for job completion. Currently, the code drops the fence reference using dma_fence_put() before calling dma_fence_wait(). If dma_fence_put() releases the last reference, the fence may be freed before dma_fence_wait() is called. This can lead to a use-after-free. Fix this by waiting on the fence first and releasing the reference only after dma_fence_wait() completes. Fixes the below: drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c:697 amdgpu_amdkfd_submit_ib() warn: passing freed memory 'f' (line 696) (cherry picked from commit 8b9e5259adc385b61a6590a13b82ae0ac2bd3482)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31566
CVE-2026-31567 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: PM: sleep: Drop spurious WARN_ON() from pm_restore_gfp_mask() Commit 35e4a69b2003f ("PM: sleep: Allow pm_restrict_gfp_mask() stacking") introduced refcount-based GFP mask management that warns when pm_restore_gfp_mask() is called with saved_gfp_count == 0. Some hibernation paths call pm_restore_gfp_mask() defensively where the GFP mask may or may not be restricted depending on the execution path. For example, the uswsusp interface invokes it in SNAPSHOT_CREATE_IMAGE, SNAPSHOT_UNFREEZE, and snapshot_release(). Before the stacking change this was a silent no-op; it now triggers a spurious WARNING. Remove the WARN_ON() wrapper from the !saved_gfp_count check while retaining the check itself, so that defensive calls remain harmless without producing false warnings. [ rjw: Subject tweak ]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31567
CVE-2026-31568 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: s390/mm: Add missing secure storage access fixups for donated memory There are special cases where secure storage access exceptions happen in a kernel context for pages that don't have the PG_arch_1 bit set. That bit is set for non-exported guest secure storage (memory) but is absent on storage donated to the Ultravisor since the kernel isn't allowed to export donated pages. Prior to this patch we would try to export the page by calling arch_make_folio_accessible() which would instantly return since the arch bit is absent signifying that the page was already exported and no further action is necessary. This leads to secure storage access exception loops which can never be resolved. With this patch we unconditionally try to export and if that fails we fixup.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31568
CVE-2026-31569 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Handle the case that EIOINTC's coremap is empty EIOINTC's coremap in eiointc_update_sw_coremap() can be empty, currently we get a cpuid with -1 in this case, but we actually need 0 because it's similar to the case that cpuid >= 4. This fixes an out-of-bounds access to kvm_arch::phyid_map::phys_map[].
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31569
CVE-2026-31570 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: can: gw: fix OOB heap access in cgw_csum_crc8_rel() cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx(): int from = calc_idx(crc8->from_idx, cf->len); int to = calc_idx(crc8->to_idx, cf->len); int res = calc_idx(crc8->result_idx, cf->len); if (from < 0 || to < 0 || res < 0) return; However, the loop and the result write then use the raw s8 fields directly instead of the computed variables: for (i = crc8->from_idx; ...) /* BUG: raw negative index */ cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */ With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame, calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with i = -64, reading cf->data[-64], and the write goes to cf->data[-64]. This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the start of the canfd_frame on the heap. The companion function cgw_csum_xor_rel() uses `from`/`to`/`res` correctly throughout; fix cgw_csum_crc8_rel() to match. Confirmed with KASAN on linux-7.0-rc2: BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0 Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62 To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31570
CVE-2026-31571 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: drm/i915: Unlink NV12 planes earlier unlink_nv12_plane() will clobber parts of the plane state potentially already set up by plane_atomic_check(), so we must make sure not to call the two in the wrong order. The problem happens when a plane previously selected as a Y plane is now configured as a normal plane by user space. plane_atomic_check() will first compute the proper plane state based on the userspace request, and unlink_nv12_plane() later clears some of the state. This used to work on account of unlink_nv12_plane() skipping the state clearing based on the plane visibility. But I removed that check, thinking it was an impossible situation. Now when that situation happens unlink_nv12_plane() will just WARN and proceed to clobber the state. Rather than reverting to the old way of doing things, I think it's more clear if we unlink the NV12 planes before we even compute the new plane state. (cherry picked from commit 017ecd04985573eeeb0745fa2c23896fb22ee0cc)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31571
CVE-2026-31572 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: i2c: designware: amdisp: Fix resume-probe race condition issue Identified resume-probe race condition in kernel v7.0 with the commit 38fa29b01a6a ("i2c: designware: Combine the init functions"), but this issue existed from the beginning though not detected. The amdisp i2c device requires ISP to be in power-on state for probe to succeed. To meet this requirement, this device is added to genpd to control ISP power using runtime PM. The pm_runtime_get_sync() called before i2c_dw_probe() triggers PM resume, which powers on ISP and also invokes the amdisp i2c runtime resume before the probe completes resulting in this race condition and a NULL dereferencing issue in v7.0. Fix this race condition by using the genpd APIs directly during probe: - Call dev_pm_genpd_resume() to Power ON ISP before probe - Call dev_pm_genpd_suspend() to Power OFF ISP after probe - Set the device to suspended state with pm_runtime_set_suspended() - Enable runtime PM only after the device is fully initialized
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31572
CVE-2026-31573 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: media: verisilicon: Fix kernel panic due to __initconst misuse Fix a kernel panic when probing the driver as a module: Unable to handle kernel paging request at virtual address ffffd9c18eb05000 of_find_matching_node_and_match+0x5c/0x1a0 hantro_probe+0x2f4/0x7d0 [hantro_vpu] The imx8mq_vpu_shared_resources array is referenced by variant structures through their shared_devices field. When built as a module, __initconst causes this data to be freed after module init, but it's later accessed during probe, causing a page fault. The imx8mq_vpu_shared_resources is referenced from non-init code, so keeping __initconst or __initconst_or_module here is wrong. Drop the __initconst annotation and let it live in the normal .rodata section. A bug of __initconst called from regular non-init probe code leading to bugs during probe deferrals or during unbind-bind cycles.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31573
CVE-2026-31574 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: clockevents: Add missing resets of the next_event_forced flag The prevention mechanism against timer interrupt starvation missed to reset the next_event_forced flag in a couple of places: - When the clock event state changes. That can cause the flag to be stale over a shutdown/startup sequence - When a non-forced event is armed, which then prevents rearming before that event. If that event is far out in the future this will cause missed timer interrupts. - In the suspend wakeup handler. That led to stalls which have been reported by several people. Add the missing resets, which fixes the problems for the reporters.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31574
CVE-2026-31575 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: mm/userfaultfd: fix hugetlb fault mutex hash calculation In mfill_atomic_hugetlb(), linear_page_index() is used to calculate the page index for hugetlb_fault_mutex_hash(). However, linear_page_index() returns the index in PAGE_SIZE units, while hugetlb_fault_mutex_hash() expects the index in huge page units. This mismatch means that different addresses within the same huge page can produce different hash values, leading to the use of different mutexes for the same huge page. This can cause races between faulting threads, which can corrupt the reservation map and trigger the BUG_ON in resv_map_release(). Fix this by introducing hugetlb_linear_page_index(), which returns the page index in huge page granularity, and using it in place of linear_page_index().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31575
CVE-2026-31576 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: media: hackrf: fix to not free memory after the device is registered in hackrf_probe() In hackrf driver, the following race condition occurs: ``` CPU0 CPU1 hackrf_probe() kzalloc(); // alloc hackrf_dev .... v4l2_device_register(); .... fd = sys_open("/path/to/dev"); // open hackrf fd .... v4l2_device_unregister(); .... kfree(); // free hackrf_dev .... sys_ioctl(fd, ...); v4l2_ioctl(); video_is_registered() // UAF!! .... sys_close(fd); v4l2_release() // UAF!! hackrf_video_release() kfree(); // DFB!! ``` When a V4L2 or video device is unregistered, the device node is removed so new open() calls are blocked. However, file descriptors that are already open - and any in-flight I/O - do not terminate immediately; they remain valid until the last reference is dropped and the driver's release() is invoked. Therefore, freeing device memory on the error path after hackrf_probe() has registered dev it will lead to a race to use-after-free vuln, since those already-open handles haven't been released yet. And since release() free memory too, race to use-after-free and double-free vuln occur. To prevent this, if device is registered from probe(), it should be modified to free memory only through release() rather than calling kfree() directly.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31576
CVE-2026-31577 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map The DAT inode's btree node cache (i_assoc_inode) is initialized lazily during btree operations. However, nilfs_mdt_save_to_shadow_map() assumes i_assoc_inode is already initialized when copying dirty pages to the shadow map during GC. If NILFS_IOCTL_CLEAN_SEGMENTS is called immediately after mount before any btree operation has occurred on the DAT inode, i_assoc_inode is NULL leading to a general protection fault. Fix this by calling nilfs_attach_btree_node_cache() on the DAT inode in nilfs_dat_read() at mount time, ensuring i_assoc_inode is always initialized before any GC operation can use it.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31577
CVE-2026-31578 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: media: as102: fix to not free memory after the device is registered in as102_usb_probe() In as102_usb driver, the following race condition occurs: ``` CPU0 CPU1 as102_usb_probe() kzalloc(); // alloc as102_dev_t .... usb_register_dev(); fd = sys_open("/path/to/dev"); // open as102 fd .... usb_deregister_dev(); .... kfree(); // free as102_dev_t .... sys_close(fd); as102_release() // UAF!! as102_usb_release() kfree(); // DFB!! ``` When a USB character device registered with usb_register_dev() is later unregistered (via usb_deregister_dev() or disconnect), the device node is removed so new open() calls fail. However, file descriptors that are already open do not go away immediately: they remain valid until the last reference is dropped and the driver's .release() is invoked. In as102, as102_usb_probe() calls usb_register_dev() and then, on an error path, does usb_deregister_dev() and frees as102_dev_t right away. If userspace raced a successful open() before the deregistration, that open FD will later hit as102_release() --> as102_usb_release() and access or free as102_dev_t again, occur a race to use-after-free and double-free vuln. The fix is to never kfree(as102_dev_t) directly once usb_register_dev() has succeeded. After deregistration, defer freeing memory to .release(). In other words, let release() perform the last kfree when the final open FD is closed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31578
CVE-2026-31579 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit wg_netns_pre_exit() manually acquires rtnl_lock() inside the pernet .pre_exit callback. This causes a hung task when another thread holds rtnl_mutex - the cleanup_net workqueue (or the setup_net failure rollback path) blocks indefinitely in wg_netns_pre_exit() waiting to acquire the lock. Convert to .exit_rtnl, introduced in commit 7a60d91c690b ("net: Add ->exit_rtnl() hook to struct pernet_operations."), where the framework already holds RTNL and batches all callbacks under a single rtnl_lock()/rtnl_unlock() pair, eliminating the contention window. The rcu_assign_pointer(wg->creating_net, NULL) is safe to move from .pre_exit to .exit_rtnl (which runs after synchronize_rcu()) because all RCU readers of creating_net either use maybe_get_net() - which returns NULL for a dying namespace with zero refcount - or access net->user_ns which remains valid throughout the entire ops_undo_list sequence. [ Jason: added __net_exit and __read_mostly annotations that were missing. ]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31579
CVE-2026-31580 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: bcache: fix cached_dev.sb_bio use-after-free and crash In our production environment, we have received multiple crash reports regarding libceph, which have caught our attention: ``` [6888366.280350] Call Trace: [6888366.280452] blk_update_request+0x14e/0x370 [6888366.280561] blk_mq_end_request+0x1a/0x130 [6888366.280671] rbd_img_handle_request+0x1a0/0x1b0 [rbd] [6888366.280792] rbd_obj_handle_request+0x32/0x40 [rbd] [6888366.280903] __complete_request+0x22/0x70 [libceph] [6888366.281032] osd_dispatch+0x15e/0xb40 [libceph] [6888366.281164] ? inet_recvmsg+0x5b/0xd0 [6888366.281272] ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph] [6888366.281405] ceph_con_process_message+0x79/0x140 [libceph] [6888366.281534] ceph_con_v1_try_read+0x5d7/0xf30 [libceph] [6888366.281661] ceph_con_workfn+0x329/0x680 [libceph] ``` After analyzing the coredump file, we found that the address of dc->sb_bio has been freed. We know that cached_dev is only freed when it is stopped. Since sb_bio is a part of struct cached_dev, rather than an alloc every time. If the device is stopped while writing to the superblock, the released address will be accessed at endio. This patch hopes to wait for sb_write to complete in cached_dev_free. It should be noted that we analyzed the cause of the problem, then tell all details to the QWEN and adopted the modifications it made.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31580
CVE-2026-31581 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: fix use-after-free on disconnect In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed() is called and no file handles are open, the card and embedded chip are freed synchronously. The subsequent chip->card = NULL write then hits freed slab memory. Call trace: usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline] usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182 usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458 ... hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953 Fix by moving the card lifecycle out of usb6fire_chip_abort() and into usb6fire_chip_disconnect(). The card pointer is saved in a local before any teardown, snd_card_disconnect() is called first to prevent new opens, URBs are aborted while chip is still valid, and snd_card_free_when_closed() is called last so chip is never accessed after the card may be freed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31581
CVE-2026-31582 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: hwmon: (powerz) Fix use-after-free on USB disconnect After powerz_disconnect() frees the URB and releases the mutex, a subsequent powerz_read() call can acquire the mutex and call powerz_read_data(), which dereferences the freed URB pointer. Fix by: - Setting priv->urb to NULL in powerz_disconnect() so that powerz_read_data() can detect the disconnected state. - Adding a !priv->urb check at the start of powerz_read_data() to return -ENODEV on a disconnected device. - Moving usb_set_intfdata() before hwmon registration so the disconnect handler can always find the priv pointer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31582
CVE-2026-31583 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: media: em28xx: fix use-after-free in em28xx_v4l2_open() em28xx_v4l2_open() reads dev->v4l2 without holding dev->lock, creating a race with em28xx_v4l2_init()'s error path and em28xx_v4l2_fini(), both of which free the em28xx_v4l2 struct and set dev->v4l2 to NULL under dev->lock. This race leads to two issues: - use-after-free in v4l2_fh_init() when accessing vdev->ctrl_handler, since the video_device is embedded in the freed em28xx_v4l2 struct. - NULL pointer dereference in em28xx_resolution_set() when accessing v4l2->norm, since dev->v4l2 has been set to NULL. Fix this by moving the mutex_lock() before the dev->v4l2 read and adding a NULL check for dev->v4l2 under the lock.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31583
CVE-2026-31584 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: fix use-after-free in encoder release path The fops_vcodec_release() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->encode_work. This creates a race window where the workqueue handler (mtk_venc_worker) may still be accessing the context memory after it has been freed. Race condition: CPU 0 (release path) CPU 1 (workqueue) --------------------- ------------------ fops_vcodec_release() v4l2_m2m_ctx_release() v4l2_m2m_cancel_job() // waits for m2m job "done" mtk_venc_worker() v4l2_m2m_job_finish() // m2m job "done" // BUT worker still running! // post-job_finish access: other ctx dereferences // UAF if ctx already freed // returns (job "done") kfree(ctx) // ctx freed Root cause: The v4l2_m2m_ctx_release() only waits for the m2m job lifecycle (via TRANS_RUNNING flag), not the workqueue lifecycle. After v4l2_m2m_job_finish() is called, the m2m framework considers the job complete and v4l2_m2m_ctx_release() returns, but the worker function continues executing and may still access ctx. The work is queued during encode operations via: queue_work(ctx->dev->encode_workqueue, &ctx->encode_work) The worker function accesses ctx->m2m_ctx, ctx->dev, and other ctx fields even after calling v4l2_m2m_job_finish(). This vulnerability was confirmed with KASAN by running an instrumented test module that widens the post-job_finish race window.
KASAN detected: BUG: KASAN: slab-use-after-free in mtk_venc_worker+0x159/0x180 Read of size 4 at addr ffff88800326e000 by task kworker/u8:0/12 Workqueue: mtk_vcodec_enc_wq mtk_venc_worker Allocated by task 47: __kasan_kmalloc+0x7f/0x90 fops_vcodec_open+0x85/0x1a0 Freed by task 47: __kasan_slab_free+0x43/0x70 kfree+0xee/0x3a0 fops_vcodec_release+0xb7/0x190 Fix this by calling cancel_work_sync(&ctx->encode_work) before kfree(ctx). This ensures the workqueue handler is both cancelled (if pending) and synchronized (waits for any running handler to complete) before the context is freed. Placement rationale: The fix is placed after v4l2_ctrl_handler_free() and before list_del_init(&ctx->list). At this point, all m2m operations are done (v4l2_m2m_ctx_release() has returned), and we need to ensure the workqueue is synchronized before removing ctx from the list and freeing it. Note: The open error path does NOT need cancel_work_sync() because INIT_WORK() only initializes the work structure - it does not schedule it. Work is only scheduled later during device_run() operations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31584
CVE-2026-31585 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: media: vidtv: fix nfeeds state corruption on start_streaming failure syzbot reported a memory leak in vidtv_psi_service_desc_init [1]. When vidtv_start_streaming() fails inside vidtv_start_feed(), the nfeeds counter is left incremented even though no feed was actually started. This corrupts the driver state: subsequent start_feed calls see nfeeds > 1 and skip starting the mux, while stop_feed calls eventually try to stop a non-existent stream. This state corruption can also lead to memory leaks, since the mux and channel resources may be partially allocated during a failed start_streaming but never cleaned up, as the stop path finds dvb->streaming == false and returns early. Fix by decrementing nfeeds back when start_streaming fails, keeping the counter in sync with the actual number of active feeds. [1] BUG: memory leak unreferenced object 0xffff888145b50820 (size 32): comm "syz.0.17", pid 6068, jiffies 4294944486 backtrace (crc 90a0c7d4): vidtv_psi_service_desc_init+0x74/0x1b0 drivers/media/test-drivers/vidtv/vidtv_psi.c:288 vidtv_channel_s302m_init+0xb1/0x2a0 drivers/media/test-drivers/vidtv/vidtv_channel.c:83 vidtv_channels_init+0x1b/0x40 drivers/media/test-drivers/vidtv/vidtv_channel.c:524 vidtv_mux_init+0x516/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:518 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline] vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31585
CVE-2026-31586 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() cgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesses wb->blkcg_css again via blkcg_unpin_online(). If css_put() drops the last reference, the blkcg can be freed asynchronously (css_free_rwork_fn -> blkcg_css_free -> kfree) before blkcg_unpin_online() dereferences the pointer to access blkcg->online_pin, resulting in a use-after-free: BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531 Workqueue: cgwb_release cgwb_release_workfn Call Trace: <TASK> blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) cgwb_release_workfn (mm/backing-dev.c:629) process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385) Freed by task 1016: kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561) css_free_rwork_fn (kernel/cgroup/cgroup.c:5542) process_scheduled_works (kernel/workqueue.c:3302 kernel/workqueue.c:3385) ** Stack based on commit 66672af7a095 ("Add linux-next specific files for 20260410") I am seeing this crash sporadically in Meta fleet across multiple kernel versions. A full reproducer is available at: https://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh (The race window is narrow. To make it easily reproducible, inject a msleep(100) between css_put() and blkcg_unpin_online() in cgwb_release_workfn().
With that delay and a KASAN-enabled kernel, the reproducer triggers the splat reliably in less than a second.) Fix this by moving blkcg_unpin_online() before css_put(), so the cgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online() accesses it.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31586
CVE-2026-31587 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6apm: move component registration to unmanaged version q6apm component registers dais dynamically from ASoC topology, which are allocated using device managed version apis. Allocating both component and dynamic dais using managed version could lead to incorrect free ordering, dai will be freed while component still holding references to it. Fix this issue by moving component to unmanaged version so that the dai pointers are only freed after the component is removed. ================================================================== BUG: KASAN: slab-use-after-free in snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core] Read of size 8 at addr ffff00084493a6e8 by task kworker/u48:0/3426 Tainted: [W]=WARN Hardware name: LENOVO 21N2ZC5PUS/21N2ZC5PUS, BIOS N42ET57W (1.31 ) 08/08/2024 Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface] Call trace: show_stack+0x28/0x7c (C) dump_stack_lvl+0x60/0x80 print_report+0x160/0x4b4 kasan_report+0xac/0xfc __asan_report_load8_noabort+0x20/0x34 snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core] snd_soc_unregister_component_by_driver+0x50/0x88 [snd_soc_core] devm_component_release+0x30/0x5c [snd_soc_core] devres_release_all+0x13c/0x210 device_unbind_cleanup+0x20/0x190 device_release_driver_internal+0x350/0x468 device_release_driver+0x18/0x30 bus_remove_device+0x1a0/0x35c device_del+0x314/0x7f0 device_unregister+0x20/0xbc apr_remove_device+0x5c/0x7c [apr] device_for_each_child+0xd8/0x160 apr_pd_status+0x7c/0xa8 [apr] pdr_notifier_work+0x114/0x240 [pdr_interface] process_one_work+0x500/0xb70 worker_thread+0x630/0xfb0 kthread+0x370/0x6c0 ret_from_fork+0x10/0x20 Allocated by task 77: kasan_save_stack+0x40/0x68 kasan_save_track+0x20/0x40 kasan_save_alloc_info+0x44/0x58 __kasan_kmalloc+0xbc/0xdc __kmalloc_node_track_caller_noprof+0x1f4/0x620 devm_kmalloc+0x7c/0x1c8 snd_soc_register_dai+0x50/0x4f0 [snd_soc_core] soc_tplg_pcm_elems_load+0x55c/0x1eb8
[snd_soc_core] snd_soc_tplg_component_load+0x4f8/0xb60 [snd_soc_core] audioreach_tplg_init+0x124/0x1fc [snd_q6apm] q6apm_audio_probe+0x10/0x1c [snd_q6apm] snd_soc_component_probe+0x5c/0x118 [snd_soc_core] soc_probe_component+0x44c/0xaf0 [snd_soc_core] snd_soc_bind_card+0xad0/0x2370 [snd_soc_core] snd_soc_register_card+0x3b0/0x4c0 [snd_soc_core] devm_snd_soc_register_card+0x50/0xc8 [snd_soc_core] x1e80100_platform_probe+0x208/0x368 [snd_soc_x1e80100] platform_probe+0xc0/0x188 really_probe+0x188/0x804 __driver_probe_device+0x158/0x358 driver_probe_device+0x60/0x190 __device_attach_driver+0x16c/0x2a8 bus_for_each_drv+0x100/0x194 __device_attach+0x174/0x380 device_initial_probe+0x14/0x20 bus_probe_device+0x124/0x154 deferred_probe_work_func+0x140/0x220 process_one_work+0x500/0xb70 worker_thread+0x630/0xfb0 kthread+0x370/0x6c0 ret_from_fork+0x10/0x20 Freed by task 3426: kasan_save_stack+0x40/0x68 kasan_save_track+0x20/0x40 __kasan_save_free_info+0x4c/0x80 __kasan_slab_free+0x78/0xa0 kfree+0x100/0x4a4 devres_release_all+0x144/0x210 device_unbind_cleanup+0x20/0x190 device_release_driver_internal+0x350/0x468 device_release_driver+0x18/0x30 bus_remove_device+0x1a0/0x35c device_del+0x314/0x7f0 device_unregister+0x20/0xbc apr_remove_device+0x5c/0x7c [apr] device_for_each_child+0xd8/0x160 apr_pd_status+0x7c/0xa8 [apr] pdr_notifier_work+0x114/0x240 [pdr_interface] process_one_work+0x500/0xb70 worker_thread+0x630/0xfb0 kthread+0x370/0x6c0 ret_from_fork+0x10/0x20
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31587
CVE-2026-31588 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Use scratch field in MMIO fragment to hold small write values
When exiting to userspace to service an emulated MMIO write, copy the to-be-written value to a scratch field in the MMIO fragment if the size of the data payload is 8 bytes or less, i.e. can fit in a single chunk, instead of pointing the fragment directly at the source value.
This fixes a class of use-after-free bugs that occur when the emulator initiates a write using an on-stack, local variable as the source, the write splits a page boundary, *and* both pages are MMIO pages. Because KVM's ABI only allows for physically contiguous MMIO requests, accesses that split MMIO pages are separated into two fragments, and are sent to userspace one at a time. When KVM attempts to complete userspace MMIO in response to KVM_RUN after the first fragment, KVM will detect the second fragment and generate a second userspace exit, and reference the on-stack variable.
The issue is most visible if the second KVM_RUN is performed by a separate task, in which case the stack of the initiating task can show up as truly freed data.
 ==================================================================
 BUG: KASAN: use-after-free in complete_emulated_mmio+0x305/0x420
 Read of size 1 at addr ffff888009c378d1 by task syz-executor417/984
 CPU: 1 PID: 984 Comm: syz-executor417 Not tainted 5.10.0-182.0.0.95.h2627.eulerosv2r13.x86_64 #3
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
 Call Trace:
  dump_stack+0xbe/0xfd
  print_address_description.constprop.0+0x19/0x170
  __kasan_report.cold+0x6c/0x84
  kasan_report+0x3a/0x50
  check_memory_region+0xfd/0x1f0
  memcpy+0x20/0x60
  complete_emulated_mmio+0x305/0x420
  kvm_arch_vcpu_ioctl_run+0x63f/0x6d0
  kvm_vcpu_ioctl+0x413/0xb20
  __se_sys_ioctl+0x111/0x160
  do_syscall_64+0x30/0x40
  entry_SYSCALL_64_after_hwframe+0x67/0xd1
 RIP: 0033:0x42477d
 Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
 RSP: 002b:00007faa8e6890e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
 RAX: ffffffffffffffda RBX: 00000000004d7338 RCX: 000000000042477d
 RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
 RBP: 00000000004d7330 R08: 00007fff28d546df R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004d733c
 R13: 0000000000000000 R14: 000000000040a200 R15: 00007fff28d54720
 The buggy address belongs to the page:
 page:0000000029f6a428 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9c37
 flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)
 raw: 000fffffc0000000 0000000000000000 ffffea0000270dc8 0000000000000000
 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
 page dumped because: kasan: bad access detected
 Memory state around the buggy address:
  ffff888009c37780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  ffff888009c37800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 >ffff888009c37880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  ^
  ffff888009c37900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  ffff888009c37980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ==================================================================
The bug can also be reproduced with a targeted KVM-Unit-Test by hacking KVM to fill a large on-stack variable in complete_emulated_mmio(), i.e. by overwriting the data value with garbage.
Limit the use of the scratch fields to 8-byte or smaller accesses, and to just writes, as larger accesses and reads are not affected thanks to implementation details in the emulator, but add a sanity check to ensure those details don't change in the future. Specifically, KVM never uses on-stack variables for accesses larger than 8 bytes, e.g. uses an operand in the emulator context, and *al---truncated---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31588
CVE-2026-31589 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mm: call ->free_folio() directly in folio_unmap_invalidate()
We can only call filemap_free_folio() if we have a reference to (or hold a lock on) the mapping. Otherwise, we've already removed the folio from the mapping so it no longer pins the mapping and the mapping can be removed, causing a use-after-free when accessing mapping->a_ops.
Follow the same pattern as __remove_mapping() and load the free_folio function pointer before dropping the lock on the mapping. That lets us make filemap_free_folio() static as this was the only caller outside filemap.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31589
CVE-2026-31590 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
Drop the WARN in sev_pin_memory() on npages overflowing an int, as the WARN is comically trivial to trigger from userspace, e.g. by doing:
  struct kvm_enc_region range = {
          .addr = 0,
          .size = -1ul,
  };
  __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range);
Note, the checks in sev_mem_enc_register_region() that presumably exist to verify the incoming address+size are completely worthless, as both "addr" and "size" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater than ULONG_MAX. That wart will be cleaned up in the near future.
  if (range->addr > ULONG_MAX || range->size > ULONG_MAX)
          return -EINVAL;
Opportunistically add a comment to explain why the code calculates the number of pages the "hard" way, e.g. instead of just shifting @ulen.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31590
CVE-2026-31591 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
KVM: SEV: Lock all vCPUs when synchronizing VMSAs for SNP launch finish
Lock all vCPUs when synchronizing and encrypting VMSAs for SNP guests, as allowing userspace to manipulate and/or run a vCPU while its state is being synchronized would at best corrupt vCPU state, and at worst crash the host kernel.
Opportunistically assert that vcpu->mutex is held when synchronizing its VMSA (the SEV-ES path already locks vCPUs).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31591
CVE-2026-31592 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock
Take and hold kvm->lock before checking sev_guest() in sev_mem_enc_register_region(), as sev_guest() isn't stable unless kvm->lock is held (or KVM can guarantee KVM_SEV_INIT{2} has completed and can't roll back state). If KVM_SEV_INIT{2} fails, KVM can end up trying to add to a not-yet-initialized sev->regions_list, e.g. triggering a #GP
 Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
 KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
 CPU: 110 UID: 0 PID: 72717 Comm: syz.15.11462 Tainted: G U W O 6.16.0-smp-DEV #1 NONE
 Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE
 Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024
 RIP: 0010:sev_mem_enc_register_region+0x3f0/0x4f0 ../include/linux/list.h:83
 Code: <41> 80 3c 04 00 74 08 4c 89 ff e8 f1 c7 a2 00 49 39 ed 0f 84 c6 00
 RSP: 0018:ffff88838647fbb8 EFLAGS: 00010256
 RAX: dffffc0000000000 RBX: 1ffff92015cf1e0b RCX: dffffc0000000000
 RDX: 0000000000000000 RSI: 0000000000001000 RDI: ffff888367870000
 RBP: ffffc900ae78f050 R08: ffffea000d9e0007 R09: 1ffffd4001b3c000
 R10: dffffc0000000000 R11: fffff94001b3c001 R12: 0000000000000000
 R13: ffff8982ab0bde00 R14: ffffc900ae78f058 R15: 0000000000000000
 FS: 00007f34e9dc66c0(0000) GS:ffff89ee64d33000(0000) knlGS:0000000000000000
 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007fe180adef98 CR3: 000000047210e000 CR4: 0000000000350ef0
 Call Trace:
  <TASK>
  kvm_arch_vm_ioctl+0xa72/0x1240 ../arch/x86/kvm/x86.c:7371
  kvm_vm_ioctl+0x649/0x990 ../virt/kvm/kvm_main.c:5363
  __se_sys_ioctl+0x101/0x170 ../fs/ioctl.c:51
  do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
  do_syscall_64+0x6f/0x1f0 ../arch/x86/entry/syscall_64.c:94
  entry_SYSCALL_64_after_hwframe+0x76/0x7e
 RIP: 0033:0x7f34e9f7e9a9
 Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
 RSP: 002b:00007f34e9dc6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
 RAX: ffffffffffffffda RBX: 00007f34ea1a6080 RCX: 00007f34e9f7e9a9
 RDX: 0000200000000280 RSI: 000000008010aebb RDI: 0000000000000007
 RBP: 00007f34ea000d69 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
 R13: 0000000000000000 R14: 00007f34ea1a6080 R15: 00007ffce77197a8
  </TASK>
with a syzlang reproducer that looks like:
 syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000040)={0x0,&(0x7f0000000180)=ANY=[], 0x70}) (async)
 syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000080)={0x0,&(0x7f0000000180)=ANY=[@ANYBLOB="..."], 0x4f}) (async)
 r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0)
 r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
 r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
 r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
 ioctl$KVM_SET_CLOCK(r3, 0xc008aeba, &(0x7f0000000040)={0x1, 0x8, 0x0, 0x5625e9b0}) (async)
 ioctl$KVM_SET_PIT2(r3, 0x8010aebb, &(0x7f0000000280)={[...], 0x5}) (async)
 ioctl$KVM_SET_PIT2(r1, 0x4070aea0, 0x0) (async)
 r4 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0)
 openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) (async)
 ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000001000/0x2000)=nil}) (async)
 r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2)
 close(r0) (async)
 openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x8000, 0x0) (async)
 ioctl$KVM_SET_GUEST_DEBUG(r5, 0x4048ae9b, &(0x7f0000000300)={0x4376ea830d46549b, 0x0, [0x46, 0x0, 0x0, 0x0, 0x0, 0x1000]}) (async)
 ioctl$KVM_RUN(r5, 0xae80, 0x0)
Opportunistically use guard() to avoid having to define a new error label and goto usage.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31592
CVE-2026-31593 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU
Reject synchronizing vCPU state to its associated VMSA if the vCPU has already been launched, i.e. if the VMSA has already been encrypted. On a host with SNP enabled, accessing guest-private memory generates an RMP #PF and panics the host.
 BUG: unable to handle page fault for address: ff1276cbfdf36000
 #PF: supervisor write access in kernel mode
 #PF: error_code(0x80000003) - RMP violation
 PGD 5a31801067 P4D 5a31802067 PUD 40ccfb5063 PMD 40e5954063 PTE 80000040fdf36163
 SEV-SNP: PFN 0x40fdf36, RMP entry: [0x6010fffffffff001 - 0x000000000000001f]
 Oops: Oops: 0003 [#1] SMP NOPTI
 CPU: 33 UID: 0 PID: 996180 Comm: qemu-system-x86 Tainted: G OE
 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
 Hardware name: Dell Inc. PowerEdge R7625/0H1TJT, BIOS 1.5.8 07/21/2023
 RIP: 0010:sev_es_sync_vmsa+0x54/0x4c0 [kvm_amd]
 Call Trace:
  <TASK>
  snp_launch_update_vmsa+0x19d/0x290 [kvm_amd]
  snp_launch_finish+0xb6/0x380 [kvm_amd]
  sev_mem_enc_ioctl+0x14e/0x720 [kvm_amd]
  kvm_arch_vm_ioctl+0x837/0xcf0 [kvm]
  kvm_vm_ioctl+0x3fd/0xcc0 [kvm]
  __x64_sys_ioctl+0xa3/0x100
  x64_sys_call+0xfe0/0x2350
  do_syscall_64+0x81/0x10f0
  entry_SYSCALL_64_after_hwframe+0x76/0x7e
 RIP: 0033:0x7ffff673287d
  </TASK>
Note, the KVM flaw has been present since commit ad73109ae7ec ("KVM: SVM: Provide support to launch and run an SEV-ES guest"), but has only been actively dangerous for the host since SNP support was added. With SEV-ES, KVM would "just" clobber guest state, which is totally fine from a host kernel perspective since userspace can clobber guest state any time before sev_launch_update_vmsa().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31593
CVE-2026-31594 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
epf_ntb_epc_destroy() duplicates the teardown that the caller is supposed to perform later. This leads to an oops when .allow_link fails or when .drop_link is performed. The following is an example oops of the former case:
 Unable to handle kernel paging request at virtual address dead000000000108
 [...]
 [dead000000000108] address between user and kernel address ranges
 Internal error: Oops: 0000000096000044 [#1] SMP
 [...]
 Call trace:
  pci_epc_remove_epf+0x78/0xe0 (P)
  pci_primary_epc_epf_link+0x88/0xa8
  configfs_symlink+0x1f4/0x5a0
  vfs_symlink+0x134/0x1d8
  do_symlinkat+0x88/0x138
  __arm64_sys_symlinkat+0x74/0xe0
 [...]
Remove the helper, and drop pci_epc_put(). EPC device refcounting is tied to the configfs EPC group lifetime, and pci_epc_put() in the .drop_link path is sufficient.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31594
CVE-2026-31595 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
Disable the delayed work before clearing BAR mappings and doorbells to avoid running the handler after resources have been torn down.
 Unable to handle kernel paging request at virtual address ffff800083f46004
 [...]
 Internal error: Oops: 0000000096000007 [#1] SMP
 [...]
 Call trace:
  epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P)
  process_one_work+0x154/0x3b0
  worker_thread+0x2c8/0x400
  kthread+0x148/0x210
  ret_from_fork+0x10/0x20
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31595
CVE-2026-31596 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: handle invalid dinode in ocfs2_group_extend
[BUG]
kernel BUG at fs/ocfs2/resize.c:308!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308
Code: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe
Call Trace:
 ...
 ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
 x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
 ...
[CAUSE]
ocfs2_group_extend() assumes that the global bitmap inode block returned from ocfs2_inode_lock() has already been validated and BUG_ONs when the signature is not a dinode. That assumption is too strong for crafted filesystems because the JBD2-managed buffer path can bypass structural validation and return an invalid dinode to the resize ioctl.
[FIX]
Validate the dinode explicitly in ocfs2_group_extend(). If the global bitmap buffer does not contain a valid dinode, report filesystem corruption with ocfs2_error() and fail the resize operation instead of crashing the kernel.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31596
CVE-2026-31597 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, as documented in mm/filemap.c:
 "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()."
When this happens, a concurrent munmap() can call remove_vma() and free the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call dereferences it -- a use-after-free.
Fix this by saving ip_blkno as a plain integer before calling filemap_fault(), and removing vma from the trace event. Since ip_blkno is copied by value before the lock can be dropped, it remains valid regardless of what happens to the vma or inode afterward.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31597
CVE-2026-31598 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix possible deadlock between unlink and dio_end_io_write
ocfs2_unlink takes orphan dir inode_lock first and then ip_alloc_sem, while in ocfs2_dio_end_io_write, it acquires these locks in reverse order. This creates an ABBA lock ordering violation on lock classes ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE] and ocfs2_file_ip_alloc_sem_key.
Lock Chain #0 (orphan dir inode_lock -> ip_alloc_sem):
ocfs2_unlink
  ocfs2_prepare_orphan_dir
  ocfs2_lookup_lock_orphan_dir
  inode_lock(orphan_dir_inode) <- lock A
  __ocfs2_prepare_orphan_dir
  ocfs2_prepare_dir_for_insert
  ocfs2_extend_dir
  ocfs2_expand_inline_dir
  down_write(&oi->ip_alloc_sem) <- Lock B
Lock Chain #1 (ip_alloc_sem -> orphan dir inode_lock):
ocfs2_dio_end_io_write
  down_write(&oi->ip_alloc_sem) <- Lock B
  ocfs2_del_inode_from_orphan()
  inode_lock(orphan_dir_inode) <- Lock A
Deadlock Scenario:
  CPU0 (unlink)                     CPU1 (dio_end_io_write)
  ------                            ------
  inode_lock(orphan_dir_inode)
                                    down_write(ip_alloc_sem)
  down_write(ip_alloc_sem)
                                    inode_lock(orphan_dir_inode)
Since ip_alloc_sem is to protect allocation changes, which is unrelated with operations in ocfs2_del_inode_from_orphan. So move ocfs2_del_inode_from_orphan out of ip_alloc_sem to fix the deadlock.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31598
CVE-2026-31599 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections
syzbot reported a general protection fault in vidtv_psi_desc_assign [1].
vidtv_psi_pmt_stream_init() can return NULL on memory allocation failure, but vidtv_channel_pmt_match_sections() does not check for this. When tail is NULL, the subsequent call to vidtv_psi_desc_assign(&tail->descriptor, desc) dereferences a NULL pointer offset, causing a general protection fault.
Add a NULL check after vidtv_psi_pmt_stream_init(). On failure, clean up the already-allocated stream chain and return.
[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:vidtv_psi_desc_assign+0x24/0x90 drivers/media/test-drivers/vidtv/vidtv_psi.c:629
Call Trace:
 <TASK>
 vidtv_channel_pmt_match_sections drivers/media/test-drivers/vidtv/vidtv_channel.c:349 [inline]
 vidtv_channel_si_init+0x1445/0x1a50 drivers/media/test-drivers/vidtv/vidtv_channel.c:479
 vidtv_mux_init+0x526/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:519
 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
 vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31599
CVE-2026-31600 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
arm64: mm: Handle invalid large leaf mappings correctly
It has been possible for a long time to mark ptes in the linear map as invalid. This is done for secretmem, kfence, realm dma memory un/share, and others, by simply clearing the PTE_VALID bit. But until commit a166563e7ec37 ("arm64: mm: support large block mapping when rodata=full") large leaf mappings were never made invalid in this way.
It turns out various parts of the code base are not equipped to handle invalid large leaf mappings (in the way they are currently encoded) and I've observed a kernel panic while booting a realm guest on a BBML2_NOABORT system as a result:
[ 15.432706] software IO TLB: Memory encryption is active and system is using DMA bounce buffers
[ 15.476896] Unable to handle kernel paging request at virtual address ffff000019600000
[ 15.513762] Mem abort info:
[ 15.527245] ESR = 0x0000000096000046
[ 15.548553] EC = 0x25: DABT (current EL), IL = 32 bits
[ 15.572146] SET = 0, FnV = 0
[ 15.592141] EA = 0, S1PTW = 0
[ 15.612694] FSC = 0x06: level 2 translation fault
[ 15.640644] Data abort info:
[ 15.661983] ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000
[ 15.694875] CM = 0, WnR = 1, TnD = 0, TagAccess = 0
[ 15.723740] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 15.755776] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000081f3f000
[ 15.800410] [ffff000019600000] pgd=0000000000000000, p4d=180000009ffff403, pud=180000009fffe403, pmd=00e8000199600704
[ 15.855046] Internal error: Oops: 0000000096000046 [#1] SMP
[ 15.886394] Modules linked in:
[ 15.900029] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 7.0.0-rc4-dirty #4 PREEMPT
[ 15.935258] Hardware name: linux,dummy-virt (DT)
[ 15.955612] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 15.986009] pc : __pi_memcpy_generic+0x128/0x22c
[ 16.006163] lr : swiotlb_bounce+0xf4/0x158
[ 16.024145] sp : ffff80008000b8f0
[ 16.038896] x29: ffff80008000b8f0 x28: 0000000000000000 x27: 0000000000000000
[ 16.069953] x26: ffffb3976d261ba8 x25: 0000000000000000 x24: ffff000019600000
[ 16.100876] x23: 0000000000000001 x22: ffff0000043430d0 x21: 0000000000007ff0
[ 16.131946] x20: 0000000084570010 x19: 0000000000000000 x18: ffff00001ffe3fcc
[ 16.163073] x17: 0000000000000000 x16: 00000000003fffff x15: 646e612065766974
[ 16.194131] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[ 16.225059] x11: 0000000000000000 x10: 0000000000000010 x9 : 0000000000000018
[ 16.256113] x8 : 0000000000000018 x7 : 0000000000000000 x6 : 0000000000000000
[ 16.287203] x5 : ffff000019607ff0 x4 : ffff000004578000 x3 : ffff000019600000
[ 16.318145] x2 : 0000000000007ff0 x1 : ffff000004570010 x0 : ffff000019600000
[ 16.349071] Call trace:
[ 16.360143] __pi_memcpy_generic+0x128/0x22c (P)
[ 16.380310] swiotlb_tbl_map_single+0x154/0x2b4
[ 16.400282] swiotlb_map+0x5c/0x228
[ 16.415984] dma_map_phys+0x244/0x2b8
[ 16.432199] dma_map_page_attrs+0x44/0x58
[ 16.449782] virtqueue_map_page_attrs+0x38/0x44
[ 16.469596] virtqueue_map_single_attrs+0xc0/0x130
[ 16.490509] virtnet_rq_alloc.isra.0+0xa4/0x1fc
[ 16.510355] try_fill_recv+0x2a4/0x584
[ 16.526989] virtnet_open+0xd4/0x238
[ 16.542775] __dev_open+0x110/0x24c
[ 16.558280] __dev_change_flags+0x194/0x20c
[ 16.576879] netif_change_flags+0x24/0x6c
[ 16.594489] dev_change_flags+0x48/0x7c
[ 16.611462] ip_auto_config+0x258/0x1114
[ 16.628727] do_one_initcall+0x80/0x1c8
[ 16.645590] kernel_init_freeable+0x208/0x2f0
[ 16.664917] kernel_init+0x24/0x1e0
[ 16.680295] ret_from_fork+0x10/0x20
[ 16.696369] Code: 927cec03 cb0e0021 8b0e0042 a9411c26 (a900340c)
[ 16.723106] ---[ end trace 0000000000000000 ]---
[ 16.752866] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[ 16.792556] Kernel Offset: 0x3396ea200000 from 0xffff8000800000---truncated---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31600
CVE-2026-31601 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
vfio/xe: Reorganize the init to decouple migration from reset
Attempting to issue reset on VF devices that don't support migration leads to the following:
 BUG: unable to handle page fault for address: 00000000000011f8
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: Oops: 0000 [#1] SMP NOPTI
 CPU: 2 UID: 0 PID: 7443 Comm: xe_sriov_flr Tainted: G S U 7.0.0-rc1-lgci-xe-xe-4588-cec43d5c2696af219-nodebug+ #1 PREEMPT(lazy)
 Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
 Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
 RIP: 0010:xe_sriov_vfio_wait_flr_done+0xc/0x80 [xe]
 Code: ff c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 54 53 <83> bf f8 11 00 00 02 75 61 41 89 f4 85 f6 74 52 48 8b 47 08 48 89
 RSP: 0018:ffffc9000f7c39b8 EFLAGS: 00010202
 RAX: ffffffffa04d8660 RBX: ffff88813e3e4000 RCX: 0000000000000000
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
 RBP: ffffc9000f7c39c8 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000000 R12: ffff888101a48800
 R13: ffff88813e3e4150 R14: ffff888130d0d008 R15: ffff88813e3e40d0
 FS: 00007877d3d0d940(0000) GS:ffff88890b6d3000(0000) knlGS:0000000000000000
 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00000000000011f8 CR3: 000000015a762000 CR4: 0000000000f52ef0
 PKRU: 55555554
 Call Trace:
  <TASK>
  xe_vfio_pci_reset_done+0x49/0x120 [xe_vfio_pci]
  pci_dev_restore+0x3b/0x80
  pci_reset_function+0x109/0x140
  reset_store+0x5c/0xb0
  dev_attr_store+0x17/0x40
  sysfs_kf_write+0x72/0x90
  kernfs_fop_write_iter+0x161/0x1f0
  vfs_write+0x261/0x440
  ksys_write+0x69/0xf0
  __x64_sys_write+0x19/0x30
  x64_sys_call+0x259/0x26e0
  do_syscall_64+0xcb/0x1500
  ? __fput+0x1a2/0x2d0
  ? fput_close_sync+0x3d/0xa0
  ? __x64_sys_close+0x3e/0x90
  ? x64_sys_call+0x1b7c/0x26e0
  ? do_syscall_64+0x109/0x1500
  ? __task_pid_nr_ns+0x68/0x100
  ? __do_sys_getpid+0x1d/0x30
  ? x64_sys_call+0x10b5/0x26e0
  ? do_syscall_64+0x109/0x1500
  ? putname+0x41/0x90
  ? do_faccessat+0x1e8/0x300
  ? __x64_sys_access+0x1c/0x30
  ? x64_sys_call+0x1822/0x26e0
  ? do_syscall_64+0x109/0x1500
  ? tick_program_event+0x43/0xa0
  ? hrtimer_interrupt+0x126/0x260
  ? irqentry_exit+0xb2/0x710
  entry_SYSCALL_64_after_hwframe+0x76/0x7e
 RIP: 0033:0x7877d5f1c5a4
 Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d a5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89
 RSP: 002b:00007fff48e5f908 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007877d5f1c5a4
 RDX: 0000000000000001 RSI: 00007877d621b0c9 RDI: 0000000000000009
 RBP: 0000000000000001 R08: 00005fb49113b010 R09: 0000000000000007
 R10: 0000000000000000 R11: 0000000000000202 R12: 00007877d621b0c9
 R13: 0000000000000009 R14: 00007fff48e5fac0 R15: 00007fff48e5fac0
  </TASK>
This is caused by the fact that some of the xe_vfio_pci_core_device members needed for handling reset are only initialized as part of migration init.
Fix the problem by reorganizing the code to decouple VF init from migration init.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31601
CVE-2026-31602 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ALSA: ctxfi: Limit PTP to a single page
Commit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256 playback streams, but the additional pages are not used by the card correctly. The CT20K2 hardware already has multiple VMEM_PTPAL registers, but using them separately would require refactoring the entire virtual memory allocation logic.
ct_vm_map() always uses PTEs in vm->ptp[0].area regardless of CT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). When aggregate memory allocations exceed this limit, ct_vm_map() tries to access beyond the allocated space and causes a page fault:
 BUG: unable to handle page fault for address: ffffd4ae8a10a000
 Oops: Oops: 0002 [#1] SMP PTI
 RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi]
 Call Trace:
  atc_pcm_playback_prepare+0x225/0x3b0
  ct_pcm_playback_prepare+0x38/0x60
  snd_pcm_do_prepare+0x2f/0x50
  snd_pcm_action_single+0x36/0x90
  snd_pcm_action_nonatomic+0xbf/0xd0
  snd_pcm_ioctl+0x28/0x40
  __x64_sys_ioctl+0x97/0xe0
  do_syscall_64+0x81/0x610
  entry_SYSCALL_64_after_hwframe+0x76/0x7e
Revert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count remain unchanged.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31602
CVE-2026-31603 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
staging: sm750fb: fix division by zero in ps_to_hz()
ps_to_hz() is called from hw_sm750_crtc_set_mode() without validating that pixclock is non-zero. A zero pixclock passed via FBIOPUT_VSCREENINFO causes a division by zero.
Fix by rejecting zero pixclock in lynxfb_ops_check_var(), consistent with other framebuffer drivers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31603
CVE-2026-31604 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: fix device leak on probe failure
Driver core holds a reference to the USB interface and its parent USB device while the interface is bound to a driver and there is no need to take additional references unless the structures are needed after disconnect.
This driver takes a reference to the USB device during probe but does not release it on all probe errors (e.g. when descriptor parsing fails).
Drop the redundant device reference to fix the leak, reduce cargo culting, make it easier to spot drivers where an extra reference is needed, and reduce the risk of further memory leaks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31604
CVE-2026-31605 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide by zero error"), we also need to prevent that same crash from happening in the udlfb driver as it uses pixclock directly when dividing, which will crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31605
CVE-2026-31606 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_hid: don't call cdev_init while cdev in use
When calling unbind, then bind again, cdev_init reinitialized the cdev, even though there may still be references to it. That's the case when the /dev/hidg* device is still opened. This obviously leads to unsafe behavior like oopses.
This fixes this by using cdev_alloc to put the cdev on the heap. That way, we can simply allocate a new one in hidg_bind.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31606
CVE-2026-31607 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usbip: validate number_of_packets in usbip_pack_ret_submit()
When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets from the CMD_SUBMIT.
A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region.
KASAN confirmed this with kernel 7.0.0-rc5:
 BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640
 Write of size 4 at addr ffff888106351d40 by task vhci_rx/69
 The buggy address is located 0 bytes to the right of allocated 320-byte region [ffff888106351c00, ffff888106351d40)
The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.
On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets.
This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size.
Kelvin Mbogo's series ("usb: usbip: fix integer overflow in usbip_recv_iso()", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit.
Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31607
CVE-2026-31608 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list()
smb_direct_flush_send_list() already calls smb_direct_free_sendmsg(), so we should not call it again after post_sendmsg() moved it to the batch list.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31608
CVE-2026-31609 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: smb: client: avoid double-free in smbd_free_send_io() after smbd_send_batch_flush()
smbd_send_batch_flush() already calls smbd_free_send_io(), so we should not call it again after smbd_post_send() moved it to the batch list.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31609
CVE-2026-31610 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
The kernel ASN.1 BER decoder calls action callbacks incrementally as it walks the input. When ksmbd_decode_negTokenInit() reaches the mechToken [2] OCTET STRING element, ksmbd_neg_token_alloc() allocates conn->mechToken immediately via kmemdup_nul(). If a later element in the same blob is malformed, then the decoder will return nonzero after the allocation is already live. This could happen if mechListMIC [3] overruns the enclosing SEQUENCE. decode_negotiation_token() then sets conn->use_spnego = false because both the negTokenInit and negTokenTarg grammars failed. The cleanup at the bottom of smb2_sess_setup() is gated on use_spnego:
  if (conn->use_spnego && conn->mechToken) {
      kfree(conn->mechToken);
      conn->mechToken = NULL;
  }
so the kfree is skipped, causing the mechToken to never be freed. This codepath is reachable pre-authentication, so untrusted clients can cause slow memory leaks on a server without even being properly authenticated. Fix this up by not checking for use_spnego, as it's not required, so the memory will always be properly freed. At the same time, always free the memory in ksmbd_conn_free() in case some other failure path forgot to free it.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31610
CVE-2026-31611 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: ksmbd: require 3 sub-authorities before reading sub_auth[2]
parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on match reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is the prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares only min(num_subauth, 2) sub-authorities so a client SID with num_subauth = 2 and sub_auth = {88, 3} will match. If num_subauth = 2 and the ACE is placed at the very end of the security descriptor, sub_auth[2] will be 4 bytes past end_of_acl. The out-of-band bytes will then be masked to the low 9 bits and applied as the file's POSIX mode, probably not something that is good to have happen. Fix this up by forcing the SID to actually carry a third sub-authority before reading it at all.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31611
CVE-2026-31612 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate EaNameLength in smb2_get_ea()
smb2_get_ea() reads ea_req->EaNameLength from the client request and passes it directly to strncmp() as the comparison length without verifying that the length of the name really is the size of the input buffer received. Fix this up by properly checking the size of the name based on the value received and the overall size of the request, to prevent a later strncmp() call to use the length as a "trusted" size of the buffer. Without this check, uninitialized heap values might be slowly leaked to the client.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31612
CVE-2026-31613 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOB reads parsing symlink error response
When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message() returns success without any length validation, leaving the symlink parsers as the only defense against an untrusted server. symlink_data() walks SMB 3.1.1 error contexts with the loop test "p < end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset 0. When the server-controlled ErrorDataLength advances p to within 1-7 bytes of end, the next iteration will read past it. When the matching context is found, sym->SymLinkErrorTag is read at offset 4 from p->ErrorContextData with no check that the symlink header itself fits. smb2_parse_symlink_response() then bounds-checks the substitute name using SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from iov_base. That value is computed as sizeof(smb2_err_rsp) + sizeof(smb2_symlink_err_rsp), which is correct only when ErrorContextCount == 0. With at least one error context the symlink data sits 8 bytes deeper, and each skipped non-matching context shifts it further by 8 + ALIGN(ErrorDataLength, 8). The check is too short, allowing the substitute name read to run past iov_len. The out-of-bound heap bytes are UTF-16-decoded into the symlink target and returned to userspace via readlink(2). Fix this all up by making the loops test require the full context header to fit, rejecting sym if its header runs past end, and bound the substitute name against the actual position of sym->PathBuffer rather than a fixed offset. Because sub_offs and sub_len are 16bits, the pointer math will not overflow here with the new greater-than.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31613
CVE-2026-31614 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix off-by-8 bounds check in check_wsl_eas()
The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() later reads ea->ea_data[0..nlen-1] and the value bytes follow at ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1 + vlen. Isn't pointer math fun? The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the 8-byte header is in bounds, but since the last EA is placed within 8 bytes of the end of the response, the name and value bytes are read past the end of iov. Fix this mess all up by using ea->ea_data as the base for the bounds check. An "untrusted" server can use this to leak up to 8 bytes of kernel heap into the EA name comparison and influence which WSL xattr the data is interpreted as.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31614
CVE-2026-31615 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers
The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint number from the host-supplied wIndex without any sort of validation. Fix this up by validating the number of endpoints actually match up with the number the device has before attempting to dereference a pointer based on this math. This is just like what was done in commit ee0d382feb44 ("usb: gadget: aspeed_udc: validate endpoint index for ast udc") for the aspeed driver.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31615
CVE-2026-31616 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
A broken/bored/mean USB host can overflow the skb_shared_info->frags[] array on a Linux gadget exposing a Phonet function by sending an unbounded sequence of full-page OUT transfers. pn_rx_complete() finalizes the skb only when req->actual < req->length, where req->length is set to PAGE_SIZE by the gadget. If the host always sends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be reset and each completion will add another fragment via skb_add_rx_frag(). Once nr_frags exceeds MAX_SKB_FRAGS (default 17), subsequent frag stores overwrite memory adjacent to the shinfo on the heap. Drop the skb and account a length error when the frag limit is reached, matching the fix applied in t7xx by commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags overflow in RX path").
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31616
CVE-2026-31617 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
The block_len read from the host-supplied NTB header is checked against ntb_max but has no lower bound. When block_len is smaller than opts->ndp_size, the bounds check of:
  ndp_index > (block_len - opts->ndp_size)
will underflow producing a huge unsigned value that ndp_index can never exceed, defeating the check entirely. The same underflow occurs in the datagram index checks against block_len - opts->dpe_size. With those checks neutered, a malicious USB host can choose ndp_index and datagram offsets that point past the actual transfer, and the skb_put_data() copies adjacent kernel memory into the network skb. Fix this by rejecting block lengths that cannot hold at least the NTB header plus one NDP. This will make block_len - opts->ndp_size and block_len - opts->dpe_size both well-defined. Commit 8d2b1a1ec9f5 ("CDC-NCM: avoid overflow in sanity checking") fixed a related class of issues on the host side of NCM.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31617
CVE-2026-31618 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide by zero error"), we also need to prevent that same crash from happening in the udlfb driver as it uses pixclock directly when dividing, which will crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31618
CVE-2026-31619 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: ALSA: fireworks: bound device-supplied status before string array lookup
The status field in an EFW response is a 32-bit value supplied by the firewire device. efr_status_names[] has 17 entries so a status value outside that range goes off into the weeds when looking at the %s value. Even worse, the status could return EFR_STATUS_INCOMPLETE which is 0x80000000, and is obviously not in that array of potential strings. Fix this up by properly bounding the index against the array size and printing "unknown" if it's not recognized.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31619
CVE-2026-31620 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0
A malicious USB device with the TASCAM US-144MKII device id can have a configuration containing bInterfaceNumber=1 but no interface 0. USB configuration descriptors are not required to assign interface numbers sequentially, so usb_ifnum_to_if(dev, 0) will return NULL, which will then be dereferenced directly. Fix this up by checking the return value properly.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31620
CVE-2026-31621 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: bnge: return after auxiliary_device_uninit() in error path
When auxiliary_device_add() fails, the error block calls auxiliary_device_uninit() but does not return. The uninit drops the last reference and synchronously runs bnge_aux_dev_release(), which sets bd->auxr_dev = NULL and frees the underlying object. The subsequent bd->auxr_dev->net = bd->netdev then dereferences NULL, which is not a good thing to have happen when trying to clean up from an error. Add the missing return, as the auxiliary bus documentation states is a requirement (seems that LLM tools read documentation better than humans do...)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31621
CVE-2026-31622 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of cascade rounds is controlled entirely by the peer device. The peer sets the cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the cascade-incomplete bit in the SEL_RES (deciding whether another round follows). ISO 14443-3 limits NFC-A to three cascade levels and target->nfcid1 is sized accordingly (NFC_NFCID1_MAXSIZE = 10), but nothing in the driver actually enforces this. This means a malicious peer can keep the cascade running, writing past the heap-allocated nfc_target with each round. Fix this by rejecting the response when the accumulated UID would exceed the buffer. Commit e329e71013c9 ("NFC: nci: Bounds check struct nfc_target arrays") fixed similar missing checks against the same field on the NCI path.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31622
CVE-2026-31623 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
A malicious USB device claiming to be a CDC Phonet modem can overflow the skb_shared_info->frags[] array by sending an unbounded sequence of full-page bulk transfers. Drop the skb and increment the length error when the frag limit is reached. This matches the same fix that commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags overflow in RX path") did for the t7xx driver.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31623
CVE-2026-31624 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: HID: core: clamp report_size in s32ton() to avoid undefined shift
s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size only to <= 256, so a broken HID device can supply a report descriptor with a wide field that triggers shift exponents up to 256 on a 32-bit type when an output report is built via hid_output_field() or hid_set_field(). Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in hid_report_raw_event") added the same n > 32 clamp to the function snto32(), but s32ton() was never given the same fix as I guess syzbot hadn't figured out how to fuzz a device the same way. Fix this up by just clamping the max value of n, just like snto32() does.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31624
CVE-2026-31625 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: HID: alps: fix NULL pointer dereference in alps_raw_event()
Commit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them") attempted to fix up the HID drivers that had missed the previous fix that was done in 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at raw event handle"), but the alps driver was missed. Fix this up by properly checking in the hid-alps driver that it had been claimed correctly before attempting to process the raw event.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31625
CVE-2026-31626 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using uninitialized data. Smatch warns that only 6 bytes are copied to this 8-byte (u64) variable, leaving the last two bytes uninitialized:
  drivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify() warn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes)
Initializing the variable at the start of the function fixes this warning and ensures predictable behavior.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31626
CVE-2026-31627 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: i2c: s3c24xx: check the size of the SMBUS message before using it
The first byte of an i2c SMBUS message is the size, and it should be verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX before processing it. This is the same logic that was added in commit a6e04f05ce0b ("i2c: tegra: check msg length in SMBUS block read") to the i2c tegra driver.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31627
CVE-2026-31628 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: x86/CPU: Fix FPDSS on Zen1
Zen1's hardware divider can leave, under certain circumstances, partial results from previous operations. Those results can be leaked by another, attacker thread. Fix that with a chicken bit.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31628
CVE-2026-31629 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: add missing return after LLCP_CLOSED checks
In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but fails to return. Execution falls through to the remainder of the function, which calls release_sock() and nfc_llcp_sock_put() again. This results in a double release_sock() and a refcount underflow via double nfc_llcp_sock_put(), leading to a use-after-free. Add the missing return statements after the LLCP_CLOSED branches in both functions to prevent the fall-through.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31629
CVE-2026-31630 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: rxrpc: proc: size address buffers for %pISpc output
The AF_RXRPC procfs helpers format local and remote socket addresses into fixed 50-byte stack buffers with "%pISpc". That is too small for the longest current-tree IPv6-with-port form the formatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a dotted-quad tail not only for v4mapped addresses, but also for ISATAP addresses via ipv6_addr_is_isatap(). As a result, a case such as [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535 is possible with the current formatter. That is 50 visible characters, so 51 bytes including the trailing NUL, which does not fit in the existing char[50] buffers used by net/rxrpc/proc.c. Size the buffers from the formatter's maximum textual form and switch the call sites to scnprintf().
Changes since v1:
- correct the changelog to cite the actual maximum current-tree case explicitly
- frame the proof around the ISATAP formatting path instead of the earlier mapped-v4 example
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31630
CVE-2026-31631 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix buffer overread in rxgk_do_verify_authenticator()
Fix rxgk_do_verify_authenticator() to check the buffer size before checking the nonce.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31631
CVE-2026-31632 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix leak of rxgk context in rxgk_verify_response()
Fix rxgk_verify_response() to clean up the rxgk context it creates.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31632
CVE-2026-31633 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix integer overflow in rxgk_verify_response()
In rxgk_verify_response(), there's a potential integer overflow due to rounding up token_len before checking it, thereby allowing the length check to be bypassed. Fix this by checking the unrounded value against len too (len is limited as the response must fit in a single UDP packet).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31633
CVE-2026-31634 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix reference count leak in rxrpc_server_keyring()
This patch fixes a reference count leak in rxrpc_server_keyring() by checking if rx->securities is already set.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31634
CVE-2026-31635 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check
rxgk_verify_response() decodes auth_len from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an impossible length and hit BUG_ON(len). Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh:
RIP: __skb_to_sgvec() [net/core/skbuff.c:5285 (discriminator 1)]
Call Trace:
 skb_to_sgvec() [net/core/skbuff.c:5305]
 rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81]
 rxgk_verify_response() [net/rxrpc/rxgk.c:1268]
 rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]
 process_one_work() [kernel/workqueue.c:3281]
 worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440]
 kthread() [kernel/kthread.c:436]
 ret_from_fork() [arch/x86/kernel/process.c:164]
Reject authenticator lengths that exceed the remaining packet payload.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31635
CVE-2026-31636 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix RESPONSE authenticator parser OOB read
rxgk_verify_authenticator() copies auth_len bytes into a temporary buffer and then passes p + auth_len as the parser limit to rxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the parser end pointer by a factor of four and lets malformed RESPONSE authenticators read past the kmalloc() buffer. Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh:
BUG: KASAN: slab-out-of-bounds in rxgk_verify_response()
Call Trace:
 dump_stack_lvl() [lib/dump_stack.c:123]
 print_report() [mm/kasan/report.c:379 mm/kasan/report.c:482]
 kasan_report() [mm/kasan/report.c:597]
 rxgk_verify_response() [net/rxrpc/rxgk.c:1103 net/rxrpc/rxgk.c:1167 net/rxrpc/rxgk.c:1274]
 rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]
 process_one_work() [kernel/workqueue.c:3281]
 worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440]
 kthread() [kernel/kthread.c:436]
 ret_from_fork() [arch/x86/kernel/process.c:164]
Allocated by task 54:
 rxgk_verify_response() [include/linux/slab.h:954 net/rxrpc/rxgk.c:1155 net/rxrpc/rxgk.c:1274]
 rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]
Convert the byte count to __be32 units before constructing the parser limit.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31636
CVE-2026-31637 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: rxrpc: reject undecryptable rxkad response tickets
rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded. A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes. Check the decrypt result and abort the connection with RXKADBADTICKET when ticket decryption fails.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31637
CVE-2026-31638 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Only put the call ref if one was acquired
rxrpc_input_packet_on_conn() can process a to-client packet after the current client call on the channel has already been torn down. In that case chan->call is NULL, rxrpc_try_get_call() returns NULL and there is no reference to drop. The client-side implicit-end error path does not account for that and unconditionally calls rxrpc_put_call(). This turns a protocol error path into a kernel crash instead of rejecting the packet. Only drop the call reference if one was actually acquired. Keep the existing protocol error handling unchanged.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31638
CVE-2026-31639 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix key reference count leak from call->key
When creating a client call in rxrpc_alloc_client_call(), the code obtains a reference to the key. This is never cleaned up and gets leaked when the call is destroyed. Fix this by freeing call->key in rxrpc_destroy_call(). Before the patch, it shows the key reference counter elevated:
$ cat /proc/keys | grep afs@54321
1bffe9cd I--Q--i 8053480 4169w 3b010000 1000 1000 rxrpc afs@54321: ka
$
After the patch, the invalidated key is removed when the code exits:
$ cat /proc/keys | grep afs@54321
$
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31639
CVE-2026-31640 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial
In rxrpc_post_response(), the code should be comparing the challenge serial number from the cached response before deciding to switch to a newer response, but looks at the newer packet private data instead, rendering the comparison always false. Fix this by switching to look at the older packet. Fix further[1] to substitute the new packet in place of the old one if newer and also to release whichever we don't use.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31640
CVE-2026-31641 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix RxGK token loading to check bounds
rxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length from the XDR token as u32 values and passes each through round_up(x, 4) before using the rounded value for validation and allocation. When the raw length is >= 0xfffffffd, round_up() wraps to 0, so the bounds check and kzalloc both use 0 while the subsequent memcpy still copies the original ~4 GiB value, producing a heap buffer overflow reachable from an unprivileged add_key() call. Fix this by:
 (1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket lengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with the caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX.
 (2) Sizing the flexible-array allocation from the validated raw key length via struct_size_t() instead of the rounded value.
 (3) Caching the raw lengths so that the later field assignments and memcpy calls do not re-read from the token, eliminating a class of TOCTOU re-parse.
The control path (valid token with lengths within bounds) is unaffected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31641
CVE-2026-31642 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix call removal to use RCU safe deletion
Fix rxrpc call removal from the rxnet->calls list to use list_del_rcu() rather than list_del_init() to prevent stuffing up reading /proc/net/rxrpc/calls from potentially getting into an infinite loop. This, however, means that list_empty() no longer works on an entry that's been deleted from the list, making it harder to detect prior deletion. Fix this by: Firstly, make rxrpc_destroy_all_calls() only dump the first ten calls that are unexpectedly still on the list. Limiting the number of steps means there's no need to call cond_resched() or to remove calls from the list here, thereby eliminating the need for rxrpc_put_call() to check for that. rxrpc_put_call() can then be fixed to unconditionally delete the call from the list as it is the only place that the deletion occurs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31642
CVE-2026-31643 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix key parsing memleak
In rxrpc_preparse_xdr_yfs_rxgk(), the memory attached to token->rxgk can be leaked in a few error paths after it's allocated. Fix this by freeing it in the "reject_token:" case.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31643
CVE-2026-31644 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: net: lan966x: fix use-after-free and leak in lan966x_fdma_reload()
When lan966x_fdma_reload() fails to allocate new RX buffers, the restore path restarts DMA using old descriptors whose pages were already freed via lan966x_fdma_rx_free_pages(). Since page_pool_put_full_page() can release pages back to the buddy allocator, the hardware may DMA into memory now owned by other kernel subsystems. Additionally, on the restore path, the newly created page pool (if allocation partially succeeded) is overwritten without being destroyed, leaking it. Fix both issues by deferring the release of old pages until after the new allocation succeeds. Save the old page array before the allocation so old pages can be freed on the success path. On the failure path, the old descriptors, pages and page pool are all still valid, making the restore safe. Also ensure the restore path re-enables NAPI and wakes the netdev, matching the success path.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31644
CVE-2026-31645 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: net: lan966x: fix page pool leak in error paths
lan966x_fdma_rx_alloc() creates a page pool but does not destroy it if the subsequent fdma_alloc_coherent() call fails, leaking the pool. Similarly, lan966x_fdma_init() frees the coherent DMA memory when lan966x_fdma_tx_alloc() fails but does not destroy the page pool that was successfully created by lan966x_fdma_rx_alloc(), leaking it. Add the missing page_pool_destroy() calls in both error paths.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31645
CVE-2026-31646 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()
page_pool_create() can return an ERR_PTR on failure. The return value is used unconditionally in the loop that follows, passing the error pointer through xdp_rxq_info_reg_mem_model() into page_pool_use_xdp_mem(), which dereferences it, causing a kernel oops. Add an IS_ERR check after page_pool_create() to return early on failure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31646
CVE-2026-31647 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling
Switch from using the completion's raw spinlock to a local lock in the idpf_vc_xn struct. The conversion is safe because complete/_all() are called outside the lock and there is no reason to share the completion lock in the current logic. This avoids invalid wait context reported by the kernel due to the async handler taking BH spinlock:
[ 805.726977] =============================
[ 805.726991] [ BUG: Invalid wait context ]
[ 805.727006] 7.0.0-rc2-net-devq-031026+ #28 Tainted: G S OE
[ 805.727026] -----------------------------
[ 805.727038] kworker/u261:0/572 is trying to lock:
[ 805.727051] ff190da6a8dbb6a0 (&vport_config->mac_filter_list_lock){+...}-{3:3}, at: idpf_mac_filter_async_handler+0xe9/0x260 [idpf]
[ 805.727099] other info that might help us debug this:
[ 805.727111] context-{5:5}
[ 805.727119] 3 locks held by kworker/u261:0/572:
[ 805.727132] #0: ff190da6db3e6148 ((wq_completion)idpf-0000:83:00.0-mbx){+.+.}-{0:0}, at: process_one_work+0x4b5/0x730
[ 805.727163] #1: ff3c6f0a6131fe50 ((work_completion)(&(&adapter->mbx_task)->work)){+.+.}-{0:0}, at: process_one_work+0x1e5/0x730
[ 805.727191] #2: ff190da765190020 (&x->wait#34){+.+.}-{2:2}, at: idpf_recv_mb_msg+0xc8/0x710 [idpf]
[ 805.727218] stack backtrace:
...
[ 805.727238] Workqueue: idpf-0000:83:00.0-mbx idpf_mbx_task [idpf]
[ 805.727247] Call Trace:
[ 805.727249] <TASK>
[ 805.727251] dump_stack_lvl+0x77/0xb0
[ 805.727259] __lock_acquire+0xb3b/0x2290
[ 805.727268] ? __irq_work_queue_local+0x59/0x130
[ 805.727275] lock_acquire+0xc6/0x2f0
[ 805.727277] ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf]
[ 805.727284] ? _printk+0x5b/0x80
[ 805.727290] _raw_spin_lock_bh+0x38/0x50
[ 805.727298] ? idpf_mac_filter_async_handler+0xe9/0x260 [idpf]
[ 805.727303] idpf_mac_filter_async_handler+0xe9/0x260 [idpf]
[ 805.727310] idpf_recv_mb_msg+0x1c8/0x710 [idpf]
[ 805.727317] process_one_work+0x226/0x730
[ 805.727322] worker_thread+0x19e/0x340
[ 805.727325] ? __pfx_worker_thread+0x10/0x10
[ 805.727328] kthread+0xf4/0x130
[ 805.727333] ? __pfx_kthread+0x10/0x10
[ 805.727336] ret_from_fork+0x32c/0x410
[ 805.727345] ? __pfx_kthread+0x10/0x10
[ 805.727347] ret_from_fork_asm+0x1a/0x30
[ 805.727354] </TASK>
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31647
CVE-2026-31648 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mm: filemap: fix nr_pages calculation overflow in filemap_map_pages()
When running stress-ng on my Arm64 machine with v7.0-rc3 kernel, I encountered some very strange crash issues showing up as "Bad page state":
"
[ 734.496287] BUG: Bad page state in process stress-ng-env pfn:415735fb
[ 734.496427] page: refcount:0 mapcount:1 mapping:0000000000000000 index:0x4cf316 pfn:0x415735fb
[ 734.496434] flags: 0x57fffe000000800(owner_2|node=1|zone=2|lastcpupid=0x3ffff)
[ 734.496439] raw: 057fffe000000800 0000000000000000 dead000000000122 0000000000000000
[ 734.496440] raw: 00000000004cf316 0000000000000000 0000000000000000 0000000000000000
[ 734.496442] page dumped because: nonzero mapcount
"
After analyzing this page’s state, it is hard to understand why the mapcount is not 0 while the refcount is 0, since this page is not where the issue first occurred. By enabling the CONFIG_DEBUG_VM config, I can reproduce the crash as well and captured the first warning where the issue appears:
"
[ 734.469226] page: refcount:33 mapcount:0 mapping:00000000bef2d187 index:0x81a0 pfn:0x415735c0
[ 734.469304] head: order:5 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 734.469315] memcg:ffff000807a8ec00
[ 734.469320] aops:ext4_da_aops ino:100b6f dentry name(?):"stress-ng-mmaptorture-9397-0-2736200540"
[ 734.469335] flags: 0x57fffe400000069(locked|uptodate|lru|head|node=1|zone=2|lastcpupid=0x3ffff)
......
[ 734.469364] page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1), const struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *: (struct folio *)_compound_head(page + nr_pages - 1))) != folio)
[ 734.469390] ------------[ cut here ]------------
[ 734.469393] WARNING: ./include/linux/rmap.h:351 at folio_add_file_rmap_ptes+0x3b8/0x468, CPU#90: stress-ng-mlock/9430
[ 734.469551] folio_add_file_rmap_ptes+0x3b8/0x468 (P)
[ 734.469555] set_pte_range+0xd8/0x2f8
[ 734.469566] filemap_map_folio_range+0x190/0x400
[ 734.469579] filemap_map_pages+0x348/0x638
[ 734.469583] do_fault_around+0x140/0x198
......
[ 734.469640] el0t_64_sync+0x184/0x188
"
The code that triggers the warning is: "VM_WARN_ON_FOLIO(page_folio(page + nr_pages - 1) != folio, folio)", which indicates that set_pte_range() tried to map beyond the large folio’s size.
By adding more debug information, I found that 'nr_pages' had overflowed in filemap_map_pages(), causing set_pte_range() to establish mappings for a range exceeding the folio size, potentially corrupting fields of pages that do not belong to this folio (e.g., page->_mapcount).
After above analysis, I think the possible race is as follows:
CPU 0                                                  CPU 1
filemap_map_pages()                                    ext4_setattr()
  //get and lock folio with old inode->i_size
  next_uptodate_folio()
                                                         .......
                                                         //shrink the inode->i_size
                                                         i_size_write(inode, attr->ia_size);
  //calculate the end_pgoff with the new inode->i_size
  file_end = DIV_ROUND_UP(i_size_read(mapping->host), PAGE_SIZE) - 1;
  end_pgoff = min(end_pgoff, file_end);
  ......
  //nr_pages can be overflowed, cause xas.xa_index > end_pgoff
  end = folio_next_index(folio) - 1;
  nr_pages = min(end, end_pgoff) - xas.xa_index + 1;
  ......
  //map large folio
  filemap_map_folio_range()
  ......
                                                         //truncate folios
                                                         truncate_pagecache(inode, inode->i_size);
To fix this issue, move the 'end_pgoff' calculation before next_uptodate_folio(), so the retrieved folio stays consistent with the file end to avoid ---truncated---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31648
CVE-2026-31649 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: fix integer underflow in chain mode
The jumbo_frm() chain-mode implementation unconditionally computes
    len = nopaged_len - bmax;
where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments):
    is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);
When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value (~0xFFFFxxxx). This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single(). On IOMMU-less SoCs (the typical deployment for stmmac), this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware.
Fix this by introducing a buf_len local variable clamped to min(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then always safe: it is zero when the linear portion fits within a single descriptor, causing the while (len != 0) loop to be skipped naturally, and the fragment loop in stmmac_xmit() handles page fragments afterward.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31649
CVE-2026-31650 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mmc: vub300: fix use-after-free on disconnect
The vub300 driver maintains an explicit reference count for the controller and its driver data and the last reference can in theory be dropped after the driver has been unbound.
This specifically means that the controller allocation must not be device managed as that can lead to use-after-free.
Note that the lifetime is currently also incorrectly tied to the parent USB device rather than interface, which can lead to memory leaks if the driver is unbound without its device being physically disconnected (e.g. on probe deferral).
Fix both issues by reverting to non-managed allocation of the controller.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31650
CVE-2026-31651 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mmc: vub300: fix NULL-deref on disconnect
Make sure to deregister the controller before dropping the reference to the driver data on disconnect to avoid NULL-pointer dereferences or use-after-free.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31651
CVE-2026-31652 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/stat: deallocate damon_call() failure leaking damon_ctx
damon_stat_start() always allocates the module's damon_ctx object (damon_stat_context). Meanwhile, if damon_call() in the function fails, the damon_ctx object is not deallocated. Hence, if the damon_call() is failed, and the user writes Y to “enabled” again, the previously allocated damon_ctx object is leaked.
This cannot simply be fixed by deallocating the damon_ctx object when damon_call() fails. That's because damon_call() failure doesn't guarantee the kdamond main function, which accesses the damon_ctx object, is completely finished. In other words, if damon_stat_start() deallocates the damon_ctx object after damon_call() failure, the not-yet-terminated kdamond could access the freed memory (use-after-free).
Fix the leak while avoiding the use-after-free by keeping returning damon_stat_start() without deallocating the damon_ctx object after damon_call() failure, but deallocating it when the function is invoked again and the kdamond is completely terminated. If the kdamond is not yet terminated, simply return -EAGAIN, as the kdamond will soon be terminated.
The issue was discovered [1] by sashiko.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31652
CVE-2026-31653 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs: dealloc repeat_call_control if damon_call() fails
damon_call() for repeat_call_control of DAMON_SYSFS could fail if somehow the kdamond is stopped before the damon_call(). It could happen, for example, when the damon context was made for monitoring of a virtual address processes, and the process is terminated immediately, before the damon_call() invocation. In the case, the dynamically allocated repeat_call_control is not deallocated and leaked.
Fix the leak by deallocating the repeat_call_control under the damon_call() failure.
This issue is discovered by sashiko [1].
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31653
CVE-2026-31654 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mm/vma: fix memory leak in __mmap_region()
commit 605f6586ecf7 ("mm/vma: do not leak memory when .mmap_prepare swaps the file") handled the success path by skipping get_file() via file_doesnt_need_get, but missed the error path.
When /dev/zero is mmap'd with MAP_SHARED, mmap_zero_prepare() calls shmem_zero_setup_desc() which allocates a new shmem file to back the mapping. If __mmap_new_vma() subsequently fails, this replacement file is never fput()'d - the original is released by ksys_mmap_pgoff(), but nobody releases the new one.
Add fput() for the swapped file in the error path.
Reproducible with fault injection.
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 2 UID: 0 PID: 366 Comm: syz.7.14 Not tainted 7.0.0-rc6 #2 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x164/0x1f0
 should_fail_ex+0x525/0x650
 should_failslab+0xdf/0x140
 kmem_cache_alloc_noprof+0x78/0x630
 vm_area_alloc+0x24/0x160
 __mmap_region+0xf6b/0x2660
 mmap_region+0x2eb/0x3a0
 do_mmap+0xc79/0x1240
 vm_mmap_pgoff+0x252/0x4c0
 ksys_mmap_pgoff+0xf8/0x120
 __x64_sys_mmap+0x12a/0x190
 do_syscall_64+0xa9/0x580
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
 </TASK>
kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff8881118aca80 (size 360):
  comm "syz.7.14", pid 366, jiffies 4294913255
  hex dump (first 32 bytes):
    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
    ff ff ff ff ff ff ff ff c0 28 4d ae ff ff ff ff  .........(M.....
  backtrace (crc db0f53bc):
    kmem_cache_alloc_noprof+0x3ab/0x630
    alloc_empty_file+0x5a/0x1e0
    alloc_file_pseudo+0x135/0x220
    __shmem_file_setup+0x274/0x420
    shmem_zero_setup_desc+0x9c/0x170
    mmap_zero_prepare+0x123/0x140
    __mmap_region+0xdda/0x2660
    mmap_region+0x2eb/0x3a0
    do_mmap+0xc79/0x1240
    vm_mmap_pgoff+0x252/0x4c0
    ksys_mmap_pgoff+0xf8/0x120
    __x64_sys_mmap+0x12a/0x190
    do_syscall_64+0xa9/0x580
    entry_SYSCALL_64_after_hwframe+0x76/0x7e
Found by syzkaller.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31654
CVE-2026-31655 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled
Keep the NOC_HDCP clock always enabled to fix the potential hang caused by the NoC ADB400 port power down handshake.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31655
CVE-2026-31656 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
A use-after-free / refcount underflow is possible when the heartbeat worker and intel_engine_park_heartbeat() race to release the same engine->heartbeat.systole request.
The heartbeat worker reads engine->heartbeat.systole and calls i915_request_put() on it when the request is complete, but clears the pointer in a separate, non-atomic step. Concurrently, a request retirement on another CPU can drop the engine wakeref to zero, triggering __engine_park() -> intel_engine_park_heartbeat(). If the heartbeat timer is pending at that point, cancel_delayed_work() returns true and intel_engine_park_heartbeat() reads the stale non-NULL systole pointer and calls i915_request_put() on it again, causing a refcount underflow:
```
<4> [487.221889] Workqueue: i915-unordered engine_retire [i915]
<4> [487.222640] RIP: 0010:refcount_warn_saturate+0x68/0xb0
...
<4> [487.222707] Call Trace:
<4> [487.222711] <TASK>
<4> [487.222716] intel_engine_park_heartbeat.part.0+0x6f/0x80 [i915]
<4> [487.223115] intel_engine_park_heartbeat+0x25/0x40 [i915]
<4> [487.223566] __engine_park+0xb9/0x650 [i915]
<4> [487.223973] ____intel_wakeref_put_last+0x2e/0xb0 [i915]
<4> [487.224408] __intel_wakeref_put_last+0x72/0x90 [i915]
<4> [487.224797] intel_context_exit_engine+0x7c/0x80 [i915]
<4> [487.225238] intel_context_exit+0xf1/0x1b0 [i915]
<4> [487.225695] i915_request_retire.part.0+0x1b9/0x530 [i915]
<4> [487.226178] i915_request_retire+0x1c/0x40 [i915]
<4> [487.226625] engine_retire+0x122/0x180 [i915]
<4> [487.227037] process_one_work+0x239/0x760
<4> [487.227060] worker_thread+0x200/0x3f0
<4> [487.227068] ? __pfx_worker_thread+0x10/0x10
<4> [487.227075] kthread+0x10d/0x150
<4> [487.227083] ? __pfx_kthread+0x10/0x10
<4> [487.227092] ret_from_fork+0x3d4/0x480
<4> [487.227099] ? __pfx_kthread+0x10/0x10
<4> [487.227107] ret_from_fork_asm+0x1a/0x30
<4> [487.227141] </TASK>
```
Fix this by replacing the non-atomic pointer read + separate clear with xchg() in both racing paths. xchg() is a single indivisible hardware instruction that atomically reads the old pointer and writes NULL. This guarantees only one of the two concurrent callers obtains the non-NULL pointer and performs the put, the other gets NULL and skips it.
(cherry picked from commit 13238dc0ee4f9ab8dafa2cca7295736191ae2f42)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31656
CVE-2026-31657 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: hold claim backbone gateways by reference
batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer.
The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern.
Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate on a stable gateway reference until the read-side work is complete. This keeps the dump and claim-check paths aligned with the lifetime rules introduced for the other BLA claim readers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31657
CVE-2026-31658 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
When dma_map_single() fails in tse_start_xmit(), the function returns NETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the stack the packet was consumed, the skb is never freed, leaking memory on every DMA mapping failure.
Add dev_kfree_skb_any() before returning to properly free the skb.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31658
CVE-2026-31659 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: reject oversized global TT response buffers
batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc().
The full-table response path still uses the original TT payload length when it fills tt_change, so the wrapped allocation is too small and batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object before the later packet-size check runs.
Fix this by rejecting TT responses whose TVLV value length cannot fit in the 16-bit TVLV payload length field.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31659
CVE-2026-31660 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
nfc: pn533: allocate rx skb before consuming bytes
pn532_receive_buf() reports the number of accepted bytes to the serdev core. The current code consumes bytes into recv_skb and may already hand a complete frame to pn533_recv_frame() before allocating a fresh receive buffer.
If that alloc_skb() fails, the callback returns 0 even though it has already consumed bytes, and it leaves recv_skb as NULL for the next receive callback. That breaks the receive_buf() accounting contract and can also lead to a NULL dereference on the next skb_put_u8().
Allocate the receive skb lazily before consuming the next byte instead. If allocation fails, return the number of bytes already accepted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31660
CVE-2026-31661 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmsmac: Fix dma_free_coherent() size
dma_alloc_consistent() may change the size to align it. The new size is saved in alloced.
Change the free size to match the allocation size.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31661
CVE-2026-31662 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
The GRP_ACK_MSG handler in tipc_group_proto_rcv() currently decrements bc_ackers on every inbound group ACK, even when the same member has already acknowledged the current broadcast round.
Because bc_ackers is a u16, a duplicate ACK received after the last legitimate ACK wraps the counter to 65535. Once wrapped, tipc_group_bc_cong() keeps reporting congestion and later group broadcasts on the affected socket stay blocked until the group is recreated.
Fix this by ignoring duplicate or stale ACKs before touching bc_acked or bc_ackers. This makes repeated GRP_ACK_MSG handling idempotent and prevents the underflow path.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31662
CVE-2026-31663 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xfrm: hold dev ref until after transport_finish NF_HOOK
After async crypto completes, xfrm_input_resume() calls dev_put() immediately on re-entry before the skb reaches transport_finish. The skb->dev pointer is then used inside NF_HOOK and its okfn, which can race with device teardown.
Remove the dev_put from the async resumption entry and instead drop the reference after the NF_HOOK call in transport_finish, using a saved device pointer since NF_HOOK may consume the skb. This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip the okfn.
For non-transport exits (decaps, gro, drop) and secondary async return points, release the reference inline when async is set.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31663
CVE-2026-31664 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xfrm: clear trailing padding in build_polexpire()
build_expire() clears the trailing padding bytes of struct xfrm_user_expire after setting the hard field via memset_after(), but the analogous function build_polexpire() does not do this for struct xfrm_user_polexpire.
The padding bytes after the __u8 hard field are left uninitialized from the heap allocation, and are then sent to userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners, leaking kernel heap memory contents.
Add the missing memset_after() call, matching build_expire().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31664
CVE-2026-31665 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: fix use-after-free in timeout object destroy
nft_ct_timeout_obj_destroy() frees the timeout object with kfree() immediately after nf_ct_untimeout(), without waiting for an RCU grace period. Concurrent packet processing on other CPUs may still hold RCU-protected references to the timeout object obtained via rcu_dereference() in nf_ct_timeout_data().
Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer freeing until after an RCU grace period, matching the approach already used in nfnetlink_cttimeout.c.
KASAN report:
  BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0
  Read of size 4 at addr ffff8881035fe19c by task exploit/80
  Call Trace:
    nf_conntrack_tcp_packet+0x1381/0x29d0
    nf_conntrack_in+0x612/0x8b0
    nf_hook_slow+0x70/0x100
    __ip_local_out+0x1b2/0x210
    tcp_sendmsg_locked+0x722/0x1580
    __sys_sendto+0x2d8/0x320
  Allocated by task 75:
    nft_ct_timeout_obj_init+0xf6/0x290
    nft_obj_init+0x107/0x1b0
    nf_tables_newobj+0x680/0x9c0
    nfnetlink_rcv_batch+0xc29/0xe00
  Freed by task 26:
    nft_obj_destroy+0x3f/0xa0
    nf_tables_trans_destroy_work+0x51c/0x5c0
    process_one_work+0x2c4/0x5a0
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31665
CVE-2026-31666 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref()
After commit 1618aa3c2e01 ("btrfs: simplify return variables in lookup_extent_data_ref()"), the err and ret variables were merged into a single ret variable. However, when btrfs_next_leaf() returns 0 (success), ret is overwritten from -ENOENT to 0. If the first key in the next leaf does not match (different objectid or type), the function returns 0 instead of -ENOENT, making the caller believe the lookup succeeded when it did not. This can lead to operations on the wrong extent tree item, potentially causing extent tree corruption.
Fix this by returning -ENOENT directly when the key does not match, instead of relying on the ret variable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31666
CVE-2026-31667 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Input: uinput - fix circular locking dependency with ff-core
A lockdep circular locking dependency warning can be triggered reproducibly when using a force-feedback gamepad with uinput (for example, playing ELDEN RING under Wine with a Flydigi Vader 5 controller):
  ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex
The cycle is caused by four lock acquisition paths:
1. ff upload: input_ff_upload() holds ff->mutex and calls uinput_dev_upload_effect() -> uinput_request_submit() -> uinput_request_send(), which acquires udev->mutex.
2. device create: uinput_ioctl_handler() holds udev->mutex and calls uinput_create_device() -> input_register_device(), which acquires input_mutex.
3. device register: input_register_device() holds input_mutex and calls kbd_connect() -> input_register_handle(), which acquires dev->mutex.
4. evdev release: evdev_release() calls input_flush_device() under dev->mutex, which calls input_ff_flush() acquiring ff->mutex.
Fix this by introducing a new state_lock spinlock to protect udev->state and udev->dev access in uinput_request_send() instead of acquiring udev->mutex. The function only needs to atomically check device state and queue an input event into the ring buffer via uinput_dev_event() -- both operations are safe under a spinlock (ktime_get_ts64() and wake_up_interruptible() do not sleep). This breaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in the lock ordering and cannot form cycles with mutexes.
To keep state transitions visible to uinput_request_send(), protect writes to udev->state in uinput_create_device() and uinput_destroy_device() with the same state_lock spinlock.
Additionally, move init_completion(&request->done) from uinput_request_send() to uinput_request_submit() before uinput_request_reserve_slot(). Once the slot is allocated, uinput_flush_requests() may call complete() on it at any time from the destroy path, so the completion must be initialised before the request becomes visible.
Lock ordering after the fix:
  ff->mutex -> state_lock (spinlock, leaf)
  udev->mutex -> state_lock (spinlock, leaf)
  udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31667
CVE-2026-31668 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
seg6: separate dst_cache for input and output paths in seg6 lwtunnel
The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reuses it blindly, bypassing its own lookup.
Fix this by splitting the cache into cache_input and cache_output, so each path maintains its own cached dst independently.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31668
CVE-2026-31669 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix slab-use-after-free in __inet_lookup_established
The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register().
However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently.
This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established.
Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31669
CVE-2026-31670 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: rfkill: prevent unlimited numbers of rfkill events from being created
Userspace can create an unlimited number of rfkill events if the system is so configured, while not consuming them from the rfkill file descriptor, causing a potential out of memory situation. Prevent this by bounding the number of pending rfkill events at a "large" number (i.e. 1000) to prevent abuses like this.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31670
CVE-2026-31671 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xfrm_user: fix info leak in build_report()
struct xfrm_user_report is a __u8 proto field followed by a struct xfrm_selector which means there are three "empty" bytes of padding, but the padding is never zeroed before copying to userspace. Fix that up by zeroing the structure before setting individual member variables.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31671
CVE-2026-31672 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: rt2x00usb: fix devres lifetime
USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes).
Fix the USB anchor lifetime so that it is released on driver unbind.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
CVE-2026-31672
CVE-2026-31673 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
af_unix: read UNIX_DIAG_VFS data under unix_state_lock
Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unix_release_sock() clears u->path under unix_state_lock() and drops the path reference after unlocking.
Read the inode and device numbers for UNIX_DIAG_VFS while holding unix_state_lock(), then emit the netlink attribute after dropping the lock.
This keeps the VFS data stable while the reply is being built.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-25 09:16:00 UTC
CVE-2026-31673
CVE-2026-31674 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS.
rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-25 09:16:00 UTC
CVE-2026-31674
CVE-2026-31675 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_netem: fix out-of-bounds access in packet corruption In netem_enqueue(), the packet corruption logic uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0. Passing 0 to get_random_u32_below() takes the variable-ceil slow path which returns an unconstrained 32-bit random integer. Using this unconstrained value as an offset into skb->data results in an out-of-bounds memory access. Fix this by verifying skb_headlen(skb) is non-zero before attempting to corrupt the linear data area. Fully non-linear packets will silently bypass the corruption logic.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-25 09:16:00 UTC
CVE-2026-31675
CVE-2026-31676 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: rxrpc: only handle RESPONSE during service challenge Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-25 09:16:00 UTC
CVE-2026-31676
CVE-2026-31677 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - limit RX SG extraction by receive buffer budget Make af_alg_get_rsgl() limit each RX scatterlist extraction to the remaining receive buffer budget. af_alg_get_rsgl() currently uses af_alg_readable() only as a gate before extracting data into the RX scatterlist. Limit each extraction to the remaining af_alg_rcvbuf(sk) budget so that receive-side accounting matches the amount of data attached to the request. If skcipher cannot obtain enough RX space for at least one chunk while more data remains to be processed, reject the recvmsg call instead of rounding the request length down to zero.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-25 09:16:00 UTC
CVE-2026-31677
CVE-2026-31678 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: openvswitch: defer tunnel netdev_put to RCU release ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent readers that still observe vport->dev. Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let vport_netdev_free() drop the reference from the RCU callback, matching the non-tunnel destroy path and avoiding additional synchronization under RTNL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-25 09:16:00 UTC
CVE-2026-31678
CVE-2026-31679 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: openvswitch: validate MPLS set/set_masked payload length validate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for SET/SET_MASKED actions. In action handling, OVS expects fixed-size MPLS key data (struct ovs_key_mpls). Use the already normalized key_len (masked case included) and reject non-matching MPLS action key sizes. Reject invalid MPLS action payload lengths early.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-25 09:16:00 UTC
CVE-2026-31679
CVE-2026-31680 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: net: ipv6: flowlabel: defer exclusive option free until RCU teardown `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file RCU read-side lock and prints `fl->opt->opt_nflen` when an option block is present. Exclusive flowlabels currently free `fl->opt` as soon as `fl->users` drops to zero in `fl_release()`. However, the surrounding `struct ip6_flowlabel` remains visible in the global hash table until later garbage collection removes it and `fl_free_rcu()` finally tears it down. A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that early `kfree()` and dereference freed option state, triggering a crash in `ip6fl_seq_show()`. Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches the lifetime already required for the enclosing flowlabel while readers can still reach it under RCU.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-25 09:16:00 UTC
CVE-2026-31680
CVE-2026-31681 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_multiport: validate range encoding in checkentry ports_match_v1() treats any non-zero pflags entry as the start of a port range and unconditionally consumes the next ports[] element as the range end. The checkentry path currently validates protocol, flags and count, but it does not validate the range encoding itself. As a result, malformed rules can mark the last slot as a range start or place two range starts back to back, leaving ports_match_v1() to step past the last valid ports[] element while interpreting the rule. Reject malformed multiport v1 rules in checkentry by validating that each range start has a following element and that the following element is not itself marked as another range start.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-25 09:16:00 UTC
CVE-2026-31681
CVE-2026-31682 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns from the linear network header.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-25 09:16:00 UTC
CVE-2026-31682
CVE-2026-31683 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: batman-adv: avoid OGM aggregation when skb tailroom is insufficient When OGM aggregation state is toggled at runtime, an existing forwarded packet may have been allocated with only packet_len bytes, while a later packet can still be selected for aggregation. Appending in this case can hit skb_put overflow conditions. Reject aggregation when the target skb tailroom cannot accommodate the new packet. The caller then falls back to creating a new forward packet instead of appending.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-25 09:16:00 UTC
CVE-2026-31683
CVE-2026-31684 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: net: sched: act_csum: validate nested VLAN headers tcf_csum_act() walks nested VLAN headers directly from skb->data when an skb still carries in-payload VLAN tags. The current code reads vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without first ensuring that the full VLAN header is present in the linear area. If only part of an inner VLAN header is linearized, accessing h_vlan_encapsulated_proto reads past the linear area, and the following skb_pull(VLAN_HLEN) may violate skb invariants. Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and pulling each nested VLAN header. If the header still is not fully available, drop the packet through the existing error path.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-25 09:16:00 UTC
CVE-2026-31684
CVE-2026-31685 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_eui64: reject invalid MAC header for all packets `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address. The existing guard only rejects an invalid MAC header when `par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()` can still reach `eth_hdr(skb)` even when the MAC header is not valid. Fix this by removing the `par->fragoff != 0` condition so that packets with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-25 09:16:00 UTC
CVE-2026-31685
CVE-2026-31686 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: mm/kasan: fix double free for kasan pXds kasan_free_pxd() assumes the page table is always struct page aligned. But that's not always the case for all architectures. E.g. In case of powerpc with 64K pagesize, PUD table (of size 4096) comes from slab cache named pgtable-2^9. Hence instead of page_to_virt(pxd_page()) let's just directly pass the start of the pxd table which is passed as the 1st argument. This fixes the below double free kasan issue seen with PMEM:
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-27 18:16:00 UTC
CVE-2026-31686
CVE-2026-31687 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: gpio: omap: do not register driver in probe() Commit 11a78b794496 ("ARM: OMAP: MPUIO wake updates") registers the omap_mpuio_driver from omap_mpuio_init(), which is called from omap_gpio_probe(). However, it neither makes sense to register drivers from probe() callbacks of other drivers, nor does the driver core allow registering drivers with a device lock already being held. The latter was revealed by commit dc23806a7c47 ("driver core: enforce device_lock for driver_match_device()") leading to a potential deadlock condition described in [1]. Additionally, the omap_mpuio_driver is never unregistered from the driver core, even if the module is unloaded. Hence, register the omap_mpuio_driver from the module initcall and unregister it in module_exit().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-27 18:16:00 UTC
CVE-2026-31687
CVE-2026-31688 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: driver core: enforce device_lock for driver_match_device() Currently, driver_match_device() is called from three sites. One site (__device_attach_driver) holds device_lock(dev), but the other two (bind_store and __driver_attach) do not. This inconsistency means that bus match() callbacks are not guaranteed to be called with the lock held. Fix this by introducing driver_match_device_locked(), which guarantees holding the device lock using a scoped guard. Replace the unlocked calls in bind_store() and __driver_attach() with this new helper. Also add a lock assertion to driver_match_device() to enforce this guarantee. This consistency also fixes a known race condition. The driver_override implementation relies on the device_lock, so the missing lock led to the use-after-free (UAF) reported in Bugzilla for buses using this field. Stress testing the two newly locked paths for 24 hours with CONFIG_PROVE_LOCKING and CONFIG_LOCKDEP enabled showed no UAF recurrence and no lockdep warnings.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-27 18:16:00 UTC
CVE-2026-31688
CVE-2026-31689 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: EDAC/mc: Fix error path ordering in edac_mc_alloc() When the mci->pvt_info allocation in edac_mc_alloc() fails, the error path will call put_device() which will end up calling the device's release function. However, the init ordering is wrong such that device_initialize() happens *after* the failed allocation and thus the device itself and the release function pointer are not initialized yet when they're called: MCE: In-kernel MCE decoding enabled. ------------[ cut here ]------------ kobject: '(null)': is not initialized, yet kobject_put() is being called. WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full) RIP: 0010:kobject_put Call Trace: <TASK> edac_mc_alloc+0xbe/0xe0 [edac_core] amd64_edac_init+0x7a4/0xff0 [amd64_edac] ? __pfx_amd64_edac_init+0x10/0x10 [amd64_edac] do_one_initcall ... Reorder the calling sequence so that the device is initialized and thus the release function pointer is properly set before it can be used. This was found by Claude while reviewing another EDAC patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-27 18:16:00 UTC
CVE-2026-31689
CVE-2026-31690 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: firmware: thead: Fix buffer overflow and use standard endian macros Addresses two issues in the TH1520 AON firmware protocol driver: 1. Fix a potential buffer overflow where the code used unsafe pointer arithmetic to access the 'mode' field through the 'resource' pointer with an offset. This was flagged by Smatch static checker as: "buffer overflow 'data' 2 <= 3" 2. Replace custom RPC_SET_BE* and RPC_GET_BE* macros with standard kernel endianness conversion macros (cpu_to_be16, etc.) for better portability and maintainability. The functionality was re-tested with the GPU power-up sequence, confirming the GPU powers up correctly and the driver probes successfully. [ 12.702370] powervr ffef400000.gpu: [drm] loaded firmware powervr/rogue_36.52.104.182_v1.fw [ 12.711043] powervr ffef400000.gpu: [drm] FW version v1.0 (build 6645434 OS) [ 12.719787] [drm] Initialized powervr 1.0.0 for ffef400000.gpu on minor 0
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-27 18:16:00 UTC
CVE-2026-31690
CVE-2026-31691 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: igb: remove napi_synchronize() in igb_down() When an AF_XDP zero-copy application terminates abruptly (e.g., kill -9), the XSK buffer pool is destroyed but NAPI polling continues. igb_clean_rx_irq_zc() repeatedly returns the full budget, preventing napi_complete_done() from clearing NAPI_STATE_SCHED. igb_down() calls napi_synchronize() before napi_disable() for each queue vector. napi_synchronize() spins waiting for NAPI_STATE_SCHED to clear, which never happens. igb_down() blocks indefinitely, the TX watchdog fires, and the TX queue remains permanently stalled. napi_disable() already handles this correctly: it sets NAPI_STATE_DISABLE. After a full-budget poll, __napi_poll() checks napi_disable_pending(). If set, it forces completion and clears NAPI_STATE_SCHED, breaking the loop that napi_synchronize() cannot. napi_synchronize() was added in commit 41f149a285da ("igb: Fix possible panic caused by Rx traffic arrival while interface is down"). napi_disable() provides stronger guarantees: it prevents further scheduling and waits for any active poll to exit. Other Intel drivers (ixgbe, ice, i40e) use napi_disable() without a preceding napi_synchronize() in their down paths. Remove redundant napi_synchronize() call and reorder napi_disable() before igb_set_queue_napi() so the queue-to-NAPI mapping is only cleared after polling has fully stopped.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-27 18:16:00 UTC
CVE-2026-31691
CVE-2026-31692 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: rtnetlink: add missing netlink_ns_capable() check for peer netns rtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer network namespace when creating paired devices (veth, vxcan, netkit). This allows an unprivileged user with a user namespace to create interfaces in arbitrary network namespaces, including init_net. Add a netlink_ns_capable() check for CAP_NET_ADMIN in the peer namespace before allowing device creation to proceed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 11:16:00 UTC
CVE-2026-31692
CVE-2026-31693 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: cifs: some missing initializations on replay In several places in the code, we have a label to signify the start of the code where a request can be replayed if necessary. However, some of these places were missing the necessary reinitializations of certain local variables before replay. This change makes sure that these variables get initialized after the label.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 12:16:00 UTC
CVE-2026-31693
CVE-2026-31694 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: fuse: reject oversized dirents in page cache fuse_add_dirent_to_cache() computes a serialized dirent size from the server-controlled namelen field and copies the dirent into a single page-cache page. The existing logic only checks whether the dirent fits in the remaining space of the current page and advances to a fresh page if not. It never checks whether the dirent itself exceeds PAGE_SIZE. As a result, a malicious FUSE server can return a dirent with namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB page systems this causes memcpy() to overflow the cache page by 24 bytes into the following kernel page. Reject dirents that cannot fit in a single page before copying them into the readdir cache.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31694
CVE-2026-31695 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free Currently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for the virt_wifi net devices. However, unregistering a virt_wifi device in netdev_run_todo() can happen together with the device referenced by SET_NETDEV_DEV(). It can result in use-after-free during the ethtool operations performed on a virt_wifi device that is currently being unregistered. Such a net device can have the `dev.parent` field pointing to the freed memory, but ethnl_ops_begin() calls `pm_runtime_get_sync(dev->dev.parent)`. Let's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this. This fix may be combined with another one in the ethtool subsystem: https://lore.kernel.org/all/20260322075917.254874-1-alex.popov@linux.com/T/#u
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31695
CVE-2026-31696 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix missing validation of ticket length in non-XDR key preparsing In rxrpc_preparse(), there are two paths for parsing key payloads: the XDR path (for large payloads) and the non-XDR path (for payloads <= 28 bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR path fails to do so. This allows an unprivileged user to provide a very large ticket length. When this key is later read via rxrpc_read(), the total token size (toksize) calculation results in a value that exceeds AFSTOKEN_LENGTH_MAX, triggering a WARN_ON(). [ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc] Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse() to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX, bringing it into parity with the XDR parsing logic.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31696
CVE-2026-31697 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed When retrieving the ID for the CPU, don't attempt to copy the ID blob to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes _firmware_ requires will overflow the kernel-allocated buffer and leak data to userspace. WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firmware error.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31697
CVE-2026-31698 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed When retrieving the PDH cert, don't attempt to copy the blobs to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes _firmware_ requires will overflow the kernel-allocated buffer and leak data to userspace. WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firmware error.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31698
CVE-2026-31699 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed When retrieving the PEK CSR, don't attempt to copy the blob to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes _firmware_ requires will overflow the kernel-allocated buffer and leak data to userspace. WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firmware error.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31699
CVE-2026-31700 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points directly into the mmap'd TX ring buffer shared with userspace. The kernel validates the header via __packet_snd_vnet_parse() but then re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent userspace thread can modify the vnet_hdr fields between validation and use, bypassing all safety checks. The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr to a stack-local variable. All other vnet_hdr consumers in the kernel (tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX path is the only caller of virtio_net_hdr_to_skb() that reads directly from user-controlled shared memory. Fix this by copying vnet_hdr from the mmap'd ring buffer to a stack-local variable before validation and use, consistent with the approach used in packet_snd() and all other callers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31700
CVE-2026-31701 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ALSA: caiaq: take a reference on the USB device in create_card()
The caiaq driver stores a pointer to the parent USB device in cdev->chip.dev but never takes a reference on it. The card's private_free callback, snd_usb_caiaq_card_free(), can run asynchronously via snd_card_free_when_closed() after the USB device has already been disconnected and freed, so any access to cdev->chip.dev in that path dereferences a freed usb_device.
On top of the refcounting issue, the current card_free implementation calls usb_reset_device(cdev->chip.dev). A reset in a free callback is inappropriate: the device is going away, the call takes the device lock in a teardown context, and the reset races with the disconnect path that the callback is already cleaning up after.
Take a reference on the USB device in create_card() with usb_get_dev(), drop it with usb_put_dev() in the free callback, and remove the usb_reset_device() call.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31701
CVE-2026-31702 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring the F2FS_WB_CP_DATA counter to zero, unblocking f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount CPU. The unmount path then proceeds to call f2fs_destroy_page_array_cache(sbi), which destroys sbi->page_array_slab via kmem_cache_destroy(), and eventually kfree(sbi). Meanwhile, the bio completion callback is still executing: when it reaches page_array_free(sbi, ...), it dereferences sbi->page_array_slab — a destroyed slab cache — to call kmem_cache_free(), causing a use-after-free.
This is the same class of bug as CVE-2026-23234 (which fixed the equivalent race in f2fs_write_end_io() in data.c), but in the compressed writeback completion path that was not covered by that fix.
Fix this by moving dec_page_count() to after page_array_free(), so that all sbi accesses complete before the counter decrement that can unblock unmount. For non-last folios (where atomic_dec_return on cic->pending_pages is nonzero), dec_page_count is called immediately before returning — page_array_free is not reached on this path, so there is no post-decrement sbi access. For the last folio, page_array_free runs while the F2FS_WB_CP_DATA counter is still nonzero (this folio has not yet decremented it), keeping sbi alive, and dec_page_count runs as the final operation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31702
CVE-2026-31703 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
writeback: Fix use after free in inode_switch_wbs_work_fn()
inode_switch_wbs_work_fn() has a loop like:
  wb_get(new_wb);
  while (1) {
    list = llist_del_all(&new_wb->switch_wbs_ctxs);
    /* Nothing to do? */
    if (!list)
      break;
    ... process the items ...
  }
Now adding of items to the list looks like:
wb_queue_isw()
  if (llist_add(&isw->list, &wb->switch_wbs_ctxs))
    queue_work(isw_wq, &wb->switch_work);
Because inode_switch_wbs_work_fn() loops when processing isw items, it can happen that wb->switch_work is pending while wb->switch_wbs_ctxs is empty. This is a problem because in that case wb can get freed (no isw items -> no wb reference) while the work is still pending causing use-after-free issues.
We cannot just fix this by cancelling work when freeing wb because that could still trigger problematic 0 -> 1 transitions on wb refcount due to wb_get() in inode_switch_wbs_work_fn(). It could be all handled with more careful code but that seems unnecessarily complex so let's avoid that until it is proven that the looping actually brings practical benefit. Just remove the loop from inode_switch_wbs_work_fn() instead. That way when wb_queue_isw() queues work, we are guaranteed we have added the first item to wb->switch_wbs_ctxs and nobody is going to remove it (and drop the wb reference it holds) until the queued work runs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31703
CVE-2026-31704 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes in u16 variables. When a file has many POSIX ACL entries, the accumulated size can wrap past 65535, causing the pointer arithmetic (char *)pndace + *size to land within already-written ACEs. Subsequent writes then overwrite earlier entries, and pndacl->size gets a truncated value.
Use check_add_overflow() at each accumulation point to detect the wrap before it corrupts the buffer, consistent with existing check_mul_overflow() usage elsewhere in smbacl.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31704
CVE-2026-31705 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
smb2_get_ea() applies 4-byte alignment padding via memset() after writing each EA entry. The bounds check on buf_free_len is performed before the value memcpy, but the alignment memset fires unconditionally afterward with no check on remaining space.
When the EA value exactly fills the remaining buffer (buf_free_len == 0 after value subtraction), the alignment memset writes 1-3 NUL bytes past the buf_free_len boundary. In compound requests where the response buffer is shared across commands, the first command (e.g., READ) can consume most of the buffer, leaving a tight remainder for the QUERY_INFO EA response. The alignment memset then overwrites past the physical kvmalloc allocation into adjacent kernel heap memory.
Add a bounds check before the alignment memset to ensure buf_free_len can accommodate the padding bytes.
This is the same bug pattern fixed by commit beef2634f81f ("ksmbd: fix potencial OOB in get_file_all_info() for compound requests") and commit fda9522ed6af ("ksmbd: fix OOB write in QUERY_INFO for compound requests"), both of which added bounds checks before unconditional writes in QUERY_INFO response handlers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31705
CVE-2026-31706 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
smb_inherit_dacl() trusts the on-disk num_aces value from the parent directory's DACL xattr and uses it to size a heap allocation:
  aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, ...);
num_aces is a u16 read from le16_to_cpu(parent_pdacl->num_aces) without checking that it is consistent with the declared pdacl_size. An authenticated client whose parent directory's security.NTACL is tampered (e.g. via offline xattr corruption or a concurrent path that bypasses parse_dacl()) can present num_aces = 65535 with minimal actual ACE data. This causes a ~8 MB allocation (not kzalloc, so uninitialized) that the subsequent loop only partially populates, and may also overflow the three-way size_t multiply on 32-bit kernels.
Additionally, the ACE walk loop uses the weaker offsetof(struct smb_ace, access_req) minimum size check rather than the minimum valid on-wire ACE size, and does not reject ACEs whose declared size is below the minimum.
Reproduced on UML + KASAN + LOCKDEP against the real ksmbd code path. A legitimate mount.cifs client creates a parent directory over SMB (ksmbd writes a valid security.NTACL xattr), then the NTACL blob on the backing filesystem is rewritten to set num_aces = 0xFFFF while keeping the posix_acl_hash bytes intact so ksmbd_vfs_get_sd_xattr()'s hash check still passes. A subsequent SMB2 CREATE of a child under that parent drives smb2_open() into smb_inherit_dacl() (share has "vfs objects = acl_xattr" set), which fails the page allocator:
  WARNING: mm/page_alloc.c:5226 at __alloc_frozen_pages_noprof+0x46c/0x9c0
  Workqueue: ksmbd-io handle_ksmbd_work
  __alloc_frozen_pages_noprof+0x46c/0x9c0
  ___kmalloc_large_node+0x68/0x130
  __kmalloc_large_node_noprof+0x24/0x70
  __kmalloc_noprof+0x4c9/0x690
  smb_inherit_dacl+0x394/0x2430
  smb2_open+0x595d/0xabe0
  handle_ksmbd_work+0x3d3/0x1140
With the patch applied the added guard rejects the tampered value with -EINVAL before any large allocation runs, smb2_open() falls back to smb2_create_sd_buffer(), and the child is created with a default SD. No warning, no splat.
Fix by:
  1. Validating num_aces against pdacl_size using the same formula applied in parse_dacl().
  2. Replacing the raw kmalloc(sizeof * num_aces * 2) with kmalloc_array(num_aces * 2, sizeof(...)) for overflow-safe allocation.
  3. Tightening the per-ACE loop guard to require the minimum valid ACE size (offsetof(smb_ace, sid) + CIFS_SID_BASE_SIZE) and rejecting under-sized ACEs, matching the hardening in smb_check_perm_dacl() and parse_dacl().
v1 -> v2:
  - Replace the synthetic test-module splat in the changelog with a real-path UML + KASAN reproduction driven through mount.cifs and SMB2 CREATE; Namjae flagged the kcifs3_test_inherit_dacl_old name in v1 since it does not exist in ksmbd.
  - Drop the commit-hash citation from the code comment per Namjae's review; keep the parse_dacl() pointer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31706
CVE-2026-31707 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: validate response sizes in ipc_validate_msg()
ipc_validate_msg() computes the expected message size for each response type by adding (or multiplying) attacker-controlled fields from the daemon response to a fixed struct size in unsigned int arithmetic. Three cases can overflow:
  KSMBD_EVENT_RPC_REQUEST:
    msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;
  KSMBD_EVENT_SHARE_CONFIG_REQUEST:
    msg_sz = sizeof(struct ksmbd_share_config_response) + resp->payload_sz;
  KSMBD_EVENT_LOGIN_REQUEST_EXT:
    msg_sz = sizeof(struct ksmbd_login_response_ext) + resp->ngroups * sizeof(gid_t);
resp->payload_sz is __u32 and resp->ngroups is __s32. Each addition can wrap in unsigned int; the multiplication by sizeof(gid_t) mixes signed and size_t, so a negative ngroups is converted to SIZE_MAX before the multiply. A wrapped value of msg_sz that happens to equal entry->msg_sz bypasses the size check on the next line, and downstream consumers (smb2pdu.c:6742 memcpy using rpc_resp->payload_sz, kmemdup in ksmbd_alloc_user using resp_ext->ngroups) then trust the unverified length.
Use check_add_overflow() on the RPC_REQUEST and SHARE_CONFIG_REQUEST paths to detect integer overflow without constraining functional payload size; userspace ksmbd-tools grows NDR responses in 4096-byte chunks for calls like NetShareEnumAll, so a hard transport cap is unworkable on the response side. For LOGIN_REQUEST_EXT, reject resp->ngroups outside the signed [0, NGROUPS_MAX] range up front and report the error from ipc_validate_msg() so it fires at the IPC boundary; with that bound the subsequent multiplication and addition stay well below UINT_MAX. The now-redundant ngroups check and pr_err in ksmbd_alloc_user() are removed.
This is the response-side analogue of aab98e2dbd64 ("ksmbd: fix integer overflows on 32 bit systems"), which hardened the request side.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31707
CVE-2026-31708 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL and the default QUERY_INFO path. The QUERY_INFO branch clamps qi.input_buffer_length to the server-reported OutputBufferLength and then copies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but it never verifies that the flexible-array payload actually fits within rsp_iov[1].iov_len.
A malicious server can return OutputBufferLength larger than the actual QUERY_INFO response, causing copy_to_user() to walk past the response buffer and expose adjacent kernel heap to userspace.
Guard the QUERY_INFO copy with a bounds check on the actual Buffer payload. Use struct_size(qi_rsp, Buffer, qi.input_buffer_length) rather than an open-coded addition so the guard cannot overflow on 32-bit builds.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31708
CVE-2026-31709 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
smb: client: validate the whole DACL before rewriting it in cifsacl
build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild the chmod/chown security descriptor.
The original fix only checked that the struct smb_acl header fits before reading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediate header-field OOB read, but the rewrite helpers still walk ACEs based on pdacl->num_aces with no structural validation of the incoming DACL body.
A malicious server can return a truncated DACL that still contains a header, claims one or more ACEs, and then drive replace_sids_and_copy_aces() or set_chmod_dacl() past the validated extent while they compare or copy attacker-controlled ACEs.
Factor the DACL structural checks into validate_dacl(), extend them to validate each ACE against the DACL bounds, and use the shared validator before the chmod/chown rebuild paths. parse_dacl() reuses the same validator so the read-side parser and write-side rewrite paths agree on what constitutes a well-formed incoming DACL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31709
CVE-2026-31710 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix dir separator in SMB1 UNIX mounts
When calling cifs_mount_get_tcon() with SMB1 UNIX mounts, @cifs_sb->mnt_cifs_flags needs to be read or updated only after calling reset_cifs_unix_caps(), otherwise it might end up with missing CIFS_MOUNT_POSIXACL and CIFS_MOUNT_POSIX_PATHS bits.
This fixes the wrong dir separator used in paths caused by the missing CIFS_MOUNT_POSIX_PATHS bit in cifs_sb_info::mnt_cifs_flags.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31710
CVE-2026-31711 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
smb: server: fix active_num_conn leak on transport allocation failure
Commit 77ffbcac4e56 ("smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()") addressed the kthread_run() failure path. The earlier alloc_transport() == NULL path in the same function has the same leak, is reachable pre-authentication via any TCP connect to port 445, and was empirically reproduced on UML (ARCH=um, v7.0-rc7): a small number of forced allocation failures were sufficient to put ksmbd into a state where every subsequent connection attempt was rejected for the remainder of the boot.
ksmbd_kthread_fn() increments active_num_conn before calling ksmbd_tcp_new_connection() and discards the return value, so when alloc_transport() returns NULL the socket is released and -ENOMEM returned without decrementing the counter. Each such failure permanently consumes one slot from the max_connections pool; once cumulative failures reach the cap, atomic_inc_return() hits the threshold on every subsequent accept and every new connection is rejected. The counter is only reset by module reload.
An unauthenticated remote attacker can drive the server toward the memory pressure that makes alloc_transport() fail by holding open connections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN (0x00FFFFFF); natural transient allocation failures on a loaded host produce the same drift more slowly.
Mirror the existing rollback pattern in ksmbd_kthread_fn(): on the alloc_transport() failure path, decrement active_num_conn gated on server_conf.max_connections.
Repro details: with the patch reverted, forced alloc_transport() NULL returns leaked counter slots and subsequent connection attempts -- including legitimate connects issued after the forced-fail window had closed -- were all rejected with "Limit the maximum number of connections". With this patch applied, the same connect sequence produces no rejections and the counter cycles cleanly between zero and one on every accept.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31711
CVE-2026-31712 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: require minimum ACE size in smb_check_perm_dacl()
Both ACE-walk loops in smb_check_perm_dacl() only guard against an under-sized remaining buffer, not against an ACE whose declared `ace->size` is smaller than the struct it claims to describe:
  if (offsetof(struct smb_ace, access_req) > aces_size)
    break;
  ace_size = le16_to_cpu(ace->size);
  if (ace_size > aces_size)
    break;
The first check only requires the 4-byte ACE header to be in bounds; it does not require access_req (4 bytes at offset 4) to be readable. An attacker who has set a crafted DACL on a file they own can declare ace->size == 4 with aces_size == 4, pass both checks, and then
  granted |= le32_to_cpu(ace->access_req); /* upper loop */
  compare_sids(&sid, &ace->sid); /* lower loop */
reads access_req at offset 4 (OOB by up to 4 bytes) and ace->sid at offset 8 (OOB by up to CIFS_SID_BASE_SIZE + SID_MAX_SUB_AUTHORITIES * 4 bytes).
Tighten both loops to require
  ace_size >= offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE
which is the smallest valid on-wire ACE layout (4-byte header + 4-byte access_req + 8-byte sid base with zero sub-auths). Also reject ACEs whose sid.num_subauth exceeds SID_MAX_SUB_AUTHORITIES before letting compare_sids() dereference sub_auth[] entries.
parse_sec_desc() already enforces an equivalent check (lines 441-448); smb_check_perm_dacl() simply grew weaker validation over time.
Reachability: authenticated SMB client with permission to set an ACL on a file. On a subsequent CREATE against that file, the kernel walks the stored DACL via smb_check_perm_dacl() and triggers the OOB read. Not pre-auth, and the OOB read is not reflected to the attacker, but KASAN reports and kernel state corruption are possible.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31712
CVE-2026-31713 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
fuse: abort on fatal signal during sync init
When sync init is used and the server exits for some reason (error, crash) while processing FUSE_INIT, the filesystem creation will hang. The reason is that while all other threads will exit, the mounting thread (or process) will keep the device fd open, which will prevent an abort from happening.
This is a regression from the async mount case, where the mount was done first, and the FUSE_INIT processing afterwards, in which case there's no such recursive syscall keeping the fd open.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31713
CVE-2026-31714 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid memory leak in f2fs_rename()
syzbot reported a f2fs bug as below:
BUG: memory leak
unreferenced object 0xffff888127f70830 (size 16):
  comm "syz.0.23", pid 6144, jiffies 4294943712
  hex dump (first 16 bytes):
    3c af 57 72 5b e6 8f ad 6e 8e fd 33 42 39 03 ff <.Wr[...n..3B9..
  backtrace (crc 925f8a80):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4520 [inline]
    slab_alloc_node mm/slub.c:4844 [inline]
    __do_kmalloc_node mm/slub.c:5237 [inline]
    __kmalloc_noprof+0x3bd/0x560 mm/slub.c:5250
    kmalloc_noprof include/linux/slab.h:954 [inline]
    fscrypt_setup_filename+0x15e/0x3b0 fs/crypto/fname.c:364
    f2fs_setup_filename+0x52/0xb0 fs/f2fs/dir.c:143
    f2fs_rename+0x159/0xca0 fs/f2fs/namei.c:961
    f2fs_rename2+0xd5/0xf20 fs/f2fs/namei.c:1308
    vfs_rename+0x7ff/0x1250 fs/namei.c:6026
    filename_renameat2+0x4f4/0x660 fs/namei.c:6144
    __do_sys_renameat2 fs/namei.c:6173 [inline]
    __se_sys_renameat2 fs/namei.c:6168 [inline]
    __x64_sys_renameat2+0x59/0x80 fs/namei.c:6168
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f
The root cause is in commit 40b2d55e0452 ("f2fs: fix to create selinux label during whiteout initialization"), we added a call to f2fs_setup_filename() without a matching call to f2fs_free_filename(), fix it.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31714
CVE-2026-31715 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()
The xfstests case "generic/107" and syzbot have both reported a NULL pointer dereference.
The concurrent scenario that triggers the panic is as follows:
F2FS_WB_CP_DATA write callback                 umount
                                               - f2fs_write_checkpoint
                                                - f2fs_wait_on_all_pages(sbi,F2FS_WB_CP_DATA)
- blk_mq_end_request
 - bio_endio
  - f2fs_write_end_io
   : dec_page_count(sbi, F2FS_WB_CP_DATA)
   : wake_up(&sbi->cp_wait)
                                               - kill_f2fs_super
                                                - kill_block_super
                                                 - f2fs_put_super
                                                  : iput(sbi->node_inode)
                                                  : sbi->node_inode = NULL
   : f2fs_in_warm_node_list
    - is_node_folio // sbi->node_inode is NULL and panic
The root cause is that f2fs_put_super() calls iput(sbi->node_inode) and sets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is decremented to zero. As a result, f2fs_in_warm_node_list() may dereference a NULL node_inode when checking whether a folio belongs to the node inode, leading to a panic.
This patch fixes the issue by calling f2fs_in_warm_node_list() before decrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the use-after-free condition.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31715
CVE-2026-31716 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: validate rec->used in journal-replay file record check
check_file_record() validates rec->total against the record size but never validates rec->used. The do_action() journal-replay handlers read rec->used from disk and use it to compute memmove lengths:
  DeleteAttribute: memmove(attr, ..., used - asize - roff)
  CreateAttribute: memmove(..., attr, used - roff)
  change_attr_size: memmove(..., used - PtrOffset(rec, next))
When rec->used is smaller than the offset of a validated attribute, or larger than the record size, these subtractions can underflow allowing us to copy huge amounts of memory in to a 4kb buffer, generally considered a bad idea overall.
This requires a corrupted filesystem, which isn't a threat model the kernel really needs to worry about, but checking for such an obvious out-of-bounds value is good to keep things robust, especially on journal replay
Fix this up by bounding rec->used correctly.
This is much like commit b2bc7c44ed17 ("fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot") which checked different values in this same switch statement.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31716
CVE-2026-31717 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: validate owner of durable handle on reconnect
Currently, ksmbd does not verify if the user attempting to reconnect to a durable handle is the same user who originally opened the file. This allows any authenticated user to hijack an orphaned durable handle by predicting or brute-forcing the persistent ID.
According to MS-SMB2, the server MUST verify that the SecurityContext of the reconnect request matches the SecurityContext associated with the existing open.
Add a durable_owner structure to ksmbd_file to store the original opener's UID, GID, and account name. Capture the owner information when a file handle becomes orphaned, and implement ksmbd_vfs_compare_durable_owner() to validate the identity of the requester during SMB2_CREATE (DHnC).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31717
CVE-2026-31718 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve the handle for later reconnection. However, it did not clean up the byte-range locks on fp->lock_list.
Later, when the durable scavenger thread times out and calls __ksmbd_close_fd(NULL, fp), the lock cleanup loop did:
  spin_lock(&fp->conn->llist_lock);
This caused a slab use-after-free because fp->conn was NULL and the original connection object had already been freed by ksmbd_tcp_disconnect().
The root cause is asymmetric cleanup: lock entries (smb_lock->clist) were left dangling on the freed conn->lock_list while fp->conn was nulled out.
To fix this issue properly, we need to handle the lifetime of smb_lock->clist across three paths:
  - Safely skip clist deletion when list is empty and fp->conn is NULL.
  - Remove the lock from the old connection's lock_list in session_fd_check()
  - Re-add the lock to the new connection's lock_list in ksmbd_reopen_durable_fd().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31718
CVE-2026-31719 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
crypto: krb5enc - fix async decrypt skipping hash verification
krb5enc_dispatch_decrypt() sets req->base.complete as the skcipher callback, which is the caller's own completion handler. When the skcipher completes asynchronously, this signals "done" to the caller without executing krb5enc_dispatch_decrypt_hash(), completely bypassing the integrity verification (hash check).
Compare with the encrypt path which correctly uses krb5enc_encrypt_done as an intermediate callback to chain into the hash computation on async completion.
Fix by adding krb5enc_decrypt_done as an intermediate callback that chains into krb5enc_dispatch_decrypt_hash() upon async skcipher completion, matching the encrypt path's callback pattern.
Also fix EBUSY/EINPROGRESS handling throughout: remove krb5enc_request_complete() which incorrectly swallowed EINPROGRESS notifications that must be passed up to callers waiting on backlogged requests, and add missing EBUSY checks in krb5enc_encrypt_ahash_done for the dispatch_encrypt return value.
Unset MAY_BACKLOG on the async completion path so the user won't see back-to-back EINPROGRESS notifications.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-31719
CVE-2026-3172 on Ubuntu 26.04 LTS (resolute) - medium
Buffer overflow in parallel HNSW index build in pgvector 0.6.0 through 0.8.1 allows a database user to leak sensitive data from other relations or crash the database server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-25 21:16:00 UTC
CVE-2026-3172
CVE-2026-31720 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_uac1_legacy: validate control request size
f_audio_complete() copies req->length bytes into a 4-byte stack variable:
  u32 data = 0;
  memcpy(&data, req->buf, req->length);
req->length is derived from the host-controlled USB request path, which can lead to a stack out-of-bounds write.
Validate req->actual against the expected payload size for the supported control selectors and decode only the expected amount of data.
This avoids copying a host-influenced length into a fixed-size stack object.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31720
CVE-2026-31721 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_hid: move list and spinlock inits from bind to alloc
There was an issue when you did the following:
- setup and bind an hid gadget
- open /dev/hidg0
- use the resulting fd in EPOLL_CTL_ADD
- unbind the UDC
- bind the UDC
- use the fd in EPOLL_CTL_DEL
When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported within remove_wait_queue (via ep_remove_wait_queue). After some debugging I found out that the queues, which f_hid registers via poll_wait were the problem. These were initialized using init_waitqueue_head inside hidg_bind. So effectively, the bind function re-initialized the queues while there were still items in them.
The solution is to move the initialization from hidg_bind to hidg_alloc to extend their lifetimes to the lifetime of the function instance.
Additionally, I found many other possibly problematic init calls in the bind function, which I moved as well.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31721
CVE-2026-31722 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_rndis: Fix net_device lifecycle with device_move
The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbinds, the parent device is destroyed, but the net_device survives, resulting in dangling sysfs symlinks:
  console:/ # ls -l /sys/class/net/usb0
  lrwxrwxrwx ... /sys/class/net/usb0 -> /sys/devices/platform/.../gadget.0/net/usb0
  console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0
  ls: .../gadget.0/net/usb0: No such file or directory
Use device_move() to reparent the net_device between the gadget device tree and /sys/devices/virtual across bind and unbind cycles. During the final unbind, calling device_move(NULL) moves the net_device to the virtual device tree before the gadget device is destroyed. On rebinding, device_move() reparents the device back under the new gadget, ensuring proper sysfs topology and power management ordering.
To maintain compatibility with legacy composite drivers (e.g., multi.c), the borrowed_net flag is used to indicate whether the network device is shared and pre-registered during the legacy driver's bind phase.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31722
CVE-2026-31723 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_subset: Fix net_device lifecycle with device_move
The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbinds, the parent device is destroyed, but the net_device survives, resulting in dangling sysfs symlinks:
  console:/ # ls -l /sys/class/net/usb0
  lrwxrwxrwx ... /sys/class/net/usb0 -> /sys/devices/platform/.../gadget.0/net/usb0
  console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0
  ls: .../gadget.0/net/usb0: No such file or directory
Use device_move() to reparent the net_device between the gadget device tree and /sys/devices/virtual across bind and unbind cycles. During the final unbind, calling device_move(NULL) moves the net_device to the virtual device tree before the gadget device is destroyed. On rebinding, device_move() reparents the device back under the new gadget, ensuring proper sysfs topology and power management ordering.
To maintain compatibility with legacy composite drivers (e.g., multi.c), the bound flag is used to indicate whether the network device is shared and pre-registered during the legacy driver's bind phase.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31723
CVE-2026-31724 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_eem: Fix net_device lifecycle with device_move
The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbinds, the parent device is destroyed, but the net_device survives, resulting in dangling sysfs symlinks:
  console:/ # ls -l /sys/class/net/usb0
  lrwxrwxrwx ... /sys/class/net/usb0 -> /sys/devices/platform/.../gadget.0/net/usb0
  console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0
  ls: .../gadget.0/net/usb0: No such file or directory
Use device_move() to reparent the net_device between the gadget device tree and /sys/devices/virtual across bind and unbind cycles. During the final unbind, calling device_move(NULL) moves the net_device to the virtual device tree before the gadget device is destroyed. On rebinding, device_move() reparents the device back under the new gadget, ensuring proper sysfs topology and power management ordering.
To maintain compatibility with legacy composite drivers (e.g., multi.c), the bound flag is used to indicate whether the network device is shared and pre-registered during the legacy driver's bind phase.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31724
CVE-2026-31725 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_ecm: Fix net_device lifecycle with device_move
The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbinds, the parent device is destroyed, but the net_device survives, resulting in dangling sysfs symlinks:
  console:/ # ls -l /sys/class/net/usb0
  lrwxrwxrwx ... /sys/class/net/usb0 -> /sys/devices/platform/.../gadget.0/net/usb0
  console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0
  ls: .../gadget.0/net/usb0: No such file or directory
Use device_move() to reparent the net_device between the gadget device tree and /sys/devices/virtual across bind and unbind cycles. During the final unbind, calling device_move(NULL) moves the net_device to the virtual device tree before the gadget device is destroyed. On rebinding, device_move() reparents the device back under the new gadget, ensuring proper sysfs topology and power management ordering.
To maintain compatibility with legacy composite drivers (e.g., multi.c), the bound flag is used to indicate whether the network device is shared and pre-registered during the legacy driver's bind phase.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31725
CVE-2026-31726 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: uvc: fix NULL pointer dereference during unbind race
Commit b81ac4395bbe ("usb: gadget: uvc: allow for application to cleanly shutdown") introduced two stages of synchronization waits totaling 1500ms in uvc_function_unbind() to prevent several types of kernel panics. However, this timing-based approach is insufficient during power management (PM) transitions.
When the PM subsystem starts freezing user space processes, the wait_event_interruptible_timeout() is aborted early, which allows the unbind thread to proceed and nullify the gadget pointer (cdev->gadget = NULL):
  [ 814.123447][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind()
  [ 814.178583][ T3173] PM: suspend entry (deep)
  [ 814.192487][ T3173] Freezing user space processes
  [ 814.197668][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind no clean disconnect, wait for release
When the PM subsystem resumes or aborts the suspend and tasks are restarted, the V4L2 release path is executed and attempts to access the already nullified gadget pointer, triggering a kernel panic:
  [ 814.292597][ C0] PM: pm_system_irq_wakeup: 479 triggered dhdpcie_host_wake
  [ 814.386727][ T3173] Restarting tasks ...
  [ 814.403522][ T4558] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030
  [ 814.404021][ T4558] pc : usb_gadget_deactivate+0x14/0xf4
  [ 814.404031][ T4558] lr : usb_function_deactivate+0x54/0x94
  [ 814.404078][ T4558] Call trace:
  [ 814.404080][ T4558] usb_gadget_deactivate+0x14/0xf4
  [ 814.404083][ T4558] usb_function_deactivate+0x54/0x94
  [ 814.404087][ T4558] uvc_function_disconnect+0x1c/0x5c
  [ 814.404092][ T4558] uvc_v4l2_release+0x44/0xac
  [ 814.404095][ T4558] v4l2_release+0xcc/0x130
Address the race condition and NULL pointer dereference by:
1. State Synchronization (flag + mutex)
Introduce a 'func_unbound' flag in struct uvc_device. This allows uvc_function_disconnect() to safely skip accessing the nullified cdev->gadget pointer. As suggested by Alan Stern, this flag is protected by a new mutex (uvc->lock) to ensure proper memory ordering and prevent instruction reordering or speculative loads. This mutex is also used to protect 'func_connected' for consistent state management.
2. Explicit Synchronization (completion)
Use a completion to synchronize uvc_function_unbind() with the uvc_vdev_release() callback. This prevents Use-After-Free (UAF) by ensuring struct uvc_device is freed after all video device resources are released.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31726
CVE-2026-31727 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo
Commit ec35c1969650 ("usb: gadget: f_ncm: Fix net_device lifecycle with device_move") reparents the gadget device to /sys/devices/virtual during unbind, clearing the gadget pointer. If the userspace tool queries on the surviving interface during this detached window, this leads to a NULL pointer dereference.
  Unable to handle kernel NULL pointer dereference
  Call trace:
   eth_get_drvinfo+0x50/0x90
   ethtool_get_drvinfo+0x5c/0x1f0
   __dev_ethtool+0xaec/0x1fe0
   dev_ethtool+0x134/0x2e0
   dev_ioctl+0x338/0x560
Add a NULL check for dev->gadget in eth_get_drvinfo(). When detached, skip copying the fw_version and bus_info strings, which is natively handled by ethtool_get_drvinfo for empty strings.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31727
CVE-2026-31728 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop
A race condition between gether_disconnect() and eth_stop() leads to a NULL pointer dereference. Specifically, if eth_stop() is triggered concurrently while gether_disconnect() is tearing down the endpoints, eth_stop() attempts to access the cleared endpoint descriptor, causing the following NPE:
  Unable to handle kernel NULL pointer dereference
  Call trace:
   __dwc3_gadget_ep_enable+0x60/0x788
   dwc3_gadget_ep_enable+0x70/0xe4
   usb_ep_enable+0x60/0x15c
   eth_stop+0xb8/0x108
Because eth_stop() crashes while holding the dev->lock, the thread running gether_disconnect() fails to acquire the same lock and spins forever, resulting in a hardlockup:
  Core - Debugging Information for Hardlockup core(7)
  Call trace:
   queued_spin_lock_slowpath+0x94/0x488
   _raw_spin_lock+0x64/0x6c
   gether_disconnect+0x19c/0x1e8
   ncm_set_alt+0x68/0x1a0
   composite_setup+0x6a0/0xc50
The root cause is that the clearing of dev->port_usb in gether_disconnect() is delayed until the end of the function.
Move the clearing of dev->port_usb to the very beginning of gether_disconnect() while holding dev->lock. This cuts off the link immediately, ensuring eth_stop() will see dev->port_usb as NULL and safely bail out.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31728
CVE-2026-31729 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ucsi: validate connector number in ucsi_notify_common()
The connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a 7-bit field (0-127) that is used to index into the connector array in ucsi_connector_change(). However, the array is only allocated for the number of connectors reported by the device (typically 2-4 entries).
A malicious or malfunctioning device could report an out-of-range connector number in the CCI, causing an out-of-bounds array access in ucsi_connector_change().
Add a bounds check in ucsi_notify_common(), the central point where CCI is parsed after arriving from hardware, so that bogus connector numbers are rejected before they propagate further.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31729
CVE-2026-31730 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: possible double-free of cctx->remote_heap
fastrpc_init_create_static_process() may free cctx->remote_heap on the err_map path but does not clear the pointer. Later, fastrpc_rpmsg_remove() frees cctx->remote_heap again if it is non-NULL, which can lead to a double-free if the INIT_CREATE_STATIC ioctl hits the error path and the rpmsg device is subsequently removed/unbound.
Clear cctx->remote_heap after freeing it in the error path to prevent the later cleanup from freeing it again.
This issue was found by an in-house analysis workflow that extracts AST-based information and runs static checks, with LLM assistance for triage, and was confirmed by manual code review.
No hardware testing was performed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31730
CVE-2026-31731 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
thermal: core: Address thermal zone removal races with resume
Since thermal_zone_pm_complete() and thermal_zone_device_resume() re-initialize the poll_queue delayed work for the given thermal zone, the cancel_delayed_work_sync() in thermal_zone_device_unregister() may miss some already running work items and the thermal zone may be freed prematurely [1].
There are two failing scenarios that both start with running thermal_pm_notify_complete() right before invoking thermal_zone_device_unregister() for one of the thermal zones.
In the first scenario, there is a work item already running for the given thermal zone when thermal_pm_notify_complete() calls thermal_zone_pm_complete() for that thermal zone and it continues to run when thermal_zone_device_unregister() starts. Since the poll_queue delayed work has been re-initialized by thermal_pm_notify_complete(), the running work item will be missed by the cancel_delayed_work_sync() in thermal_zone_device_unregister() and if it continues to run past the freeing of the thermal zone object, a use-after-free will occur.
In the second scenario, thermal_zone_device_resume() queued up by thermal_pm_notify_complete() runs right after the thermal_zone_exit() called by thermal_zone_device_unregister() has returned. The poll_queue delayed work is re-initialized by it before cancel_delayed_work_sync() is called by thermal_zone_device_unregister(), so it may continue to run after the freeing of the thermal zone object, which also leads to a use-after-free.
Address the first failing scenario by ensuring that no thermal work items will be running when thermal_pm_notify_complete() is called. For this purpose, first move the cancel_delayed_work() call from thermal_zone_pm_complete() to thermal_zone_pm_prepare() to prevent new work from entering the workqueue going forward. Next, switch over to using a dedicated workqueue for thermal events and update the code in thermal_pm_notify() to flush that workqueue after thermal_pm_notify_prepare() has returned which will take care of all leftover thermal work already on the workqueue (that leftover work would do nothing useful anyway because all of the thermal zones have been flagged as suspended).
The second failing scenario is addressed by adding a tz->state check to thermal_zone_device_resume() to prevent it from re-initializing the poll_queue delayed work if the thermal zone is going away.
Note that the above changes will also facilitate relocating the suspend and resume of thermal zones closer to the suspend and resume of devices, respectively.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31731
CVE-2026-31732 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
gpio: Fix resource leaks on errors in gpiochip_add_data_with_key()
Since commit aab5c6f20023 ("gpio: set device type for GPIO chips"), `gdev->dev.release` is unset. As a result, the reference count to `gdev->dev` isn't dropped on the error handling paths.
Drop the reference on errors.
Also reorder the instructions to make the error handling simpler. Now gpiochip_add_data_with_key() roughly looks like:
  >>> Some memory allocation. Go to ERR ZONE 1 on errors.
  >>> device_initialize().
  gpiodev_release() takes over the responsibility for freeing the resources of `gdev->dev`. The subsequent error handling paths shouldn't go through ERR ZONE 1 again which leads to double free.
  >>> Some initialization mainly on `gdev`.
  >>> The rest of initialization. Go to ERR ZONE 2 on errors.
  >>> Chip registration success and exit.
  >>> ERR ZONE 2. gpio_device_put() and exit.
  >>> ERR ZONE 1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31732
CVE-2026-31733 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Fix stale direct dispatch state in ddsp_dsq_id
@p->scx.ddsp_dsq_id can be left set (non-SCX_DSQ_INVALID) triggering a spurious warning in mark_direct_dispatch() when the next wakeup's ops.select_cpu() calls scx_bpf_dsq_insert(), such as:
  WARNING: kernel/sched/ext.c:1273 at scx_dsq_insert_commit+0xcd/0x140
The root cause is that ddsp_dsq_id was only cleared in dispatch_enqueue(), which is not reached in all paths that consume or cancel a direct dispatch verdict.
Fix it by clearing it at the right places:
 - direct_dispatch(): cache the direct dispatch state in local variables and clear it before dispatch_enqueue() on the synchronous path. For the deferred path, the direct dispatch state must remain set until process_ddsp_deferred_locals() consumes them.
 - process_ddsp_deferred_locals(): cache the dispatch state in local variables and clear it before calling dispatch_to_local_dsq(), which may migrate the task to another rq.
 - do_enqueue_task(): clear the dispatch state on the enqueue path (local/global/bypass fallbacks), where the direct dispatch verdict is ignored.
 - dequeue_task_scx(): clear the dispatch state after dispatch_dequeue() to handle both the deferred dispatch cancellation and the holding_cpu race, covering all cases where a pending direct dispatch is cancelled.
 - scx_disable_task(): clear the direct dispatch state when transitioning a task out of the current scheduler. Waking tasks may have had the direct dispatch state set by the outgoing scheduler's ops.select_cpu() and then been queued on a wake_list via ttwu_queue_wakelist(), when SCX_OPS_ALLOW_QUEUED_WAKEUP is set. Such tasks are not on the runqueue and are not iterated by scx_bypass(), so their direct dispatch state won't be cleared. Without this clear, any subsequent SCX scheduler that tries to direct dispatch the task will trigger the WARN_ON_ONCE() in mark_direct_dispatch().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31733
CVE-2026-31734 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Fix is_bpf_migration_disabled() false negative on non-PREEMPT_RCU
Since commit 8e4f0b1ebcf2 ("bpf: use rcu_read_lock_dont_migrate() for trampoline.c"), the BPF prolog (__bpf_prog_enter) calls migrate_disable() only when CONFIG_PREEMPT_RCU is enabled, via rcu_read_lock_dont_migrate(). Without CONFIG_PREEMPT_RCU, the prolog never touches migration_disabled, so migration_disabled == 1 always means the task is truly migration-disabled regardless of whether it is the current task.
The old unconditional p == current check was a false negative in this case, potentially allowing a migration-disabled task to be dispatched to a remote CPU and triggering scx_error in task_can_run_on_remote_rq().
Only apply the p == current disambiguation when CONFIG_PREEMPT_RCU is enabled, where the ambiguity with the BPF prolog still exists.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31734
CVE-2026-31735 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
iommupt: Fix short gather if the unmap goes into a large mapping
unmap has the odd behavior that it can unmap more than requested if the ending point lands within the middle of a large or contiguous IOPTE.
In this case the gather should flush everything unmapped which can be larger than what was requested to be unmapped. The gather was only flushing the range requested to be unmapped, not extending to the extra range, resulting in a short invalidation if the caller hits this special condition.
This was found by the new invalidation/gather test I am adding in preparation for ARMv8. Claude deduced the root cause.
As far as I remember nothing relies on unmapping a large entry, so this is likely not a triggerable bug.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31735
CVE-2026-31736 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: mtk_ppe: avoid NULL deref when gmac0 is disabled
If the gmac0 is disabled, the precheck for a valid ingress device will cause a NULL pointer deref and crash the system. This happens because eth->netdev[0] will be NULL but the code will directly try to access netdev_ops.
Instead of just checking for the first net_device, it must be checked if any of the mtk_eth net_devices is matching the netdev_ops of the ingress device.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31736
CVE-2026-31737 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: ftgmac100: fix ring allocation unwind on open failure
ftgmac100_alloc_rings() allocates rx_skbs, tx_skbs, rxdes, txdes, and rx_scratch in stages. On intermediate failures it returned -ENOMEM directly, leaking resources allocated earlier in the function.
Rework the failure path to use staged local unwind labels and free allocated resources in reverse order before returning -ENOMEM. This matches common netdev allocation cleanup style.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31737
CVE-2026-31738 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
vxlan: validate ND option lengths in vxlan_na_create
vxlan_na_create() walks ND options according to option-provided lengths. A malformed option can make the parser advance beyond the computed option span or use a too-short source LLADDR option payload.
Validate option lengths against the remaining NS option area before advancing, and only read source LLADDR when the option is large enough for an Ethernet address.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31738
CVE-2026-31739 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
crypto: tegra - Add missing CRYPTO_ALG_ASYNC
The tegra crypto driver failed to set the CRYPTO_ALG_ASYNC on its asynchronous algorithms, causing the crypto API to select them for users that request only synchronous algorithms. This causes crashes (at least). Fix this by adding the flag like what the other drivers do.
Also remove the unnecessary CRYPTO_ALG_TYPE_* flags, since those just get ignored and overridden by the registration function anyway.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31739
CVE-2026-31740 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member
The counter driver can use HW channels 1 and 2, while the PWM driver can use HW channels 0, 1, 2, 3, 4, 6, 7.
The dev member is assigned both by the counter driver and the PWM driver for channels 1 and 2, to their own struct device instance, overwriting the previous value.
The sub-drivers race to assign their own struct device pointer to the same struct rz_mtu3_channel's dev member.
The dev member of struct rz_mtu3_channel is used by the counter sub-driver for runtime PM.
Depending on the probe order of the counter and PWM sub-drivers, the dev member may point to the wrong struct device instance, causing the counter sub-driver to do runtime PM actions on the wrong device.
To fix this, use the parent pointer of the counter, which is assigned during probe to the correct struct device, not the struct device pointer inside the shared struct rz_mtu3_channel.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31740
CVE-2026-31741 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
counter: rz-mtu3-cnt: prevent counter from being toggled multiple times
Runtime PM counter is incremented / decremented each time the sysfs enable file is written to.
If user writes 0 to the sysfs enable file multiple times, runtime PM usage count underflows, generating the following message.
  rz-mtu3-counter rz-mtu3-counter.0: Runtime PM usage count underflow!
At the same time, hardware registers end up being accessed with clocks off in rz_mtu3_terminate_counter() to disable an already disabled channel.
If user writes 1 to the sysfs enable file multiple times, runtime PM usage count will be incremented each time, requiring the same number of 0 writes to get it back to 0.
If user writes 0 to the sysfs enable file while PWM is in progress, PWM is stopped without counter being the owner of the underlying MTU3 channel.
Check against the cached count_is_enabled value and exit if the user is trying to set the same enable value.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31741
CVE-2026-31742 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
vt: discard stale unicode buffer on alt screen exit after resize
When enter_alt_screen() saves vc_uni_lines into vc_saved_uni_lines and sets vc_uni_lines to NULL, a subsequent console resize via vc_do_resize() skips reallocating the unicode buffer because vc_uni_lines is NULL. However, vc_saved_uni_lines still points to the old buffer allocated for the original dimensions.
When leave_alt_screen() later restores vc_saved_uni_lines, the buffer dimensions no longer match vc_rows/vc_cols. Any operation that iterates over the unicode buffer using the current dimensions (e.g. csi_J clearing the screen) will access memory out of bounds, causing a kernel oops:
  BUG: unable to handle page fault for address: 0x0000002000000020
  RIP: 0010:csi_J+0x133/0x2d0
The faulting address 0x0000002000000020 is two adjacent u32 space characters (0x20) interpreted as a pointer, read from the row data area past the end of the 25-entry pointer array in a buffer allocated for 80x25 but accessed with 240x67 dimensions.
Fix this by checking whether the console dimensions changed while in the alternate screen. If they did, free the stale saved buffer instead of restoring it. The unicode screen will be lazily rebuilt via vc_uniscr_check() when next needed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31742
CVE-2026-31743 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
nvmem: zynqmp_nvmem: Fix buffer size in DMA and memcpy
Buffer size used in dma allocation and memcpy is wrong. It can lead to undersized DMA buffer access and possible memory corruption. Use correct buffer size in dma_alloc_coherent and memcpy.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31743
CVE-2026-31744 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
PM: EM: Fix NULL pointer dereference when perf domain ID is not found
dev_energymodel_nl_get_perf_domains_doit() calls em_perf_domain_get_by_id() but does not check the return value before passing it to __em_nl_get_pd_size(). When a caller supplies a non-existent perf domain ID, em_perf_domain_get_by_id() returns NULL, and __em_nl_get_pd_size() immediately dereferences pd->cpus (struct offset 0x30), causing a NULL pointer dereference.
The sister handler dev_energymodel_nl_get_perf_table_doit() already handles this correctly via __em_nl_get_pd_table_id(), which returns NULL and causes the caller to return -EINVAL. Add the same NULL check in the get-perf-domains do handler.
[ rjw: Subject and changelog edits ]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31744
CVE-2026-31745 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
reset: gpio: fix double free in reset_add_gpio_aux_device() error path
When __auxiliary_device_add() fails, reset_add_gpio_aux_device() calls auxiliary_device_uninit(adev).
The device release callback reset_gpio_aux_device_release() frees adev, but the current error path then calls kfree(adev) again, causing a double free.
Keep kfree(adev) for the auxiliary_device_init() failure path, but avoid freeing adev after auxiliary_device_uninit().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31745
CVE-2026-31746 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
s390/zcrypt: Fix memory leak with CCA cards used as accelerator
Tests showed that there is a memory leak if CCA cards are used as accelerator for clear key RSA requests (ME and CRT). With the last rework for the memory allocation the AP messages are allocated by ap_init_apmsg() but for some reason on two places (ME and CRT) the older allocation was still in place. So the first allocation simply was never freed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31746
CVE-2026-31747 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
comedi: me4000: Fix potential overrun of firmware buffer
`me4000_xilinx_download()` loads the firmware that was requested by `request_firmware()`. It is possible for it to overrun the source buffer because it blindly trusts the file format. It reads a data stream length from the first 4 bytes into variable `file_length` and reads the data stream contents of length `file_length` from offset 16 onwards.
Add a test to ensure that the supplied firmware is long enough to contain the header and the data stream. On failure, log an error and return `-EINVAL`.
Note: The firmware loading was totally broken before commit ac584af59945 ("staging: comedi: me4000: fix firmware downloading"), but that is the most sensible target for this fix.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31747
CVE-2026-31748 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
comedi: me_daq: Fix potential overrun of firmware buffer
`me2600_xilinx_download()` loads the firmware that was requested by `request_firmware()`. It is possible for it to overrun the source buffer because it blindly trusts the file format. It reads a data stream length from the first 4 bytes into variable `file_length` and reads the data stream contents of length `file_length` from offset 16 onwards. Although it checks that the supplied firmware is at least 16 bytes long, it does not check that it is long enough to contain the data stream.
Add a test to ensure that the supplied firmware is long enough to contain the header and the data stream. On failure, log an error and return `-EINVAL`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31748
CVE-2026-31749 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
comedi: ni_atmio16d: Fix invalid clean-up after failed attach
If the driver's COMEDI "attach" handler function (`atmio16d_attach()`) returns an error, the COMEDI core will call the driver's "detach" handler function (`atmio16d_detach()`) to clean up. This calls `reset_atmio16d()` unconditionally, but depending on where the error occurred in the attach handler, the device may not have been sufficiently initialized to call `reset_atmio16d()`. It uses `dev->iobase` as the I/O port base address and `dev->private` as the pointer to the COMEDI device's private data structure. `dev->iobase` may still be set to its initial value of 0, which would result in undesired writes to low I/O port addresses. `dev->private` may still be `NULL`, which would result in null pointer dereferences.
Fix `atmio16d_detach()` by checking that `dev->private` is valid (non-null) before calling `reset_atmio16d()`. This implies that `dev->iobase` was set correctly since that is set up before `dev->private`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31749
CVE-2026-31750 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
comedi: runflags cannot determine whether to reclaim chanlist
syzbot reported a memory leak [1], because commit 4e1da516debb ("comedi: Add reference counting for Comedi command handling") did not consider the exceptional exit case in do_cmd_ioctl() where runflags is not set. This caused chanlist not to be properly freed by do_become_nonbusy(), as it only frees chanlist when runflags is correctly set.
Added a check in do_become_nonbusy() for the case where runflags is not set, to properly free the chanlist memory.
[1]
BUG: memory leak
  backtrace (crc 844a0efa):
    __comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline]
    do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890
    do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31750
CVE-2026-31751 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
comedi: dt2815: add hardware detection to prevent crash
The dt2815 driver crashes when attached to I/O ports without actual hardware present. This occurs because syzkaller or users can attach the driver to arbitrary I/O addresses via COMEDI_DEVCONFIG ioctl.
When no hardware exists at the specified port, inb() operations return 0xff (floating bus), but outb() operations can trigger page faults due to undefined behavior, especially under race conditions:
  BUG: unable to handle page fault for address: 000000007fffff90
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  RIP: 0010:dt2815_attach+0x6e0/0x1110
Add hardware detection by reading the status register before attempting any write operations. If the read returns 0xff, assume no hardware is present and fail the attach with -ENODEV. This prevents crashes from outb() operations on non-existent hardware.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31751
CVE-2026-31752 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
bridge: br_nd_send: validate ND option lengths
br_nd_send() walks ND options according to option-provided lengths. A malformed option can make the parser advance beyond the computed option span or use a too-short source LLADDR option payload.
Validate option lengths against the remaining NS option area before advancing, and only read source LLADDR when the option is large enough for an Ethernet address.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31752
CVE-2026-31753 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
auxdisplay: line-display: fix NULL dereference in linedisp_release
linedisp_release() currently retrieves the enclosing struct linedisp via to_linedisp(). That lookup depends on the attachment list, but the attachment may already have been removed before put_device() invokes the release callback. This can happen in linedisp_unregister(), and can also be reached from some linedisp_register() error paths.
In that case, to_linedisp() returns NULL and linedisp_release() dereferences it while freeing the display resources.
The struct device released here is the embedded linedisp->dev used by linedisp_register(), so retrieve the enclosing object directly with container_of() instead.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31753
CVE-2026-31754 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: cdns3: gadget: fix state inconsistency on gadget init failure
When cdns3_gadget_start() fails, the DRD hardware is left in gadget mode while software state remains INACTIVE, creating hardware/software state inconsistency.
When switching to host mode via sysfs:
  echo host > /sys/class/usb_role/13180000.usb-role-switch/role
The role state is not set to CDNS_ROLE_STATE_ACTIVE due to the error, so cdns_role_stop() skips cleanup because state is still INACTIVE. This violates the DRD controller design specification (Figure22), which requires returning to idle state before switching roles.
This leads to a synchronous external abort in xhci_gen_setup() when setting up the host controller:
[ 516.440698] configfs-gadget 13180000.usb: failed to start g1: -19
[ 516.442035] cdns-usb3 13180000.usb: Failed to add gadget
[ 516.443278] cdns-usb3 13180000.usb: set role 2 has failed
...
[ 1301.375722] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller
[ 1301.377716] Internal error: synchronous external abort: 96000010 [#1] PREEMPT SMP
[ 1301.382485] pc : xhci_gen_setup+0xa4/0x408
[ 1301.393391] backtrace:
  ...
  xhci_gen_setup+0xa4/0x408 <-- CRASH
  xhci_plat_setup+0x44/0x58
  usb_add_hcd+0x284/0x678
  ...
  cdns_role_set+0x9c/0xbc <-- Role switch
Fix by calling cdns_drd_gadget_off() in the error path to properly clean up the DRD gadget state.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31754
CVE-2026-31755 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: cdns3: gadget: fix NULL pointer dereference in ep_queue
When the gadget endpoint is disabled or not yet configured, the ep->desc pointer can be NULL. This leads to a NULL pointer dereference when __cdns3_gadget_ep_queue() is called, causing a kernel crash.
Add a check to return -ESHUTDOWN if ep->desc is NULL, which is the standard return code for unconfigured endpoints.
This prevents potential crashes when ep_queue is called on endpoints that are not ready.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31755
CVE-2026-31756 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()
dwc2_gadget_exit_clock_gating() internally calls call_gadget() macro, which expects hsotg->lock to be held since it does spin_unlock/spin_lock around the gadget driver callback invocation.
However, dwc2_hsotg_udc_stop() calls dwc2_gadget_exit_clock_gating() without holding the lock. This leads to:
 - spin_unlock on a lock that is not held (undefined behavior)
 - The lock remaining held after dwc2_gadget_exit_clock_gating() returns, causing a deadlock when spin_lock_irqsave() is called later in the same function.
Fix this by acquiring hsotg->lock before calling dwc2_gadget_exit_clock_gating() and releasing it afterwards, which satisfies the locking requirement of the call_gadget() macro.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31756
CVE-2026-31757 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: misc: usbio: Fix URB memory leak on submit failure
When usb_submit_urb() fails in usbio_probe(), the previously allocated URB is never freed, causing a memory leak.
Fix this by jumping to err_free_urb label to properly release the URB on the error path.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31757
CVE-2026-31758 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: usbtmc: Flush anchored URBs in usbtmc_release
When calling usbtmc_release, pending anchored URBs must be flushed or killed to prevent use-after-free errors (e.g. in the HCD giveback path). Call usbtmc_draw_down() to allow anchored URBs to be completed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31758
CVE-2026-31759 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: ulpi: fix double free in ulpi_register_interface() error path
When device_register() fails, ulpi_register() calls put_device() on ulpi->dev.
The device release callback ulpi_dev_release() drops the OF node reference and frees ulpi, but the current error path in ulpi_register_interface() then calls kfree(ulpi) again, causing a double free.
Let put_device() handle the cleanup through ulpi_dev_release() and avoid freeing ulpi again in ulpi_register_interface().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31759
CVE-2026-31760 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
gpib: lpvo_usb: fix memory leak on disconnect
The driver iterates over the registered USB interfaces during GPIB attach and takes a reference to their USB devices until a match is found. These references are never released which leads to a memory leak when devices are disconnected.
Fix the leak by dropping the unnecessary references.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31760
CVE-2026-31761 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
iio: gyro: mpu3050: Move iio_device_register() to correct location
iio_device_register() should be at the end of the probe function to prevent race conditions.
Place iio_device_register() at the end of the probe function and place iio_device_unregister() accordingly.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31761
CVE-2026-31762 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
iio: gyro: mpu3050: Fix irq resource leak
The interrupt handler is setup but only a few lines down if iio_trigger_register() fails the function returns without properly releasing the handler.
Add cleanup goto to resolve resource leak.
Detected by Smatch:
drivers/iio/gyro/mpu3050-core.c:1128 mpu3050_trigger_probe() warn: 'irq' from request_threaded_irq() not released on lines: 1124.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31762
CVE-2026-31763 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
iio: gyro: mpu3050: Fix incorrect free_irq() variable
The handler for the IRQ part of this driver is mpu3050->trig but, in the teardown free_irq() is called with handler mpu3050.
Use correct IRQ handler when calling free_irq().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31763
CVE-2026-31764 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
iio: imu: st_lsm6dsx: Set buffer sampling frequency for accelerometer only
The st_lsm6dsx_hwfifo_odr_store() function, which is called when userspace writes the buffer sampling frequency sysfs attribute, calls st_lsm6dsx_check_odr(), which accesses the odr_table array at index `sensor->id`; since this array is only 2 entries long, an access for any sensor type other than accelerometer or gyroscope is an out-of-bounds access.
The motivation for being able to set a buffer frequency different from the sensor sampling frequency is to support use cases that need accurate event detection (which requires a high sampling frequency) while retrieving sensor data at low frequency. Since all the supported event types are generated from acceleration data only, do not create the buffer sampling frequency attribute for sensor types other than the accelerometer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31764
CVE-2026-31765 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Change AMDGPU_VA_RESERVED_TRAP_SIZE to 64KB
Currently, AMDGPU_VA_RESERVED_TRAP_SIZE is hardcoded to 8KB, while KFD_CWSR_TBA_TMA_SIZE is defined as 2 * PAGE_SIZE. On systems with 4K pages, both values match (8KB), so allocation and reserved space are consistent.
However, on 64K page-size systems, KFD_CWSR_TBA_TMA_SIZE becomes 128KB, while the reserved trap area remains 8KB. This mismatch causes the kernel to crash when running rocminfo or rccl unit tests.
Kernel attempted to read user page (2) - exploit attempt? (uid: 1001)
BUG: Kernel NULL pointer dereference on read at 0x00000002
Faulting instruction address: 0xc0000000002c8a64
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
CPU: 34 UID: 1001 PID: 9379 Comm: rocminfo Tainted: G E 6.19.0-rc4-amdgpu-00320-gf23176405700 #56 VOLUNTARY
Tainted: [E]=UNSIGNED_MODULE
Hardware name: IBM,9105-42A POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.30 (ML1060_896) hv:phyp pSeries
NIP: c0000000002c8a64 LR: c00000000125dbc8 CTR: c00000000125e730
REGS: c0000001e0957580 TRAP: 0300 Tainted: G E
MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 24008268 XER: 00000036
CFAR: c00000000125dbc4 DAR: 0000000000000002 DSISR: 40000000 IRQMASK: 1
GPR00: c00000000125d908 c0000001e0957820 c0000000016e8100 c00000013d814540
GPR04: 0000000000000002 c00000013d814550 0000000000000045 0000000000000000
GPR08: c00000013444d000 c00000013d814538 c00000013d814538 0000000084002268
GPR12: c00000000125e730 c000007e2ffd5f00 ffffffffffffffff 0000000000020000
GPR16: 0000000000000000 0000000000000002 c00000015f653000 0000000000000000
GPR20: c000000138662400 c00000013d814540 0000000000000000 c00000013d814500
GPR24: 0000000000000000 0000000000000002 c0000001e0957888 c0000001e0957878
GPR28: c00000013d814548 0000000000000000 c00000013d814540 c0000001e0957888
NIP [c0000000002c8a64] __mutex_add_waiter+0x24/0xc0
LR [c00000000125dbc8] __mutex_lock.constprop.0+0x318/0xd00
Call Trace:
0xc0000001e0957890 (unreliable)
__mutex_lock.constprop.0+0x58/0xd00
amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x6fc/0xb60 [amdgpu]
kfd_process_alloc_gpuvm+0x54/0x1f0 [amdgpu]
kfd_process_device_init_cwsr_dgpu+0xa4/0x1a0 [amdgpu]
kfd_process_device_init_vm+0xd8/0x2e0 [amdgpu]
kfd_ioctl_acquire_vm+0xd0/0x130 [amdgpu]
kfd_ioctl+0x514/0x670 [amdgpu]
sys_ioctl+0x134/0x180
system_call_exception+0x114/0x300
system_call_vectored_common+0x15c/0x2ec
This patch changes AMDGPU_VA_RESERVED_TRAP_SIZE to 64 KB and KFD_CWSR_TBA_TMA_SIZE to the AMD GPU page size. This means we reserve 64 KB for the trap in the address space, but only allocate 8 KB within it. With this approach, the allocation size never exceeds the reserved area.
(cherry picked from commit 31b8de5e55666f26ea7ece5f412b83eab3f56dbb)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31765
CVE-2026-31766 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: validate doorbell_offset in user queue creation
amdgpu_userq_get_doorbell_index() passes the user-provided doorbell_offset to amdgpu_doorbell_index_on_bar() without bounds checking. An arbitrarily large doorbell_offset can cause the calculated doorbell index to fall outside the allocated doorbell BO, potentially corrupting kernel doorbell space.
Validate that doorbell_offset falls within the doorbell BO before computing the BAR index, using u64 arithmetic to prevent overflow.
(cherry picked from commit de1ef4ffd70e1d15f0bf584fd22b1f28cbd5e2ec)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31766
CVE-2026-31767 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/dsi: Don't do DSC horizontal timing adjustments in command mode
Stop adjusting the horizontal timing values based on the compression ratio in command mode. Bspec seems to be telling us to do this only in video mode, and this is also how the Windows driver does things.
This should also fix a div-by-zero on some machines because the adjusted htotal ends up being so small that we end up with line_time_us==0 when trying to determine the vtotal value in command mode.
Note that this doesn't actually make the display on the Huawei Matebook E work, but at least the kernel no longer explodes when the driver loads.
(cherry picked from commit 0b475e91ecc2313207196c6d7fd5c53e1a878525)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31767
CVE-2026-31768 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
iio: adc: ti-adc161s626: use DMA-safe memory for spi_read()
Add a DMA-safe buffer and use it for spi_read() instead of a stack memory. All SPI buffers must be DMA-safe.
Since we only need up to 3 bytes, we just use a u8[] instead of __be16 and __be32 and change the conversion functions appropriately.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31768
CVE-2026-31769 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
gpib: fix use-after-free in IO ioctl handlers
The IBRD, IBWRT, IBCMD, and IBWAIT ioctl handlers use a gpib_descriptor pointer after board->big_gpib_mutex has been released. A concurrent IBCLOSEDEV ioctl can free the descriptor via close_dev_ioctl() during this window, causing a use-after-free.
The IO handlers (read_ioctl, write_ioctl, command_ioctl) explicitly release big_gpib_mutex before calling their handler. wait_ioctl() is called with big_gpib_mutex held, but ibwait() releases it internally when wait_mask is non-zero. In all four cases, the descriptor pointer obtained from handle_to_descriptor() becomes unprotected.
Fix this by introducing a kernel-only descriptor_busy reference count in struct gpib_descriptor. Each handler atomically increments descriptor_busy under file_priv->descriptors_mutex before releasing the lock, and decrements it when done. close_dev_ioctl() checks descriptor_busy under the same lock and rejects the close with -EBUSY if the count is non-zero.
A reference count rather than a simple flag is necessary because multiple handlers can operate on the same descriptor concurrently (e.g. IBRD and IBWAIT on the same handle from different threads).
A separate counter is needed because io_in_progress can be cleared from unprivileged userspace via the IBWAIT ioctl (through general_ibstatus() with set_mask containing CMPL), which would allow an attacker to bypass a check based solely on io_in_progress. The new descriptor_busy counter is only modified by the kernel IO paths.
The lock ordering is consistent (big_gpib_mutex -> descriptors_mutex) and the handlers only hold descriptors_mutex briefly during the lookup, so there is no deadlock risk and no impact on IO throughput.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31769
CVE-2026-31770 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (occ) Fix division by zero in occ_show_power_1()
In occ_show_power_1() case 1, the accumulator is divided by update_tag without checking for zero. If no samples have been collected yet (e.g. during early boot when the sensor block is included but hasn't been updated), update_tag is zero, causing a kernel divide-by-zero crash.
The 2019 fix in commit 211186cae14d ("hwmon: (occ) Fix division by zero issue") only addressed occ_get_powr_avg() used by occ_show_power_2() and occ_show_power_a0(). This separate code path in occ_show_power_1() was missed.
Fix this by reusing the existing occ_get_powr_avg() helper, which already handles the zero-sample case and uses mul_u64_u32_div() to multiply before dividing for better precision. Move the helper above occ_show_power_1() so it is visible at the call site.
[groeck: Fix alignment problems reported by checkpatch]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31770
CVE-2026-31771 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: move wake reason storage into validated event handlers
hci_store_wake_reason() is called from hci_event_packet() immediately after stripping the HCI event header but before hci_event_func() enforces the per-event minimum payload length from hci_ev_table. This means a short HCI event frame can reach bacpy() before any bounds check runs.
Rather than duplicating skb parsing and per-event length checks inside hci_store_wake_reason(), move wake-address storage into the individual event handlers after their existing event-length validation has succeeded. Convert hci_store_wake_reason() into a small helper that only stores an already-validated bdaddr while the caller holds hci_dev_lock(). Use the same helper after hci_event_func() with a NULL address to preserve the existing unexpected-wake fallback semantics when no validated event handler records a wake address.
Annotate the helper with __must_hold(&hdev->lock) and add lockdep_assert_held(&hdev->lock) so future call paths keep the lock contract explicit.
Call the helper from hci_conn_request_evt(), hci_conn_complete_evt(), hci_sync_conn_complete_evt(), le_conn_complete_evt(), hci_le_adv_report_evt(), hci_le_ext_adv_report_evt(), hci_le_direct_adv_report_evt(), hci_le_pa_sync_established_evt(), and hci_le_past_received_evt().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31771
CVE-2026-31772 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync
hci_le_big_create_sync() uses DEFINE_FLEX to allocate a struct hci_cp_le_big_create_sync on the stack with room for 0x11 (17) BIS entries. However, conn->num_bis can hold up to HCI_MAX_ISO_BIS (31) entries — validated against ISO_MAX_NUM_BIS (0x1f) in the caller hci_conn_big_create_sync(). When conn->num_bis is between 18 and 31, the memcpy that copies conn->bis into cp->bis writes up to 14 bytes past the stack buffer, corrupting adjacent stack memory.
This is trivially reproducible: binding an ISO socket with bc_num_bis = ISO_MAX_NUM_BIS (31) and calling listen() will eventually trigger hci_le_big_create_sync() from the HCI command sync worker, causing a KASAN-detectable stack-out-of-bounds write:
  BUG: KASAN: stack-out-of-bounds in hci_le_big_create_sync+0x256/0x3b0
  Write of size 31 at addr ffffc90000487b48 by task kworker/u9:0/71
Fix this by changing the DEFINE_FLEX count from the incorrect 0x11 to HCI_MAX_ISO_BIS, which matches the maximum number of BIS entries that conn->bis can actually carry.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31772
CVE-2026-31773 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SMP: derive legacy responder STK authentication from MITM state
The legacy responder path in smp_random() currently labels the stored STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH. That reflects what the local service requested, not what the pairing flow actually achieved.
For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear and the resulting STK should remain unauthenticated even if the local side requested HIGH security. Use the established MITM state when storing the responder STK so the key metadata matches the pairing result.
This also keeps the legacy path aligned with the Secure Connections code, which already treats JUST_WORKS/JUST_CFM as unauthenticated.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31773
CVE-2026-31774 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()
sqe->len is __u32 but gets stored into sr->len which is int. When userspace passes sqe->len values exceeding INT_MAX (e.g. 0xFFFFFFFF), sr->len overflows to a negative value. This negative value propagates through the bundle recv/send path:
  1. io_recv(): sel.val = sr->len (ssize_t gets -1)
  2. io_recv_buf_select(): arg.max_len = sel->val (size_t gets 0xFFFFFFFFFFFFFFFF)
  3. io_ring_buffers_peek(): buf->len is not clamped because max_len is astronomically large
  4. iov[].iov_len = 0xFFFFFFFF flows into io_bundle_nbufs()
  5. io_bundle_nbufs(): min_t(int, 0xFFFFFFFF, ret) yields -1, causing ret to increase instead of decrease, creating an infinite loop that reads past the allocated iov[] array
This results in a slab-out-of-bounds read in io_bundle_nbufs() from the kmalloc-64 slab, as nbufs increments past the allocated iovec entries.
  BUG: KASAN: slab-out-of-bounds in io_bundle_nbufs+0x128/0x160
  Read of size 8 at addr ffff888100ae05c8 by task exp/145
  Call Trace:
   io_bundle_nbufs+0x128/0x160
   io_recv_finish+0x117/0xe20
   io_recv+0x2db/0x1160
Fix this by rejecting negative sr->len values early in both io_sendmsg_prep() and io_recvmsg_prep(). Since sqe->len is __u32, any value > INT_MAX indicates overflow and is not a valid length.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31774
CVE-2026-31775 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ALSA: ctxfi: Don't enumerate SPDIF1 at DAIO initialization
The recent refactoring of xfi driver changed the assignment of atc->daios[] at atc_get_resources(); now it loops over all enum DAIOTYP entries while it looped formerly only a part of them. The problem is that the last entry, SPDIF1, is a special type that is used only for hw20k1 CTSB073X model (as a replacement of SPDIFIO), and there is no corresponding definition for hw20k2. Due to the lack of the info, it caused a kernel crash on hw20k2, which was already worked around by the commit b045ab3dff97 ("ALSA: ctxfi: Fix missing SPDIFI1 index handling").
This patch addresses the root cause of the regression above properly, simply by skipping the incorrect SPDIF1 type in the parser loop.
For making the change clearer, the code is slightly arranged, too.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31775
CVE-2026-31776 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ALSA: ctxfi: Fix missing SPDIFI1 index handling
SPDIF1 DAIO type isn't properly handled in daio_device_index() for hw20k2, and it returned -EINVAL, which ended up with the out-of-bounds array access. Follow the hw20k1 pattern and return the proper index for this type, too.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31776
CVE-2026-31777 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ALSA: ctxfi: Check the error for index mapping
The ctxfi driver blindly assumed a proper value returned from daio_device_index(), but it's not always true. Add a proper error check to deal with the error from the function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31777
CVE-2026-31778 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ALSA: caiaq: fix stack out-of-bounds read in init_card
The loop creates a whitespace-stripped copy of the card shortname where `len < sizeof(card->id)` is used for the bounds check. Since sizeof(card->id) is 16 and the local id buffer is also 16 bytes, writing 16 non-space characters fills the entire buffer, overwriting the terminating nullbyte.
When this non-null-terminated string is later passed to snd_card_set_id() -> copy_valid_id_string(), the function scans forward with `while (*nid && ...)` and reads past the end of the stack buffer, reading the contents of the stack.
A USB device with a product name containing many non-ASCII, non-space characters (e.g. multibyte UTF-8) will reliably trigger this as follows:
  BUG: KASAN: stack-out-of-bounds in copy_valid_id_string sound/core/init.c:696 [inline]
  BUG: KASAN: stack-out-of-bounds in snd_card_set_id_no_lock+0x698/0x74c sound/core/init.c:718
The off-by-one has been present since commit bafeee5b1f8d ("ALSA: snd_usb_caiaq: give better shortname") from June 2009 (v2.6.31-rc1), which first introduced this whitespace-stripping loop. The original code never accounted for the null terminator when bounding the copy.
Fix this by changing the loop bound to `sizeof(card->id) - 1`, ensuring at least one byte remains as the null terminator.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31778
CVE-2026-31779 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()
The memcpy function assumes the dynamic array notif->matches is at least as large as the number of bytes to copy. Otherwise, results->matches may contain unwanted data. To guarantee safety, extend the validation in one of the checks to ensure sufficient packet length.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31779
CVE-2026-31780 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation
The variable valuesize is declared as u8 but accumulates the total length of all SSIDs to scan. Each SSID contributes up to 33 bytes (IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10) SSIDs the total can reach 330, which wraps around to 74 when stored in a u8.
This causes kmalloc to allocate only 75 bytes while the subsequent memcpy writes up to 331 bytes into the buffer, resulting in a 256-byte heap buffer overflow.
Widen valuesize from u8 to u32 to accommodate the full range.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31780
CVE-2026-31781 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/ioc32: stop speculation on the drm_compat_ioctl path
The drm compat ioctl path takes a user controlled pointer, and then dereferences it into a table of function pointers, the signature method of spectre problems. Fix this up by calling array_index_nospec() on the index to the function pointer list.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31781
CVE-2026-31782 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
perf/x86: Fix potential bad container_of in intel_pmu_hw_config
Auto counter reload may have a group of events with software events present within it. The software event PMU isn't the x86_hybrid_pmu and a container_of operation in intel_pmu_set_acr_caused_constr (via the hybrid helper) could cause out of bound memory reads. Avoid this by guarding the call to intel_pmu_set_acr_caused_constr with an is_x86_event check.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31782
CVE-2026-31783 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
spi: amlogic: spifc-a4: unregister ECC engine on probe failure and remove() callback
aml_sfc_probe() registers the on-host NAND ECC engine, but teardown was missing from both probe unwind and remove-time cleanup. Add a devm cleanup action after successful registration so nand_ecc_unregister_on_host_hw_engine() runs automatically on probe failures and during device removal.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31783
CVE-2026-31784 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/pxp: Clear restart flag in pxp_start after jumping back
If we don't clear the flag we'll keep jumping back at the beginning of the function once we reach the end.
(cherry picked from commit 0850ec7bb2459602351639dccf7a68a03c9d1ee0)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31784
CVE-2026-31785 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/xe_pagefault: Disallow writes to read-only VMAs
The page fault handler should reject write/atomic access to read only VMAs. Add code to handle this in xe_pagefault_service after the VMA lookup.
v2:
- Apply max line length (Matthew)
(cherry picked from commit 714ee6754ac5fa3dc078856a196a6b124cd797a0)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-31785
CVE-2026-31786 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Buffer overflow in drivers/xen/sys-hypervisor.c
The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is neither NUL terminated nor a string.
The first causes a buffer overflow as sprintf in buildid_show will read and copy till it finds a NUL.
00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
00000017
So use a memcpy instead of sprintf to have the correct value:
00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
00000010 b9 a8 01 42 |...B|
00000014
(the above have a hack to embed a zero inside and check it's returned correctly).
This is XSA-485 / CVE-2026-31786
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 11:16:00 UTC
CVE-2026-31786
CVE-2026-31787 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xen/privcmd: fix double free via VMA splitting
privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the VMA via __split_vma(). Since may_split is NULL, the split is allowed. vm_area_dup() copies vm_private_data (a pages array allocated in alloc_empty_pages()) into the new VMA without any fixup, because there is no .open callback.
Both VMAs now point to the same pages array. When the unmapped portion is closed, privcmd_close() calls:
 - xen_unmap_domain_gfn_range()
 - xen_free_unpopulated_pages()
 - kvfree(pages)
The surviving VMA still holds the dangling pointer. When it is later destroyed, the same sequence runs again, which leads to a double free.
Fix this issue by adding a .may_split callback denying the VMA split.
This is XSA-487 / CVE-2026-31787
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 11:16:00 UTC
CVE-2026-31787
CVE-2026-31789 on Ubuntu 26.04 LTS (resolute) - low
Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms.
Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior.
If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow.
Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Update Instructions:
Run `sudo pro fix CVE-2026-31789` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu3
openssl - 3.5.5-1ubuntu3
openssl-provider-legacy - 3.5.5-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-04-07
2026-04-07
Quoc Tran
[https://ubuntu.com/security/notices/USN-8155-1]
CVE-2026-31789
CVE-2026-31790 on Ubuntu 26.04 LTS (resolute) - medium
Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.
Update Instructions:
Run `sudo pro fix CVE-2026-31790` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libssl3t64 - 3.5.5-1ubuntu3
openssl - 3.5.5-1ubuntu3
openssl-provider-legacy - 3.5.5-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07
2026-04-07
Simo Sorce
[https://ubuntu.com/security/notices/USN-8155-1]
CVE-2026-31790
CVE-2026-31802 on Ubuntu 26.04 LTS (resolute) - medium
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 07:44:00 UTC
CVE-2026-31802
CVE-2026-31826 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. Prior to 6.8.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length inside the stream. This vulnerability is fixed in 6.8.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-10 22:16:00 UTC
CVE-2026-31826
CVE-2026-3184 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 19:17:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2442570
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129313
CVE-2026-3184
CVE-2026-31842 on Ubuntu 26.04 LTS (resolute) - medium
Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 12:16:00 UTC
https://github.com/tinyproxy/tinyproxy/issues/604
CVE-2026-31842
CVE-2026-31853 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-16 and 6.9.13-41, an overflow on 32-bit systems can cause a crash in the SFW decoder when processing extremely large images. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-11 17:16:00 UTC
CVE-2026-31853
CVE-2026-31870 on Ubuntu 26.04 LTS (resolute) - medium
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API (httplib::stream::Get, httplib::stream::Post, etc.), the library calls std::stoull() directly on the Content-Length header value received from the server with no input validation and no exception handling. std::stoull throws std::invalid_argument for non-numeric strings and std::out_of_range for values exceeding ULLONG_MAX. Since nothing catches these exceptions, the C++ runtime calls std::terminate(), which kills the process with SIGABRT. Any server the client connects to — including servers reached via HTTP redirects, third-party APIs, or man-in-the-middle positions can crash the client application with a single HTTP response. No authentication is required. No interaction from the end user is required. The crash is deterministic and immediate. This vulnerability is fixed in 0.37.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-11 18:16:00 UTC
CVE-2026-31870
CVE-2026-31891 on Ubuntu 26.04 LTS (resolute) - medium
Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly accessible or reachable by untrusted users may be vulnerable, and attackers in possession of a valid read-only API key (the lowest privilege level) can exploit this vulnerability — no admin access is required. An attacker can inject arbitrary SQL via unsanitized field names in aggregation queries, bypass the `_state=1` published-content filter to access unpublished or restricted content, and extract unauthorized data from the underlying SQLite content database. This vulnerability has been patched in version 2.13.5. The fix applies the same field-name sanitization introduced in v2.13.3 for `toJsonPath()` to the `toJsonExtractRaw()` method in `lib/MongoLite/Aggregation/Optimizer.php`, closing the injection vector in the Aggregation Optimizer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 04:17:00 UTC
CVE-2026-31891
CVE-2026-31899 on Ubuntu 26.04 LTS (resolute) - medium
CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to Kozea/CairoSVG has exponential denial of service via recursive <use> element amplification in cairosvg/defs.py. This causes CPU exhaustion from a small input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-13 19:54:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130748
CVE-2026-31899
CVE-2026-31900 on Ubuntu 26.04 LTS (resolute) - medium
Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-11 20:16:00 UTC
CVE-2026-31900
CVE-2026-31931 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the "tls.alpn" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 14:16:00 UTC
CVE-2026-31931
CVE-2026-31932 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, inefficiency in KRB5 buffering can lead to performance degradation. This issue has been patched in versions 7.0.15 and 8.0.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 14:16:00 UTC
CVE-2026-31932
CVE-2026-31933 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, specially crafted traffic can cause Suricata to slow down, affecting performance in IDS mode. This issue has been patched in versions 7.0.15 and 8.0.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 14:16:00 UTC
CVE-2026-31933
CVE-2026-31934 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, there is a quadratic complexity issue when searching for URLs in mime encoded messages over SMTP leading to a performance impact. This issue has been patched in version 8.0.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 15:16:00 UTC
CVE-2026-31934
CVE-2026-31935 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of crafted HTTP2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. This issue has been patched in versions 7.0.15 and 8.0.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 15:16:00 UTC
CVE-2026-31935
CVE-2026-31937 on Ubuntu 26.04 LTS (resolute) - medium
Suricata is a network IDS, IPS and NSM engine. Prior to version 7.0.15, inefficiency in DCERPC buffering can lead to a performance degradation. This issue has been patched in version 7.0.15.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 15:16:00 UTC
CVE-2026-31937
CVE-2026-3195 on Ubuntu 26.04 LTS (resolute) - medium
two potential OOB memory accesses in virtio-snd
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-03
2026-03-03
fabian
[https://ubuntu.com/security/notices/USN-8161-1]
CVE-2026-3195
CVE-2026-31958 on Ubuntu 26.04 LTS (resolute) - medium
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
Update Instructions:
Run `sudo pro fix CVE-2026-31958` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-tornado - 6.5.4-0.1ubuntu0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-11 20:16:00 UTC
2026-03-11 20:16:00 UTC
[https://ubuntu.com/security/notices/USN-8198-1]
[https://ubuntu.com/security/notices/USN-8198-2]
CVE-2026-31958
CVE-2026-3196 on Ubuntu 26.04 LTS (resolute) - medium
two potential OOB memory accesses in virtio-snd
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-03
2026-03-03
fabian
[https://ubuntu.com/security/notices/USN-8161-1]
CVE-2026-3196
CVE-2026-31962 on Ubuntu 26.04 LTS (resolute) - medium
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the `cram_decode_seq()` did not handle this correctly in some cases. Where this happened it could result in reading a single byte from beyond the end of a heap allocation, followed by writing a single attacker-controlled byte to the same location. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 18:16:00 UTC
CVE-2026-31962
CVE-2026-31963 on Ubuntu 26.04 LTS (resolute) - medium
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses reference-based compression so that instead of storing the full sequence for each alignment record it stores a location in an external reference sequence along with a list of differences to the reference at that location as a sequence of "features". When decoding these features, an out-by-one error in a test for CRAM features that appear beyond the extent of the CRAM record sequence could result in an invalid write of one attacker-controlled byte beyond the end of a heap buffer. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 19:16:00 UTC
CVE-2026-31963
CVE-2026-31964 on Ubuntu 26.04 LTS (resolute) - medium
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. While most alignment records store DNA sequence and quality values, the format also allows them to omit this data in certain cases to save space. Due to some quirks of the CRAM format, it is necessary to handle these records carefully as they will actually store data that needs to be consumed and then discarded. Unfortunately the `CONST`, `XPACK` and `XRLE` encodings did not properly implement the interface needed to do this. Trying to decode records with omitted sequence or quality data using these encodings would result in an attempt to write to a NULL pointer. Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 19:16:00 UTC
CVE-2026-31964
CVE-2026-31965 on Ubuntu 26.04 LTS (resolute) - medium
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function called while reading CRAM records, validation of the reference id field occurred too late, allowing two out of bounds reads to occur before the invalid data was detected. The bug does allow two values to be leaked to the caller, however as the function reports an error it may be difficult to exploit them. It is also possible that the program will crash due to trying to access invalid memory. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 19:16:00 UTC
CVE-2026-31965
CVE-2026-31966 on Ubuntu 26.04 LTS (resolute) - medium
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. As one method of removing redundant data, CRAM uses reference-based compression so that instead of storing the full sequence for each alignment record it stores a location in an external reference sequence along with a list of differences to the reference at that location as a sequence of "features". When decoding CRAM records, the reference data is stored in a char array, and parts matching the alignment record sequence are copied over as necessary. Due to insufficient validation of the feature data series, it was possible to make the `cram_decode_seq()` function copy data from either before the start, or after the end of the stored reference either into the buffer used to store the output sequence for the cram record, or into the buffer used to build the SAM `MD` tag. This allowed arbitrary data to be leaked to the calling function. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 20:16:00 UTC
CVE-2026-31966
CVE-2026-31967 on Ubuntu 26.04 LTS (resolute) - medium
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the `cram_decode_slice()` function called while reading CRAM records, the value of the mate reference id field was not validated. Later use of this value, for example when converting the data to SAM format, could result in the out of bounds array reads when looking up the corresponding reference name. If the array value obtained also happened to be a valid pointer, it would be interpreted as a string and an attempt would be made to write the data as part of the SAM record. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 20:16:00 UTC
CVE-2026-31967
CVE-2026-31968 on Ubuntu 26.04 LTS (resolute) - medium
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. For the `VARINT` and `CONST` encodings, incomplete validation of the context in which the encodings were used could result in up to eight bytes being written beyond the end of a heap allocation, or up to eight bytes being written to the location of a one byte variable on the stack, possibly causing the values to adjacent variables to change unexpectedly. Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 20:16:00 UTC
CVE-2026-31968
CVE-2026-31969 on Ubuntu 26.04 LTS (resolute) - medium
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_STOP` method, an out-by-one error in the `cram_byte_array_stop_decode_char()` function check for a full output buffer could result in a single attacker-controlled byte being written beyond the end of a heap allocation. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 20:16:00 UTC
CVE-2026-31969
CVE-2026-31970 on Ubuntu 26.04 LTS (resolute) - medium
HTSlib is a library for reading and writing bioinformatics file formats. GZI files are used to index block-compressed GZIP [BGZF] files. In the GZI loading function, `bgzf_index_load_hfile()`, it was possible to trigger an integer overflow, leading to an under- or zero-sized buffer being allocated to store the index. Sixteen zero bytes would then be written to this buffer, and, depending on the result of the overflow the rest of the file may also be loaded into the buffer as well. If the function did attempt to load the data, it would eventually fail due to not reading the expected number of records, and then try to free the overflowed heap buffer. Exploiting this bug causes a heap buffer overflow. If a user opens a file crafted to exploit this issue, it could lead to the program crashing, or overwriting of data and heap structures in ways not expected by the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. The easiest work-around is to discard any `.gzi` index files from untrusted sources, and use the `bgzip -r` option to recreate them.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 20:16:00 UTC
CVE-2026-31970
CVE-2026-31971 on Ubuntu 26.04 LTS (resolute) - medium
HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data using a variety of encodings and compression methods. When reading data encoded using the `BYTE_ARRAY_LEN` method, the `cram_byte_array_len_decode()` failed to validate that the amount of data being unpacked matched the size of the output buffer where it was to be stored. Depending on the data series being read, this could result either in a heap or a stack overflow with attacker-controlled bytes. Depending on the data stream this could result either in a heap buffer overflow or a stack overflow. If a user opens a file crafted to exploit this issue it could lead to the program crashing, overwriting of data structures on the heap or stack in ways not expected by the program, or changing the control flow of the program. It may be possible to use this to obtain arbitrary code execution. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 20:16:00 UTC
CVE-2026-31971
CVE-2026-31972 on Ubuntu 26.04 LTS (resolute) - medium
SAMtools is a program for reading, manipulating and writing bioinformatics file formats. The `mpileup` command outputs DNA sequences that have been aligned against a known reference. On each output line it writes the reference position, optionally the reference DNA base at that position (obtained from a separate file) and all of the DNA bases that aligned to that position. As the output is ordered by position, reference data that is no longer needed is discarded once it has been printed out. Under certain conditions the data could be discarded too early, leading to an attempt to read from a pointer to freed memory. This bug may allow information about program state to be leaked. It may also cause a program crash through an attempt to access invalid memory. This bug is fixed in versions 1.21.1 and 1.22. There is no workaround for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 21:16:00 UTC
CVE-2026-31972
CVE-2026-31973 on Ubuntu 26.04 LTS (resolute) - medium
SAMtools is a program for reading, manipulating and writing bioinformatics file formats. Starting in version 1.17, in the cram-size command, used to write information about how well CRAM files are compressed, a check to see if the `cram_decode_compression_header()` was missing. If the function returned an error, this could lead to a NULL pointer dereference. Exploiting this bug causes a NULL pointer dereference. Typically this will cause the program to crash. Versions 1.23.1, 1.22.2 and 1.21.1 include fixes for this issue. There is no workaround for this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 21:16:00 UTC
CVE-2026-31973
CVE-2026-31988 on Ubuntu 26.04 LTS (resolute) - medium
yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field. This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-11 23:16:00 UTC
CVE-2026-31988
CVE-2026-3201 on Ubuntu 26.04 LTS (resolute) - medium
USB HID protocol dissector memory exhaustion in Wireshark 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-25 15:20:00 UTC
https://gitlab.com/wireshark/wireshark/-/issues/20972
CVE-2026-3201
CVE-2026-3202 on Ubuntu 26.04 LTS (resolute) - medium
NTS-KE protocol dissector crash in Wireshark 4.6.0 to 4.6.3 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-25 15:20:00 UTC
https://gitlab.com/wireshark/wireshark/-/issues/21000
CVE-2026-3202
CVE-2026-3203 on Ubuntu 26.04 LTS (resolute) - medium
RF4CE Profile protocol dissector crash in Wireshark 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-25 15:20:00 UTC
https://gitlab.com/wireshark/wireshark/-/issues/21009
CVE-2026-3203
CVE-2026-32105 on Ubuntu 26.04 LTS (resolute) - medium
xrdp is an open source RDP server. In versions through 0.10.5, xrdp does not implement verification for the Message Authentication Code (MAC) signature of encrypted RDP packets when using the "Classic RDP Security" layer. While the sender correctly generates signatures, the receiving logic lacks the necessary implementation to validate the 8-byte integrity signature, causing it to be silently ignored. An unauthenticated attacker with man-in-the-middle (MITM) capabilities can exploit this missing check to modify encrypted traffic in transit without detection. It does not affect connections where the TLS security layer is enforced. This issue has been fixed in version 0.10.6. If users are unable to immediately upgrade, they should configure xrdp.ini to enforce TLS security (security_layer=tls) to ensure end-to-end integrity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134339
CVE-2026-32105
CVE-2026-32107 on Ubuntu 26.04 LTS (resolute) - medium
xrdp is an open source RDP server. In versions through 0.10.5, the session execution component did not properly handle an error during the privilege drop process. This improper privilege management could allow an authenticated local attacker to escalate privileges to root and execute arbitrary code on the system. An additional exploit would be needed to facilitate this. This issue has been fixed in version 0.10.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134339
CVE-2026-32107
CVE-2026-32116 on Ubuntu 26.04 LTS (resolute) - medium
Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This could be used to compromise the receiver's computer. Only the sender of the file (the party who runs wormhole send) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol. This vulnerability is fixed in 0.23.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 18:16:00 UTC
CVE-2026-32116
CVE-2026-32141 on Ubuntu 26.04 LTS (resolute) - medium
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 18:16:00 UTC
CVE-2026-32141
CVE-2026-32144 on Ubuntu 26.04 LTS (resolute) - medium
Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid. This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context. This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3. This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 13:16:00 UTC
CVE-2026-32144
CVE-2026-32147 on Ubuntu 26.04 LTS (resolute) - medium
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to modify file attributes outside the configured chroot directory. The SFTP daemon (ssh_sftpd) stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When SSH_FXP_FSETSTAT is issued on such a handle, file attributes (permissions, ownership, timestamps) are modified on the real filesystem path, bypassing the root directory boundary entirely. Any authenticated SFTP user on a server configured with the root option can modify file attributes of files outside the intended chroot boundary. The prerequisite is that a target file must exist on the real filesystem at the same relative path. Note that this vulnerability only allows modification of file attributes; file contents cannot be read or altered through this attack vector. If the SSH daemon runs as root, this enables direct privilege escalation: an attacker can set the setuid bit on any binary, change ownership of sensitive files, or make system configuration world-writable. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routines ssh_sftpd:do_open/4 and ssh_sftpd:handle_op/4. This issue affects OTP from OTP 17.0 until OTP 28.4.3, 27.3.4.11, and 26.2.5.20 corresponding to ssh from 3.01 until 5.5.3, 5.2.11.7, and 5.1.4.15.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 12:15:00 UTC
CVE-2026-32147
CVE-2026-32178 on Ubuntu 26.04 LTS (resolute) - medium
Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network.
Update Instructions:
Run `sudo pro fix CVE-2026-32178` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
aspnetcore-runtime-10.0 - 10.0.7-0ubuntu1~26.04.1
aspnetcore-targeting-pack-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-apphost-pack-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-host-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-hostfxr-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-runtime-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-targeting-pack-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-sdk-10.0 - 10.0.107-0ubuntu1~26.04.1
dotnet-sdk-10.0-source-built-artifacts - 10.0.107-0ubuntu1~26.04.1
dotnet-sdk-aot-10.0 - 10.0.107-0ubuntu1~26.04.1
dotnet-templates-10.0 - 10.0.107-0ubuntu1~26.04.1
dotnet10 - 10.0.107-10.0.7-0ubuntu1~26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14
2026-04-14
Ludvig Pedersen
[https://ubuntu.com/security/notices/USN-8176-1]
[https://ubuntu.com/security/notices/USN-8216-1]
CVE-2026-32178
CVE-2026-3219 on Ubuntu 26.04 LTS (resolute) - medium
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-20 16:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134492
CVE-2026-3219
CVE-2026-32203 on Ubuntu 26.04 LTS (resolute) - medium
Stack-based buffer overflow in .NET and Visual Studio allows an unauthorized attacker to deny service over a network.
Update Instructions:
Run `sudo pro fix CVE-2026-32203` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
aspnetcore-runtime-10.0 - 10.0.7-0ubuntu1~26.04.1
aspnetcore-targeting-pack-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-apphost-pack-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-host-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-hostfxr-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-runtime-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-targeting-pack-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-sdk-10.0 - 10.0.107-0ubuntu1~26.04.1
dotnet-sdk-10.0-source-built-artifacts - 10.0.107-0ubuntu1~26.04.1
dotnet-sdk-aot-10.0 - 10.0.107-0ubuntu1~26.04.1
dotnet-templates-10.0 - 10.0.107-0ubuntu1~26.04.1
dotnet10 - 10.0.107-10.0.7-0ubuntu1~26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14
2026-04-14
Ludvig Pedersen and Kevin Jones
[https://ubuntu.com/security/notices/USN-8176-1]
[https://ubuntu.com/security/notices/USN-8216-1]
CVE-2026-32203
CVE-2026-32239 on Ubuntu 26.04 LTS (resolute) - medium
Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, a negative Content-Length value was converted to unsigned, treating it as an impossibly large length instead. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 20:16:00 UTC
CVE-2026-32239
CVE-2026-32240 on Ubuntu 26.04 LTS (resolute) - medium
Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 20:16:00 UTC
CVE-2026-32240
CVE-2026-32259 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-16 and 6.9.13-41, when a memory allocation fails in the sixel encoder it would be possible to write past the end of a buffer on the stack. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 20:16:00 UTC
CVE-2026-32259
CVE-2026-32274 on Ubuntu 26.04 LTS (resolute) - medium
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 20:16:00 UTC
CVE-2026-32274
CVE-2026-32280 on Ubuntu 26.04 LTS (resolute) - medium
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-08 02:16:00 UTC
CVE-2026-32280
CVE-2026-32281 on Ubuntu 26.04 LTS (resolute) - medium
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-08 02:16:00 UTC
CVE-2026-32281
CVE-2026-32282 on Ubuntu 26.04 LTS (resolute) - medium
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-08 02:16:00 UTC
CVE-2026-32282
CVE-2026-32283 on Ubuntu 26.04 LTS (resolute) - medium
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-08 02:16:00 UTC
CVE-2026-32283
CVE-2026-32288 on Ubuntu 26.04 LTS (resolute) - medium
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-08 02:16:00 UTC
CVE-2026-32288
CVE-2026-32289 on Ubuntu 26.04 LTS (resolute) - medium
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-08 02:16:00 UTC
CVE-2026-32289
CVE-2026-3229 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability existed in the static function wolfssl_add_to_chain, that caused heap corruption when certificate data was written out of bounds of an insufficiently sized certificate buffer. wolfssl_add_to_chain is called by these API: wolfSSL_CTX_add_extra_chain_cert, wolfSSL_CTX_add1_chain_cert, wolfSSL_add0_chain_cert. These API are enabled for 3rd party compatibility features: enable-opensslall, enable-opensslextra, enable-lighty, enable-stunnel, enable-nginx, enable-haproxy. This issue is not remotely exploitable, and would require that the application context loading certificates is compromised.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 21:17:00 UTC
CVE-2026-3229
CVE-2026-3230 on Ubuntu 26.04 LTS (resolute) - medium
Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest handshake logic in wolfSSL could lead to a compromise in the confidentiality of TLS-protected communications via a crafted HelloRetryRequest followed by a ServerHello message that omits the required key_share extension, resulting in derivation of predictable traffic secrets from (EC)DHE shared secret. This issue does not affect the client's authentication of the server during TLS handshakes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 21:17:00 UTC
CVE-2026-3230
CVE-2026-32316 on Ubuntu 26.04 LTS (resolute) - medium
jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.
Update Instructions:
Run `sudo pro fix CVE-2026-32316` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
jq - 1.8.1-4ubuntu2
libjq1 - 1.8.1-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 18:16:00 UTC
2026-04-13 18:16:00 UTC
[https://ubuntu.com/security/notices/USN-8202-1]
[https://ubuntu.com/security/notices/USN-8202-2]
CVE-2026-32316
CVE-2026-32596 on Ubuntu 26.04 LTS (resolute) - medium
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 06:16:00 UTC
CVE-2026-32596
CVE-2026-3260 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like `getParameterMap()`, the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 05:16:00 UTC
CVE-2026-3260
CVE-2026-32608 on Ubuntu 26.04 LTS (resolute) - medium
Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 07:16:00 UTC
CVE-2026-32608
CVE-2026-32609 on Ubuntu 26.04 LTS (resolute) - medium
Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 15:16:00 UTC
CVE-2026-32609
CVE-2026-32610 on Ubuntu 26.04 LTS (resolute) - medium
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 17:16:00 UTC
CVE-2026-32610
CVE-2026-32611 on Ubuntu 26.04 LTS (resolute) - medium
Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 18:16:00 UTC
CVE-2026-32611
CVE-2026-32623 on Ubuntu 26.04 LTS (resolute) - medium
xrdp is an open source RDP server. Versions through 0.10.5 contain a heap-based buffer overflow vulnerability in the NeutrinoRDP module. When proxying RDP sessions from xrdp to another server, the module fails to properly validate the size of reassembled fragmented virtual channel data against its allocated memory buffer. A malicious downstream RDP server (or an attacker capable of performing a Man-in-the-Middle attack) could exploit this flaw to cause memory corruption, potentially leading to a Denial of Service (DoS) or Remote Code Execution (RCE). The NeutrinoRDP module is not built by default. This vulnerability only affects environments where the module has been explicitly compiled and enabled. Users can verify if the module is built by checking for --enable-neutrinordp in the output of the xrdp -v command. This issue has been fixed in version 0.10.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134339
CVE-2026-32623
CVE-2026-32624 on Ubuntu 26.04 LTS (resolute) - medium
xrdp is an open source RDP server. Versions through 0.10.5 contain a heap-based buffer overflow vulnerability in its logon processing. In environments where domain_user_separator is configured in xrdp.ini, an unauthenticated remote attacker can send a crafted, excessively long username and domain name to overflow the internal buffer. This can corrupt adjacent memory regions, potentially leading to a Denial of Service (DoS) or unexpected behavior. The domain_name_separator directive is commented out by default, systems are not affected by this vulnerability unless it is intentionally configured. This issue has been fixed in version 0.10.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134339
CVE-2026-32624
CVE-2026-32627 on Ubuntu 26.04 LTS (resolute) - medium
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target — expired, self-signed, or forged — without raising an error or notifying the application. A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This vulnerability is fixed in 0.37.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 14:19:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130876
CVE-2026-32627
CVE-2026-32632 on Ubuntu 26.04 LTS (resolute) - medium
Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 18:16:00 UTC
CVE-2026-32632
CVE-2026-32633 on Ubuntu 26.04 LTS (resolute) - medium
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 18:16:00 UTC
CVE-2026-32633
CVE-2026-32634 on Ubuntu 26.04 LTS (resolute) - medium
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 18:16:00 UTC
CVE-2026-32634
CVE-2026-32635 on Ubuntu 26.04 LTS (resolute) - medium
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 14:19:00 UTC
CVE-2026-32635
CVE-2026-32636 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-17 and 6.9.13-42, the NewXMLTree method contains a bug that could result in a crash due to an out of write bounds of a single zero byte. Versions 7.1.2-17 and 6.9.13-42 fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 21:16:00 UTC
2026-03-18 21:16:00 UTC
Kamil Frankowicz
[https://ubuntu.com/security/notices/USN-8127-1]
CVE-2026-32636
CVE-2026-32640 on Ubuntu 26.04 LTS (resolute) - medium
SimpleEval is a library for adding evaluatable expressions into python projects. Prior to 1.0.5, objects (including modules) can leak dangerous modules through to direct access inside the sandbox. If the objects you've passed in as names to SimpleEval have modules or other disallowed / dangerous objects available as attrs. Additionally, dangerous functions or modules could be accessed by passing them as callbacks to other safe functions to call. The latest version 1.0.5 has this issue fixed. This vulnerability is fixed in 1.0.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 14:19:00 UTC
john-breton
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130875
CVE-2026-32640
CVE-2026-32642 on Ubuntu 26.04 LTS (resolute) - medium
Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn't exist with an authenticated user which has the "createDurableQueue" permission but does not have the "createAddress" permission and address auto-creation is disabled. In this circumstance, a temporary address will be created whereas the attempt to create the non-durable subscription should instead fail since the user is not authorized to create the corresponding address. When the OpenWire connection is closed the address is removed. This issue affects Apache Artemis: from 2.50.0 through 2.52.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0. Users are recommended to upgrade to version 2.53.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 08:16:00 UTC
CVE-2026-32642
CVE-2026-32711 on Ubuntu 26.04 LTS (resolute) - medium
pydicom is a pure Python package for working with DICOM files. Versions 2.0.0-rc.1 through 3.0.1 are vulnerable to Path Traversal through a maliciously crafted DICOMDIR ReferencedFileID when it is set to a path outside the File-set root. pydicom resolves the path only to confirm that it exists, but does not verify that the resolved path remains under the File-set root. Subsequent public FileSet operations such as copy(), write(), and remove()+write(use_existing=True) use that unchecked path in file I/O operations. This allows arbitrary file read/copy and, in some flows, move/delete outside the File-set root. This issue has been fixed in version 3.0.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 02:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131492
CVE-2026-32711
CVE-2026-32722 on Ubuntu 26.04 LTS (resolute) - medium
Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 22:16:00 UTC
CVE-2026-32722
CVE-2026-32725 on Ubuntu 26.04 LTS (resolute) - medium
SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses ".." path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended directory. This issue has been patched in version 1.4.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 18:16:00 UTC
CVE-2026-32725
CVE-2026-32726 on Ubuntu 26.04 LTS (resolute) - medium
SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 18:16:00 UTC
CVE-2026-32726
CVE-2026-32738 on Ubuntu 26.04 LTS (resolute) - medium
libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 792-byte HEIF sequence file with samples_per_chunk=0 in the stsc box causes an unsigned integer underflow in the Chunk constructor (m_last_sample = 0 + 0 - 1 = UINT32_MAX), mapping all samples to an empty chunk and resulting in a denial of service. When any sample is accessed, the library reads from index 0 of an empty std::vector, causing a guaranteed SEGV (null-page read). The file parses successfully without producing an error; the crash occurs on the first frame access. This issue has been fixed in version 1.22.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 19:16:00 UTC
CVE-2026-32738
CVE-2026-32739 on Ubuntu 26.04 LTS (resolute) - medium
libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 800-byte HEIF sequence file causes an infinite loop in Box_stts::get_sample_duration(), consuming 100% CPU indefinitely with zero progress, leading to DoS. The loop has no iteration limit or timeout and is triggered during file open (parsing) - before any user interaction or image decoding. The process stays alive (no crash, no error logged), making it invisible to crash-based monitoring. This issue has been fixed in version 1.22.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 20:16:00 UTC
CVE-2026-32739
CVE-2026-32740 on Ubuntu 26.04 LTS (resolute) - medium
libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap-buffer-overflow (write) vulnerability in the grid tile compositing, allowing an attacker to write 64 bytes of fully attacker-controlled data past the end of a chroma plane heap allocation by crafting a HEIF/AVIF file with a 1×4 grid of odd-height tiles. The overflow is triggered during normal image decoding with default build configuration. The written bytes are chroma (Cb/Cr) pixel values from the attacking tile, giving the attacker full control over the overflow content. This issue has been fixed in version 1.22.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 20:16:00 UTC
CVE-2026-32740
CVE-2026-32741 on Ubuntu 26.04 LTS (resolute) - medium
libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and below contain a heap buffer overflow in MaskImageCodec::decode_mask_image(). When decoding a HEIF file containing a mask image (mski), the function copies the full iloc extent data into a pixel buffer using memcpy(dst, data.data(), data.size()). The copy length data.size() is determined by the iloc extent in the file (attacker-controlled), while the destination buffer is sized based on the declared image dimensions. Because no upper-bound check exists on the data length, a crafted file whose iloc extent exceeds the pixel buffer allocation overflows the heap. The vulnerable single-memcpy branch is reached when the mskC property specifies bits_per_pixel = 8 and the ispe property declares an even width ≥ 64 (so that stride == width), with no changes to default security limits or external codec plugins required. This issue has been fixed in version 1.22.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 21:16:00 UTC
CVE-2026-32741
CVE-2026-32746 on Ubuntu 26.04 LTS (resolute) - medium
telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-13 19:55:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130742
CVE-2026-32746
CVE-2026-32762 on Ubuntu 26.04 LTS (resolute) - medium
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 18:16:00 UTC
2026-04-02 18:16:00 UTC
[https://ubuntu.com/security/notices/USN-8182-1]
CVE-2026-32762
CVE-2026-32772 on Ubuntu 26.04 LTS (resolute) - medium
telnet in GNU inetutils through 2.7 allows servers to read arbitrary environment variables from clients via NEW_ENVIRON SEND USERVAR.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 14:19:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130741
CVE-2026-32772
CVE-2026-32775 on Ubuntu 26.04 LTS (resolute) - low
libexif through 0.6.25 has a flaw in decoding MakerNotes. If the exif_mnote_data_get_value function gets passed in a 0 size, the passed in-buffer would be overwritten due to an integer underflow.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-03-16 14:19:00 UTC
https://github.com/libexif/libexif/issues/247
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131116
CVE-2026-32775
CVE-2026-32776 on Ubuntu 26.04 LTS (resolute) - medium
libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 14:19:00 UTC
CVE-2026-32776
CVE-2026-32777 on Ubuntu 26.04 LTS (resolute) - medium
libexpat before 2.7.5 allows an infinite loop while parsing DTD content.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 14:19:00 UTC
CVE-2026-32777
CVE-2026-32778 on Ubuntu 26.04 LTS (resolute) - medium
libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 14:19:00 UTC
CVE-2026-32778
CVE-2026-32792 on Ubuntu 26.04 LTS (resolute) - medium
NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support ('--enable-dnscrypt'). A bad DNSCrypt query could underflow Unbound's DNSCrypt packet reading procedure that may lead to heap overflow. A malicious actor can exploit the vulnerability with a single bad DNSCrypt query that its decrypted plaintext consists entirely of '0x00' bytes and does not contain the expected '0x80' marker. Unbound would then start reading more bytes than necessary until it finds a non-'0x00' byte. Based on the underlying memory allocator and the memory layout, it could lead to heap overflow while reading followed by a crash. Likelihood of a crash is low, since it relies heavily on the underlying memory allocator and the memory layout. If the heap overflow does not happen, Unbound's later packet checks will deny the packet. Unbound 1.25.1 contains a patch with a fix to bound reading in the given buffer space.
Update Instructions:
Run `sudo pro fix CVE-2026-32792` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libunbound8 - 1.24.2-1ubuntu2.1
python3-unbound - 1.24.2-1ubuntu2.1
unbound - 1.24.2-1ubuntu2.1
unbound-anchor - 1.24.2-1ubuntu2.1
unbound-host - 1.24.2-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
2026-05-20
Andrew Griffiths
[https://ubuntu.com/security/notices/USN-8282-1]
CVE-2026-32792
CVE-2026-3281 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was detected in libvips 8.19.0. This affects the function vips_bandrank_build of the file libvips/conversion/bandrank.c. Performing a manipulation of the argument index results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit is now public and may be used. The patch is named fd28c5463697712cb0ab116a2c55e4f4d92c4088. It is suggested to install a patch to address this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 02:16:00 UTC
CVE-2026-3281
CVE-2026-32814 on Ubuntu 26.04 LTS (resolute) - medium
libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, when decoding a HEIF grid image with strict_decoding=false (the default), a corrupted tile silently fails to decode and the library returns heif_error_Ok with no indication of failure, leading to an uninitialized heap memory information leak. The canvas is allocated via create_clone_image_at_new_size() → plane.alloc() → new (std::nothrow) uint8_t[allocation_size] which does not zero the memory; only the alpha plane is explicitly initialized via fill_plane(), so the Y, Cb, and Cr planes contain whatever was previously at that heap address. The failed tile's region of the canvas is never written. It retains uninitialized heap data that is delivered to the caller as decoded pixel values (4,096 bytes per Y/Cb/Cr plane = 12,288+ bytes total). Any application using libheif to decode grid-based HEIF/AVIF files with default settings is vulnerable: a crafted .heic or .avif file causes 4,096+ bytes of heap memory to appear as pixel values in the decoded image, and the calling application receives heif_error_Ok, so it has no indication the output contains heap garbage. In server-side image processing, an uploaded crafted HEIF decoded and re-encoded (e.g., as PNG/JPEG for thumbnails, CDN, social media) can leak cross-user data such as auth tokens, database results, and other users' image data. This issue has been fixed in version 1.22.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 21:16:00 UTC
CVE-2026-32814
CVE-2026-3282 on Ubuntu 26.04 LTS (resolute) - medium
A flaw has been found in libvips 8.19.0. This vulnerability affects the function vips_unpremultiply_build of the file libvips/conversion/unpremultiply.c. Executing a manipulation of the argument alpha_band can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91. A patch should be applied to remediate this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 03:16:00 UTC
CVE-2026-3282
CVE-2026-3283 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in libvips 8.19.0. This issue affects the function vips_extract_band_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_band leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70. To fix this issue, it is recommended to deploy a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 03:16:00 UTC
CVE-2026-3283
CVE-2026-3284 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in libvips 8.19.0. Impacted is the function vips_extract_area_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_area results in integer overflow. The attack requires a local approach. The exploit has been made public and could be used. The patch is identified as 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70. It is advisable to implement a patch to correct this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-02-27 03:16:00 UTC
CVE-2026-3284
CVE-2026-32853 on Ubuntu 26.04 LTS (resolute) - medium
LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information disclosure or application crash. Attackers can exploit improper bounds checking in the HandleUltraZipBPP() function by manipulating subrectangle header counts to read beyond the allocated heap buffer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 18:16:00 UTC
CVE-2026-32853
CVE-2026-32854 on Ubuntu 26.04 LTS (resolute) - medium
LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause a denial of service by sending specially crafted HTTP requests. Attackers can exploit missing validation of strchr() return values in the CONNECT and GET proxy handling paths to trigger null pointer dereferences and crash the server when httpd and proxy features are enabled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 18:16:00 UTC
CVE-2026-32854
CVE-2026-32874 on Ubuntu 26.04 LTS (resolute) - medium
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks. This issue has been fixed in version 5.12.0.
Update Instructions:
Run `sudo pro fix CVE-2026-32874` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-ujson - 5.11.0-3ubuntu0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 02:16:00 UTC
2026-03-20 02:16:00 UTC
[https://ubuntu.com/security/notices/USN-8219-1]
CVE-2026-32874
CVE-2026-32875 on Ubuntu 26.04 LTS (resolute) - medium
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the indent is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service. To be vulnerable, a service must call ujson.dump()/ujson.dumps()/ujson.encode() whilst giving untrusted users control over the indent parameter and not restrict that indentation to reasonably small non-negative values. A service may also be vulnerable to the infinite loop if it uses a fixed negative indent. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. This issue has been fixed in version 5.12.0.
Update Instructions:
Run `sudo pro fix CVE-2026-32875` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-ujson - 5.11.0-3ubuntu0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 02:16:00 UTC
2026-03-20 02:16:00 UTC
[https://ubuntu.com/security/notices/USN-8219-1]
CVE-2026-32875
CVE-2026-32877 on Ubuntu 26.04 LTS (resolute) - medium
Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 21:17:00 UTC
CVE-2026-32877
CVE-2026-32882 on Ubuntu 26.04 LTS (resolute) - medium
libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing an overlay image (iovl) whose child image has a different bit depth for the alpha channel than for the color channels, the function indexes into the alpha plane using the color channel stride (in_stride) instead of the previously retrieved alpha_stride, causing reads past the end of the alpha buffer (up to 3,123 bytes for a 100×50 image with 10-bit color and 8-bit alpha). A crafted HEIF file can exploit this to cause a denial of service (crash) or potentially disclose adjacent heap memory through leaked bytes embedded in the decoded output pixels. This issue has been fixed in version 1.22.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 21:16:00 UTC
CVE-2026-32882
CVE-2026-32883 on Ubuntu 26.04 LTS (resolute) - medium
Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verifying the signature of the OCSP response itself. This issue has been patched in version 3.11.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 21:17:00 UTC
CVE-2026-32883
CVE-2026-32884 on Ubuntu 26.04 LTS (resolute) - medium
Botan is a C++ cryptography library. Prior to version 3.11.0, during processing of an X.509 certificate path using name constraints which restrict the set of allowable DNS names, if no subject alternative name is defined in the end-entity certificate Botan would check that the CN was allowed by the DNS name constraints, even though this check is technically not required by RFC 5280. However this check failed to account for the possibility of a mixed-case CN. Thus a certificate with CN=Sub.EVIL.COM and no subject alternative name would bypass an excludedSubtrees constraint for evil.com because the comparison is case-sensitive. This issue has been patched in version 3.11.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 21:17:00 UTC
CVE-2026-32884
CVE-2026-32935 on Ubuntu 26.04 LTS (resolute) - medium
phpseclib is a PHP secure communications library. Projects using versions 0.1.1 through 1.0.26, 2.0.0 through 2.0.51, and 3.0.0 through 3.0.49 are vulnerable to a padding oracle timing attack when using AES in CBC mode. This issue has been fixed in versions 1.0.27, 2.0.52 and 3.0.50.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 03:16:00 UTC
CVE-2026-32935
CVE-2026-3298 on Ubuntu 26.04 LTS (resolute) - medium
The method "sock_recvfrom_into()" of "asyncio.ProactorEventLoop" (Windows only) was missing a boundary check for the data buffer when using nbytes parameter. This allowed for an out-of-bounds buffer write if data was larger than the buffer size. Non-Windows platforms are not affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 15:16:00 UTC
CVE-2026-3298
CVE-2026-32990 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 20:16:00 UTC
CVE-2026-32990
CVE-2026-33006 on Ubuntu 26.04 LTS (resolute) - low
A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
Update Instructions:
Run `sudo pro fix CVE-2026-33006` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.66-2ubuntu2.1
apache2-bin - 2.4.66-2ubuntu2.1
apache2-data - 2.4.66-2ubuntu2.1
apache2-suexec-custom - 2.4.66-2ubuntu2.1
apache2-suexec-pristine - 2.4.66-2ubuntu2.1
apache2-utils - 2.4.66-2ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-05-05
2026-05-05
Nitescu Lucian
[https://ubuntu.com/security/notices/USN-8239-1]
CVE-2026-33006
CVE-2026-33007 on Ubuntu 26.04 LTS (resolute) - low
A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
Update Instructions:
Run `sudo pro fix CVE-2026-33007` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.66-2ubuntu2.1
apache2-bin - 2.4.66-2ubuntu2.1
apache2-data - 2.4.66-2ubuntu2.1
apache2-suexec-custom - 2.4.66-2ubuntu2.1
apache2-suexec-pristine - 2.4.66-2ubuntu2.1
apache2-utils - 2.4.66-2ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-05-05
2026-05-05
Pavel Kohout and Arkadi Vainbrand
[https://ubuntu.com/security/notices/USN-8239-1]
CVE-2026-33007
CVE-2026-33018 on Ubuntu 26.04 LTS (resolute) - medium
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a Use-After-Free vulnerability via the load_gif() function in fromgif.c, where a single sixel_frame_t object is reused across all frames of an animated GIF and gif_init_frame() unconditionally frees and reallocates frame->pixels between frames without consulting the object's reference count. Because the public API explicitly provides sixel_frame_ref() to retain a frame and sixel_frame_get_pixels() to access the raw pixel buffer, a callback following this documented usage pattern will hold a dangling pointer after the second frame is decoded, resulting in a heap use-after-free confirmed by ASAN. Any application using sixel_helper_load_image_file() with a multi-frame callback to process user-supplied animated GIFs is affected, with a reliable crash as the minimum impact and potential for code execution. This issue has been fixed in version 1.8.7-r1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14 22:16:00 UTC
CVE-2026-33018
CVE-2026-33019 on Ubuntu 26.04 LTS (resolute) - medium
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow leading to an out-of-bounds heap read in the --crop option handling of img2sixel, where positive coordinates up to INT_MAX are accepted without overflow-safe bounds checking. In sixel_encoder_do_clip(), the expression clip_w + clip_x overflows to a large negative value when clip_x is INT_MAX, causing the bounds guard to be skipped entirely, and the unclamped coordinate is passed through sixel_frame_clip() to clip(), which computes a source pointer far beyond the image buffer and passes it to memmove(). An attacker supplying a specially crafted crop argument with any valid image can trigger an out-of-bounds read in the heap, resulting in a reliable crash and potential information disclosure. This issue has been fixed in version 1.8.7-r1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14 22:16:00 UTC
CVE-2026-33019
CVE-2026-33020 on Ubuntu 26.04 LTS (resolute) - medium
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow which leads to a heap buffer overflow via sixel_frame_convert_to_rgb888() in frame.c, where allocation size and pointer offset computations for palettised images (PAL1, PAL2, PAL4) are performed using int arithmetic before casting to size_t. For images whose pixel count exceeds INT_MAX / 4, the overflow produces an undersized heap allocation for the conversion buffer and a negative pointer offset for the normalization sub-buffer, after which sixel_helper_normalize_pixelformat() writes the full image data starting from the invalid pointer, causing massive heap corruption confirmed by ASAN. An attacker providing a specially crafted large palettised PNG can corrupt the heap of the victim process, resulting in a reliable crash and potential arbitrary code execution. This issue has been fixed in version 1.8.7-r1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14 22:16:00 UTC
CVE-2026-33020
CVE-2026-33021 on Ubuntu 26.04 LTS (resolute) - medium
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a use-after-free vulnerability in sixel_encoder_encode_bytes() because sixel_frame_init() stores the caller-owned pixel buffer pointer directly in frame->pixels without making a defensive copy. When a resize operation is triggered, sixel_frame_convert_to_rgb888() unconditionally frees this caller-owned buffer and replaces it with a new internal allocation, leaving the caller with a dangling pointer. Any subsequent access to the original buffer by the caller constitutes a use-after-free, confirmed by AddressSanitizer. An attacker who controls incoming frames can trigger this bug repeatedly and predictably, resulting in a reliable crash with potential for code execution. This issue has been fixed in version 1.8.7-r1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14 23:16:00 UTC
CVE-2026-33021
CVE-2026-33023 on Ubuntu 26.04 LTS (resolute) - medium
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in load_with_gdkpixbuf() in loader.c. The cleanup path manually frees the sixel_frame_t object and its internal buffers without consulting the reference count, even though the object was created via the refcounted constructor sixel_frame_new() and exposed to the public callback. A callback that calls sixel_frame_ref(frame) to retain a logically valid reference will hold a dangling pointer after sixel_helper_load_image_file() returns, and any subsequent access to the frame or its fields triggers a use-after-free confirmed by AddressSanitizer. The root cause is a consistency failure between two cleanup strategies in the same codebase: sixel_frame_unref() is used in load_with_builtin() but raw free() is used in load_with_gdkpixbuf(). An attacker supplying a crafted image to any application built against libsixel with gdk-pixbuf2 support can trigger this reliably, potentially leading to information disclosure, memory corruption, or code execution. This issue has been fixed in version 1.8.7-r1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14 23:16:00 UTC
CVE-2026-33023
CVE-2026-33033 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Update Instructions:
Run `sudo pro fix CVE-2026-33033` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:5.2.9-0ubuntu4
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 14:00:00 UTC
2026-04-07 14:00:00 UTC
Seokchan Yoon
[https://ubuntu.com/security/notices/USN-8154-1]
[https://ubuntu.com/security/notices/USN-8154-2]
CVE-2026-33033
CVE-2026-33036 on Ubuntu 26.04 LTS (resolute) - medium
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like A can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 06:16:00 UTC
CVE-2026-33036
CVE-2026-33079 on Ubuntu 26.04 LTS (resolute) - medium
In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles contains overlapping alternatives that can trigger catastrophic backtracking. In both the double-quoted and single-quoted branches, a backslash followed by punctuation can be matched either as an escaped punctuation sequence or as two ordinary characters, creating an ambiguous pattern inside a repeated group. If an attacker supplies Markdown containing repeated ! sequences with no closing quote, the regex engine explores an exponential number of backtracking paths. This is reachable through normal Markdown parsing of inline links and block link reference definitions. A small crafted input can therefore cause significant CPU consumption and make applications using Mistune unresponsive.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135942
CVE-2026-33079
CVE-2026-3308 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability in 'pdf-image.c' in Artifex's MuPDF version 1.27.0 allows an attacker to maliciously craft a PDF that can trigger an integer overflow within the 'pdf_load_image_imp' function. This allows a heap out-of-bounds write that could be exploited for arbitrary code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 14:16:00 UTC
CVE-2026-3308
CVE-2026-33116 on Ubuntu 26.04 LTS (resolute) - medium
Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a network.
Update Instructions:
Run `sudo pro fix CVE-2026-33116` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
aspnetcore-runtime-10.0 - 10.0.7-0ubuntu1~26.04.1
aspnetcore-targeting-pack-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-apphost-pack-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-host-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-hostfxr-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-runtime-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-targeting-pack-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-sdk-10.0 - 10.0.107-0ubuntu1~26.04.1
dotnet-sdk-10.0-source-built-artifacts - 10.0.107-0ubuntu1~26.04.1
dotnet-sdk-aot-10.0 - 10.0.107-0ubuntu1~26.04.1
dotnet-templates-10.0 - 10.0.107-0ubuntu1~26.04.1
dotnet10 - 10.0.107-10.0.7-0ubuntu1~26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14
2026-04-14
Ludvig Pedersen
[https://ubuntu.com/security/notices/USN-8176-1]
[https://ubuntu.com/security/notices/USN-8216-1]
CVE-2026-33116
CVE-2026-3312 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18
CVE-2026-3312
CVE-2026-33123 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.1 allow an attacker to craft a malicious PDF which leads to long runtimes and/or large memory usage. Exploitation requires accessing an array-based stream with many entries. This issue has been fixed in version 6.9.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 10:16:00 UTC
CVE-2026-33123
CVE-2026-33145 on Ubuntu 26.04 LTS (resolute) - medium
xrdp is an open source RDP server. Versions through 0.10.5 allow an authenticated remote user to execute arbitrary commands on the server due to unsafe handling of the AlternateShell parameter in xrdp-sesman. When the AllowAlternateShell setting is enabled (which is the default when not explicitly configured), xrdp accepts a client-supplied AlternateShell value and executes it via /bin/sh -c during session initialization. This results in shell-interpreted execution of unsanitized, user-controlled input. This behavior effectively provides a scriptable remote command execution primitive over RDP within the security context of the authenticated user, occurring prior to normal window manager startup. This can bypass expected session initialization flows and operational assumptions that restrict execution to interactive desktop environments. This issue has been fixed in version 0.10.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134339
CVE-2026-33145
CVE-2026-33150 on Ubuntu 26.04 LTS (resolute) - medium
libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 21:17:00 UTC
CVE-2026-33150
CVE-2026-33151 on Ubuntu 26.04 LTS (resolute) - medium
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 21:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131477
CVE-2026-33151
CVE-2026-33154 on Ubuntu 26.04 LTS (resolute) - medium
dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.
Update Instructions:
Run `sudo pro fix CVE-2026-33154` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-dynaconf - 3.2.12-1ubuntu0.1~esm1
Available with Ubuntu Pro: https://ubuntu.com/pro
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 21:17:00 UTC
2026-03-20 21:17:00 UTC
federicoquattrin
[https://ubuntu.com/security/notices/USN-8231-1]
CVE-2026-33154
CVE-2026-33155 on Ubuntu 26.04 LTS (resolute) - medium
DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler _RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFE_TO_IMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call pickle_load with untrusted data. This issue has been patched in version 8.6.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 21:17:00 UTC
CVE-2026-33155
CVE-2026-33164 on Ubuntu 26.04 LTS (resolute) - medium
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a malformed H.265 PPS NAL unit causes a segmentation fault in pic_parameter_set::set_derived_values(). This issue has been patched in version 1.0.17.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 21:17:00 UTC
CVE-2026-33164
CVE-2026-33165 on Ubuntu 26.04 LTS (resolute) - medium
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a crafted HEVC bitstream causes an out-of-bounds heap write confirmed by AddressSanitizer. The trigger is a stale ctb_info.log2unitSize after an SPS change where PicWidthInCtbsY and PicHeightInCtbsY stay constant but Log2CtbSizeY changes, causing set_SliceHeaderIndex to index past the allocated image metadata array and write 2 bytes past the end of a heap allocation. This issue has been patched in version 1.0.17.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 21:17:00 UTC
CVE-2026-33165
CVE-2026-33167 on Ubuntu 26.04 LTS (resolute) - medium
Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`), which is the default in development. Version 8.1.2.1 contains a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-23 23:17:00 UTC
CVE-2026-33167
CVE-2026-33168 on Ubuntu 26.04 LTS (resolute) - medium
Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-23 23:17:00 UTC
CVE-2026-33168
CVE-2026-33169 on Ubuntu 26.04 LTS (resolute) - medium
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and `gsub!` can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 00:16:00 UTC
CVE-2026-33169
CVE-2026-33170 on Ubuntu 26.04 LTS (resolute) - medium
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments, the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 00:16:00 UTC
CVE-2026-33170
CVE-2026-33173 on Ubuntu 26.04 LTS (resolute) - medium
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like `identified` and `analyzed` are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe `content_type`, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 00:16:00 UTC
CVE-2026-33173
CVE-2026-33174 on Ubuntu 26.04 LTS (resolute) - medium
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when serving files through Active Storage's proxy delivery mode, the proxy controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 00:16:00 UTC
CVE-2026-33174
CVE-2026-33176 on Ubuntu 26.04 LTS (resolute) - medium
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 00:16:00 UTC
CVE-2026-33176
CVE-2026-33179 on Ubuntu 26.04 LTS (resolute) - medium
libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 21:17:00 UTC
CVE-2026-33179
CVE-2026-33186 on Ubuntu 26.04 LTS (resolute) - high
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy that contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-03-20 23:16:00 UTC
CVE-2026-33186
CVE-2026-33195 on Ubuntu 26.04 LTS (resolute) - medium
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#path_for` does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. `../`) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 00:16:00 UTC
CVE-2026-33195
CVE-2026-33202 on Ubuntu 26.04 LTS (resolute) - medium
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 00:16:00 UTC
CVE-2026-33202
CVE-2026-33205 on Ubuntu 26.04 LTS (resolute) - medium
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitrary URLs and exfiltrate information out from the ebook sandbox. Version 9.6.0 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 15:16:00 UTC
CVE-2026-33205
CVE-2026-33206 on Ubuntu 26.04 LTS (resolute) - medium
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a path traversal vulnerability exists in Calibre's handling of images in Markdown and other similar text-based files allowing an attacker to include arbitrary files from the file system into the converted book. Additionally, missing authentication and server-side request forgery in the background-image endpoint in the ebook reader web view allow the files to be exfiltrated without additional interaction. Version 9.6.0 contains a fix.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 15:16:00 UTC
CVE-2026-33206
CVE-2026-33210 on Ubuntu 26.04 LTS (resolute) - medium
Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 23:16:00 UTC
CVE-2026-33210
CVE-2026-33215 on Ubuntu 26.04 LTS (resolute) - medium
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can be hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issue. No known workarounds are available.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 21:16:00 UTC
CVE-2026-33215
CVE-2026-33216 on Ubuntu 26.04 LTS (resolute) - medium
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 20:16:00 UTC
CVE-2026-33216
CVE-2026-33217 on Ubuntu 26.04 LTS (resolute) - medium
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the `$MQTT.>` namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 20:16:00 UTC
CVE-2026-33217
CVE-2026-33218 on Ubuntu 26.04 LTS (resolute) - medium
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 20:16:00 UTC
CVE-2026-33218
CVE-2026-33219 on Ubuntu 26.04 LTS (resolute) - medium
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a milder variant of CVE-2026-27571. That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable websockets if not required for project deployment.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 20:16:00 UTC
CVE-2026-33219
CVE-2026-33222 on Ubuntu 26.04 LTS (resolute) - medium
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, if developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 21:16:00 UTC
CVE-2026-33222
CVE-2026-33223 on Ubuntu 26.04 LTS (resolute) - medium
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 21:16:00 UTC
CVE-2026-33223
CVE-2026-33227 on Ubuntu 26.04 LTS (resolute) - medium
Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 09:16:00 UTC
CVE-2026-33227
CVE-2026-33228 on Ubuntu 26.04 LTS (resolute) - medium
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 23:16:00 UTC
CVE-2026-33228
CVE-2026-33230 on Ubuntu 26.04 LTS (resolute) - medium
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` contains a reflected cross-site scripting issue in the `lookup_...` route. A crafted `lookup_<payload>` URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled `word` data is reflected into HTML without escaping. This impacts users running the local WordNet Browser server and can lead to script execution in the browser origin of that application. Commit 1c3f799607eeb088cab2491dcf806ae83c29ad8f fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 23:16:00 UTC
ej7367
CVE-2026-33230
CVE-2026-33231 on Ubuntu 26.04 LTS (resolute) - medium
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when it is started in its default mode. A simple `GET /SHUTDOWN%20THE%20SERVER` request causes the process to terminate immediately via `os._exit(0)`, resulting in a denial of service. Commit bbaae83db86a0f49e00f5b0db44a7254c268de9b patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 23:16:00 UTC
ej7367
CVE-2026-33231
CVE-2026-33236 on Ubuntu 26.04 LTS (resolute) - medium
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the `subdir` and `id` attributes when processing remote XML index files. Attackers can control a remote XML index server to provide malicious values containing path traversal sequences (such as `../`), which can lead to arbitrary directory creation, arbitrary file creation, and arbitrary file overwrite. Commit 89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 23:16:00 UTC
ej7367
CVE-2026-33236
CVE-2026-33246 on Ubuntu 26.04 LTS (resolute) - medium
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker. A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked. Prior to versions 2.11.15 and 2.12.6, NATS clients relying upon the Nats-Request-Info: header could be spoofed. This does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 20:16:00 UTC
CVE-2026-33246
CVE-2026-33247 on Ubuntu 26.04 LTS (resolute) - medium
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug/vars` end-point contains an unredacted copy of argv. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, configure credentials inside a configuration file instead of via argv, and do not enable the monitoring port if using secrets in argv. Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 20:16:00 UTC
CVE-2026-33247
CVE-2026-33248 on Ubuntu 26.04 LTS (resolute) - medium
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass. This does require a valid certificate from a CA already trusted for client certificates, and `DN` naming patterns which the NATS maintainers consider highly unlikely. So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their `DN` construction patterns might conceivably be impacted. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, developers should review their CA issuing practices.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 21:16:00 UTC
CVE-2026-33248
CVE-2026-33249 on Ubuntu 26.04 LTS (resolute) - medium
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is a valid trace message and not chosen by the attacker. Versions 2.11.15 and 2.12.6 contain a fix. No known workarounds are available.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 21:16:00 UTC
CVE-2026-33249
CVE-2026-33250 on Ubuntu 26.04 LTS (resolute) - medium
Freeciv21 is a free open source, turn-based, empire-building strategy game. Versions prior to 3.1.1 crash with a stack overflow when receiving specially-crafted packets. A remote attacker can use this to take down any public server. A malicious server can use this to crash the game on the player's machine. Authentication is not needed and, by default, logs do not contain any useful information. All users should upgrade to Freeciv21 version 3.1.1. Running the server behind a firewall can help mitigate the issue for non-public servers. For local games, Freeciv21 restricts connections to the current user and is therefore not affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 00:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131524
CVE-2026-33250
CVE-2026-33254 on Ubuntu 26.04 LTS (resolute) - medium
An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DoQ and DoH3 are disabled by default.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 14:16:00 UTC
CVE-2026-33254
CVE-2026-33256 on Ubuntu 26.04 LTS (resolute) - medium
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 10:16:00 UTC
CVE-2026-33256
CVE-2026-33257 on Ubuntu 26.04 LTS (resolute) - medium
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 10:16:00 UTC
CVE-2026-33257
CVE-2026-33258 on Ubuntu 26.04 LTS (resolute) - medium
By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 10:16:00 UTC
CVE-2026-33258
CVE-2026-33259 on Ubuntu 26.04 LTS (resolute) - medium
Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 10:16:00 UTC
CVE-2026-33259
CVE-2026-33260 on Ubuntu 26.04 LTS (resolute) - medium
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 10:16:00 UTC
CVE-2026-33260
CVE-2026-33261 on Ubuntu 26.04 LTS (resolute) - medium
A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 10:16:00 UTC
CVE-2026-33261
CVE-2026-33262 on Ubuntu 26.04 LTS (resolute) - medium
An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 10:16:00 UTC
CVE-2026-33262
CVE-2026-33278 on Ubuntu 26.04 LTS (resolute) - high
NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.
Update Instructions:
Run `sudo pro fix CVE-2026-33278` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libunbound8 - 1.24.2-1ubuntu2.1
python3-unbound - 1.24.2-1ubuntu2.1
unbound - 1.24.2-1ubuntu2.1
unbound-anchor - 1.24.2-1ubuntu2.1
unbound-host - 1.24.2-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-05-20
2026-05-20
Qifan Zhang
[https://ubuntu.com/security/notices/USN-8282-1]
CVE-2026-33278
CVE-2026-33298 on Ubuntu 26.04 LTS (resolute) - medium
llama.cpp is an inference of several LLM models in C/C++. Prior to b7824, an integer overflow vulnerability in the `ggml_nbytes` function allows an attacker to bypass memory validation by crafting a GGUF file with specific tensor dimensions. This causes `ggml_nbytes` to return a significantly smaller size than required (e.g., 4MB instead of Exabytes), leading to a heap-based buffer overflow when the application subsequently processes the tensor. This vulnerability allows potential Remote Code Execution (RCE) via memory corruption. b7824 contains a fix.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 01:17:00 UTC
CVE-2026-33298
CVE-2026-33317 on Ubuntu 26.04 LTS (resolute) - medium
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology. In versions 3.13.0 through 4.10.0, missing checks in `entry_get_attribute_value()` in `ta/pkcs11/src/object.c` can lead to out-of-bounds read from the PKCS#11 TA heap or a crash. When chained with the OOB read, the PKCS#11 TA function `PKCS11_CMD_GET_ATTRIBUTE_VALUE` or `entry_get_attribute_value()` can, with a bad template parameter, be tricked into reading at most 7 bytes beyond the end of the template buffer and writing beyond the end of the template buffer with the content of an attribute value of a PKCS#11 object. Commits e031c4e562023fd9f199e39fd2e85797e4cbdca9, 16926d5a46934c46e6656246b4fc18385a246900, and 149e8d7ecc4ef8bb00ab4a37fd2ccede6d79e1ca contain patches and are anticipated to be part of version 4.11.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 03:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135621
CVE-2026-33317
CVE-2026-33320 on Ubuntu 26.04 LTS (resolute) - medium
Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the library's own `UnmarshalYAML` implementation, which manually resolves alias nodes by recursively following `yaml.Node.Alias` pointers without any expansion budget, bypassing go-yaml v4's built-in alias expansion limit. Version 3.3.2 contains a patch for the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 01:17:00 UTC
CVE-2026-33320
CVE-2026-33337 on Ubuntu 26.04 LTS (resolute) - medium
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when deserializing a slice packet, the xdr_datum() function does not validate that a cstring length conforms to the slice descriptor bounds, allowing a cstring longer than the allocated buffer to overflow it. An unauthenticated attacker can exploit this by sending a crafted packet to the server, potentially causing a crash or other security impact. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 19:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134332
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134333
CVE-2026-33337
CVE-2026-33343 on Ubuntu 26.04 LTS (resolute) - medium
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 14:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132037
CVE-2026-33343
CVE-2026-33347 on Ubuntu 26.04 LTS (resolute) - medium
league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 20:16:00 UTC
2026-03-24 20:16:00 UTC
[https://ubuntu.com/security/notices/USN-8194-1]
CVE-2026-33347
CVE-2026-33349 on Ubuntu 26.04 LTS (resolute) - medium
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 20:16:00 UTC
CVE-2026-33349
CVE-2026-33413 on Ubuntu 26.04 LTS (resolute) - medium
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 14:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132038
CVE-2026-33413
CVE-2026-33414 on Ubuntu 26.04 LTS (resolute) - medium
Podman is a tool for managing OCI containers and pods. Versions 4.8.0 through 5.8.1 contain a command injection vulnerability in the HyperV machine backend in pkg/machine/hyperv/stubber.go, where the VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $() subexpression injection. Because PowerShell evaluates subexpressions inside double-quoted strings before executing the outer command, an attacker who can control the VM image path through a crafted machine name or image directory can execute arbitrary PowerShell commands with the privileges of the Podman process. On typical Windows installations this means SYSTEM-level code execution, and only Windows is affected as the code is exclusive to the HyperV backend. This issue has been patched in version 5.8.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14 23:16:00 UTC
CVE-2026-33414
CVE-2026-33516 on Ubuntu 26.04 LTS (resolute) - medium
xrdp is an open source RDP server. Versions through 0.10.5 contain an out-of-bounds read vulnerability during the RDP capability exchange phase. The issue occurs when memory is accessed before validating the remaining buffer length. A remote, unauthenticated attacker can trigger this vulnerability by sending a specially crafted Confirm Active PDU. Successful exploitation could lead to a denial of service (process crash) or potential disclosure of sensitive information from the process memory. This issue has been fixed in version 0.10.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134339
CVE-2026-33516
CVE-2026-33523 on Ubuntu 26.04 LTS (resolute) - low
HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2026-33523` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.66-2ubuntu2.1
apache2-bin - 2.4.66-2ubuntu2.1
apache2-data - 2.4.66-2ubuntu2.1
apache2-suexec-custom - 2.4.66-2ubuntu2.1
apache2-suexec-pristine - 2.4.66-2ubuntu2.1
apache2-utils - 2.4.66-2ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-05-05
2026-05-05
Haruki Oyama, Merih Mengisteab, Dawit Jeong
[https://ubuntu.com/security/notices/USN-8239-1]
CVE-2026-33523
CVE-2026-33532 on Ubuntu 26.04 LTS (resolute) - medium
`yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a `RangeError: Maximum call stack size exceeded` with a small payload (~2–10 KB). The `RangeError` is not a `YAMLParseError`, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application's exception handling, this can fail requests or terminate the Node.js process. Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one `[` and one `]`). On the default Node.js stack, approximately 1,000–5,000 levels of nesting (2–10 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation). Note: the library's `Parser` (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion. All three public parsing APIs are affected: `YAML.parse()`, `YAML.parseDocument()`, and `YAML.parseAllDocuments()`. Versions 1.10.3 and 2.8.3 contain a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132040
CVE-2026-33532
CVE-2026-33533 on Ubuntu 26.04 LTS (resolute) - medium
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full process list including command lines (which often contain tokens, passwords, or internal paths). This issue has been patched in version 4.5.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 15:16:00 UTC
CVE-2026-33533
CVE-2026-33535 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, an out-of-bounds write of a zero byte exists in the X11 `display` interaction path that could lead to a crash. Versions 7.1.2-18 and 6.9.13-43 patch the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 20:16:00 UTC
CVE-2026-33535
CVE-2026-33536 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, due to an incorrect return value on certain platforms a pointer is incremented past the end of a buffer that is on the stack and that could result in an out of bounds write. Versions 7.1.2-18 and 6.9.13-43 patch the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 20:16:00 UTC
CVE-2026-33536
CVE-2026-33540 on Ubuntu 26.04 LTS (resolute) - medium
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-06 15:17:00 UTC
CVE-2026-33540
CVE-2026-33542 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one. Version 6.23.0 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 23:16:00 UTC
CVE-2026-33542
CVE-2026-33549 on Ubuntu 26.04 LTS (resolute) - medium
SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-22 03:16:00 UTC
CVE-2026-33549
CVE-2026-33550 on Ubuntu 26.04 LTS (resolute) - medium
SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-22 03:16:00 UTC
CVE-2026-33550
CVE-2026-33551 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 03:16:00 UTC
https://launchpad.net/bugs/2142138
CVE-2026-33551
CVE-2026-33554 on Ubuntu 26.04 LTS (resolute) - low
ipmi-oem in FreeIPMI before 1.16.17 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Three subcommands were found to have exploitable buffer overflows on response messages. They are: "ipmi-oem dell get-last-post-code - get the last POST code and string describing the error on some Dell servers," "ipmi-oem supermicro extra-firmware-info - get extra firmware info on Supermicro servers," and "ipmi-oem wistron read-proprietary-string - read a proprietary string on Wistron servers."
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-03-24 15:16:00 UTC
Zhihan Zheng
https://savannah.gnu.org/bugs/?68140
https://savannah.gnu.org/bugs/?68141
https://savannah.gnu.org/bugs/?68142
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132018
CVE-2026-33554
CVE-2026-33555 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.
Update Instructions:
Run `sudo pro fix CVE-2026-33555` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
haproxy - 3.2.9-1ubuntu2.1
vim-haproxy - 3.2.9-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 17:16:00 UTC
2026-04-13 17:16:00 UTC
Martino Spagnuolo
[https://ubuntu.com/security/notices/USN-8208-1]
CVE-2026-33555
CVE-2026-33593 on Ubuntu 26.04 LTS (resolute) - medium
A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 14:16:00 UTC
CVE-2026-33593
CVE-2026-33594 on Ubuntu 26.04 LTS (resolute) - medium
A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 14:16:00 UTC
CVE-2026-33594
CVE-2026-33595 on Ubuntu 26.04 LTS (resolute) - medium
A client can trigger excessive memory allocation by generating a lot of error responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 14:16:00 UTC
CVE-2026-33595
CVE-2026-33596 on Ubuntu 26.04 LTS (resolute) - medium
A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 14:16:00 UTC
CVE-2026-33596
CVE-2026-33597 on Ubuntu 26.04 LTS (resolute) - medium
PRSD detection denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 14:16:00 UTC
CVE-2026-33597
CVE-2026-33598 on Ubuntu 26.04 LTS (resolute) - medium
A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 14:16:00 UTC
CVE-2026-33598
CVE-2026-33599 on Ubuntu 26.04 LTS (resolute) - medium
A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 14:16:00 UTC
CVE-2026-33599
CVE-2026-33600 on Ubuntu 26.04 LTS (resolute) - medium
An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 10:16:00 UTC
CVE-2026-33600
CVE-2026-33601 on Ubuntu 26.04 LTS (resolute) - medium
If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that results in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 10:16:00 UTC
CVE-2026-33601
CVE-2026-33602 on Ubuntu 26.04 LTS (resolute) - medium
A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 14:16:00 UTC
CVE-2026-33602
CVE-2026-33603 on Ubuntu 26.04 LTS (resolute) - medium
Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client as MITM proxy. Install fixed version. No publicly available exploits are known.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 14:17:00 UTC
CVE-2026-33603
CVE-2026-33608 on Ubuntu 26.04 LTS (resolute) - medium
An attacker can send a notify request that causes a new secondary domain to be added to the bind backend, but causes said backend to update its configuration to an invalid one, leading to the backend no longer able to run on the next restart, requiring manual operation to fix it.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 14:16:00 UTC
CVE-2026-33608
CVE-2026-33609 on Ubuntu 26.04 LTS (resolute) - medium
Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain subtrees.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 14:16:00 UTC
CVE-2026-33609
CVE-2026-33610 on Ubuntu 26.04 LTS (resolute) - medium
A rogue primary server may cause file descriptor exhaustion and eventually a denial of service, when a PowerDNS secondary server forwards a DNS update request to it.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 14:16:00 UTC
CVE-2026-33610
CVE-2026-33611 on Ubuntu 26.04 LTS (resolute) - medium
An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 14:16:00 UTC
CVE-2026-33611
CVE-2026-33633 on Ubuntu 26.04 LTS (resolute) - medium
Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal's stdin to crash kitty immediately. The vulnerability is triggered by a single APC graphics protocol command with a PNG format declaration (f=100) whose payload exceeds twice the initial buffer capacity. The overflow is attacker-controlled in both length and content, causing DoS and potentially escalation to RCE itself. This issue has been fixed in version 0.47.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 18:16:00 UTC
CVE-2026-33633
CVE-2026-33637 on Ubuntu 26.04 LTS (resolute) - medium
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object (rather than a String) to Faraday::Connection#build_exclusive_url. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request forgery: a request built from a fixed-base Faraday::Connection can be redirected to an attacker-controlled host, forwarding connection-scoped values such as Authorization headers and default query parameters. This issue has been fixed in version 2.14.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 19:16:00 UTC
CVE-2026-33637
CVE-2026-33641 on Ubuntu 26.04 LTS (resolute) - medium
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.get_value() and is implemented without validation or restriction of the executed commands. If an attacker can modify or influence configuration files, arbitrary commands will execute automatically with the privileges of the Glances process during startup or configuration reload. In deployments where Glances runs with elevated privileges (e.g., as a system service), this may lead to privilege escalation. This issue has been patched in version 4.5.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 15:16:00 UTC
CVE-2026-33641
CVE-2026-33642 on Ubuntu 26.04 LTS (resolute) - medium
Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to Heap Buffer Over-Read/Write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 19:16:00 UTC
CVE-2026-33642
CVE-2026-33658 on Ubuntu 26.04 LTS (resolute) - medium
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
CVE-2026-33658
CVE-2026-33662 on Ubuntu 26.04 LTS (resolute) - medium
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology. From 3.8.0 to 4.10, in the function emsa_pkcs1_v1_5_encode() in core/drivers/crypto/crypto_api/acipher/rsassa.c, the amount of padding needed, "PS size", is calculated by subtracting the size of the digest and other fields required for the EMSA-PKCS1-v1_5 encoding from the size of the modulus of the key. By selecting a small enough modulus, this subtraction can overflow. The padding is added as a string of 0xFF bytes with a call to memset(), and an underflowed integer will cause the memset() call to overwrite until OP-TEE crashes. This only affects platforms registering RSA acceleration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 19:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134896
CVE-2026-33662
CVE-2026-33671 on Ubuntu 26.04 LTS (resolute) - medium
Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to `picomatch` for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to `picomatch`. Possible mitigations include disabling extglob support for untrusted patterns by using `noextglob: true`, rejecting or sanitizing patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`, enforcing strict allowlists for accepted pattern syntax, running matching in an isolated worker or separate process with time and resource limits, and applying application-level request throttling and input validation for any endpoint that accepts glob patterns.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132160
CVE-2026-33671
CVE-2026-33672 on Ubuntu 26.04 LTS (resolute) - medium
Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions (e.g., `[[:constructor:]]`) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. All users of affected `picomatch` versions that process untrusted or user-controlled glob patterns are potentially impacted. This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch. Possible mitigations include sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like `[[:...:]]`; avoiding the use of POSIX bracket expressions if user input is involved; and manually patching the library by modifying `POSIX_REGEX_SOURCE` to use a null prototype.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132160
CVE-2026-33672
CVE-2026-33689 on Ubuntu 26.04 LTS (resolute) - medium
xrdp is an open source RDP server. Versions through 0.10.5 have an out-of-bounds read vulnerability in the pre-authentication RDP message parsing logic. A remote, unauthenticated attacker can trigger this flaw by sending a specially crafted sequence of packets during the initial connection phase. This vulnerability results from insufficient validation of input buffer lengths before processing dynamic channel communication. Successful exploitation can lead to a denial-of-service (DoS) condition via a process crash or potential disclosure of sensitive information from the service's memory space. This issue has been fixed in version 0.10.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134339
CVE-2026-33689
CVE-2026-33691 on Ubuntu 26.04 LTS (resolute) - medium
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. photo. php or shell.jsp ). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 16:16:00 UTC
CVE-2026-33691
CVE-2026-33699 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 01:16:00 UTC
CVE-2026-33699
CVE-2026-33709 on Ubuntu 26.04 LTS (resolute) - medium
JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to version 5.4.4, an open redirect vulnerability in JupyterHub allows attackers to construct links which, when clicked, take users to the JupyterHub login page, after which they are sent to an arbitrary attacker-controlled site outside JupyterHub instead of a JupyterHub page, bypassing JupyterHub's check to prevent this. This issue has been patched in version 5.4.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132715
CVE-2026-33709
CVE-2026-33711 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. Incus provides an API to retrieve VM screenshots. That API relies on the use of a temporary file for QEMU to write the screenshot to which is then picked up and sent to the user prior to deletion. As versions prior to 6.23.0 use predictable paths under /tmp for this, an attacker with local access to the system can abuse this mechanism by creating their own symlinks ahead of time. On the vast majority of Linux systems, this will result in a "Permission denied" error when requesting a screenshot. That's because the Linux kernel has a security feature designed to block such attacks, `protected_symlinks`. On the rare systems with this purposefully disabled, it's then possible to trick Incus into truncating and altering the mode and permissions of arbitrary files on the filesystem, leading to a potential denial of service or possible local privilege escalation. Version 6.23.0 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 23:16:00 UTC
CVE-2026-33711
CVE-2026-33721 on Ubuntu 26.04 LTS (resolute) - medium
MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer’s SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). Version 8.6.1 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 01:16:00 UTC
CVE-2026-33721
CVE-2026-33743 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by a user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server offline causing a denial of service of the control plane API. This does not impact any running workload, existing containers and virtual machines will keep operating. Version 6.23.0 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 23:16:00 UTC
CVE-2026-33743
CVE-2026-33745 on Ubuntu 26.04 LTS (resolute) - medium
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects (301/302/307/308). A malicious or compromised server can redirect the client to an attacker-controlled host, which then receives the plaintext credentials in the `Authorization` header. Version 0.39.0 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 01:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132162
CVE-2026-33745
CVE-2026-33747 on Ubuntu 26.04 LTS (resolute) - medium
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.
Update Instructions:
Run `sudo pro fix CVE-2026-33747` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
docker.io - 29.1.3-0ubuntu4.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22
2026-04-22
[https://ubuntu.com/security/notices/USN-8230-1]
CVE-2026-33747
CVE-2026-33748 on Ubuntu 26.04 LTS (resolute) - medium
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. The issue has been fixed in version v0.28.1. The issue affects only builds that use Git URLs with a subpath component. As a workaround, avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.
Update Instructions:
Run `sudo pro fix CVE-2026-33748` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
docker.io - 29.1.3-0ubuntu4.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22
2026-04-22
[https://ubuntu.com/security/notices/USN-8230-1]
CVE-2026-33748
CVE-2026-33750 on Ubuntu 26.04 LTS (resolute) - medium
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 15:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132163
CVE-2026-33750
CVE-2026-33762 on Ubuntu 26.04 LTS (resolute) - medium
go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 15:16:00 UTC
CVE-2026-33762
CVE-2026-33809 on Ubuntu 26.04 LTS (resolute) - medium
A maliciously crafted TIFF file can cause image decoding to attempt to allocate up to 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25 19:16:00 UTC
CVE-2026-33809
CVE-2026-33810 on Ubuntu 26.04 LTS (resolute) - medium
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-08 02:16:00 UTC
CVE-2026-33810
CVE-2026-33811 on Ubuntu 26.04 LTS (resolute) - medium
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 20:16:00 UTC
CVE-2026-33811
CVE-2026-33812 on Ubuntu 26.04 LTS (resolute) - medium
Parsing a malicious font file can cause excessive memory allocation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 20:16:00 UTC
CVE-2026-33812
CVE-2026-33813 on Ubuntu 26.04 LTS (resolute) - medium
Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 20:16:00 UTC
CVE-2026-33813
CVE-2026-33814 on Ubuntu 26.04 LTS (resolute) - medium
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136030
CVE-2026-33814
CVE-2026-33845 on Ubuntu 26.04 LTS (resolute) - medium
A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.
Update Instructions:
Run `sudo pro fix CVE-2026-33845` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.12-2ubuntu1.1
libgnutls-dane0t64 - 3.8.12-2ubuntu1.1
libgnutls-openssl27t64 - 3.8.12-2ubuntu1.1
libgnutls30t64 - 3.8.12-2ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 18:16:00 UTC
2026-04-30 18:16:00 UTC
Joshua Rogers
https://gitlab.com/gnutls/gnutls/-/issues/1811
[https://ubuntu.com/security/notices/USN-8284-1]
CVE-2026-33845
CVE-2026-33846 on Ubuntu 26.04 LTS (resolute) - medium
A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.
Update Instructions:
Run `sudo pro fix CVE-2026-33846` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.12-2ubuntu1.1
libgnutls-dane0t64 - 3.8.12-2ubuntu1.1
libgnutls-openssl27t64 - 3.8.12-2ubuntu1.1
libgnutls30t64 - 3.8.12-2ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 10:15:00 UTC
2026-05-04 10:15:00 UTC
Haruto Kimura, Oscar Reparaz, Zou Dikai
https://gitlab.com/gnutls/gnutls/-/work_items/1816
https://gitlab.com/gnutls/gnutls/-/work_items/1838
https://gitlab.com/gnutls/gnutls/-/work_items/1839
[https://ubuntu.com/security/notices/USN-8284-1]
CVE-2026-33846
CVE-2026-33857 on Ubuntu 26.04 LTS (resolute) - low
Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2026-33857` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.66-2ubuntu2.1
apache2-bin - 2.4.66-2ubuntu2.1
apache2-data - 2.4.66-2ubuntu2.1
apache2-suexec-custom - 2.4.66-2ubuntu2.1
apache2-suexec-pristine - 2.4.66-2ubuntu2.1
apache2-utils - 2.4.66-2ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-05-05
2026-05-05
Elhanan Haenel
[https://ubuntu.com/security/notices/USN-8239-1]
CVE-2026-33857
CVE-2026-33870 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132229
CVE-2026-33870
CVE-2026-33871 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132230
CVE-2026-33871
CVE-2026-3388 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Squirrel up to 3.2. This affects the function SQCompiler::Factor/SQCompiler::UnaryOP of the file squirrel/sqcompiler.cpp. Performing a manipulation results in uncontrolled recursion. The attack needs to be approached locally. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-01 10:16:00 UTC
CVE-2026-3388
CVE-2026-3389 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was determined in Squirrel up to 3.2. This vulnerability affects the function sqstd_rex_newnode in the library sqstdlib/sqstdrex.cpp. Executing a manipulation can lead to null pointer dereference. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-01 10:16:00 UTC
CVE-2026-3389
CVE-2026-33897 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. Prior to version 6.23.0, instance template files can be used to cause arbitrary read or writes as root on the host server. Incus allows for pongo2 templates within instances which can be used at various times in the instance lifecycle to template files inside of the instance. This particular implementation of pongo2 within Incus allowed for file read/write but with the expectation that the pongo2 chroot feature would isolate all such access to the instance's filesystem. This was allowed such that a template could theoretically read a file and then generate a new version of said file. Unfortunately the chroot isolation mechanism is entirely skipped by pongo2 leading to easy access to the entire system's filesystem with root privileges. Version 6.23.0 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 23:16:00 UTC
CVE-2026-33897
CVE-2026-33898 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will be accepted. `incus webui` runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token. When accessed with that token, Incus creates a cookie persisting that token without needing to include it in subsequent HTTP requests. While the Incus client correctly validates the value of the cookie, it does not correctly validate the token when passed in the URL. This allows for an attacker able to locate and talk to the temporary web server on localhost to have as much access to Incus as the user who ran `incus webui`. This can lead to privilege escalation by another local user or an access to the user's Incus instances and possibly system resources by a remote attack able to trick the local user into interacting with the Incus UI web server. Version 6.23.0 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 00:16:00 UTC
CVE-2026-33898
CVE-2026-33899 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-189 and 6.9.13-44, when `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 21:16:00 UTC
CVE-2026-33899
CVE-2026-33900 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crash. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 21:16:00 UTC
CVE-2026-33900
CVE-2026-33901 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 21:16:00 UTC
CVE-2026-33901
CVE-2026-33902 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 22:16:00 UTC
CVE-2026-33902
CVE-2026-33905 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the -sample operation has an out of bounds read when a specific offset is set through the `sample:offset` define that could lead to an out of bounds read. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 22:16:00 UTC
CVE-2026-33905
CVE-2026-33908 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, Magick frees the memory of the XML tree via the `DestroyXMLTree()` function; however, this process is executed recursively with no depth limit imposed. When Magick processes an XML file with deeply nested structures, it will exhaust the stack memory, resulting in a Denial of Service (DoS) attack. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 22:16:00 UTC
CVE-2026-33908
CVE-2026-33916 on Ubuntu 26.04 LTS (resolute) - medium
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. When `Object.prototype` has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version 4.7.9 fixes the issue. Some workarounds are available. Apply `Object.freeze(Object.prototype)` early in application startup to prevent prototype pollution. Note: this may break other libraries, and/or use the Handlebars runtime-only build (`handlebars/runtime`), which does not compile templates and reduces the attack surface.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 21:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
CVE-2026-33916
CVE-2026-33929 on Ubuntu 26.04 LTS (resolute) - medium
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples. This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7. Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427. The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF". Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14 09:16:00 UTC
CVE-2026-33929
CVE-2026-33936 on Ubuntu 26.04 LTS (resolute) - medium
The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Prior to version 0.19.2, an issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected. Because of that, a crafted DER input can cause `SigningKey.from_der()` to raise an internal exception (`IndexError: index out of bounds on dimension 1`) rather than cleanly rejecting malformed DER (e.g., raising `UnexpectedDER` or `ValueError`). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service. Version 0.19.2 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 23:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132164
CVE-2026-33936
CVE-2026-33937 on Ubuntu 26.04 LTS (resolute) - medium
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling `Handlebars.compile()`; ensure the argument is always a `string`, never a plain object or JSON-deserialized value. Use the Handlebars runtime-only build (`handlebars/runtime`) on the server if templates are pre-compiled at build time; `compile()` will be unavailable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 21:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
CVE-2026-33937
CVE-2026-33938 on Ubuntu 26.04 LTS (resolute) - medium
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites `@partial-block` with a crafted Handlebars AST, a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). The `compile()` method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as `handlebars-helpers`) in contexts where templates or context data can be influenced by untrusted input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 21:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
CVE-2026-33938
CVE-2026-33939 on Ubuntu 26.04 LTS (resolute) - medium
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in `try/catch`. Validate template input before passing it to `compile()`; reject templates containing decorator syntax (`{{*...}}`) if decorators are not used in your application. Use the pre-compilation workflow; compile templates at build time and serve only pre-compiled templates; do not call `compile()` at request time.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
CVE-2026-33939
CVE-2026-33940 on Ubuntu 26.04 LTS (resolute) - medium
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartial()` to return `undefined`. The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to `env.compile()`. Because the object is a valid Handlebars AST containing injected code, the generated JavaScript executes arbitrary commands on the server. The attack requires the adversary to control a value that can be returned by a dynamic partial lookup. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). Without `compile()`, the fallback compilation path in `invokePartial` is unreachable. Second, sanitize context data before rendering: Ensure no value in the context is a non-primitive object that could be passed to a dynamic partial. Third, avoid dynamic partial lookups (`{{> (lookup ...)}}`) when context data is user-controlled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
CVE-2026-33940
CVE-2026-33941 on Ubuntu 26.04 LTS (resolute) - medium
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (`"`, `'`, `;`, etc.). Second, use a fixed, trusted namespace string passed via a configuration file rather than command-line arguments in automated pipelines. Third, run the precompiler in a sandboxed environment (container with no write access to sensitive paths) to limit the impact of successful exploitation. Fourth, audit template filenames in any repository or package that is consumed by an automated build pipeline.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
CVE-2026-33941
CVE-2026-33945 on Ubuntu 26.04 LTS (resolute) - high
Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Prior to version 6.23.0, an attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods. While it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks. Version 6.23.0 fixes the issue.
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-03-27 00:16:00 UTC
CVE-2026-33945
CVE-2026-33947 on Ubuntu 26.04 LTS (resolute) - medium
jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.
Update Instructions:
Run `sudo pro fix CVE-2026-33947` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
jq - 1.8.1-4ubuntu2
libjq1 - 1.8.1-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 22:16:00 UTC
2026-04-13 22:16:00 UTC
[https://ubuntu.com/security/notices/USN-8202-1]
[https://ubuntu.com/security/notices/USN-8202-2]
CVE-2026-33947
CVE-2026-33948 on Ubuntu 26.04 LTS (resolute) - medium
jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.
Update Instructions:
Run `sudo pro fix CVE-2026-33948` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
jq - 1.8.1-4ubuntu2
libjq1 - 1.8.1-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14 00:16:00 UTC
2026-04-14 00:16:00 UTC
[https://ubuntu.com/security/notices/USN-8202-1]
[https://ubuntu.com/security/notices/USN-8202-2]
CVE-2026-33948
CVE-2026-33952 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, an unvalidated auth_length field read from the network triggers a WINPR_ASSERT() failure in rts_read_auth_verifier_no_checks(), causing any FreeRDP client connecting through a malicious RDP Gateway to crash with SIGABRT. This is a pre-authentication denial of service affecting all FreeRDP clients using RPC-over-HTTP gateway transport. The assertion is active in default release builds (WITH_VERBOSE_WINPR_ASSERT=ON). This issue has been patched in version 3.24.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 22:16:00 UTC
CVE-2026-33952
CVE-2026-33977 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a malicious RDP server can crash the FreeRDP client by sending audio data in IMA ADPCM format with an invalid initial step index value (>= 89). The unvalidated step index is read directly from the network and used to index into a 89-entry lookup table, triggering a WINPR_ASSERT() failure and process abort via SIGABRT. This affects any FreeRDP client that has audio redirection (RDPSND) enabled, which is the default configuration. This issue has been patched in version 3.24.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 22:16:00 UTC
CVE-2026-33977
CVE-2026-33982 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, there is a heap-buffer-overflow READ vulnerability at 24 bytes before the allocation, in winpr_aligned_offset_recalloc(). This issue has been patched in version 3.24.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 22:16:00 UTC
CVE-2026-33982
CVE-2026-33983 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, progressive_decompress_tile_upgrade() detects a mismatch via progressive_rfx_quant_cmp_equal() but only emits WLog_WARN; execution continues. The wrapped value (247) is used as a shift exponent, causing undefined behavior and an approximately 80 billion iteration loop (CPU DoS). This issue has been patched in version 3.24.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 22:16:00 UTC
CVE-2026-33983
CVE-2026-33984 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in resize_vbar_entry() in libfreerdp/codec/clear.c, vBarEntry->size is updated to vBarEntry->count before the winpr_aligned_recalloc() call. If realloc fails, size is inflated while pixels still points to the old, smaller buffer. On a subsequent call where count <= size (the inflated value), realloc is skipped. The caller then writes count * bpp bytes of attacker-controlled pixel data into the undersized buffer, causing a heap buffer overflow. This issue has been patched in version 3.24.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 22:16:00 UTC
CVE-2026-33984
CVE-2026-33985 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, pixel data from adjacent heap memory is rendered to screen, potentially leaking sensitive data to the attacker. This issue has been patched in version 3.24.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 22:16:00 UTC
CVE-2026-33985
CVE-2026-33986 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in yuv_ensure_buffer() in libfreerdp/codec/h264.c, h264->width and h264->height are updated before the reallocation loop. If any winpr_aligned_recalloc() call fails, the function returns FALSE but width/height are already inflated. This issue has been patched in version 3.24.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 22:16:00 UTC
CVE-2026-33986
CVE-2026-33987 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in persistent_cache_read_entry_v3() in libfreerdp/cache/persistent.c, persistent->bmpSize is updated before winpr_aligned_recalloc(). If realloc fails, bmpSize is inflated while bmpData points to the old buffer. This issue has been patched in version 3.24.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 22:16:00 UTC
CVE-2026-33987
CVE-2026-33990 on Ubuntu 26.04 LTS (resolute) - medium
Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Prior to version 1.1.25, Docker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the registry's WWW-Authenticate header without validating the scheme, hostname, or IP range. A malicious OCI registry can set the realm to an internal URL (e.g., http://127.0.0.1:3000/), causing Model Runner running on the host to make arbitrary GET requests to internal services and reflect the full response body back to the caller. Additionally, the token exchange mechanism can relay data from internal services back to the attacker-controlled registry via the Authorization: Bearer header. This issue has been patched in version 1.1.25. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 17:28:00 UTC
CVE-2026-33990
CVE-2026-33995 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, a double-free vulnerability in kerberos_AcceptSecurityContext() and kerberos_InitializeSecurityContextA() (WinPR, winpr/libwinpr/sspi/Kerberos/kerberos.c) can cause a crash in any FreeRDP clients on systems where Kerberos and/or Kerberos U2U is configured (Samba AD member, or krb5 for NFS). The crash is triggered during NLA connection teardown and requires a failed authentication attempt. This issue has been patched in version 3.24.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 22:16:00 UTC
CVE-2026-33995
CVE-2026-33996 on Ubuntu 26.04 LTS (resolute) - medium
LibJWT is a C JSON Web Token Library. Starting in version 3.0.0 and prior to version 3.3.0, the JWK parsing for RSA-PSS did not protect against a NULL value when expecting to parse JSON string values. A specially crafted JWK file could exploit this behavior by using integers in places where the code expected a string. This was fixed in v3.3.0. A workaround is available. Users importing keys through a JWK file should not do so from untrusted sources. Use the `jwk2key` tool to check for validity of a JWK file. Likewise, if possible, do not use JWK files with RSA-PSS keys.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 23:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132165
CVE-2026-33996
CVE-2026-33997 on Ubuntu 26.04 LTS (resolute) - medium
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 03:15:00 UTC
CVE-2026-33997
CVE-2026-33999 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatibility map handling, allows an attacker with local or remote X11 server access to trigger a buffer read overrun. This can lead to memory-safety violations and potentially a denial of service (DoS) or other severe impacts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14
Jan-Niklas Sohn
CVE-2026-33999
CVE-2026-34000 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the X.Org X server. This out-of-bounds read vulnerability in the XKB geometry processing, specifically within the `CheckSetGeom()` and `XkbAddGeomKeyAlias` functions, allows an attacker to read uninitialized or out-of-bounds memory. An attacker with a connection to the X11 server, either locally or remotely, can exploit this without user interaction. This could lead to the disclosure of memory contents or cause a denial of service by crashing the server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14
Jan-Niklas Sohn
CVE-2026-34000
CVE-2026-34001 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server crash and potentially enabling memory corruption. This could result in a denial of service or further compromise of the system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14
Jan-Niklas Sohn
CVE-2026-34001
CVE-2026-34002 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the X.Org X server. This vulnerability, an out-of-bounds read, affects the XKB (X Keyboard Extension) modifier map handling. An attacker with access to the X11 server can exploit this by sending a malformed request, which causes the server to read beyond its intended memory boundaries. This can lead to the exposure of sensitive information or cause the server to crash, resulting in a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14
Jan-Niklas Sohn
CVE-2026-34002
CVE-2026-34003 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sensitive information or cause the server to crash, leading to a Denial of Service (DoS). In certain configurations, higher impact outcomes may be possible.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14
Jan-Niklas Sohn
CVE-2026-34003
CVE-2026-34032 on Ubuntu 26.04 LTS (resolute) - low
Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2026-34032` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.66-2ubuntu2.1
apache2-bin - 2.4.66-2ubuntu2.1
apache2-data - 2.4.66-2ubuntu2.1
apache2-suexec-custom - 2.4.66-2ubuntu2.1
apache2-suexec-pristine - 2.4.66-2ubuntu2.1
apache2-utils - 2.4.66-2ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-05-05
2026-05-05
Tianshuo Han, Jérôme Djouder
[https://ubuntu.com/security/notices/USN-8239-1]
CVE-2026-34032
CVE-2026-34040 on Ubuntu 26.04 LTS (resolute) - medium
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 03:15:00 UTC
CVE-2026-34040
CVE-2026-34043 on Ubuntu 26.04 LTS (resolute) - medium
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 03:15:00 UTC
CVE-2026-34043
CVE-2026-34059 on Ubuntu 26.04 LTS (resolute) - low
Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Update Instructions:
Run `sudo pro fix CVE-2026-34059` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
apache2 - 2.4.66-2ubuntu2.1
apache2-bin - 2.4.66-2ubuntu2.1
apache2-data - 2.4.66-2ubuntu2.1
apache2-suexec-custom - 2.4.66-2ubuntu2.1
apache2-suexec-pristine - 2.4.66-2ubuntu2.1
apache2-utils - 2.4.66-2ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-05-05
2026-05-05
Elhanan Haenel
[https://ubuntu.com/security/notices/USN-8239-1]
CVE-2026-34059
CVE-2026-34078 on Ubuntu 26.04 LTS (resolute) - medium
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132943
CVE-2026-34078
CVE-2026-34079 on Ubuntu 26.04 LTS (resolute) - medium
Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132944
CVE-2026-34079
CVE-2026-3408 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was identified in Open Babel up to 3.1.1. This impacts the function OBAtom::GetExplicitValence of the file isrc/atom.cpp of the component CDXML File Handler. Such manipulation leads to null pointer dereference. The attack can be launched remotely. The exploit is publicly available and might be used. The name of the patch is e23a224b8fd9d7c2a7cde9ef4ec6afb4c05aa08a. It is best practice to apply a patch to resolve this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-02 04:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129566
CVE-2026-3408
CVE-2026-34086 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation AbuseFilter. This issue affects AbuseFilter: from * before 1.43.7, 1.44.4, 1.45.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 16:17:00 UTC
CVE-2026-34086
CVE-2026-34087 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation OATHAuth. This issue affects OATHAuth: from * before 1.43.7, 1.44.4, 1.45.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 16:17:00 UTC
CVE-2026-34087
CVE-2026-34088 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 16:17:00 UTC
CVE-2026-34088
CVE-2026-34089 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation Scribunto. This issue affects Scribunto: from 1.45.0 before 1.45.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 16:17:00 UTC
CVE-2026-34089
CVE-2026-34090 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation CheckUser. This issue affects CheckUser: from 1.45.0 before 1.45.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 16:17:00 UTC
CVE-2026-34090
CVE-2026-34091 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 16:17:00 UTC
CVE-2026-34091
CVE-2026-34092 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Skin/Skin.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 16:17:00 UTC
CVE-2026-34092
CVE-2026-34093 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Specials/SpecialUserRights.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 18:16:00 UTC
CVE-2026-34093
CVE-2026-34094 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Page/Article.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 18:16:00 UTC
CVE-2026-34094
CVE-2026-34095 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Actions/ActionEntryPoint.Php, includes/Request/FauxResponse.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 18:16:00 UTC
CVE-2026-34095
CVE-2026-34155 on Ubuntu 26.04 LTS (resolute) - medium
RAUC controls the update process on embedded Linux systems. Prior to version 1.15.2, RAUC bundles using the 'plain' format exceeding a payload size of 2 GiB cause an integer overflow which results in a signature which covers only the first few bytes of the payload. Given such a bundle with a legitimate signature, an attacker can modify the part of the payload which is not covered by the signature. This issue has been patched in version 1.15.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 14:16:00 UTC
CVE-2026-34155
CVE-2026-34165 on Ubuntu 26.04 LTS (resolute) - medium
go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, in order to create or alter existing .idx files. This issue has been patched in version 5.17.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 15:16:00 UTC
CVE-2026-34165
CVE-2026-34178 on Ubuntu 26.04 LTS (resolute) - medium
In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 10:16:00 UTC
CVE-2026-34178
CVE-2026-34179 on Ubuntu 26.04 LTS (resolute) - medium
In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 10:16:00 UTC
CVE-2026-34179
CVE-2026-34197 on Ubuntu 26.04 LTS (resolute) - high
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue.
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-04-07 09:16:00 UTC
CVE-2026-34197
CVE-2026-34230 on Ubuntu 26.04 LTS (resolute) - medium
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 17:16:00 UTC
2026-04-02 17:16:00 UTC
[https://ubuntu.com/security/notices/USN-8182-1]
CVE-2026-34230
CVE-2026-34232 on Ubuntu 26.04 LTS (resolute) - medium
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector() function does not handle the isc_arg_cstring type when decoding an op_response packet, causing a server crash when one is encountered in the status vector. An unauthenticated attacker can exploit this by sending a crafted op_response packet to the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134332
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134333
CVE-2026-34232
CVE-2026-34238 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, an integer overflow in the despeckle operation causes a heap buffer overflow on 32-bit builds that will result in an out of bounds write. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 22:16:00 UTC
CVE-2026-34238
CVE-2026-34253 on Ubuntu 26.04 LTS (resolute) - medium
A buffer underflow vulnerability has been identified in the ogg123 utility from the vorbis-tools 1.4.3 package in function remotethread in remote.c. This vulnerability occurs in the remote control functionality when processing malformed input, leading to a stack buffer underflow that can cause application crashes and potentially allow code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-15 15:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136943
CVE-2026-34253
CVE-2026-34268 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-34268
CVE-2026-34270 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-34270
CVE-2026-34271 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-34271
CVE-2026-34276 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication Plugin). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-34276
CVE-2026-34282 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-34282
CVE-2026-34303 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-34303
CVE-2026-34304 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-34304
CVE-2026-34308 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: JSON). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-34308
CVE-2026-34317 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Shell executes to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Shell. CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-34317
CVE-2026-34318 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Shell accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-34318
CVE-2026-34319 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Shell executes to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Shell. CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-34319
CVE-2026-34352 on Ubuntu 26.04 LTS (resolute) - medium
In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 23:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132166
CVE-2026-34352
CVE-2026-34380 on Ubuntu 26.04 LTS (resolute) - medium
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed integer overflow exists in undo_pxr24_impl() in src/lib/OpenEXRCore/internal_pxr24.c at line 377. The expression (uint64_t)(w * 3) computes w * 3 as a signed 32-bit integer before casting to uint64_t. When w is large, this multiplication constitutes undefined behavior under the C standard. On tested builds (clang/gcc without sanitizers), two's-complement wraparound commonly occurs, and for specific values of w the wrapped result is a small positive integer, which may allow the subsequent bounds check to pass incorrectly. If the check is bypassed, the decoding loop proceeds to write pixel data through dout, potentially extending far beyond the allocated output buffer. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
Update Instructions:
Run `sudo pro fix CVE-2026-34380` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenexr-3-1-30 - 3.1.13-2ubuntu0.26.04.1~esm1
openexr - 3.1.13-2ubuntu0.26.04.1~esm1
Available with Ubuntu Pro: https://ubuntu.com/pro
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-06 16:16:00 UTC
2026-04-06 16:16:00 UTC
[https://ubuntu.com/security/notices/USN-8259-1]
CVE-2026-34380
CVE-2026-3441 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 14:19:00 UTC
CVE-2026-3441
CVE-2026-3442 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 14:19:00 UTC
CVE-2026-3442
CVE-2026-34441 on Ubuntu 26.04 LTS (resolute) - medium
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread body bytes remain on the TCP stream and are interpreted as the start of a new HTTP request. An attacker can embed an arbitrary HTTP request inside the body of a GET request, which the server processes as a separate request. This issue has been patched in version 0.40.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 22:16:00 UTC
CVE-2026-34441
CVE-2026-34444 on Ubuntu 26.04 LTS (resolute) - medium
Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-06 16:16:00 UTC
CVE-2026-34444
CVE-2026-34445 on Ubuntu 26.04 LTS (resolute) - medium
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 18:16:00 UTC
CVE-2026-34445
CVE-2026-34446 on Ubuntu 26.04 LTS (resolute) - medium
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 18:16:00 UTC
CVE-2026-34446
CVE-2026-34447 on Ubuntu 26.04 LTS (resolute) - medium
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading that allows reading files outside the model directory. This issue has been patched in version 1.21.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 18:16:00 UTC
CVE-2026-34447
CVE-2026-3446 on Ubuntu 26.04 LTS (resolute) - medium
When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 19:16:00 UTC
CVE-2026-3446
CVE-2026-34475 on Ubuntu 26.04 LTS (resolute) - medium
Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132231
CVE-2026-34475
CVE-2026-34477 on Ubuntu 26.04 LTS (resolute) - medium
The fix for CVE-2025-68161 (https://logging.apache.org/security.html#CVE-2025-68161) was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) system property, but not when configured through the verifyHostName (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) attribute of the <Ssl> element. Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value. A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met: * An SMTP, Socket, or Syslog appender is in use. * TLS is configured via a nested <Ssl> element. * The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured. This issue does not affect users of the HTTP appender, which uses a separate verifyHostname (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName) attribute that was not subject to this bug and verifies host names by default. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 16:16:00 UTC
CVE-2026-34477
CVE-2026-34478 on Ubuntu 26.04 LTS (resolute) - medium
Apache Log4j Core's Rfc5424Layout (https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout), in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly: * The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output. * The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping. Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 16:16:00 UTC
CVE-2026-34478
CVE-2026-34479 on Ubuntu 26.04 LTS (resolute) - medium
The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. Two groups of users are affected: * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file. * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class. Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue. Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide (https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html), and specifically the section on eliminating reliance on the bridge.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 16:16:00 UTC
CVE-2026-34479
CVE-2026-34480 on Ubuntu 26.04 LTS (resolute) - medium
Apache Log4j Core's XmlLayout (https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout), in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification (https://www.w3.org/TR/xml/#charsets), producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use: * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records. * Alternative StAX implementations (e.g., Woodstox (https://github.com/FasterXML/woodstox), a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 16:16:00 UTC
CVE-2026-34480
CVE-2026-34481 on Ubuntu 26.04 LTS (resolute) - medium
Apache Log4j's JsonTemplateLayout (https://logging.apache.org/log4j/2.x/manual/json-template-layout.html), in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 16:16:00 UTC
CVE-2026-34481
CVE-2026-34483 on Ubuntu 26.04 LTS (resolute) - medium
Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 20:16:00 UTC
CVE-2026-34483
CVE-2026-34486 on Ubuntu 26.04 LTS (resolute) - medium
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 20:16:00 UTC
CVE-2026-34486
CVE-2026-34487 on Ubuntu 26.04 LTS (resolute) - medium
Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 20:16:00 UTC
CVE-2026-34487
CVE-2026-34500 on Ubuntu 26.04 LTS (resolute) - medium
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 20:16:00 UTC
CVE-2026-34500
CVE-2026-34513 on Ubuntu 26.04 LTS (resolute) - medium
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 21:16:00 UTC
CVE-2026-34513
CVE-2026-34514 on Ubuntu 26.04 LTS (resolute) - medium
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 21:16:00 UTC
CVE-2026-34514
CVE-2026-34515 on Ubuntu 26.04 LTS (resolute) - medium
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 21:16:00 UTC
CVE-2026-34515
CVE-2026-34516 on Ubuntu 26.04 LTS (resolute) - medium
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. This issue has been patched in version 3.13.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 21:16:00 UTC
CVE-2026-34516
CVE-2026-34517 on Ubuntu 26.04 LTS (resolute) - medium
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 21:16:00 UTC
CVE-2026-34517
CVE-2026-34518 on Ubuntu 26.04 LTS (resolute) - medium
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 21:17:00 UTC
CVE-2026-34518
CVE-2026-34519 on Ubuntu 26.04 LTS (resolute) - medium
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 21:17:00 UTC
CVE-2026-34519
CVE-2026-34520 on Ubuntu 26.04 LTS (resolute) - medium
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 21:17:00 UTC
CVE-2026-34520
CVE-2026-34525 on Ubuntu 26.04 LTS (resolute) - medium
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 21:17:00 UTC
CVE-2026-34525
CVE-2026-34531 on Ubuntu 26.04 LTS (resolute) - medium
Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users. This issue has been patched in version 4.8.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 21:17:00 UTC
CVE-2026-34531
CVE-2026-34580 on Ubuntu 26.04 LTS (resolute) - medium
Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::certificate_known had a misleading name; it would return true if any certificate in the store had a DN (and subject key identifier, if set) matching that of the argument. It did not check that the cert it found and the cert it was passed were actually the same certificate. In 3.11.0 an extension of path validation logic was made which assumed that certificate_known only returned true if the certificates were in fact identical. The impact is that if an end entity certificate is presented, and its DN (and subject key identifier, if set) match that of any trusted root, the end entity certificate is accepted immediately as if it itself were a trusted root. This vulnerability is fixed in 3.11.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 22:16:00 UTC
CVE-2026-34580
CVE-2026-34582 on Ubuntu 26.04 LTS (resolute) - medium
Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can be bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 22:16:00 UTC
CVE-2026-34582
CVE-2026-34588 on Ubuntu 26.04 LTS (resolute) - medium
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
Update Instructions:
Run `sudo pro fix CVE-2026-34588` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenexr-3-1-30 - 3.1.13-2ubuntu0.26.04.1~esm1
openexr - 3.1.13-2ubuntu0.26.04.1~esm1
Available with Ubuntu Pro: https://ubuntu.com/pro
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-06 16:16:00 UTC
2026-04-06 16:16:00 UTC
[https://ubuntu.com/security/notices/USN-8259-1]
CVE-2026-34588
CVE-2026-34591 on Ubuntu 26.04 LTS (resolute) - medium
Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package artifacts during normal install flows. (Normally, installing a malicious wheel is not sufficient for execution of malicious code. Malicious code will only be executed after installation if the malicious package is imported or invoked by the user.) This issue has been patched in version 2.3.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 18:16:00 UTC
CVE-2026-34591
CVE-2026-34601 on Ubuntu 26.04 LTS (resolute) - medium
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 18:16:00 UTC
CVE-2026-34601
CVE-2026-34734 on Ubuntu 26.04 LTS (resolute) - medium
HDF5 is software for managing data. In 1.14.1-2 and earlier, a heap-use-after-free was found in the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5T__conv_struct. The original object was allocated by H5D__typeinfo_init_phase3 and freed by H5D__typeinfo_term.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 20:16:00 UTC
CVE-2026-34734
CVE-2026-34743 on Ubuntu 26.04 LTS (resolute) - low
XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-04-02 19:21:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132497
CVE-2026-34743
CVE-2026-34763 on Ubuntu 26.04 LTS (resolute) - medium
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 17:16:00 UTC
2026-04-02 17:16:00 UTC
[https://ubuntu.com/security/notices/USN-8182-1]
CVE-2026-34763
CVE-2026-34785 on Ubuntu 26.04 LTS (resolute) - medium
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 17:16:00 UTC
2026-04-02 17:16:00 UTC
[https://ubuntu.com/security/notices/USN-8182-1]
CVE-2026-34785
CVE-2026-34786 on Ubuntu 26.04 LTS (resolute) - medium
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers that header_rules were intended to apply. In deployments that rely on Rack::Static to attach security-relevant response headers to static content, this can allow an attacker to bypass those headers by requesting an encoded form of the path. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 17:16:00 UTC
2026-04-02 17:16:00 UTC
[https://ubuntu.com/security/notices/USN-8182-1]
CVE-2026-34786
CVE-2026-3479 on Ubuntu 26.04 LTS (resolute) - medium
DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 19:16:00 UTC
CVE-2026-3479
CVE-2026-34826 on Ubuntu 26.04 LTS (resolute) - medium
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request. This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 17:16:00 UTC
2026-04-02 17:16:00 UTC
[https://ubuntu.com/security/notices/USN-8182-1]
CVE-2026-34826
CVE-2026-34827 on Ubuntu 26.04 LTS (resolute) - medium
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. This issue has been patched in versions 3.1.21 and 3.2.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 18:16:00 UTC
2026-04-02 18:16:00 UTC
[https://ubuntu.com/security/notices/USN-8182-1]
CVE-2026-34827
CVE-2026-34829 on Ubuntu 26.04 LTS (resolute) - medium
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size limit. For file parts, the uploaded body is written directly to a temporary file on disk rather than being constrained by the buffered in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large multipart file upload and consume unbounded disk space. This results in a denial of service condition for Rack applications that accept multipart form data. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 17:16:00 UTC
2026-04-02 17:16:00 UTC
[https://ubuntu.com/security/notices/USN-8182-1]
CVE-2026-34829
CVE-2026-34830 on Ubuntu 26.04 LTS (resolute) - medium
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 17:16:00 UTC
2026-04-02 17:16:00 UTC
[https://ubuntu.com/security/notices/USN-8182-1]
CVE-2026-34830
CVE-2026-34831 on Ubuntu 26.04 LTS (resolute) - medium
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because Rack::Files reflects the requested path in 404 responses, an attacker can trigger this mismatch by requesting a non-existent path containing percent-encoded UTF-8 characters. This results in incorrect HTTP response framing and may cause response desynchronization in deployments that rely on the incorrect Content-Length value. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 17:16:00 UTC
2026-04-02 17:16:00 UTC
[https://ubuntu.com/security/notices/USN-8182-1]
CVE-2026-34831
CVE-2026-34835 on Ubuntu 26.04 LTS (resolute) - medium
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 18:16:00 UTC
2026-04-02 18:16:00 UTC
[https://ubuntu.com/security/notices/USN-8182-1]
CVE-2026-34835
CVE-2026-34839 on Ubuntu 26.04 LTS (resolute) - medium
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (`Access-Control-Allow-Origin: *`). This allows a malicious website to read sensitive system information from a running Glances instance in the victim’s browser, leading to cross-origin data exfiltration. While a previous advisory exists for XML-RPC CORS issues, this report demonstrates that the REST API (`/api/4/*`) is also affected and exposes significantly more sensitive data. Version 4.5.4 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 00:16:00 UTC
CVE-2026-34839
CVE-2026-34871 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0 and TF-PSA-Crypto before 1.1.0. There is a Predictable Seed in a Pseudo-Random Number Generator (PRNG).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 19:16:00 UTC
CVE-2026-34871
CVE-2026-34872 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Mbed TLS 3.5.x and 3.6.x through 3.6.5 and TF-PSA-Crypto 1.0. There is a lack of contributory behavior in FFDH due to improper input validation. Using finite-field Diffie-Hellman, the other party can force the shared secret into a small set of values (lack of contributory behavior). This is a problem for protocols that depend on contributory behavior (which is not the case for TLS). The attack can be carried by the peer, or depending on the protocol by an active network attacker (person in the middle).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 20:16:00 UTC
CVE-2026-34872
CVE-2026-34873 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client impersonation can occur while resuming a TLS 1.3 session.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 21:17:00 UTC
CVE-2026-34873
CVE-2026-34874 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Mbed TLS through 3.6.5 and 4.x through 4.0.0. There is a NULL pointer dereference in distinguished name parsing that allows an attacker to write to address 0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 19:16:00 UTC
CVE-2026-34874
CVE-2026-34875 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Mbed TLS through 3.6.5 and TF-PSA-Crypto 1.0.0. A buffer overflow can occur in public key export for FFDH keys.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 18:16:00 UTC
CVE-2026-34875
CVE-2026-34876 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Mbed TLS 3.x before 3.6.6. An out-of-bounds read vulnerability in mbedtls_ccm_finish() in library/ccm.c allows attackers to obtain adjacent CCM context data via invocation of the multipart CCM API with an oversized tag_len parameter. This is caused by missing validation of the tag_len parameter against the size of the internal 16-byte authentication buffer. The issue affects the public multipart CCM API in Mbed TLS 3.x, where mbedtls_ccm_finish() can be invoked directly by applications. In Mbed TLS 4.x versions prior to the fix, the same missing validation exists in the internal implementation; however, the function is not exposed as part of the public API. Exploitation requires application-level invocation of the multipart CCM API.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 16:16:00 UTC
CVE-2026-34876
CVE-2026-34877 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 17:16:00 UTC
CVE-2026-34877
CVE-2026-34933 on Ubuntu 26.04 LTS (resolute) - medium
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4.
Update Instructions:
Run `sudo pro fix CVE-2026-34933` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
avahi-autoipd - 0.8-18ubuntu1.1
avahi-daemon - 0.8-18ubuntu1.1
avahi-discover - 0.8-18ubuntu1.1
avahi-dnsconfd - 0.8-18ubuntu1.1
avahi-ui-utils - 0.8-18ubuntu1.1
avahi-utils - 0.8-18ubuntu1.1
gir1.2-avahi-0.6 - 0.8-18ubuntu1.1
libavahi-client3 - 0.8-18ubuntu1.1
libavahi-common-data - 0.8-18ubuntu1.1
libavahi-common3 - 0.8-18ubuntu1.1
libavahi-compat-libdnssd1 - 0.8-18ubuntu1.1
libavahi-core7 - 0.8-18ubuntu1.1
libavahi-glib1 - 0.8-18ubuntu1.1
libavahi-gobject0 - 0.8-18ubuntu1.1
libavahi-ui-gtk3-0 - 0.8-18ubuntu1.1
python3-avahi - 0.8-18ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 23:17:00 UTC
2026-04-03 23:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132712
[https://ubuntu.com/security/notices/USN-8269-1]
CVE-2026-34933
CVE-2026-34956 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in Open vSwitch. When Open vSwitch is configured with a conntrack flow using FTP helpers over the userspace datapath, a remote attacker can send a specially crafted FTP stream with an EPASV command exceeding 255 characters. This heap access error can lead to a crash, resulting in a Denial of Service (DoS) for the affected system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 16:16:00 UTC
Seiji Sakurai
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132449
CVE-2026-34956
CVE-2026-3497 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 18:00:00 UTC
2026-03-12 18:00:00 UTC
Jeremy Brown
[https://ubuntu.com/security/notices/USN-8090-1]
[https://ubuntu.com/security/notices/USN-8090-2]
CVE-2026-3497
CVE-2026-34978 on Ubuntu 26.04 LTS (resolute) - medium
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly available patches.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 22:16:00 UTC
mdeslaur(main)
Asim Viladi Oglu Manizada
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132716
CVE-2026-34978
CVE-2026-34979 on Ubuntu 26.04 LTS (resolute) - medium
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, there is a heap-based buffer overflow in the CUPS scheduler when building filter option strings from job attribute. At time of publication, there are no publicly available patches.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 22:16:00 UTC
mdeslaur(main)
Jacob Newman
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132716
https://github.com/OpenPrinting/cups/issues/1532 (regression)
CVE-2026-34979
CVE-2026-34980 on Ubuntu 26.04 LTS (resolute) - medium
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 22:16:00 UTC
mdeslaur(main)
Asim Viladi Oglu Manizada
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132729
CVE-2026-34980
CVE-2026-34986 on Ubuntu 26.04 LTS (resolute) - medium
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-06 17:17:00 UTC
CVE-2026-34986
CVE-2026-34990 on Ubuntu 26.04 LTS (resolute) - medium
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local ... token. That token is enough to drive /admin/ requests on localhost, and the attacker can combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; the PoC below uses that primitive to drop a sudoers fragment and demonstrate root command execution. At time of publication, there are no publicly available patches.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 22:16:00 UTC
mdeslaur(main)
Asim Viladi Oglu Manizada
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132729
CVE-2026-34990
CVE-2026-3503 on Ubuntu 26.04 LTS (resolute) - medium
Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion. This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 19:16:00 UTC
CVE-2026-3503
CVE-2026-3505 on Ubuntu 26.04 LTS (resolute) - medium
Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java, OperatorHelper.Java. This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-15 10:16:00 UTC
CVE-2026-3505
CVE-2026-35058 on Ubuntu 26.04 LTS (resolute) - medium
server ASSERT() on receiving a suitably malformed packet with a valid tls-crypt-v2 key
Update Instructions:
Run `sudo pro fix CVE-2026-35058` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openvpn - 2.7.0-1ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23
2026-04-23
Guannan Wang, Zhanpeng Liu, Guancheng Li, Emma Reuter
[https://ubuntu.com/security/notices/USN-8286-1]
CVE-2026-35058
CVE-2026-35093 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 14:16:00 UTC
https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1271
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132550
CVE-2026-35093
CVE-2026-35094 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 14:16:00 UTC
CVE-2026-35094
CVE-2026-35166 on Ubuntu 26.04 LTS (resolute) - medium
Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-06 18:16:00 UTC
CVE-2026-35166
CVE-2026-35172 on Ubuntu 26.04 LTS (resolute) - medium
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared digest descriptor but leaves stale repo-scoped membership behind, so a later Stat or Get from repo b repopulates the shared descriptor and makes the deleted blob readable from repo a again. This vulnerability is fixed in 3.1.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-06 20:16:00 UTC
CVE-2026-35172
CVE-2026-35177 on Ubuntu 26.04 LTS (resolute) - medium
Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.
Update Instructions:
Run `sudo pro fix CVE-2026-35177` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
vim - 2:9.1.2141-1ubuntu4.1
vim-common - 2:9.1.2141-1ubuntu4.1
vim-gtk3 - 2:9.1.2141-1ubuntu4.1
vim-gui-common - 2:9.1.2141-1ubuntu4.1
vim-motif - 2:9.1.2141-1ubuntu4.1
vim-nox - 2:9.1.2141-1ubuntu4.1
vim-runtime - 2:9.1.2141-1ubuntu4.1
vim-tiny - 2:9.1.2141-1ubuntu4.1
xxd - 2:9.1.2141-1ubuntu4.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-06 18:16:00 UTC
2026-04-06 18:16:00 UTC
federicoquattrin
[https://ubuntu.com/security/notices/USN-8213-1]
[https://ubuntu.com/security/notices/USN-8246-1]
CVE-2026-35177
CVE-2026-35192 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue.
Update Instructions:
Run `sudo pro fix CVE-2026-35192` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:5.2.9-0ubuntu4.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-05-05 14:00:00 UTC
2026-05-05 14:00:00 UTC
[https://ubuntu.com/security/notices/USN-8232-1]
CVE-2026-35192
CVE-2026-35201 on Ubuntu 26.04 LTS (resolute) - low
Discount is an implementation of John Gruber's Markdown markup language in C. From 1.3.1.1 to before 2.2.7.4, a signed length truncation bug causes an out-of-bounds read in the default Markdown parse path. Inputs larger than INT_MAX are truncated to a signed int before entering the native parser, allowing the parser to read past the end of the supplied buffer and crash the process. This vulnerability is fixed in 2.2.7.4.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-04-06 20:16:00 UTC
CVE-2026-35201
CVE-2026-35215 on Ubuntu 26.04 LTS (resolute) - medium
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl_desc() function does not validate the length of a decoded SDL descriptor from a slice packet. A zero-length descriptor is later used to calculate the number of slice items, causing a division by zero. An unauthenticated attacker can exploit this by sending a crafted slice packet to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134332
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134333
CVE-2026-35215
CVE-2026-35230 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-35230
CVE-2026-35233 on Ubuntu 26.04 LTS (resolute) - medium
An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to -- or instruments -- that process (via dtrace -p , pid probes, or USDT), the ELF parser reads heap memory beyond the allocated section cache array without any bounds check. This results in an uninitialized/out-of-bounds heap read that can cause a NULL pointer dereference crash of the dtrace process (DoS), or -- depending on heap layout -- a read-then-use of a garbage pointer controlled by adjacent allocations, providing a foothold toward further exploitation in a privileged context.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135619
CVE-2026-35233
CVE-2026-35236 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-35236
CVE-2026-35237 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-35237
CVE-2026-35238 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-35238
CVE-2026-35239 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-35239
CVE-2026-35240 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-35240
CVE-2026-35242 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-35242
CVE-2026-35245 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via RDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-35245
CVE-2026-35246 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-35246
CVE-2026-35247 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-35247
CVE-2026-35248 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data as well as unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-35248
CVE-2026-35249 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 3.2 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-35249
CVE-2026-35250 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 2.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-35250
CVE-2026-35251 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.2.6. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-35251
CVE-2026-35328 on Ubuntu 26.04 LTS (resolute) - medium
Infinite Loop When Handling Supported Versions TLS Extension
Update Instructions:
Run `sudo pro fix CVE-2026-35328` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
charon-cmd - 6.0.4-1ubuntu3
charon-systemd - 6.0.4-1ubuntu3
libcharon-extauth-plugins - 6.0.4-1ubuntu3
libcharon-extra-plugins - 6.0.4-1ubuntu3
libstrongswan - 6.0.4-1ubuntu3
libstrongswan-extra-plugins - 6.0.4-1ubuntu3
libstrongswan-standard-plugins - 6.0.4-1ubuntu3
strongswan - 6.0.4-1ubuntu3
strongswan-charon - 6.0.4-1ubuntu3
strongswan-libcharon - 6.0.4-1ubuntu3
strongswan-nm - 6.0.4-1ubuntu3
strongswan-pki - 6.0.4-1ubuntu3
strongswan-starter - 6.0.4-1ubuntu3
strongswan-swanctl - 6.0.4-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 12:00:00 UTC
2026-04-22 12:00:00 UTC
Haruto Kimura
[https://ubuntu.com/security/notices/USN-8196-1]
[https://ubuntu.com/security/notices/USN-8196-2]
CVE-2026-35328
CVE-2026-35329 on Ubuntu 26.04 LTS (resolute) - medium
NULL-Pointer Dereference When Processing Padding in PKCS#7
Update Instructions:
Run `sudo pro fix CVE-2026-35329` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
charon-cmd - 6.0.4-1ubuntu3
charon-systemd - 6.0.4-1ubuntu3
libcharon-extauth-plugins - 6.0.4-1ubuntu3
libcharon-extra-plugins - 6.0.4-1ubuntu3
libstrongswan - 6.0.4-1ubuntu3
libstrongswan-extra-plugins - 6.0.4-1ubuntu3
libstrongswan-standard-plugins - 6.0.4-1ubuntu3
strongswan - 6.0.4-1ubuntu3
strongswan-charon - 6.0.4-1ubuntu3
strongswan-libcharon - 6.0.4-1ubuntu3
strongswan-nm - 6.0.4-1ubuntu3
strongswan-pki - 6.0.4-1ubuntu3
strongswan-starter - 6.0.4-1ubuntu3
strongswan-swanctl - 6.0.4-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 12:00:00 UTC
2026-04-22 12:00:00 UTC
Haruto Kimura
[https://ubuntu.com/security/notices/USN-8196-1]
[https://ubuntu.com/security/notices/USN-8196-2]
CVE-2026-35329
CVE-2026-35330 on Ubuntu 26.04 LTS (resolute) - medium
Integer Underflow When Handling EAP-SIM/AKA Attributes
Update Instructions:
Run `sudo pro fix CVE-2026-35330` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
charon-cmd - 6.0.4-1ubuntu3
charon-systemd - 6.0.4-1ubuntu3
libcharon-extauth-plugins - 6.0.4-1ubuntu3
libcharon-extra-plugins - 6.0.4-1ubuntu3
libstrongswan - 6.0.4-1ubuntu3
libstrongswan-extra-plugins - 6.0.4-1ubuntu3
libstrongswan-standard-plugins - 6.0.4-1ubuntu3
strongswan - 6.0.4-1ubuntu3
strongswan-charon - 6.0.4-1ubuntu3
strongswan-libcharon - 6.0.4-1ubuntu3
strongswan-nm - 6.0.4-1ubuntu3
strongswan-pki - 6.0.4-1ubuntu3
strongswan-starter - 6.0.4-1ubuntu3
strongswan-swanctl - 6.0.4-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 12:00:00 UTC
2026-04-22 12:00:00 UTC
Lukas Johannes Moeller
[https://ubuntu.com/security/notices/USN-8196-1]
[https://ubuntu.com/security/notices/USN-8196-2]
CVE-2026-35330
CVE-2026-35331 on Ubuntu 26.04 LTS (resolute) - medium
Accepting Certificates Violating Name Constraints
Update Instructions:
Run `sudo pro fix CVE-2026-35331` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
charon-cmd - 6.0.4-1ubuntu3
charon-systemd - 6.0.4-1ubuntu3
libcharon-extauth-plugins - 6.0.4-1ubuntu3
libcharon-extra-plugins - 6.0.4-1ubuntu3
libstrongswan - 6.0.4-1ubuntu3
libstrongswan-extra-plugins - 6.0.4-1ubuntu3
libstrongswan-standard-plugins - 6.0.4-1ubuntu3
strongswan - 6.0.4-1ubuntu3
strongswan-charon - 6.0.4-1ubuntu3
strongswan-libcharon - 6.0.4-1ubuntu3
strongswan-nm - 6.0.4-1ubuntu3
strongswan-pki - 6.0.4-1ubuntu3
strongswan-starter - 6.0.4-1ubuntu3
strongswan-swanctl - 6.0.4-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 12:00:00 UTC
2026-04-22 12:00:00 UTC
Haruto Kimura
[https://ubuntu.com/security/notices/USN-8196-1]
[https://ubuntu.com/security/notices/USN-8196-2]
CVE-2026-35331
CVE-2026-35332 on Ubuntu 26.04 LTS (resolute) - medium
NULL-Pointer Dereference When Handling ECDH Public Value in TLS
Update Instructions:
Run `sudo pro fix CVE-2026-35332` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
charon-cmd - 6.0.4-1ubuntu3
charon-systemd - 6.0.4-1ubuntu3
libcharon-extauth-plugins - 6.0.4-1ubuntu3
libcharon-extra-plugins - 6.0.4-1ubuntu3
libstrongswan - 6.0.4-1ubuntu3
libstrongswan-extra-plugins - 6.0.4-1ubuntu3
libstrongswan-standard-plugins - 6.0.4-1ubuntu3
strongswan - 6.0.4-1ubuntu3
strongswan-charon - 6.0.4-1ubuntu3
strongswan-libcharon - 6.0.4-1ubuntu3
strongswan-nm - 6.0.4-1ubuntu3
strongswan-pki - 6.0.4-1ubuntu3
strongswan-starter - 6.0.4-1ubuntu3
strongswan-swanctl - 6.0.4-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 12:00:00 UTC
2026-04-22 12:00:00 UTC
Haruto Kimura
[https://ubuntu.com/security/notices/USN-8196-1]
[https://ubuntu.com/security/notices/USN-8196-2]
CVE-2026-35332
CVE-2026-35333 on Ubuntu 26.04 LTS (resolute) - medium
Integer Underflow When Handling RADIUS Attributes
Update Instructions:
Run `sudo pro fix CVE-2026-35333` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
charon-cmd - 6.0.4-1ubuntu3
charon-systemd - 6.0.4-1ubuntu3
libcharon-extauth-plugins - 6.0.4-1ubuntu3
libcharon-extra-plugins - 6.0.4-1ubuntu3
libstrongswan - 6.0.4-1ubuntu3
libstrongswan-extra-plugins - 6.0.4-1ubuntu3
libstrongswan-standard-plugins - 6.0.4-1ubuntu3
strongswan - 6.0.4-1ubuntu3
strongswan-charon - 6.0.4-1ubuntu3
strongswan-libcharon - 6.0.4-1ubuntu3
strongswan-nm - 6.0.4-1ubuntu3
strongswan-pki - 6.0.4-1ubuntu3
strongswan-starter - 6.0.4-1ubuntu3
strongswan-swanctl - 6.0.4-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 12:00:00 UTC
2026-04-22 12:00:00 UTC
Lukas Johannes Moeller
[https://ubuntu.com/security/notices/USN-8196-1]
[https://ubuntu.com/security/notices/USN-8196-2]
CVE-2026-35333
CVE-2026-35334 on Ubuntu 26.04 LTS (resolute) - medium
Possible NULL-Pointer Dereference in RSA Decryption
Update Instructions:
Run `sudo pro fix CVE-2026-35334` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
charon-cmd - 6.0.4-1ubuntu3
charon-systemd - 6.0.4-1ubuntu3
libcharon-extauth-plugins - 6.0.4-1ubuntu3
libcharon-extra-plugins - 6.0.4-1ubuntu3
libstrongswan - 6.0.4-1ubuntu3
libstrongswan-extra-plugins - 6.0.4-1ubuntu3
libstrongswan-standard-plugins - 6.0.4-1ubuntu3
strongswan - 6.0.4-1ubuntu3
strongswan-charon - 6.0.4-1ubuntu3
strongswan-libcharon - 6.0.4-1ubuntu3
strongswan-nm - 6.0.4-1ubuntu3
strongswan-pki - 6.0.4-1ubuntu3
strongswan-starter - 6.0.4-1ubuntu3
strongswan-swanctl - 6.0.4-1ubuntu3
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 12:00:00 UTC
2026-04-22 12:00:00 UTC
Ryo Shimada
[https://ubuntu.com/security/notices/USN-8196-1]
[https://ubuntu.com/security/notices/USN-8196-2]
CVE-2026-35334
CVE-2026-35341 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it fails to terminate the operation for that path and continues to execute a follow-up set_permissions call. This results in the existing file's permissions being changed to the default mode (often 644 after umask), potentially exposing sensitive files such as SSH private keys to other users on the system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35341
CVE-2026-35344 on Ubuntu 26.04 LTS (resolute) - medium
The dd utility in uutils coreutils suppresses errors during file truncation operations by unconditionally calling Result::ok() on truncation attempts. While intended to mimic GNU behavior for special files like /dev/null, the uutils implementation also hides failures on regular files and directories caused by full disks or read-only file systems. This can lead to silent data corruption in backup or migration scripts, as the utility may report a successful operation even when the destination file contains old or garbage data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35344
CVE-2026-35345 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in the tail utility of uutils coreutils allows for the exfiltration of sensitive file contents when using the --follow=name option. Unlike GNU tail, the uutils implementation continues to monitor a path after it has been replaced by a symbolic link, subsequently outputting the contents of the link's target. In environments where a privileged user (e.g., root) monitors a log directory, a local attacker with write access to that directory can replace a log file with a symlink to a sensitive system file (such as /etc/shadow), causing tail to disclose the contents of the sensitive file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35345
CVE-2026-35348 on Ubuntu 26.04 LTS (resolute) - medium
The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate crash when encountering valid but non-UTF-8 paths. This diverges from GNU sort, which treats filenames as raw bytes. A local attacker can exploit this to crash the utility and disrupt automated pipelines.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35348
CVE-2026-35350 on Ubuntu 26.04 LTS (resolute) - medium
The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p (preserve) flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining original privileged bits, creating unexpected privileged executables that violate local security policies. This differs from GNU cp, which clears these bits when ownership cannot be preserved.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35350
CVE-2026-35351 on Ubuntu 26.04 LTS (resolute) - medium
The mv utility in uutils coreutils fails to preserve file ownership during moves across different filesystem boundaries. The utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than the source's metadata. This flaw breaks backups and migrations, causing files moved by a privileged user (e.g., root) to become root-owned unexpectedly, which can lead to information disclosure or restricted access for the intended owners.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35351
CVE-2026-35352 on Ubuntu 26.04 LTS (resolute) - medium
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35352
CVE-2026-35354 on Ubuntu 26.04 LTS (resolute) - medium
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with write access to the directory can exploit this race to swap files between calls, causing the destination file to receive an inconsistent mix of security xattrs, such as SELinux labels or file capabilities.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35354
CVE-2026-35357 on Ubuntu 26.04 LTS (resolute) - medium
The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35357
CVE-2026-35359 on Ubuntu 26.04 LTS (resolute) - medium
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35359
CVE-2026-35360 on Ubuntu 26.04 LTS (resolute) - medium
The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35360
CVE-2026-35363 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms intended to protect the current directory. While the utility correctly refuses to delete . or .., it fails to recognize equivalent paths with trailing slashes, such as ./ or .///. An accidental or malicious execution of rm -rf ./ results in the silent recursive deletion of all contents within the current directory. The command further obscures the data loss by reporting a misleading 'Invalid input' error, which may cause users to miss the critical window for data recovery.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35363
CVE-2026-35364 on Ubuntu 26.04 LTS (resolute) - medium
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35364
CVE-2026-35367 on Ubuntu 26.04 LTS (resolute) - medium
The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (0644). In multi-user environments, this allows any user on the system to read the captured stdout/stderr output of a command, potentially exposing sensitive information. This behavior diverges from GNU coreutils, which creates nohup.out with owner-only (0600) permissions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35367
CVE-2026-35368 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35368
CVE-2026-35370 on Ubuntu 26.04 LTS (resolute) - medium
The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes rely on the output of id to make security-critical access-control or permission decisions, this discrepancy can lead to unauthorized access or security misconfigurations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35370
CVE-2026-35371 on Ubuntu 26.04 LTS (resolute) - medium
The id utility in uutils coreutils exhibits incorrect behavior in its "pretty print" output when the real UID and effective UID differ. The implementation incorrectly uses the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in misleading diagnostic output that can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35371
CVE-2026-35373 on Ubuntu 26.04 LTS (resolute) - medium
A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms (e.g., ln SOURCE... DIRECTORY). While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation enforces UTF-8 encoding, resulting in a failure to stat the file and a non-zero exit code. In environments where automated scripts or system tasks process valid but non-UTF-8 filenames common on Unix filesystems, this divergence causes the utility to fail, leading to a local denial of service for those specific operations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35373
CVE-2026-35374 on Ubuntu 26.04 LTS (resolute) - medium
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data loss by checking for identity between input and output files using their file paths before initiating the split operation. However, the utility subsequently opens the output file with truncation after this path-based validation is complete. A local attacker with write access to the directory can exploit this race window by manipulating mutable path components (e.g., swapping a path with a symbolic link). This can cause split to truncate and write to an unintended target file, potentially including the input file itself or other sensitive files accessible to the process, leading to permanent data loss.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35374
CVE-2026-35377 on Ubuntu 26.04 LTS (resolute) - medium
A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S (split-string) option. In GNU env, backslashes within single quotes are treated literally (with the exceptions of \\ and \'). However, the uutils implementation incorrectly attempts to validate these sequences, resulting in an "invalid sequence" error and an immediate process termination with an exit status of 125 when encountering valid but unrecognized sequences like \a or \x. This divergence from GNU behavior breaks compatibility for automated scripts and administrative workflows that rely on standard split-string semantics, leading to a local denial of service for those operations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 17:16:00 UTC
CVE-2026-35377
CVE-2026-35385 on Ubuntu 26.04 LTS (resolute) - medium
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
Update Instructions:
Run `sudo pro fix CVE-2026-35385` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openssh-client - 1:10.2p1-2ubuntu3.2
openssh-client-gssapi - 1:10.2p1-2ubuntu3.2
openssh-server - 1:10.2p1-2ubuntu3.2
openssh-server-gssapi - 1:10.2p1-2ubuntu3.2
openssh-sftp-server - 1:10.2p1-2ubuntu3.2
openssh-tests - 1:10.2p1-2ubuntu3.2
ssh - 1:10.2p1-2ubuntu3.2
ssh-askpass-gnome - 1:10.2p1-2ubuntu3.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 17:16:00 UTC
2026-04-02 17:16:00 UTC
Christos Papakonstantinou
[https://ubuntu.com/security/notices/USN-8222-1]
CVE-2026-35385
CVE-2026-35386 on Ubuntu 26.04 LTS (resolute) - medium
In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.
Update Instructions:
Run `sudo pro fix CVE-2026-35386` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openssh-client - 1:10.2p1-2ubuntu3.2
openssh-client-gssapi - 1:10.2p1-2ubuntu3.2
openssh-server - 1:10.2p1-2ubuntu3.2
openssh-server-gssapi - 1:10.2p1-2ubuntu3.2
openssh-sftp-server - 1:10.2p1-2ubuntu3.2
openssh-tests - 1:10.2p1-2ubuntu3.2
ssh - 1:10.2p1-2ubuntu3.2
ssh-askpass-gnome - 1:10.2p1-2ubuntu3.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 17:16:00 UTC
2026-04-02 17:16:00 UTC
Florian Kohnhäuser
[https://ubuntu.com/security/notices/USN-8222-1]
CVE-2026-35386
CVE-2026-35387 on Ubuntu 26.04 LTS (resolute) - medium
OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.
Update Instructions:
Run `sudo pro fix CVE-2026-35387` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openssh-client - 1:10.2p1-2ubuntu3.2
openssh-client-gssapi - 1:10.2p1-2ubuntu3.2
openssh-server - 1:10.2p1-2ubuntu3.2
openssh-server-gssapi - 1:10.2p1-2ubuntu3.2
openssh-sftp-server - 1:10.2p1-2ubuntu3.2
openssh-tests - 1:10.2p1-2ubuntu3.2
ssh - 1:10.2p1-2ubuntu3.2
ssh-askpass-gnome - 1:10.2p1-2ubuntu3.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 17:16:00 UTC
2026-04-02 17:16:00 UTC
Christos Papakonstantinou
[https://ubuntu.com/security/notices/USN-8222-1]
CVE-2026-35387
CVE-2026-35388 on Ubuntu 26.04 LTS (resolute) - medium
OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.
Update Instructions:
Run `sudo pro fix CVE-2026-35388` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openssh-client - 1:10.2p1-2ubuntu3.2
openssh-client-gssapi - 1:10.2p1-2ubuntu3.2
openssh-server - 1:10.2p1-2ubuntu3.2
openssh-server-gssapi - 1:10.2p1-2ubuntu3.2
openssh-sftp-server - 1:10.2p1-2ubuntu3.2
openssh-tests - 1:10.2p1-2ubuntu3.2
ssh - 1:10.2p1-2ubuntu3.2
ssh-askpass-gnome - 1:10.2p1-2ubuntu3.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 17:16:00 UTC
2026-04-02 17:16:00 UTC
Michalis Vasileiadis
[https://ubuntu.com/security/notices/USN-8222-1]
CVE-2026-35388
CVE-2026-35397 on Ubuntu 26.04 LTS (resolute) - medium
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured root_dir and access sibling directories whose names begin with the same prefix as the root_dir. For example, with a root_dir named "test", the API permits access to a sibling directory named "testtest" through a crafted request to the /api/contents endpoint using encoded path components. An attacker can read, write, and delete files in affected sibling directories. Multi-tenant deployments using predictable naming schemes are particularly at risk, as a user with a directory named "user1" could access directories for user10 through user19 and beyond. A user who can choose a single-character folder name could gain access to a significant number of sibling directories. Version 2.18.0 contains a fix. As a workaround, ensure folder names do not share a common prefix with any sibling directory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 20:16:00 UTC
CVE-2026-35397
CVE-2026-35406 on Ubuntu 26.04 LTS (resolute) - medium
Aardvark-dns is an authoritative dns server for A/AAAA container records. From 1.16.0 to 1.17.0, a truncated TCP DNS query followed by a connection reset causes aardvark-dns to enter an unrecoverable infinite error loop at 100% CPU. This vulnerability is fixed in 1.17.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 22:16:00 UTC
CVE-2026-35406
CVE-2026-35414 on Ubuntu 26.04 LTS (resolute) - medium
OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
Update Instructions:
Run `sudo pro fix CVE-2026-35414` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openssh-client - 1:10.2p1-2ubuntu3.2
openssh-client-gssapi - 1:10.2p1-2ubuntu3.2
openssh-server - 1:10.2p1-2ubuntu3.2
openssh-server-gssapi - 1:10.2p1-2ubuntu3.2
openssh-sftp-server - 1:10.2p1-2ubuntu3.2
openssh-tests - 1:10.2p1-2ubuntu3.2
ssh - 1:10.2p1-2ubuntu3.2
ssh-askpass-gnome - 1:10.2p1-2ubuntu3.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 18:16:00 UTC
2026-04-02 18:16:00 UTC
Vladimir Tokarev
[https://ubuntu.com/security/notices/USN-8222-1]
CVE-2026-35414
CVE-2026-35444 on Ubuntu 26.04 LTS (resolute) - medium
SDL_image is a library to load images of various formats as SDL surfaces. In do_layer_surface() in src/IMG_xcf.c, pixel index values from decoded XCF tile data are used directly as colormap indices without validating them against the colormap size (cm_num). A crafted .xcf file with a small colormap and out-of-range pixel indices causes heap out-of-bounds reads of up to 762 bytes past the colormap allocation. Both IMAGE_INDEXED code paths are affected (bpp=1 and bpp=2). The leaked heap bytes are written into the output surface pixel data, making them potentially observable in the rendered image. This vulnerability is fixed with commit 996bf12888925932daace576e09c3053410896f8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-06 22:16:00 UTC
CVE-2026-35444
CVE-2026-3547 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained an out-of-bounds read in ALPN handling when built with ALPN enabled (HAVE_ALPN / --enable-alpn). A crafted ALPN protocol list could trigger an out-of-bounds read, leading to a potential process crash (denial of service). Note that ALPN is disabled by default, but is enabled for these 3rd party compatibility features: enable-apachehttpd, enable-bind, enable-curl, enable-haproxy, enable-hitch, enable-lighty, enable-jni, enable-nginx, enable-quic.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 21:17:00 UTC
CVE-2026-3547
CVE-2026-3548 on Ubuntu 26.04 LTS (resolute) - medium
Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsing CRL numbers: a heap-based buffer overflow could occur when improperly storing the CRL number as a hexadecimal string, and a stack-based overflow for sufficiently sized CRL numbers. With appropriately crafted CRLs, either of these out of bound writes could be triggered. Note this only affects builds that specifically enable CRL support, and the user would need to load a CRL from an untrusted source.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 18:16:00 UTC
CVE-2026-3548
CVE-2026-3549 on Ubuntu 26.04 LTS (resolute) - medium
Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ECH extension parsing logic when calculating a buffer length, which resulted in writing beyond the bounds of an allocated buffer. Note that in wolfSSL, ECH is off by default, and the ECH standard is still evolving.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 21:17:00 UTC
CVE-2026-3549
CVE-2026-35512 on Ubuntu 26.04 LTS (resolute) - medium
xrdp is an open source RDP server. Versions through 0.10.5 have a heap-based buffer overflow in the EGFX (graphics dynamic virtual channel) implementation due to insufficient validation of client-controlled size parameters, allowing an out-of-bounds write via crafted PDUs. Pre-authentication exploitation can crash the process, while post-authentication exploitation may achieve remote code execution. This issue has been fixed in version 0.10.6. If users are unable to immediately update, they should run xrdp as a non-privileged user (default since 0.10.2) to limit the impact of successful exploitation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134339
CVE-2026-35512
CVE-2026-35527 on Ubuntu 26.04 LTS (resolute) - medium
Incus is an open source container and virtual machine manager. In versions prior to 7.0.0, the image import flow issues an outbound HEAD request to a user-supplied URL before validating the request against project restrictions such as restricted.images.servers. The imgPostURLInfo function constructs and sends a HEAD request directly from the attacker-supplied source URL to resolve image metadata, and this network interaction occurs before the flow reaches the point where the import would be rejected by policy. Although the actual image download is blocked by the project restriction, an authenticated user can coerce the daemon into making blind HEAD requests to arbitrary destinations. These requests include server metadata in custom headers (Incus-Server-Architectures, Incus-Server-Version), which discloses information about the host environment to the attacker-controlled endpoint. This blind SSRF primitive can be used to probe internal services, unroutable address space, or cloud metadata endpoints reachable from the host. This vulnerability pattern is similar to CVE-2026-24767. This issue has been fixed in version 7.0.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 21:16:00 UTC
CVE-2026-35527
CVE-2026-35536 on Ubuntu 26.04 LTS (resolute) - medium
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.
Update Instructions:
Run `sudo pro fix CVE-2026-35536` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-tornado - 6.5.4-0.1ubuntu0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 04:16:00 UTC
2026-04-03 04:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132367
[https://ubuntu.com/security/notices/USN-8198-1]
[https://ubuntu.com/security/notices/USN-8198-2]
CVE-2026-35536
CVE-2026-35537 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 04:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131182
CVE-2026-35537
CVE-2026-35538 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 05:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131182
CVE-2026-35538
CVE-2026-35539 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 05:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131182
CVE-2026-35539
CVE-2026-35540 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 05:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131182
CVE-2026-35540
CVE-2026-35541 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 05:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131182
CVE-2026-35541
CVE-2026-35542 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 05:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131182
CVE-2026-35542
CVE-2026-35543 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content (with animate attributes) in an e-mail message. This may lead to information disclosure or access-control bypass.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 05:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131182
CVE-2026-35543
CVE-2026-35544 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 05:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131182
CVE-2026-35544
CVE-2026-35545 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-03 05:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132268
CVE-2026-35545
CVE-2026-35587 on Ubuntu 26.04 LTS (resolute) - medium
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation. An attacker who can modify the Glances configuration can force the application to send requests to arbitrary internal or external endpoints. Additionally, when public_username and public_password are set, Glances automatically includes these credentials in the Authorization: Basic header, resulting in credential leakage to attacker-controlled servers. This vulnerability can be exploited to access internal network services, retrieve sensitive data from cloud metadata endpoints, and/or exfiltrate credentials via outbound HTTP requests. The issue arises because public_api is passed directly to the HTTP client (urlopen_auth) without validation, allowing unrestricted outbound connections and unintended disclosure of sensitive information. Version 4.5.4 contains a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 00:16:00 UTC
CVE-2026-35587
CVE-2026-35588 on Ubuntu 26.04 LTS (resolute) - medium
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Cassandra export module (`glances/exports/glances_cassandra/__init__.py`) interpolates `keyspace`, `table`, and `replication_factor` configuration values directly into CQL statements without validation. A user with write access to `glances.conf` can redirect all monitoring data to an attacker-controlled Cassandra keyspace. Version 4.5.4 contains a fix.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 00:16:00 UTC
CVE-2026-35588
CVE-2026-35611 on Ubuntu 26.04 LTS (resolute) - medium
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking. Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables. When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. This vulnerability is fixed in 2.9.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 17:16:00 UTC
CVE-2026-35611
CVE-2026-3579 on Ubuntu 26.04 LTS (resolute) - medium
wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. The compiler-inserted __muldi3 subroutine executes in variable time based on operand values. This affects multiple SP math functions (sp_256_mul_9, sp_256_sqr_9, etc.), leading to a timing side-channel that may expose sensitive cryptographic data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 20:16:00 UTC
CVE-2026-3579
CVE-2026-3580 on Ubuntu 26.04 LTS (resolute) - medium
In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optimized into conditional branches (bnez) by GCC when targeting RISC-V RV32I with -O3. This transformation breaks the side-channel resistance of ECC scalar multiplication, potentially allowing a local attacker to recover secret keys via timing analysis.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 20:16:00 UTC
CVE-2026-3580
CVE-2026-3591 on Ubuntu 26.04 LTS (resolute) - medium
A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-25
2026-03-25
Mcsky23
[https://ubuntu.com/security/notices/USN-8124-1]
CVE-2026-3591
CVE-2026-3592 on Ubuntu 26.04 LTS (resolute) - medium
Amplification vulnerabilities via self-pointed glue records
Update Instructions:
Run `sudo pro fix CVE-2026-3592` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.20.18-1ubuntu2.1
bind9-dnsutils - 1:9.20.18-1ubuntu2.1
bind9-host - 1:9.20.18-1ubuntu2.1
bind9-libs - 1:9.20.18-1ubuntu2.1
bind9-utils - 1:9.20.18-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
2026-05-20
mdeslaur(main)
Shuhan Zhang
[https://ubuntu.com/security/notices/USN-8293-1]
CVE-2026-3592
CVE-2026-3593 on Ubuntu 26.04 LTS (resolute) - medium
Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation
Update Instructions:
Run `sudo pro fix CVE-2026-3593` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.20.18-1ubuntu2.1
bind9-dnsutils - 1:9.20.18-1ubuntu2.1
bind9-host - 1:9.20.18-1ubuntu2.1
bind9-libs - 1:9.20.18-1ubuntu2.1
bind9-utils - 1:9.20.18-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
2026-05-20
mdeslaur(main)
Naresh Kandula Parmar
[https://ubuntu.com/security/notices/USN-8293-1]
CVE-2026-3593
CVE-2026-3606 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in Ettercap 0.8.4-Garofalo. Affected by this vulnerability is the function add_data_segment of the file src/ettercap/utils/etterfilter/ef_output.c of the component etterfilter. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-05 22:16:00 UTC
CVE-2026-3606
CVE-2026-3632 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this to perform HTTP smuggling, where they can send hidden, malicious requests alongside legitimate ones. In certain situations, this could lead to Server-Side Request Forgery (SSRF), enabling an attacker to force the server to make unauthorized requests to other internal or external systems. The impact is low, as SoupServer is not actually used in internet infrastructure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-17 10:16:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2445127
https://gitlab.gnome.org/GNOME/libsoup/-/issues/483
CVE-2026-3632
CVE-2026-3633 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-17 10:16:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2445128
https://gitlab.gnome.org/GNOME/libsoup/-/issues/484
CVE-2026-3633
CVE-2026-3634 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type header can inject a Carriage Return Line Feed (CRLF) sequence due to improper input sanitization in the `soup_message_headers_set_content_type()` function. This vulnerability allows for the injection of arbitrary header-value pairs, potentially leading to HTTP header injection and response splitting attacks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-17 10:16:00 UTC
https://gitlab.gnome.org/GNOME/libsoup/-/issues/485
https://gitlab.gnome.org/GNOME/libsoup/-/issues/486 (dupe, or similar?)
https://bugzilla.redhat.com/show_bug.cgi?id=2445129
CVE-2026-3634
CVE-2026-3644 on Ubuntu 26.04 LTS (resolute) - medium
The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 18:16:00 UTC
CVE-2026-3644
CVE-2026-3650 on Ubuntu 26.04 LTS (resolute) - medium
A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without properly releasing it.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132042
CVE-2026-3650
CVE-2026-3706 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was determined in mkj Dropbear up to 2025.89. Impacted is the function unpackneg of the file src/curve25519.c of the component S Range Check. This manipulation causes improper verification of cryptographic signature. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. Patch name: fdec3c90a15447bd538641d85e5a3e3ac981011d. To fix this issue, it is recommended to deploy a patch. The project maintainer explains: "Signature Malleability is not exploitable in SSH protocol. (...) [A] PoC doesn't exist for SSH implementation, but rather it's against the internal API."
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-08 05:16:00 UTC
CVE-2026-3706
CVE-2026-3731 on Ubuntu 26.04 LTS (resolute) - medium
A weakness has been identified in libssh up to 0.11.3. The impacted element is the function sftp_extensions_get_name/sftp_extensions_get_data of the file src/sftp.c of the component SFTP Extension Name Handler. Executing a manipulation of the argument idx can lead to out-of-bounds read. The attack may be performed from remote. Upgrading to version 0.11.4 and 0.12.0 is sufficient to resolve this issue. This patch is called 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60. You should upgrade the affected component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-08 11:15:00 UTC
2026-03-08 11:15:00 UTC
iconstantin
[https://ubuntu.com/security/notices/USN-8093-1]
CVE-2026-3731
CVE-2026-37457 on Ubuntu 26.04 LTS (resolute) - medium
An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 18:16:00 UTC
CVE-2026-37457
CVE-2026-37458 on Ubuntu 26.04 LTS (resolute) - medium
Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denial of Service (DoS) via supplying a crafted UPDATE message.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 16:16:00 UTC
CVE-2026-37458
CVE-2026-37459 on Ubuntu 26.04 LTS (resolute) - medium
An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 18:16:00 UTC
CVE-2026-37459
CVE-2026-37461 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 17:16:00 UTC
CVE-2026-37461
CVE-2026-37555 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-29 16:16:00 UTC
CVE-2026-37555
CVE-2026-3783 on Ubuntu 26.04 LTS (resolute) - medium
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.
Update Instructions:
Run `sudo pro fix CVE-2026-3783` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
curl - 8.18.0-1ubuntu2
libcurl3t64-gnutls - 8.18.0-1ubuntu2
libcurl4t64 - 8.18.0-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-11 18:00:00 UTC
2026-03-11 18:00:00 UTC
[https://ubuntu.com/security/notices/USN-8084-1]
[https://ubuntu.com/security/notices/USN-8099-1]
CVE-2026-3783
CVE-2026-3784 on Ubuntu 26.04 LTS (resolute) - low
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.
Update Instructions:
Run `sudo pro fix CVE-2026-3784` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
curl - 8.18.0-1ubuntu2
libcurl3t64-gnutls - 8.18.0-1ubuntu2
libcurl4t64 - 8.18.0-1ubuntu2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-03-11 18:00:00 UTC
2026-03-11 18:00:00 UTC
Muhamad Arga Reksapati
[https://ubuntu.com/security/notices/USN-8084-1]
[https://ubuntu.com/security/notices/USN-8099-1]
CVE-2026-3784
CVE-2026-3832 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.
Update Instructions:
Run `sudo pro fix CVE-2026-3832` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.12-2ubuntu1.1
libgnutls-dane0t64 - 3.8.12-2ubuntu1.1
libgnutls-openssl27t64 - 3.8.12-2ubuntu1.1
libgnutls30t64 - 3.8.12-2ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 18:16:00 UTC
2026-04-30 18:16:00 UTC
Oleh Konko, Joshua Rogers
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135319
https://gitlab.com/gnutls/gnutls/-/issues/1801
https://gitlab.com/gnutls/gnutls/-/issues/1812
[https://ubuntu.com/security/notices/USN-8284-1]
CVE-2026-3832
CVE-2026-3833 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.
Update Instructions:
Run `sudo pro fix CVE-2026-3833` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.12-2ubuntu1.1
libgnutls-dane0t64 - 3.8.12-2ubuntu1.1
libgnutls-openssl27t64 - 3.8.12-2ubuntu1.1
libgnutls30t64 - 3.8.12-2ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 18:16:00 UTC
2026-04-30 18:16:00 UTC
Oleh Konko, Joshua Rogers
https://gitlab.com/gnutls/gnutls/-/work_items/1223
https://gitlab.com/gnutls/gnutls/-/issues/1803
https://gitlab.com/gnutls/gnutls/-/issues/1852
[https://ubuntu.com/security/notices/USN-8284-1]
CVE-2026-3833
CVE-2026-3836 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-26
CVE-2026-3836
CVE-2026-3842 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20
2026-03-20
fabian
[https://ubuntu.com/security/notices/USN-8161-1]
CVE-2026-3842
CVE-2026-3849 on Ubuntu 26.04 LTS (resolute) - medium
Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. A vulnerability existed in wolfSSL 5.8.4 ECH (Encrypted Client Hello) support, where a maliciously crafted ECH config could cause a stack buffer overflow on the client side, leading to potential remote execution and client program crash. This could be exploited by a malicious TLS server supporting ECH. Note that ECH is off by default, and is only enabled with enable-ech.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 21:17:00 UTC
CVE-2026-3849
CVE-2026-3884 on Ubuntu 26.04 LTS (resolute) - medium
Versions of the package spin.js before 3.0.0 are vulnerable to Cross-site Scripting (XSS) via the spin() function that allows a creation of more than 1 alert for each 'target' element. An attacker would need to set an arbitrary key-value pair on Object.prototype through a crafted URL achieving a prototype pollution first, before being able to execute arbitrary JavaScript in the context of the user's browser.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-11 06:17:00 UTC
CVE-2026-3884
CVE-2026-3888 on Ubuntu 26.04 LTS (resolute) - high
Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.
Update Instructions:
Run `sudo pro fix CVE-2026-3888` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
snapd - 2.74.1+ubuntu26.04.3
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-03-17 14:00:00 UTC
2026-03-17 14:00:00 UTC
Qualys
[https://ubuntu.com/security/notices/USN-8102-1]
[https://ubuntu.com/security/notices/USN-8102-2]
CVE-2026-3888
CVE-2026-3890 on Ubuntu 26.04 LTS (resolute) - medium
[hcd-ohci: infinite loop]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23
CVE-2026-3890
CVE-2026-3906 on Ubuntu 26.04 LTS (resolute) - medium
WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-11 10:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131148
CVE-2026-3906
CVE-2026-39087 on Ubuntu 26.04 LTS (resolute) - medium
ntfy before 2.22.0 allows SSRF because of an unanchored regular expression.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 16:16:00 UTC
CVE-2026-39087
CVE-2026-39304 on Ubuntu 26.04 LTS (resolute) - medium
Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS. Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well. This issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 11:16:00 UTC
CVE-2026-39304
CVE-2026-39314 on Ubuntu 26.04 LTS (resolute) - medium
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, an integer underflow vulnerability in _ppdCreateFromIPP() (cups/ppd-cache.c) allows any unprivileged local user to crash the cupsd root process by supplying a negative job-password-supported IPP attribute. The bounds check only caps the upper bound, so a negative value passes validation, is cast to size_t (wrapping to ~2^64), and is used as the length argument to memset() on a 33-byte stack buffer. This causes an immediate SIGSEGV in the cupsd root process. Combined with systemd's Restart=on-failure, an attacker can repeat the crash for sustained denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 17:16:00 UTC
mdeslaur(main)
Tomer Fichman
CVE-2026-39314
CVE-2026-39316 on Ubuntu 26.04 LTS (resolute) - medium
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a use-after-free vulnerability exists in the CUPS scheduler (cupsd) when temporary printers are automatically deleted. cupsdDeleteTemporaryPrinters() in scheduler/printers.c calls cupsdDeletePrinter() without first expiring subscriptions that reference the printer, leaving cupsd_subscription_t.dest as a dangling pointer to freed heap memory. The dangling pointer is subsequently dereferenced at multiple code sites, causing a crash (denial of service) of the cupsd daemon. With heap grooming, this can be leveraged for code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 17:16:00 UTC
mdeslaur(main)
Tomer Fichman
CVE-2026-39316
CVE-2026-39324 on Ubuntu 26.04 LTS (resolute) - medium
Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2.
Update Instructions:
Run `sudo pro fix CVE-2026-39324` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
ruby-rack-session - 2.1.1-0.1ubuntu0.26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 18:16:00 UTC
2026-04-07 18:16:00 UTC
[https://ubuntu.com/security/notices/USN-8190-1]
[https://ubuntu.com/security/notices/USN-8190-2]
CVE-2026-39324
CVE-2026-39373 on Ubuntu 26.04 LTS (resolute) - medium
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 20:16:00 UTC
CVE-2026-39373
CVE-2026-39377 on Ubuntu 26.04 LTS (resolute) - medium
The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The `ExtractAttachmentsPreprocessor` passes attachment filenames directly to the filesystem without sanitization, enabling path traversal attacks. This vulnerability provides complete control over both the destination path and file extension. Version 7.17.1 contains a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 01:16:00 UTC
CVE-2026-39377
CVE-2026-39378 on Ubuntu 26.04 LTS (resolute) - medium
The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when `HTMLExporter.embed_images=True`, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML. nbconvert 7.17.1 contains a fix. As a workaround, do not enable `HTMLExporter.embed_images`; it is not enabled by default.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 01:16:00 UTC
CVE-2026-39378
CVE-2026-39395 on Ubuntu 26.04 LTS (resolute) - medium
Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely. This vulnerability is fixed in 3.0.6 and 2.6.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 20:16:00 UTC
CVE-2026-39395
CVE-2026-39402 on Ubuntu 26.04 LTS (resolute) - medium
lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an unprivileged user to delete OVS-attached network interfaces belonging to other users. When lxc-user-nic delete scans its NIC database to authorize a deletion request, the interface name comparison can set the authorization flag based on a name match alone, even when the ownership, type, and link fields in that database entry belong to a different user. The vulnerable check sits after the goto next label handling, meaning it is reachable on lines where earlier ownership checks failed or were skipped. Because nothing downstream of this authorization signal re-verifies that the matched database line actually belongs to the caller, an unprivileged attacker with a valid lxc-usernet policy entry can trigger deletion of another user's OVS port on the same bridge. This is limited to multi-tenant environments using lxc-user-nic with OpenVSwitch bridges. The impact is denial of service - one tenant can repeatedly disconnect networking from containers run by another tenant on shared infrastructure. This is patched in version 7.0.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 21:16:00 UTC
CVE-2026-39402
CVE-2026-3945 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service (DoS). The issue occurs because chunk size values are parsed using strtol() without properly validating overflow conditions (e.g., errno == ERANGE). A crafted chunk size such as 0x7fffffffffffffff (LONG_MAX) bypasses the existing validation check (chunklen < 0), leading to a signed integer overflow during arithmetic operations (chunklen + 2). This results in incorrect size calculations, causing the proxy to attempt reading an extremely large amount of request-body data and holding worker connections open indefinitely. An attacker can exploit this behavior to exhaust all available worker slots, preventing new connections from being accepted and causing complete service unavailability. Upstream addressed this issue in commit bb7edc4; however, the latest stable release (1.11.3) remains affected at the time of publication.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 08:16:00 UTC
CVE-2026-3945
CVE-2026-3950 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was identified in strukturag libheif up to 1.21.2. This impacts the function Track::load of the file libheif/sequences/track.cc of the component stsz/stts. The manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit is publicly available and might be used. Applying a patch is the recommended action to fix this issue. The patch available is unofficial and not approved yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-11 20:16:00 UTC
https://github.com/strukturag/libheif/issues/1715
CVE-2026-3950
CVE-2026-3979 on Ubuntu 26.04 LTS (resolute) - medium
A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the function js_iterator_concat_return of the file quickjs.c. This manipulation causes use after free. The attack requires local access. The exploit has been published and may be used. Patch name: daab4ad4bae4ef071ed0294618d6244e92def4cd. Applying a patch is the recommended action to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 04:16:00 UTC
CVE-2026-3979
CVE-2026-39817 on Ubuntu 26.04 LTS (resolute) - medium
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 20:16:00 UTC
CVE-2026-39817
CVE-2026-39819 on Ubuntu 26.04 LTS (resolute) - medium
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 20:16:00 UTC
CVE-2026-39819
CVE-2026-39820 on Ubuntu 26.04 LTS (resolute) - medium
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 20:16:00 UTC
CVE-2026-39820
CVE-2026-39823 on Ubuntu 26.04 LTS (resolute) - medium
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 20:16:00 UTC
CVE-2026-39823
CVE-2026-39825 on Ubuntu 26.04 LTS (resolute) - medium
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 20:16:00 UTC
CVE-2026-39825
CVE-2026-39826 on Ubuntu 26.04 LTS (resolute) - medium
If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 20:16:00 UTC
CVE-2026-39826
CVE-2026-39836 on Ubuntu 26.04 LTS (resolute) - medium
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 20:16:00 UTC
CVE-2026-39836
CVE-2026-39860 on Ubuntu 26.04 LTS (resolute) - medium
Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlinks during fixed-output derivation output registration. This affects sandboxed Linux builds - sandboxed macOS builds are unaffected. The location of the temporary output used for the output copy was located inside the build chroot. A symlink, pointing to an arbitrary location in the filesystem, could be created by the derivation builder at that path. During output registration, the Nix process (running in the host mount namespace) would follow that symlink and overwrite the destination with the derivation's output contents. In multi-user installations, this allows all users able to submit builds to the Nix daemon (allowed-users - defaulting to all users) to gain root privileges by modifying sensitive files. This vulnerability is fixed in 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-08 21:17:00 UTC
CVE-2026-39860
CVE-2026-39863 on Ubuntu 26.04 LTS (resolute) - medium
Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.1.1, 6.0.6, and 5.8.8, an out-of-bounds access in the core of Kamailio (formerly OpenSER and SER) allows remote attackers to cause a denial of service (process crash) via a specially crafted data packet sent over TCP. The issue impacts Kamailio instances having TCP or TLS listeners. This vulnerability is fixed in 5.1.1, 6.0.6, and 5.8.8.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-08 20:16:00 UTC
CVE-2026-39863
CVE-2026-39881 on Ubuntu 26.04 LTS (resolute) - medium
Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.
Update Instructions:
Run `sudo pro fix CVE-2026-39881` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
vim - 2:9.1.2141-1ubuntu4.1
vim-common - 2:9.1.2141-1ubuntu4.1
vim-gtk3 - 2:9.1.2141-1ubuntu4.1
vim-gui-common - 2:9.1.2141-1ubuntu4.1
vim-motif - 2:9.1.2141-1ubuntu4.1
vim-nox - 2:9.1.2141-1ubuntu4.1
vim-runtime - 2:9.1.2141-1ubuntu4.1
vim-tiny - 2:9.1.2141-1ubuntu4.1
xxd - 2:9.1.2141-1ubuntu4.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-08 21:17:00 UTC
2026-04-08 21:17:00 UTC
federicoquattrin
[https://ubuntu.com/security/notices/USN-8213-1]
[https://ubuntu.com/security/notices/USN-8246-1]
CVE-2026-39881
CVE-2026-3994 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was detected in rui314 mold up to 2.40.4. This issue affects the function mold::ObjectFilemold::X86_64::initialize_sections of the file src/input-files.cc of the component Object File Handler. Performing a manipulation results in heap-based buffer overflow. Attacking locally is a requirement. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-12 06:16:00 UTC
CVE-2026-3994
CVE-2026-39956 on Ubuntu 26.04 LTS (resolute) - medium
jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.
Update Instructions:
Run `sudo pro fix CVE-2026-39956` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
jq - 1.8.1-4ubuntu2
libjq1 - 1.8.1-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 23:16:00 UTC
2026-04-13 23:16:00 UTC
[https://ubuntu.com/security/notices/USN-8202-1]
[https://ubuntu.com/security/notices/USN-8202-2]
CVE-2026-39956
CVE-2026-39973 on Ubuntu 26.04 LTS (resolute) - medium
Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in `brut/androlib/res/decoder/ResFileDecoder.java` allows a maliciously crafted APK to write arbitrary files to the filesystem during standard decoding (`apktool d`). This is a security regression introduced in commit e10a045 (PR #4041, December 12, 2025), which removed the `BrutIO.sanitizePath()` call that previously prevented path traversal in resource file output paths. An attacker can embed `../` sequences in the `resources.arsc` Type String Pool to escape the output directory and write files to arbitrary locations, including `~/.ssh/config`, `~/.bashrc`, or Windows Startup folders, escalating to RCE. The fix in version 3.0.2 re-introduces `BrutIO.sanitizePath()` in `ResFileDecoder.java` before file write operations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 02:16:00 UTC
CVE-2026-39973
CVE-2026-39977 on Ubuntu 26.04 LTS (resolute) - medium
flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.4.8, the license-files manifest key takes an array of paths to user defined licence files relative to the source directory of the module. The paths from that array are resolved using g_file_resolve_relative_path() and validated to stay inside the source directory using two checks - g_file_get_relative_path() which does not resolve symlinks and g_file_query_file_type() with G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS which only applies to the final path component. The copy operation runs on host. This can be exploited by using a crafted manifest and/or source to read arbitrary files from the host and capture them into the build output. This vulnerability is fixed in 1.4.8.
Update Instructions:
Run `sudo pro fix CVE-2026-39977` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
flatpak-builder - 1.4.8-1
flatpak-builder-tests - 1.4.8-1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133099
CVE-2026-39977
CVE-2026-39979 on Ubuntu 26.04 LTS (resolute) - medium
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
Update Instructions:
Run `sudo pro fix CVE-2026-39979` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
jq - 1.8.1-4ubuntu2
libjq1 - 1.8.1-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 23:16:00 UTC
2026-04-13 23:16:00 UTC
[https://ubuntu.com/security/notices/USN-8202-1]
[https://ubuntu.com/security/notices/USN-8202-2]
CVE-2026-39979
CVE-2026-39983 on Ubuntu 26.04 LTS (resolute) - medium
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 18:17:00 UTC
CVE-2026-39983
CVE-2026-40016 on Ubuntu 26.04 LTS (resolute) - medium
Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed version, or alternatively prevent direct access to Sieve scripts via ManageSieve or local access. No publicly available exploits are known.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 14:17:00 UTC
CVE-2026-40016
CVE-2026-40020 on Ubuntu 26.04 LTS (resolute) - medium
Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is limited to being able to spam folders to other users, no unexpected access is gained. Install to fixed version. No publicly available exploits are known.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 14:17:00 UTC
CVE-2026-40020
CVE-2026-40021 on Ubuntu 26.04 LTS (resolute) - medium
Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list and XmlLayoutSchemaLog4J https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list , in versions before 3.3.0, fail to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in MDC property keys and values, as well as the identity field that may carry attacker-influenced data. This causes an exception during serialization and the silent loss of the affected log event. An attacker who can influence any of these fields can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity. Users are advised to upgrade to Apache Log4net 3.3.0, which fixes this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 16:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133360
CVE-2026-40021
CVE-2026-40023 on Ubuntu 26.04 LTS (resolute) - medium
Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in log messages, NDC, and MDC property keys and values, producing invalid XML output. Conforming XML parsers must reject such documents with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. An attacker who can influence logged data can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity. Users are advised to upgrade to Apache Log4cxx 1.7.0, which fixes this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 16:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133368
CVE-2026-40023
CVE-2026-40024 on Ubuntu 26.04 LTS (resolute) - medium
The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem image. An attacker can craft a malicious filesystem image with embedded /../ sequences in filenames that, when processed by tsk_recover, writes files outside the output directory, potentially achieving code execution by overwriting shell configuration or cron entries.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-08 22:16:00 UTC
CVE-2026-40024
CVE-2026-40025 on Ubuntu 26.04 LTS (resolute) - medium
The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped_key_parser class follows attacker-controlled length fields without bounds checking, causing heap reads past the allocated buffer. An attacker can craft a malicious APFS disk image that triggers information disclosure or crashes when processed by any Sleuth Kit tool that parses APFS volumes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-08 22:16:00 UTC
CVE-2026-40025
CVE-2026-40026 on Ubuntu 26.04 LTS (resolute) - medium
The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the ISO9660 filesystem parser where the parse_susp() function trusts len_id, len_des, and len_src fields from the disk image to memcpy data into a stack buffer without verifying that the source data falls within the parsed SUSP block. An attacker can craft a malicious ISO image that causes reads past the end of the SUSP data buffer, and a zero-length SUSP entry can trigger an infinite parsing loop.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-08 22:16:00 UTC
CVE-2026-40026
CVE-2026-40046 on Ubuntu 26.04 LTS (resolute) - medium
Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions. This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 17:16:00 UTC
CVE-2026-40046
CVE-2026-40110 on Ubuntu 26.04 LTS (resolute) - medium
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string and does not require a full match, a pattern intended to match only a trusted domain (e.g., trusted.example.com) will also match any origin that begins with that domain followed by additional characters (e.g., trusted.example.com.evil.com). An attacker who controls such a domain can bypass the CORS origin restriction and make cross-origin requests to the Jupyter Server API from an untrusted site. This issue has been fixed in version 2.18.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 22:16:00 UTC
CVE-2026-40110
CVE-2026-40164 on Ubuntu 26.04 LTS (resolute) - medium
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
Update Instructions:
Run `sudo pro fix CVE-2026-40164` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
jq - 1.8.1-4ubuntu2
libjq1 - 1.8.1-4ubuntu2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14 00:16:00 UTC
2026-04-14 00:16:00 UTC
[https://ubuntu.com/security/notices/USN-8202-1]
[https://ubuntu.com/security/notices/USN-8202-2]
CVE-2026-40164
CVE-2026-40169 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, a crafted image could result in an out of bounds heap write when writing a yaml or json output, resulting in a crash. This issue has been fixed in version 7.1.2-19.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 22:16:00 UTC
CVE-2026-40169
CVE-2026-40170 on Ubuntu 26.04 LTS (resolute) - medium
ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately upgrade, they can disable the qlog on client.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-16 22:16:00 UTC
CVE-2026-40170
CVE-2026-40171 on Ubuntu 26.04 LTS (resolute) - medium
In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-controlled notebook content to steal authentication tokens with a single click. An attacker can craft a malicious notebook file containing elements that appear indistinguishable from legitimate controls and trigger execution when a user interacts with them. Successful exploitation allows theft of the user's authentication token and complete takeover of the Jupyter session through the REST API, including reading files, creating or modifying files, accessing kernels to execute arbitrary code, and creating terminals for shell access. This issue has been fixed in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. As a workaround, disable the affected help extensions or set allowCommandLinker to false in the sanitizer configuration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 20:16:00 UTC
CVE-2026-40171
CVE-2026-40175 on Ubuntu 26.04 LTS (resolute) - medium
Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This vulnerability is fixed in 1.15.0 and 0.3.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 20:16:00 UTC
CVE-2026-40175
CVE-2026-40176 on Ubuntu 26.04 LTS (resolute) - medium
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository, leading to command execution in the context of the user running Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json or the composer config directory, so this cannot be exploited through composer.json files of packages installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-15 21:17:00 UTC
CVE-2026-40176
CVE-2026-40179 on Ubuntu 26.04 LTS (resolute) - medium
Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without escaping. In both the Mantine UI and old React UI, chart tooltips on the Graph page render metric names containing HTML/JavaScript without sanitization. In the old React UI, the Metric Explorer fuzzy search results use dangerouslySetInnerHTML without escaping, and heatmap cell tooltips interpolate le label values without sanitization. With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like <, >, and " are now valid in metric names and labels. An attacker who can inject metrics via a compromised scrape target, remote write, or OTLP receiver endpoint can execute arbitrary JavaScript in the browser of any Prometheus user who views the metric in the Graph UI, potentially enabling configuration exfiltration, data deletion, or Prometheus shutdown depending on enabled flags. This issue has been fixed in versions 3.5.2 and 3.11.2. If developers are unable to immediately update, the following workarounds are recommended: ensure that the remote write receiver (--web.enable-remote-write-receiver) and the OTLP receiver (--web.enable-otlp-receiver) are not exposed to untrusted sources; verify that all scrape targets are trusted and not under attacker control; avoid enabling admin or mutating API endpoints (e.g., --web.enable-admin-api or --web.enable-lifecycle) in environments where untrusted data may be ingested; and refrain from clicking untrusted links, particularly those containing functions such as label_replace, as they may generate poisoned label names and values.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-15 23:16:00 UTC
CVE-2026-40179
CVE-2026-40183 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, the JXL encoder has a heap write overflow when a user specifies that the image should be encoded as 16 bit floats. This issue has been fixed in version 7.1.2-19.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 22:16:00 UTC
CVE-2026-40183
CVE-2026-40192 on Ubuntu 26.04 LTS (resolute) - medium
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
Update Instructions:
Run `sudo pro fix CVE-2026-40192` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-pil - 12.1.1-2ubuntu1.1
python3-pil.imagetk - 12.1.1-2ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17
2026-04-17
[https://ubuntu.com/security/notices/USN-8211-1]
CVE-2026-40192
CVE-2026-40194 on Ubuntu 26.04 LTS (resolute) - medium
phpseclib is a PHP secure communications library. Starting in 0.1.1 and prior to 3.0.51, 2.0.53, and 1.0.28, phpseclib\Net\SSH2::get_binary_packet() uses PHP's != operator to compare a received SSH packet HMAC against the locally computed HMAC. != on equal-length binary strings in PHP uses memcmp(), which short-circuits on the first differing byte. This is a real variable-time comparison (CWE-208), proven by scaling benchmarks. This vulnerability is fixed in 3.0.51, 2.0.53, and 1.0.28.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 21:16:00 UTC
CVE-2026-40194
CVE-2026-40195 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage bucket import logic allows an authenticated user with access to the storage bucket feature to cause the Incus daemon to crash. The vulnerability is present in the backup metadata handling logic, where the daemon processes the index.yaml file from an imported archive and accesses members of the parsed backup configuration without first verifying that the configuration object was initialized. A malicious or malformed index.yaml that omits the config block causes a nil-pointer dereference during bucket import operations and terminates the daemon. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135644
CVE-2026-40195
CVE-2026-40197 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The custom volume backup import subsystem contains a nil-pointer dereference vulnerability during import operations. In the snapshot import loop, the daemon iterates over entries from `srcBackup.Config.VolumeSnapshots` and assumes that each slice element is initialized, then dereferences fields such as `Name`, `Config`, `Description`, `CreatedAt`, and `ExpiresAt` without first validating the element itself. Because the yaml unmarshaler accepts explicit null array elements from an attacker-controlled index.yaml and converts them into nil pointers inside the slice, an attacker can supply a backup archive containing a null entry in the volume_snapshots array. This causes a nil-pointer dereference during custom volume import and terminates the daemon, resulting in denial of service on the affected node. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135644
CVE-2026-40197
CVE-2026-40198 on Ubuntu 26.04 LTS (resolute) - medium
Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass. _pack_ipv6() does not check that uncompressed IPv6 addresses (without ::) have exactly 8 hex groups. Inputs like "abcd", "1:2:3", or "1:2:3:4:5:6:7" are accepted and produce packed values of wrong length (3, 7, or 15 bytes instead of 17). The packed values are used internally for mask and comparison operations. find() and bin_find() use Perl string comparison (lt/gt) on these values, and comparing strings of different lengths gives wrong results. This can cause find() to incorrectly report an address as inside or outside a range.
Example:
    my $cidr = Net::CIDR::Lite->new("::/8");
    $cidr->find("1:2:3"); # invalid input, incorrectly returns true
This is the same class of input validation issue as CVE-2021-47154 (IPv4 leading zeros) previously fixed in this module. See also CVE-2026-40199, a related issue in the same function affecting IPv4 mapped IPv6 addresses.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 22:16:00 UTC
CVE-2026-40198
CVE-2026-40199 on Ubuntu 26.04 LTS (resolute) - medium
Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass. _pack_ipv6() includes the sentinel byte from _pack_ipv4() when building the packed representation of IPv4 mapped addresses like ::ffff:192.168.1.1. This produces an 18 byte value instead of 17 bytes, misaligning the IPv4 part of the address. The wrong length causes incorrect results in mask operations (bitwise AND truncates to the shorter operand) and in find() / bin_find() which use Perl string comparison (lt/gt). This can cause find() to incorrectly match or miss addresses.
Example:
    my $cidr = Net::CIDR::Lite->new("::ffff:192.168.1.0/120");
    $cidr->find("::ffff:192.168.2.0"); # incorrectly returns true
This is triggered by valid RFC 4291 IPv4 mapped addresses (::ffff:x.x.x.x). See also CVE-2026-40198, a related issue in the same function affecting malformed IPv6 addresses.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 22:16:00 UTC
CVE-2026-40199
CVE-2026-40200 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 17:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133372
CVE-2026-40200
CVE-2026-40213 on Ubuntu 26.04 LTS (resolute) - medium
OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 22:16:00 UTC
https://bugs.launchpad.net/openstack-cyborg/+bug/2143263
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136006
CVE-2026-40213
CVE-2026-40214 on Ubuntu 26.04 LTS (resolute) - medium
In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 22:16:00 UTC
https://bugs.launchpad.net/openstack-cyborg/+bug/2144056
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136006
CVE-2026-40214
CVE-2026-40215 on Ubuntu 26.04 LTS (resolute) - medium
race condition in TLS handshake that could lead to leaking of packet data from a previous handshake under specific circumstances
Update Instructions:
Run `sudo pro fix CVE-2026-40215` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
openvpn - 2.7.0-1ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23
2026-04-23
Guannan Wang, Zhanpeng Liu, Guancheng Li
[https://ubuntu.com/security/notices/USN-8286-1]
CVE-2026-40215
CVE-2026-40223 on Ubuntu 26.04 LTS (resolute) - medium
In systemd 258 before 260, a local unprivileged user can trigger an assert when a Delegate=yes and User=<unset> unit exists and is running.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 16:16:00 UTC
CVE-2026-40223
CVE-2026-40224 on Ubuntu 26.04 LTS (resolute) - medium
In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 16:16:00 UTC
CVE-2026-40224
CVE-2026-40225 on Ubuntu 26.04 LTS (resolute) - medium
In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 16:16:00 UTC
CVE-2026-40225
CVE-2026-40226 on Ubuntu 26.04 LTS (resolute) - medium
In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 16:16:00 UTC
CVE-2026-40226
CVE-2026-40227 on Ubuntu 26.04 LTS (resolute) - medium
In systemd 260 before 261, a local unprivileged user can trigger an assert via an IPC API call with an array or map that has a null element.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 16:16:00 UTC
CVE-2026-40227
CVE-2026-40228 on Ubuntu 26.04 LTS (resolute) - medium
In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 16:16:00 UTC
CVE-2026-40228
CVE-2026-40243 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. In versions before 7.0.0, broken TLS validation logic in the OVN database connection logic can allow connections to an attacker's OVN database. The OVN client implementations disable Go standard TLS server verification and replace it with custom peer-certificate verification logic. That replacement verifier does not anchor trust in the configured CA certificate. Instead, it constructs the verification root set from certificates supplied by the peer during the handshake, so the configured CA is parsed but not used as the trust anchor for the final verification decision. In OVN-enabled deployments that use these SSL database connection paths, an attacker able to impersonate or intercept the OVN endpoint on the management network can present a rogue self-signed certificate chain, and Incus will accept this certificate as valid. This issue defeats the intended CA-based trust model for OVN database connections and permits endpoint impersonation by an active attacker in a suitable network position. This issue is fixed in version 7.0.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135644
CVE-2026-40243
CVE-2026-40251 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The backup restore subsystem contains an out-of-bounds panic vulnerability caused by an invalid bounds check when indexing snapshot metadata arrays, and the same flawed pattern also appears in the migration path. When iterating through physical snapshots provided in a backup archive, the loop uses the index to look up corresponding metadata in the parsed `Config.Snapshots` and `Config.VolumeSnapshots` slices. The guard condition `len(slice) >= i-1` is incorrect because it can still evaluate to true when the subsequent slice[i] access is out of bounds. An attacker can submit a backup archive that contains physical snapshot directories while supplying a tampered `index.yaml` with an empty or truncated snapshot metadata array, causing the daemon to index beyond the end of the metadata slice and crash. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135644
CVE-2026-40251
CVE-2026-40253 on Ubuntu 26.04 LTS (resolute) - medium
openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. In versions 3.26.0 and below, the BER/DER decoding functions in the shared common library (asn1.c) accept a raw pointer but no buffer length parameter, and trust attacker-controlled BER length fields without validating them against actual buffer boundaries. All primitive decoders are affected: ber_decode_INTEGER, ber_decode_SEQUENCE, ber_decode_OCTET_STRING, ber_decode_BIT_STRING, and ber_decode_CHOICE. Additionally, ber_decode_INTEGER can produce integer underflows when the encoded length is zero. An attacker supplying a malformed BER-encoded cryptographic object through PKCS#11 operations such as C_CreateObject or C_UnwrapKey, token loading from disk, or remote backend communication can trigger out-of-bounds reads. This affects all token backends (Soft, ICA, CCA, TPM, EP11, ICSF) since the vulnerable code is in the shared common library. A patch is available through commit ed378f463ef73364c89feb0fc923f4dc867332a3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-16 23:16:00 UTC
CVE-2026-40253
CVE-2026-40254 on Ubuntu 26.04 LTS (resolute) - medium
FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot()` function catches `../` and `..\` mid-path but misses `..` when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. Version 3.25.0 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 03:16:00 UTC
CVE-2026-40254
CVE-2026-40260 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. This issue has been fixed in version 6.10.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 01:17:00 UTC
CVE-2026-40260
CVE-2026-40261 on Ubuntu 26.04 LTS (resolute) - medium
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source url field without proper escaping. An attacker can inject arbitrary commands through crafted source reference or source url values containing shell metacharacters, even if Perforce is not installed. Unlike CVE-2026-40176, the source reference and url are provided as part of package metadata, meaning any compromised or malicious Composer repository can serve package metadata declaring perforce as a source type with malicious values. This vulnerability is exploitable when installing or updating dependencies from source, including the default behavior when installing dev-prefixed versions. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). If developers are unable to immediately update, they can avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted Composer repositories as a workaround.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-15 21:17:00 UTC
CVE-2026-40261
CVE-2026-40310 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below both 7.1.2-19 and 6.9.13-44 contain a heap out-of-bounds write in the JP2 encoder when a user specifies an invalid sampling index. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 22:16:00 UTC
CVE-2026-40310
CVE-2026-40311 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below 7.1.2-19 and 6.9.13-44 contain a heap use-after-free vulnerability that can cause a crash when reading and printing values from an invalid XMP profile. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 22:16:00 UTC
CVE-2026-40311
CVE-2026-40312 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off-by-one error in the MSL decoder could result in a crash when a malicious MSL file is read. This issue has been fixed in version 7.1.2-19.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 22:16:00 UTC
CVE-2026-40312
CVE-2026-40333 on Ubuntu 26.04 LTS (resolute) - medium
libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-18 00:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134329
CVE-2026-40333
CVE-2026-40334 on Ubuntu 26.04 LTS (resolute) - medium
libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in ptp_unpack_Canon_FE() in camlibs/ptp2/ptp-pack.c (line 1377). The function copies a filename into a 13-byte buffer using strncpy without explicitly null-terminating the result. If the source data is exactly 13 bytes with no null terminator, the buffer is left unterminated, leading to out-of-bounds reads in any subsequent string operation. Commit 259fc7d3bfe534ce4b114c464f55b448670ab873 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-18 00:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134329
CVE-2026-40334
CVE-2026-40335 on Ubuntu 26.04 LTS (resolute) - medium
libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in `ptp_unpack_DPV()` in `camlibs/ptp2/ptp-pack.c` (lines 622–629). The UINT128 and INT128 cases advance `*offset += 16` without verifying that 16 bytes remain in the buffer. The entry check at line 609 only guarantees `*offset < total` (at least 1 byte available), leaving up to 15 bytes unvalidated. Commit 433bde9888d70aa726e32744cd751d7dbe94379a patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-18 00:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134329
CVE-2026-40335
CVE-2026-40336 on Ubuntu 26.04 LTS (resolute) - medium
libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have a memory leak in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (lines 884–885). When processing a secondary enumeration list (introduced in 2024+ Sony cameras), the function overwrites dpd->FORM.Enum.SupportedValue with a new calloc() without freeing the previous allocation from line 857. The original array and any string values it contains are leaked on every property descriptor parse. Commit 404ff02c75f3cb280196fc260a63c4d26cf1a8f6 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-18 00:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134329
CVE-2026-40336
CVE-2026-40338 on Ubuntu 26.04 LTS (resolute) - medium
libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in the PTP_DPFF_Enumeration case of `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 856). The function reads a 2-byte enumeration count N via `dtoh16o(data, *poffset)` without verifying that 2 bytes remain in the buffer. The standard `ptp_unpack_DPD()` at line 704 has this exact check, confirming the Sony variant omitted it by oversight. Commit 3b9f9696be76ae51dca983d9dd8ce586a2561845 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-18 00:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134329
CVE-2026-40338
CVE-2026-40339 on Ubuntu 26.04 LTS (resolute) - medium
libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 842). The function reads the FormFlag byte via `dtoh8o(data, *poffset)` without a prior bounds check. The standard `ptp_unpack_DPD()` at lines 686–687 correctly validates `*offset + sizeof(uint8_t) > dpdlen` before this same read, but the Sony variant omits this check entirely. Commit 09f8a940b1e418b5693f5c11e3016a1ad2cea62d fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-18 00:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134329
CVE-2026-40339
CVE-2026-40340 on Ubuntu 26.04 LTS (resolute) - medium
libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read vulnerability in `ptp_unpack_OI()` in `camlibs/ptp2/ptp-pack.c` (lines 530–563). The function validates `len < PTP_oi_SequenceNumber` (i.e., len < 48) but subsequently accesses offsets 48–56, up to 9 bytes beyond the validated boundary, via the Samsung Galaxy 64-bit objectsize detection heuristic. Commit 7c7f515bc88c3d0c4098ac965d313518e0ccbe33 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-18 00:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134329
CVE-2026-40340
CVE-2026-40341 on Ubuntu 26.04 LTS (resolute) - medium
libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, an out of bound read in ptp_unpack_EOS_FocusInfoEx could be used to crash libgphoto2 when processing input from untrusted USB devices. Commit c385b34af260595dfbb5f9329526be5158985987 contains a patch. No known workarounds are available.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-18 00:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134329
CVE-2026-40341
CVE-2026-40342 on Ubuntu 26.04 LTS (resolute) - medium
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134332
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134333
CVE-2026-40342
CVE-2026-40347 on Ubuntu 26.04 LTS (resolute) - medium
Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-18 00:16:00 UTC
CVE-2026-40347
CVE-2026-40355 on Ubuntu 26.04 LTS (resolute) - medium
In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28 06:16:00 UTC
CVE-2026-40355
CVE-2026-40356 on Ubuntu 26.04 LTS (resolute) - medium
In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28 07:16:00 UTC
CVE-2026-40356
CVE-2026-40372 on Ubuntu 26.04 LTS (resolute) - medium
Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.
Update Instructions:
Run `sudo pro fix CVE-2026-40372` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
aspnetcore-runtime-10.0 - 10.0.7-0ubuntu1~26.04.1
aspnetcore-targeting-pack-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-apphost-pack-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-host-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-hostfxr-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-runtime-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-targeting-pack-10.0 - 10.0.7-0ubuntu1~26.04.1
dotnet-sdk-10.0 - 10.0.107-0ubuntu1~26.04.1
dotnet-sdk-10.0-source-built-artifacts - 10.0.107-0ubuntu1~26.04.1
dotnet-sdk-aot-10.0 - 10.0.107-0ubuntu1~26.04.1
dotnet-templates-10.0 - 10.0.107-0ubuntu1~26.04.1
dotnet10 - 10.0.107-10.0.7-0ubuntu1~26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21
2026-04-21
[https://ubuntu.com/security/notices/USN-8215-1]
[https://ubuntu.com/security/notices/USN-8216-1]
CVE-2026-40372
CVE-2026-40385 on Ubuntu 26.04 LTS (resolute) - medium
In libexif through 0.6.25, an unsigned 32bit integer overflow in Nikon MakerNote handling could be used by local attackers to cause crashes or information leaks. This only affects 32bit systems.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-12 19:16:00 UTC
CVE-2026-40385
CVE-2026-40386 on Ubuntu 26.04 LTS (resolute) - medium
In libexif through 0.6.25, an integer underflow in size checking for Fuji and Olympus MakerNote decoding could be used by attackers to crash or leak information out of libexif-using programs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-12 19:16:00 UTC
CVE-2026-40386
CVE-2026-40394 on Ubuntu 26.04 LTS (resolute) - medium
Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service (daemon panic) for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-12 20:16:00 UTC
CVE-2026-40394
CVE-2026-40395 on Ubuntu 26.04 LTS (resolute) - medium
Varnish Enterprise before 6.0.16r12 allows a "workspace overflow" denial of service (daemon panic) for shared VCL. The headerplus.write_req0() function from vmod_headerplus updates the underlying req0, which is normally the original read-only request from which req is derived (readable and writable from VCL). This is useful in the active VCL, after amending req, to prepare a refined req0 before switching to a different VCL with the return (vcl(<label>)) action. This is for example how the Varnish Controller operates shared VCL deployments. If the amended req contained too many header fields for req0, this would have resulted in a workspace overflow that would in turn trigger a panic and crash the Varnish Enterprise server. This could be used as a Denial of Service attack vector by malicious clients.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-12 20:16:00 UTC
CVE-2026-40395
CVE-2026-40396 on Ubuntu 26.04 LTS (resolute) - medium
Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service (daemon panic) after timeout_linger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeout_linger) and resume traffic before the session is closed (timeout_idle) sending more than one request at once to trigger a pipelining operation between requests. This vulnerability affecting Varnish Cache 9.0.0 emerged from a port of the Varnish Enterprise non-blocking architecture for HTTP/2. New code was needed to adapt to a more recent workspace API that formalizes the pipelining operation. In addition to the workspace change on the Varnish Cache side, other differences created merge conflicts, like partial support for trailers in Varnish Enterprise. The conflict resolution missed one code path configuring pipelining to perform a complete workspace rollback, losing the guarantee that prefetched data would fit inside workspace_client during the transition from one request to the next. This can result in a workspace overflow, triggering a panic and crashing the Varnish server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-12 20:16:00 UTC
CVE-2026-40396
CVE-2026-4046 on Ubuntu 26.04 LTS (resolute) - medium
The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 18:16:00 UTC
CVE-2026-4046
CVE-2026-40460 on Ubuntu 26.04 LTS (resolute) - medium
When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-40460
CVE-2026-40466 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport via BrokerView.addNetworkConnector or BrokerView.addConnector through Jolokia if the activemq-http module is on the classpath. A malicious HTTP endpoint can return a VM transport through the HTTP URI which will bypass the validation added in CVE-2026-34197. The attacker can then use the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 5.19.6 or 6.2.5, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 11:16:00 UTC
CVE-2026-40466
CVE-2026-40489 on Ubuntu 26.04 LTS (resolute) - medium
editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allows an attacker to crash any application using libeditorconfig by providing a specially crafted directory structure and .editorconfig file. This is an incomplete fix for CVE-2023-0341. The pcre_str buffer was protected in 0.12.6 but the adjacent l_pattern[8194] stack buffer received no equivalent protection. On Ubuntu 24.04, FORTIFY_SOURCE converts the overflow to SIGABRT (DoS). Version 0.12.11 contains an updated fix.
Update Instructions:
Run `sudo pro fix CVE-2026-40489` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
editorconfig - 0.12.10+~0.17.1-3ubuntu0.1
libeditorconfig0 - 0.12.10+~0.17.1-3ubuntu0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-20
2026-04-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134338
[https://ubuntu.com/security/notices/USN-8238-1]
CVE-2026-40489
CVE-2026-40490 on Ubuntu 26.04 LTS (resolute) - medium
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and HTTPS-to-HTTP downgrades. Additionally, even when stripAuthorizationOnRedirect is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for Basic and Digest authentication schemes via NettyRequestFactory. An attacker who controls a redirect target (via open redirect, DNS rebinding, or MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value. The fix in versions 3.0.9 and 2.14.5 automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP. For users unable to upgrade, set `(stripAuthorizationOnRedirect(true))` in the client config and avoid using Realm-based authentication with redirect following enabled. Note that `(stripAuthorizationOnRedirect(true))` alone is insufficient on versions prior to 3.0.9 and 2.14.5 because the Realm bypass still re-generates credentials. Alternatively, disable redirect following (`followRedirect(false)`) and handle redirects manually with origin validation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-18 02:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134337
CVE-2026-40490
CVE-2026-40491 on Ubuntu 26.04 LTS (resolute) - medium
gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allows files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE). Version 5.2.2 contains a fix.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-18 03:16:00 UTC
CVE-2026-40491
CVE-2026-40492 on Ubuntu 26.04 LTS (resolute) - medium
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on `pixmap_depth` but the byte-swap code uses `bits_per_pixel` independently. When `pixmap_depth=8` (BPP8_INDEXED, 1 byte/pixel buffer) but `bits_per_pixel=32`, the byte-swap loop accesses memory as `uint32_t*`, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed `bytes_per_line` validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-18 03:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134336
CVE-2026-40492
CVE-2026-40493 on Ubuntu 26.04 LTS (resolute) - medium
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes bytes-per-pixel (`bpp`) from raw header fields `channels * depth`, but the pixel buffer is allocated based on the resolved pixel format. For LAB mode with `channels=3, depth=16`, `bpp = (3*16+7)/8 = 6`, but the format `BPP40_CIE_LAB` allocates only 5 bytes per pixel. Every pixel write overshoots, causing a deterministic heap buffer overflow on every row. Commit c930284445ea3ff94451ccd7a57c999eca3bc979 contains a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-18 03:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134336
CVE-2026-40493
CVE-2026-40494 on Ubuntu 26.04 LTS (resolute) - medium
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in `tga.c` has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (line 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-18 03:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134336
CVE-2026-40494
CVE-2026-40499 on Ubuntu 26.04 LTS (resolute) - medium
radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-15 04:17:00 UTC
CVE-2026-40499
CVE-2026-40505 on Ubuntu 26.04 LTS (resolute) - medium
MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal output when running mutool info, enabling them to manipulate terminal display for social engineering attacks such as presenting fake prompts or spoofed commands.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-16 02:16:00 UTC
CVE-2026-40505
CVE-2026-40517 on Ubuntu 26.04 LTS (resolute) - medium
radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. Attackers can inject arbitrary radare2 commands through unsanitized symbol name interpolation in the flag rename command, which are then executed when a user runs the idp command against the malicious PDB file, enabling arbitrary OS command execution through radare2's shell execution operator.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 22:16:00 UTC
CVE-2026-40517
CVE-2026-40527 on Ubuntu 26.04 LTS (resolute) - medium
radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_parameter names. Attackers can craft a binary with shell commands in DWARF parameter names that execute when radare2 analyzes the binary with aaa and subsequently runs afsvj, allowing arbitrary shell command execution through the unsanitized parameter interpolation in the pfq command string.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 21:16:00 UTC
CVE-2026-40527
CVE-2026-40542 on Ubuntu 26.04 LTS (resolute) - medium
Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 08:16:00 UTC
CVE-2026-40542
CVE-2026-40560 on Ubuntu 26.04 LTS (resolute) - medium
Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-29 00:16:00 UTC
CVE-2026-40560
CVE-2026-40561 on Ubuntu 26.04 LTS (resolute) - medium
Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-03 01:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135584
CVE-2026-40561
CVE-2026-40606 on Ubuntu 26.04 LTS (resolute) - medium
mitmproxy is an interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the builtin LDAP proxy authentication does not correctly sanitize the username when querying the LDAP server. This allows a malicious client to bypass authentication. Only mitmproxy instances using the proxyauth option with LDAP are affected. This option is not enabled by default. The vulnerability has been fixed in mitmproxy 12.2.2 and above.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 18:16:00 UTC
CVE-2026-40606
CVE-2026-40611 on Ubuntu 26.04 LTS (resolute) - medium
Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134643
CVE-2026-40611
CVE-2026-40612 on Ubuntu 26.04 LTS (resolute) - medium
jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 18:16:00 UTC
CVE-2026-40612
CVE-2026-40613 on Ubuntu 26.04 LTS (resolute) - medium
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8_t * to uint16_t * without alignment checks. When processing a crafted STUN message with odd-aligned attribute boundaries, this results in misaligned memory reads at ns_turn_msg.c. On ARM64 architectures (AArch64) with strict alignment enforcement, this causes a SIGBUS signal that immediately kills the turnserver process. An unauthenticated remote attacker can crash any ARM64 coturn deployment by sending a single crafted UDP packet. This vulnerability is fixed in 4.10.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 19:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134577
CVE-2026-40613
CVE-2026-40614 on Ubuntu 26.04 LTS (resolute) - medium
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec decode path. The FEC decode buffers (dec_frame[].buf) were allocated based on a PCM-derived formula: (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields only 960 bytes, but codec_parse() can output encoded frames up to MAX_ENCODED_PACKET_SIZE (1280) bytes via opus_repacketizer_out_range(). The three pj_memcpy() calls in codec_decode() copied input->size bytes without bounds checking, causing a heap buffer overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 19:16:00 UTC
CVE-2026-40614
CVE-2026-40622 on Ubuntu 26.04 LTS (resolute) - medium
NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain names' family of attacks that could extend the ghost domain window by up to one cached TTL configured value. Similar to other 'ghost domain names' attacks, an adversary needs to control a (ghost) zone and be able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost domain window by up to one cached TTL configured value ('cache-max-ttl'). In configurations where 'harden-referral-path: yes' is used (non-default configuration), no client NS query is required since Unbound implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust.
Update Instructions:
Run `sudo pro fix CVE-2026-40622` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libunbound8 - 1.24.2-1ubuntu2.1
python3-unbound - 1.24.2-1ubuntu2.1
unbound - 1.24.2-1ubuntu2.1
unbound-anchor - 1.24.2-1ubuntu2.1
unbound-host - 1.24.2-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
2026-05-20
Qifan Zhang
[https://ubuntu.com/security/notices/USN-8282-1]
CVE-2026-40622
CVE-2026-40682 on Ubuntu 26.04 LTS (resolute) - medium
XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor. Versions Affected: before 2.5.9, before 3.0.0-M3. Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURE_SECURE_PROCESSING or disabling DTD processing. When create(InputStream, EntryInserter) is invoked, the only feature set on the XMLReader is namespace support — external entity resolution and DOCTYPE declarations remain fully enabled. An attacker who can supply a crafted dictionary file (e.g., a stop-word list or domain dictionary) containing a malicious DOCTYPE declaration can trigger local file disclosure via file:// entity references or server-side request forgery via http:// entity references during SAX parsing, before the application processes a single dictionary entry. This is inconsistent with the project's own XmlUtil.createSaxParser() helper, which correctly sets FEATURE_SECURE_PROCESSING and disallow-doctype-decl and is used by all other XML parsing paths in the codebase. The public Dictionary(InputStream) constructor delegates directly to this method and is the documented API for loading user-supplied dictionaries, making untrusted input a realistic scenario. Mitigation: 2.x users should upgrade to 2.5.9. 3.x users should upgrade to 3.0.0-M3. Users who cannot upgrade immediately should ensure that all dictionary files are sourced from trusted origins and should consider wrapping the Dictionary(InputStream) constructor with input validation that rejects any XML containing a DOCTYPE declaration before it reaches the parser.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 17:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135782
CVE-2026-40682
CVE-2026-40683 on Ubuntu 26.04 LTS (resolute) - medium
In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g., "FALSE") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. All deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14 20:16:00 UTC
https://bugs.launchpad.net/keystone/+bug/2121152
https://bugs.launchpad.net/keystone/+bug/2141713
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133884
CVE-2026-40683
CVE-2026-40685 on Ubuntu 26.04 LTS (resolute) - medium
In Exim before 4.99.2, when JSON lookup is enabled, an out-of-bounds heap write can occur when a JSON operator encounters malformed JSON in an untrusted header, because of an incorrect implementation of \ skipping.
Update Instructions:
Run `sudo pro fix CVE-2026-40685` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
exim4 - 4.99.1-1ubuntu1.1
exim4-base - 4.99.1-1ubuntu1.1
exim4-config - 4.99.1-1ubuntu1.1
exim4-daemon-heavy - 4.99.1-1ubuntu1.1
exim4-daemon-light - 4.99.1-1ubuntu1.1
eximon4 - 4.99.1-1ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-29 12:00:00 UTC
2026-04-29 12:00:00 UTC
[https://ubuntu.com/security/notices/USN-8228-1]
CVE-2026-40685
CVE-2026-40686 on Ubuntu 26.04 LTS (resolute) - medium
In Exim before 4.99.2, when utf8 operators are enabled, there is an out-of-bounds read if large UTF-8 trailing characters are present (malformed UTF-8 header data). Information might be divulged within an error message produced during handling of an unrelated e-mail message.
Update Instructions:
Run `sudo pro fix CVE-2026-40686` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
exim4 - 4.99.1-1ubuntu1.1
exim4-base - 4.99.1-1ubuntu1.1
exim4-config - 4.99.1-1ubuntu1.1
exim4-daemon-heavy - 4.99.1-1ubuntu1.1
exim4-daemon-light - 4.99.1-1ubuntu1.1
eximon4 - 4.99.1-1ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-29 12:00:00 UTC
2026-04-29 12:00:00 UTC
[https://ubuntu.com/security/notices/USN-8228-1]
CVE-2026-40686
CVE-2026-40687 on Ubuntu 26.04 LTS (resolute) - medium
In Exim before 4.99.2, when the SPA authentication driver is used with an adversarial SPA resource, there can be an out-of-bounds write that crashes the connection instance, or erroneous data processing that divulges data from uninitialized heap memory.
Update Instructions:
Run `sudo pro fix CVE-2026-40687` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
exim4 - 4.99.1-1ubuntu1.1
exim4-base - 4.99.1-1ubuntu1.1
exim4-config - 4.99.1-1ubuntu1.1
exim4-daemon-heavy - 4.99.1-1ubuntu1.1
exim4-daemon-light - 4.99.1-1ubuntu1.1
eximon4 - 4.99.1-1ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-29 12:00:00 UTC
2026-04-29 12:00:00 UTC
[https://ubuntu.com/security/notices/USN-8228-1]
CVE-2026-40687
CVE-2026-40701 on Ubuntu 26.04 LTS (resolute) - medium
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-40701
CVE-2026-40706 on Ubuntu 26.04 LTS (resolute) - medium
In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.
Update Instructions:
Run `sudo pro fix CVE-2026-40706` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libntfs-3g89t64 - 1:2022.10.3-5ubuntu1
ntfs-3g - 1:2022.10.3-5ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 12:00:00 UTC
2026-04-21 12:00:00 UTC
Andrea Bocchetti
[https://ubuntu.com/security/notices/USN-8192-1]
[https://ubuntu.com/security/notices/USN-8192-2]
CVE-2026-40706
CVE-2026-40892 on Ubuntu 26.04 LTS (resolute) - medium
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a stack buffer overflow exists in pjsip_auth_create_digest2() in PJSIP when using pre-computed digest credentials (PJSIP_CRED_DATA_DIGEST). The function copies credential data using cred_info->data.slen as the length without an upper-bound check, which can overflow the fixed-size ha1 stack buffer (128 bytes) if data.slen exceeds the expected digest string length.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
CVE-2026-40892
CVE-2026-40895 on Ubuntu 26.04 LTS (resolute) - medium
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134646
CVE-2026-40895
CVE-2026-40930 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-40930
CVE-2026-40934 on Ubuntu 26.04 LTS (resolute) - medium
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 22:16:00 UTC
CVE-2026-40934
CVE-2026-40959 on Ubuntu 26.04 LTS (resolute) - medium
Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-16 01:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133919
CVE-2026-40959
CVE-2026-40960 on Ubuntu 26.04 LTS (resolute) - medium
Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods, then a crafted mod can intercept the request for the insecure environment or HTTP API, and also receive access to it.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-16 01:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133919
CVE-2026-40960
CVE-2026-40962 on Ubuntu 26.04 LTS (resolute) - medium
FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-16 02:16:00 UTC
CVE-2026-40962
CVE-2026-41015 on Ubuntu 26.04 LTS (resolute) - medium
radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git (not a release), the date range for the vulnerable code was less than a week, occurring after 6.1.2 but before 6.1.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-16 03:16:00 UTC
CVE-2026-41015
CVE-2026-41035 on Ubuntu 26.04 LTS (resolute) - low
In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.
Update Instructions:
Run `sudo pro fix CVE-2026-41035` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
rsync - 3.4.1+ds1-7ubuntu0.2
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-04-16 07:16:00 UTC
2026-04-16 07:16:00 UTC
https://github.com/RsyncProject/rsync/issues/871
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134617
[https://ubuntu.com/security/notices/USN-8283-1]
CVE-2026-41035
CVE-2026-41043 on Ubuntu 26.04 LTS (resolute) - medium
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field. This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 11:16:00 UTC
CVE-2026-41043
CVE-2026-41044 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application. The attacker can then use the DestinationView mbean to send a message to trigger a VM transport creation that will reference this malicious broker name which can lead to loading the malicious Spring XML context file. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 11:16:00 UTC
CVE-2026-41044
CVE-2026-41051 on Ubuntu 26.04 LTS (resolute) - medium
csync2 uses insecure temporary directories when compiled with C99 or later, allowing for TOCTOU style attacks on the temporary directories.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 13:01:00 UTC
CVE-2026-41051
CVE-2026-41054 on Ubuntu 26.04 LTS (resolute) - medium
In `src/havegecmd.c`, the `socket_handler` function performs a credential check on the abstract UNIX socket (`\0/sys/entropy/haveged`). However, while it detects if the connecting user is not root (`cred.uid != 0`) and prepares a negative acknowledgement (`ASCII_NAK`), it **fails to stop execution**. The code proceeds to the `switch` statement, allowing any local unprivileged user to execute privileged commands such as `MAGIC_CHROOT`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20 10:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137096
CVE-2026-41054
CVE-2026-41066 on Ubuntu 26.04 LTS (resolute) - medium
lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. This vulnerability is fixed in 6.1.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 17:16:00 UTC
https://bugs.launchpad.net/lxml/+bug/2146291
CVE-2026-41066
CVE-2026-41070 on Ubuntu 26.04 LTS (resolute) - medium
openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth-oauth2 is deployed in the experimental plugin mode (shared library loaded by OpenVPN via the plugin directive), clients that do not support WebAuth/SSO (e.g., the openvpn CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. The default management-interface mode is not affected because it does not use the OpenVPN plugin return-code mechanism. This issue has been patched in version 1.27.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 16:16:00 UTC
CVE-2026-41070
CVE-2026-41073 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-41073
CVE-2026-41075 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-41075
CVE-2026-41076 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-41076
CVE-2026-41079 on Ubuntu 26.04 LTS (resolute) - medium
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to 2.4.17, a network-adjacent attacker can send a crafted SNMP response to the CUPS SNMP backend that causes an out-of-bounds read of up to 176 bytes past a stack buffer. The leaked memory is converted from UTF-16 to UTF-8 and stored as printer supply description strings, which are subsequently visible to authenticated users via IPP Get-Printer-Attributes responses and the CUPS web interface. This vulnerability is fixed in 2.4.17.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 17:16:00 UTC
CVE-2026-41079
CVE-2026-41080 on Ubuntu 26.04 LTS (resolute) - medium
libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-16 17:16:00 UTC
CVE-2026-41080
CVE-2026-41082 on Ubuntu 26.04 LTS (resolute) - medium
In OCaml opam before 2.5.1, a .install field containing a destination filepath can use ../ to reach a parent directory.
Update Instructions:
Run `sudo pro fix CVE-2026-41082` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
opam - 2.5.0-1ubuntu0.1~esm1
opam-installer - 2.5.0-1ubuntu0.1~esm1
Available with Ubuntu Pro: https://ubuntu.com/pro
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17
2026-04-17
[https://ubuntu.com/security/notices/USN-8256-1]
CVE-2026-41082
CVE-2026-41140 on Ubuntu 26.04 LTS (resolute) - medium
Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall() function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4. This vulnerability is fixed in 2.3.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 18:16:00 UTC
CVE-2026-41140
CVE-2026-41142 on Ubuntu 26.04 LTS (resolute) - medium
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, there is an integer overflow in ImageChannel::resize that leads to heap OOB write via OpenEXRUtil public API. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 04:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135946
CVE-2026-41142
CVE-2026-4115 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was detected in PuTTY 0.83. Affected is the function eddsa_verify of the file crypto/ecc-ssh.c of the component Ed25519 Signature Handler. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit is now public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is identified as af996b5ec27ab79bae3882071b9d6acf16044549. It is advisable to implement a patch to correct this issue. The vendor was contacted early, responded in a very professional manner and quickly released a patch for the affected product. However, at the moment there is no proof that this flaw might have any real-world impact.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-22 13:16:00 UTC
CVE-2026-4115
CVE-2026-41163 on Ubuntu 26.04 LTS (resolute) - medium
bubblewrap is a low-level unprivileged sandboxing tool. From version 0.11.0 to before version 0.11.2, if bubblewrap is installed in setuid mode then the user can use ptrace to attach to bubblewrap and control the unprivileged part of the sandbox setup phase. This allows the attacker to arbitrarily use the privileged operations, and in particular the "overlay mount" operation, allowing the creation of overlay mounts which is otherwise not allowed in the setuid version of bubblewrap. This issue has been patched in version 0.11.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-09 04:16:00 UTC
kkernick
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134704
CVE-2026-41163
CVE-2026-41168 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large `/Size` values or object streams with wrong large `/N` values. This has been fixed in pypdf 6.10.1. As a workaround, one may apply the changes from the patch manually.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 21:17:00 UTC
CVE-2026-41168
CVE-2026-41176 on Ubuntu 26.04 LTS (resolute) - medium
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 00:16:00 UTC
ebarretto
CVE-2026-41176
CVE-2026-41179 on Ubuntu 26.04 LTS (resolute) - medium
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint `operations/fsinfo` is exposed without `AuthRequired: true` and accepts attacker-controlled `fs` input. Because `rc.GetFs(...)` supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, `bearer_token_command` is executed during backend initialization, making single-request unauthenticated local command execution possible on reachable RC deployments without global HTTP authentication. Version 1.73.5 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 00:16:00 UTC
ebarretto
CVE-2026-41179
CVE-2026-41196 on Ubuntu 26.04 LTS (resolute) - medium
Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This applies to the server-side mod, async and mapgen as well as the client-side (CSM) environments. This vulnerability is only exploitable when using LuaJIT. Version 5.15.2 contains a patch. On release versions, one can also patch this issue without recompiling by editing `builtin/init.lua` and adding the line `getfenv = nil` at the end. Note that this will break mods relying on this function (which is not inherently unsafe).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 02:16:00 UTC
CVE-2026-41196
CVE-2026-41205 on Ubuntu 26.04 LTS (resolute) - medium
Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11.
Update Instructions:
Run `sudo pro fix CVE-2026-41205` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-mako - 1.3.10-3ubuntu0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24
2026-04-24
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134729
[https://ubuntu.com/security/notices/USN-8234-1]
CVE-2026-41205
CVE-2026-41238 on Ubuntu 26.04 LTS (resolute) - medium
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` option), a prior prototype pollution gadget can inject permissive `tagNameCheck` and `attributeNameCheck` regex values into `Object.prototype`, causing DOMPurify to allow arbitrary custom elements with arbitrary attributes — including event handlers — through sanitization. Version 3.4.0 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 16:16:00 UTC
CVE-2026-41238
CVE-2026-41239 on Ubuntu 26.04 LTS (resolute) - medium
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGMENT`, allowing XSS via template-evaluating frameworks like Vue 2. Version 3.4.0 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 16:16:00 UTC
CVE-2026-41239
CVE-2026-41240 on Ubuntu 26.04 LTS (resolute) - medium
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The same fix was not applied to FORBID_TAGS. At line 1118-1123, when EXTRA_ELEMENT_HANDLING.tagCheck returns true, the short-circuit evaluation skips the FORBID_TAGS check entirely. This allows forbidden elements to survive sanitization with their attributes intact. Version 3.4.0 patches the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 16:16:00 UTC
CVE-2026-41240
CVE-2026-41254 on Ubuntu 26.04 LTS (resolute) - medium
Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.
Update Instructions:
Run `sudo pro fix CVE-2026-41254` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
liblcms2-2 - 2.17-1ubuntu0.1
liblcms2-utils - 2.17-1ubuntu0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-20
2026-04-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134335
[https://ubuntu.com/security/notices/USN-8209-1]
CVE-2026-41254
CVE-2026-41256 on Ubuntu 26.04 LTS (resolute) - medium
jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 18:16:00 UTC
CVE-2026-41256
CVE-2026-41257 on Ubuntu 26.04 LTS (resolute) - medium
jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 18:16:00 UTC
CVE-2026-41257
CVE-2026-41284 on Ubuntu 26.04 LTS (resolute) - medium
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 16:16:00 UTC
CVE-2026-41284
CVE-2026-41292 on Ubuntu 26.04 LTS (resolute) - medium
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).
Update Instructions:
Run `sudo pro fix CVE-2026-41292` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libunbound8 - 1.24.2-1ubuntu2.1
python3-unbound - 1.24.2-1ubuntu2.1
unbound - 1.24.2-1ubuntu2.1
unbound-anchor - 1.24.2-1ubuntu2.1
unbound-host - 1.24.2-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
2026-05-20
N0zoM1z0 and Qifan Zhang
[https://ubuntu.com/security/notices/USN-8282-1]
CVE-2026-41292
CVE-2026-41293 on Ubuntu 26.04 LTS (resolute) - medium
Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 16:16:00 UTC
CVE-2026-41293
CVE-2026-41305 on Ubuntu 26.04 LTS (resolute) - medium
PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `<style>` tags, `</style>` in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 03:16:00 UTC
CVE-2026-41305
CVE-2026-41312 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` unequal 1 and large predictor parameters. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 22:16:00 UTC
CVE-2026-41312
CVE-2026-41313 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer `/Size` value in incremental mode. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 22:16:00 UTC
CVE-2026-41313
CVE-2026-41314 on Ubuntu 26.04 LTS (resolute) - medium
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 22:16:00 UTC
CVE-2026-41314
CVE-2026-41316 on Ubuntu 26.04 LTS (resolute) - medium
ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 03:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134920
CVE-2026-41316
CVE-2026-41324 on Ubuntu 26.04 LTS (resolute) - medium
basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to `Client.list()`, causing the client process to consume memory until it becomes unstable or crashes. Version 5.3.0 fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 04:16:00 UTC
CVE-2026-41324
CVE-2026-41409 on Ubuntu 26.04 LTS (resolute) - medium
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-27 10:16:00 UTC
CVE-2026-41409
CVE-2026-41411 on Ubuntu 26.04 LTS (resolute) - medium
Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.
Update Instructions:
Run `sudo pro fix CVE-2026-41411` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
vim - 2:9.1.2141-1ubuntu4.1
vim-common - 2:9.1.2141-1ubuntu4.1
vim-gtk3 - 2:9.1.2141-1ubuntu4.1
vim-gui-common - 2:9.1.2141-1ubuntu4.1
vim-motif - 2:9.1.2141-1ubuntu4.1
vim-nox - 2:9.1.2141-1ubuntu4.1
vim-runtime - 2:9.1.2141-1ubuntu4.1
vim-tiny - 2:9.1.2141-1ubuntu4.1
xxd - 2:9.1.2141-1ubuntu4.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28
2026-04-28
federicoquattrin
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134906
[https://ubuntu.com/security/notices/USN-8246-1]
CVE-2026-41411
CVE-2026-41415 on Ubuntu 26.04 LTS (resolute) - medium
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an out-of-bounds read when parsing a malformed Content-ID URI in SIP multipart message body. Insufficient length validation can cause reads beyond the intended buffer bounds. This vulnerability is fixed in 2.17.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 19:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134884
CVE-2026-41415
CVE-2026-41416 on Ubuntu 26.04 LTS (resolute) - medium
PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is an integer overflow in media stream buffer size calculation when processing SDP with asymmetric ptime configuration. The overflow may result in an undersized buffer allocation, which can lead to unexpected application termination or memory corruption. This vulnerability is fixed in 2.17.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 19:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134884
CVE-2026-41416
CVE-2026-41417 on Ubuntu 26.04 LTS (resolute) - medium
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 22:16:00 UTC
CVE-2026-41417
CVE-2026-41425 on Ubuntu 26.04 LTS (resolute) - medium
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 20:16:00 UTC
CVE-2026-41425
CVE-2026-41445 on Ubuntu 26.04 LTS (resolute) - medium
KissFFT before commit 8a8e66e contains an integer overflow vulnerability in the kiss_fftndr_alloc() function in kiss_fftndr.c where the allocation size calculation dimOther*(dimReal+2)*sizeof(kiss_fft_scalar) overflows signed 32-bit integer arithmetic before being widened to size_t, causing malloc() to allocate an undersized buffer. Attackers can trigger heap buffer overflow by providing crafted dimensions that cause the multiplication to exceed INT_MAX, allowing writes beyond the allocated buffer region when kiss_fftndr() processes the data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-20 17:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134493
CVE-2026-41445
CVE-2026-41476 on Ubuntu 26.04 LTS (resolute) - medium
Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.138, a remote memory-safety vulnerability in Deskflow's clipboard deserialization allows a connected peer to trigger an out-of-bounds read by sending a malformed clipboard update. The issue is in the implementation of src/lib/deskflow/IClipboard.cpp. This is reachable because ClipboardChunk::assemble() in src/lib/deskflow/ClipboardChunk.cpp validates only the outer clipboard transfer size. It does not validate the internal structure of the serialized clipboard blob, so malformed inner lengths reach IClipboard::unmarshall() unchanged. This vulnerability is fixed in 1.26.0.138.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 20:16:00 UTC
CVE-2026-41476
CVE-2026-41493 on Ubuntu 26.04 LTS (resolute) - medium
YARD is a Ruby Documentation tool. Prior to version 0.9.42, a path traversal vulnerability was discovered in YARD when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. This issue has been patched in version 0.9.42.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136076
CVE-2026-41493
CVE-2026-41506 on Ubuntu 26.04 LTS (resolute) - medium
go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136095
CVE-2026-41506
CVE-2026-41525 on Ubuntu 26.04 LTS (resolute) - medium
KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additional scrutiny. Dolphin's implementation of the FileManager1 protocol allows the path given to be any type of file, including scripts or executables. (By default, Dolphin will then prompt the user to determine if they want to launch a script or executable; however, the intended behavior is to block the attempted action, not present a consent prompt.)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28 08:16:00 UTC
CVE-2026-41525
CVE-2026-41526 on Ubuntu 26.04 LTS (resolute) - medium
In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \x01 can be used during injection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28 08:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135179
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135178
CVE-2026-41526
CVE-2026-41564 on Ubuntu 26.04 LTS (resolute) - medium
CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking. The Crypt::PK::RSA, Crypt::PK::DSA, Crypt::PK::DH, Crypt::PK::ECC, Crypt::PK::Ed25519 and Crypt::PK::X25519 modules seed a per-object PRNG state in their constructors and reuse it without fork detection. A Crypt::PK::* object created before `fork()` shares byte-identical PRNG state with every child process, and any randomized operation they perform can produce identical output, including key generation. Two ECDSA or DSA signatures from different processes are enough to recover the signing private key through nonce-reuse key recovery. This affects preforking services such as the Starman web server, where a Crypt::PK::* object loaded at startup is inherited by every worker process.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 08:16:00 UTC
CVE-2026-41564
CVE-2026-41570 on Ubuntu 26.04 LTS (resolute) - medium
PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives. An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child's configuration, including auto_prepend_file, extension, disable_functions, open_basedir, and others. Setting auto_prepend_file to an attacker-controlled path yields remote code execution in the child process. This issue has been patched in versions 12.5.22 and 13.1.6.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-41570
CVE-2026-4158 on Ubuntu 26.04 LTS (resolute) - medium
KeePassXC OpenSSL Configuration Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of KeePassXC. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of OpenSSL. The product loads configuration from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of KeePassXC when run by a target user on the system. Was ZDI-CAN-29156.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-11 01:16:00 UTC
CVE-2026-4158
CVE-2026-4159 on Ubuntu 26.04 LTS (resolute) - medium
1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 22:16:00 UTC
CVE-2026-4159
CVE-2026-41602 on Ubuntu 26.04 LTS (resolute) - medium
Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28 10:16:00 UTC
CVE-2026-41602
CVE-2026-41603 on Ubuntu 26.04 LTS (resolute) - medium
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28 10:16:00 UTC
CVE-2026-41603
CVE-2026-41604 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28 10:16:00 UTC
CVE-2026-41604
CVE-2026-41605 on Ubuntu 26.04 LTS (resolute) - medium
Integer Overflow or Wraparound vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28 10:16:00 UTC
CVE-2026-41605
CVE-2026-41606 on Ubuntu 26.04 LTS (resolute) - medium
Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28 10:16:00 UTC
CVE-2026-41606
CVE-2026-41607 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28 10:16:00 UTC
CVE-2026-41607
CVE-2026-41635 on Ubuntu 26.04 LTS (resolute) - medium
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-27 09:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135167
CVE-2026-41635
CVE-2026-41636 on Ubuntu 26.04 LTS (resolute) - medium
Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28 10:16:00 UTC
CVE-2026-41636
CVE-2026-41642 on Ubuntu 26.04 LTS (resolute) - medium
GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP due to a nil pointer dereference. When a malformed BGP UPDATE message contains an unrecognized Path Attribute marked as "Well-known," the daemon fails to interrupt the message handling flow. This results in an illegal memory access and a full process crash (panic). This issue has been patched in version 4.4.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 12:16:00 UTC
CVE-2026-41642
CVE-2026-41643 on Ubuntu 26.04 LTS (resolute) - medium
GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. Prior to version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP where a malformed BGP UPDATE message can trigger a runtime error: index out of range panic. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled. This issue has been patched in version 4.3.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 12:16:00 UTC
CVE-2026-41643
CVE-2026-41647 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. Prior to version 7.0.0, a missing error handling could lead an authenticated Incus user to cause a daemon crash through the import of a truncated storage bucket backup file. This issue has been patched in version 7.0.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 14:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135644
CVE-2026-41647
CVE-2026-41648 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. Prior to version 7.0.0, user provided image and backup tarballs would be unpacked and YAML files parsed without any size restrictions. This was making it easy for an authenticated user to provide a crafted image or backup tarball that when parsed by Incus would lead to a very large YAML document being loaded into memory, potentially causing the entire server to run out of memory. This issue has been patched in version 7.0.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 14:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135644
CVE-2026-41648
CVE-2026-41650 on Ubuntu 26.04 LTS (resolute) - medium
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 15:16:00 UTC
CVE-2026-41650
CVE-2026-41651 on Ubuntu 26.04 LTS (resolute) - high
PackageKit is a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`:
1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING.
2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags.
3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.
Update Instructions:
Run `sudo pro fix CVE-2026-41651` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gir1.2-packagekitglib-1.0 - 1.3.4-3ubuntu1
gstreamer1.0-packagekit - 1.3.4-3ubuntu1
libpackagekit-glib2-18 - 1.3.4-3ubuntu1
packagekit - 1.3.4-3ubuntu1
packagekit-command-not-found - 1.3.4-3ubuntu1
packagekit-gtk3-module - 1.3.4-3ubuntu1
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-04-23
2026-04-23
iconstantin
https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/2149908
[https://ubuntu.com/security/notices/USN-8195-1]
[https://ubuntu.com/security/notices/USN-8195-2]
[https://ubuntu.com/security/notices/USN-8195-3]
CVE-2026-41651
CVE-2026-41672 on Ubuntu 26.04 LTS (resolute) - medium
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 04:16:00 UTC
CVE-2026-41672
CVE-2026-41673 on Ubuntu 26.04 LTS (resolute) - medium
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 04:16:00 UTC
CVE-2026-41673
CVE-2026-41674 on Ubuntu 26.04 LTS (resolute) - medium
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 04:16:00 UTC
CVE-2026-41674
CVE-2026-41675 on Ubuntu 26.04 LTS (resolute) - medium
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 04:16:00 UTC
CVE-2026-41675
CVE-2026-41682 on Ubuntu 26.04 LTS (resolute) - medium
pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable to SRRF port confusion due to port truncation via atoi() cast in parse_uri(). This issue has been patched in version 1.18.5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 23:16:00 UTC
CVE-2026-41682
CVE-2026-41684 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. Prior to version 7.0.0, backup.GetInfo() trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive can carry a valid inline config that passes the initial import preflight while also carrying a malformed legacy backup/container/backup.yaml file that is reparsed later from the restored file system. ParseConfigYamlFile() accepts YAML documents with no container section, and multiple downstream consumers then dereference .Container without checking for nil. Confirmed examples in the instance restore and import flow include backup.UpdateInstanceConfig() and internalImportFromBackup(). An authenticated user with permission to import instance backups may be able to crash the Incus daemon with a crafted backup archive whose inline backup/index.yaml is valid but whose extracted legacy backup.yaml omits container. The crash occurs in the restore path after archive extraction has begun. This issue has been patched in version 7.0.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 14:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135644
CVE-2026-41684
CVE-2026-41685 on Ubuntu 26.04 LTS (resolute) - medium
Incus is a system container and virtual machine manager. Prior to version 7.0.0, uploads of large amount of data by authenticated users can run the Incus server out of disk space, potentially taking down the host system. The impact here is limited for anyone using storage.images_volume and storage.backups_volume as those users will have large uploads be stored on those volumes rather than directly on the host filesystem. This is the default behavior on IncusOS. This issue has been patched in version 7.0.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 14:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135644
CVE-2026-41685
CVE-2026-4174 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in Radare2 5.9.9. This issue affects the function walk_exports_trie of the file libr/bin/format/mach0/mach0.c of the component Mach-O File Parser. Such manipulation leads to resource consumption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The existence of this vulnerability is still disputed at present. Upgrading to version 6.1.2 is capable of addressing this issue. The name of the patch is 4371ae84c99c46b48cb21badbbef06b30757aba0. You should upgrade the affected component. The code maintainer states that, "[he] wont consider this bug a DoS".
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 14:19:00 UTC
CVE-2026-4174
CVE-2026-4177 on Ubuntu 26.04 LTS (resolute) - medium
YAML::Syck versions through 1.36 for Perl have several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 23:16:00 UTC
CVE-2026-4177
CVE-2026-41888 on Ubuntu 26.04 LTS (resolute) - medium
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2/<name>/manifests/<tag> endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even when the operator has explicitly disabled deletion. This vulnerability is fixed in 3.1.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 18:16:00 UTC
CVE-2026-41888
CVE-2026-41907 on Ubuntu 26.04 LTS (resolute) - medium
uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 19:17:00 UTC
CVE-2026-41907
CVE-2026-41988 on Ubuntu 26.04 LTS (resolute) - medium
uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 05:16:00 UTC
CVE-2026-41988
CVE-2026-41989 on Ubuntu 26.04 LTS (resolute) - medium
Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 05:16:00 UTC
mdeslaur(main)
https://dev.gnupg.org/T8211
CVE-2026-41989
CVE-2026-41990 on Ubuntu 26.04 LTS (resolute) - medium
Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 05:16:00 UTC
mdeslaur(main)
https://dev.gnupg.org/T8208
CVE-2026-41990
CVE-2026-41999 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-41999
CVE-2026-42000 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-42000
CVE-2026-42001 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-42001
CVE-2026-42002 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-42002
CVE-2026-42006 on Ubuntu 26.04 LTS (resolute) - medium
An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 14:17:00 UTC
CVE-2026-42006
CVE-2026-42009 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.
Update Instructions:
Run `sudo pro fix CVE-2026-42009` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.12-2ubuntu1.1
libgnutls-dane0t64 - 3.8.12-2ubuntu1.1
libgnutls-openssl27t64 - 3.8.12-2ubuntu1.1
libgnutls30t64 - 3.8.12-2ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30
2026-04-30
Joshua Rogers
https://gitlab.com/gnutls/gnutls/-/issues/1848
[https://ubuntu.com/security/notices/USN-8284-1]
CVE-2026-42009
CVE-2026-42010 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.
Update Instructions:
Run `sudo pro fix CVE-2026-42010` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.12-2ubuntu1.1
libgnutls-dane0t64 - 3.8.12-2ubuntu1.1
libgnutls-openssl27t64 - 3.8.12-2ubuntu1.1
libgnutls30t64 - 3.8.12-2ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 12:16:00 UTC
2026-05-07 12:16:00 UTC
Joshua Rogers
https://gitlab.com/gnutls/gnutls/-/issues/1850
[https://ubuntu.com/security/notices/USN-8284-1]
CVE-2026-42010
CVE-2026-42011 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.
Update Instructions:
Run `sudo pro fix CVE-2026-42011` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.12-2ubuntu1.1
libgnutls-dane0t64 - 3.8.12-2ubuntu1.1
libgnutls-openssl27t64 - 3.8.12-2ubuntu1.1
libgnutls30t64 - 3.8.12-2ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 15:16:00 UTC
2026-05-07 15:16:00 UTC
Haruto Kimura
https://gitlab.com/gnutls/gnutls/-/work_items/1824
[https://ubuntu.com/security/notices/USN-8284-1]
CVE-2026-42011
CVE-2026-42012 on Ubuntu 26.04 LTS (resolute) - medium
Certificates containing URI or SRV Subject Alternative Names would fall back to checking DNS hostnames against Common Name, allowing potential misuse of such certificates beyond their original purpose.
Update Instructions:
Run `sudo pro fix CVE-2026-42012` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.12-2ubuntu1.1
libgnutls-dane0t64 - 3.8.12-2ubuntu1.1
libgnutls-openssl27t64 - 3.8.12-2ubuntu1.1
libgnutls30t64 - 3.8.12-2ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30
2026-04-30
Oleh Konko
https://gitlab.com/gnutls/gnutls/-/issues/1802
[https://ubuntu.com/security/notices/USN-8284-1]
CVE-2026-42012
CVE-2026-42013 on Ubuntu 26.04 LTS (resolute) - medium
Validation of certificates with oversized Subject Alternative Names would fall back to checking DNS hostnames against Common Name.
Update Instructions:
Run `sudo pro fix CVE-2026-42013` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.12-2ubuntu1.1
libgnutls-dane0t64 - 3.8.12-2ubuntu1.1
libgnutls-openssl27t64 - 3.8.12-2ubuntu1.1
libgnutls30t64 - 3.8.12-2ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30
2026-04-30
Haruto Kimura, Joshua Rogers
https://gitlab.com/gnutls/gnutls/-/work_items/1825
https://gitlab.com/gnutls/gnutls/-/issues/1849
[https://ubuntu.com/security/notices/USN-8284-1]
CVE-2026-42013
CVE-2026-42014 on Ubuntu 26.04 LTS (resolute) - medium
Changing the Security Officer PIN with gnutls_pkcs11_token_set_pin() with oldpin == NULL for a token lacking a protected authentication path led to a use-after-free.
Update Instructions:
Run `sudo pro fix CVE-2026-42014` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.12-2ubuntu1.1
libgnutls-dane0t64 - 3.8.12-2ubuntu1.1
libgnutls-openssl27t64 - 3.8.12-2ubuntu1.1
libgnutls30t64 - 3.8.12-2ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30
2026-04-30
Luigino Camastra and Joshua Rogers
https://gitlab.com/gnutls/gnutls/-/issues/1766
[https://ubuntu.com/security/notices/USN-8284-1]
CVE-2026-42014
CVE-2026-42015 on Ubuntu 26.04 LTS (resolute) - medium
Appending to a PKCS#12 bag that already contained 32 elements could write past the bag's internal array.
Update Instructions:
Run `sudo pro fix CVE-2026-42015` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.12-2ubuntu1.1
libgnutls-dane0t64 - 3.8.12-2ubuntu1.1
libgnutls-openssl27t64 - 3.8.12-2ubuntu1.1
libgnutls30t64 - 3.8.12-2ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30
2026-04-30
Zou Dikai
https://gitlab.com/gnutls/gnutls/-/work_items/1840
[https://ubuntu.com/security/notices/USN-8284-1]
CVE-2026-42015
CVE-2026-42027 on Ubuntu 26.04 LTS (resolute) - medium
Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader
Versions Affected: before 2.5.9, before 3.0.0-M3
Description: The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName() and invokes its no-arg constructor, with the class name sourced from the manifest.properties entry of a model archive. The existing isAssignableFrom check correctly rejects classes that are not subtypes of the expected extension interface (BaseToolFactory for factory=, ArtifactSerializer for serializer-class-*), but the check runs after Class.forName() has already loaded and initialized the named class. Class.forName() with default initialization semantics executes the target class's static initializer before returning, so an attacker who can supply a crafted model archive can cause the static initializer of any class on the classpath to run during model loading, regardless of whether that class passes the subsequent type check. Exploitation requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or filesystem access) to be present on the classpath, so this is not a drop-in remote code execution; however, the attack surface grows as third-party model distribution becomes more common (community model repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not control. A secondary, narrower vector affects deployments that ship legitimate BaseToolFactory or ArtifactSerializer subclasses with side-effecting no-arg constructors: a malicious manifest can name such a class and force its constructor to run during model load.
Mitigation:
* 2.x users should upgrade to 2.5.9.
* 3.x users should upgrade to 3.0.0-M3.
Note: The fix introduces a package-prefix allowlist that is consulted before Class.forName() is invoked, so the static initializer of a disallowed class is never executed. Classes under the opennlp. prefix remain permitted by default. Deployments that load models referencing factories or serializers outside opennlp.* must opt those packages in, either programmatically via ExtensionLoader.registerAllowedPackage(String) before the first model load, or by setting the OPENNLP_EXT_ALLOWED_PACKAGES system property to a comma-separated list of allowed package prefixes. Users who cannot upgrade immediately should ensure that all model files are sourced from trusted origins and should audit their classpath for classes with side-effecting static initializers or constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations during class initialization.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 17:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135782
CVE-2026-42027
CVE-2026-42030 on Ubuntu 26.04 LTS (resolute) - medium
MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The vulnerability is triggered via FORMAT=application/openlayers combined with an unsanitized SRS parameter in WMS 1.3.0 requests. This issue has been patched in version 8.6.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 17:16:00 UTC
CVE-2026-42030
CVE-2026-42033 on Ubuntu 26.04 LTS (resolute) - medium
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process. This vulnerability is fixed in 1.15.1 and 0.31.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
CVE-2026-42033
CVE-2026-42034 on Ubuntu 26.04 LTS (resolute) - medium
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits. This vulnerability is fixed in 1.15.1 and 0.31.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
CVE-2026-42034
CVE-2026-42035 on Ubuntu 26.04 LTS (resolute) - medium
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself — any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
CVE-2026-42035
CVE-2026-42036 on Ubuntu 26.04 LTS (resolute) - medium
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. This vulnerability is fixed in 1.15.1 and 0.31.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
CVE-2026-42036
CVE-2026-42037 on Ubuntu 26.04 LTS (resolute) - medium
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker who controls the .type property of a Blob/File-like object (e.g., via a user-uploaded file in a Node.js proxy service) can inject arbitrary MIME part headers into the multipart form-data body. This bypasses Node.js v18+ built-in header protections because the injection targets the multipart body structure, not HTTP request headers. This vulnerability is fixed in 1.15.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
CVE-2026-42037
CVE-2026-42038 on Ubuntu 26.04 LTS (resolute) - medium
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it. The shouldBypassProxy() function does pure string matching — it does not resolve IP aliases or loopback equivalents. This vulnerability is fixed in 1.15.1 and 0.31.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
CVE-2026-42038
CVE-2026-42039 on Ubuntu 26.04 LTS (resolute) - medium
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and 0.31.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
CVE-2026-42039
CVE-2026-42040 on Ubuntu 26.04 LTS (resolute) - medium
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly produces the safe sequence %00, the charMap entry '%00': '\x00' converts it back to a raw null byte. Primary impact is limited because the standard axios request flow is not affected. This vulnerability is fixed in 1.15.1 and 0.31.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
CVE-2026-42040
CVE-2026-42041 on Ubuntu 26.04 LTS (resolute) - medium
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be treated as successful responses. This completely bypasses application-level authentication and error handling. The root cause is that validateStatus is the only config property using the mergeDirectKeys merge strategy, which uses JavaScript's in operator — an operator that inherently traverses the prototype chain. When Object.prototype.validateStatus is polluted with () => true, all HTTP status codes are accepted as success. This vulnerability is fixed in 1.15.1 and 0.31.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
CVE-2026-42041
CVE-2026-42042 on Ubuntu 26.04 LTS (resolute) - medium
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy non-boolean value (via prototype pollution or misconfiguration), the same-origin check (isURLSameOrigin) is short-circuited, causing XSRF tokens to be sent to all request targets including cross-origin servers controlled by an attacker. This vulnerability is fixed in 1.15.1 and 0.31.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
CVE-2026-42042
CVE-2026-42043 on Ubuntu 26.04 LTS (resolute) - medium
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete fix for CVE-2025-62718. This vulnerability is fixed in 1.15.1 and 0.31.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
CVE-2026-42043
CVE-2026-42044 on Ubuntu 26.04 LTS (resolute) - medium
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134878
CVE-2026-42044
CVE-2026-42046 on Ubuntu 26.04 LTS (resolute) - medium
libcaca is a colour ASCII art library. In 0.99.beta20 and earlier, an integer overflow vulnerability in libcaca's canvas import functionality allows an attacker to cause a controlled heap out-of-bounds write (heap overflow) by supplying a crafted file in the "caca" format. Depending on the build configuration and memory allocator, this may lead to memory corruption or remote code execution. This is the same vulnerability as CVE-2021-3410 but the fix at that time was not fully correct. Commit fb77acff9ba6bb01d53940da34fb10f20b156a23 fixes this vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 22:22:00 UTC
https://github.com/cacalabs/libcaca/issues/86
CVE-2026-42046
CVE-2026-42050 on Ubuntu 26.04 LTS (resolute) - medium
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-21 and 6.9.13-46, a malicious MIFF file could trigger an overflow when a user opens it in the display tool and right-clicks a tile to invoke the Load / Update menu item. This vulnerability is fixed in 7.1.2-21 and 6.9.13-46.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 20:25:00 UTC
CVE-2026-42050
CVE-2026-42052 on Ubuntu 26.04 LTS (resolute) - medium
Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ... %> is raw insertion and HTML escaping is only performed by <%- ... %>. Rendered output is then inserted with .html(...), allowing attacker-controlled markup to become active DOM. This issue has been patched in version 2.10.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135779
CVE-2026-42052
CVE-2026-42095 on Ubuntu 26.04 LTS (resolute) - medium
bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 15:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134880
CVE-2026-42095
CVE-2026-42144 on Ubuntu 26.04 LTS (resolute) - medium
CImg Library is a C++ library for image processing. Prior to commit 4ca26bc, there is an integer overflow vulnerability in the W*H*D size computation inside _load_pnm() that can bypass the memory allocation guard. A crafted PNM/PGM/PPM file with large dimension values causes the overflow to wrap around, allocating an undersized buffer and potentially triggering a heap buffer overflow. Any application using CImg to load untrusted image files is affected. This issue has been patched via commit 4ca26bc.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135778
CVE-2026-42144
CVE-2026-42146 on Ubuntu 26.04 LTS (resolute) - medium
CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nb_colors field read from the BMP file header is used directly to compute an allocation size without validating it against the remaining file size. A crafted BMP file with a large nb_colors value triggers an out-of-memory condition, crashing any application that uses CImg to load untrusted BMP files. This issue has been patched via commit c3aacf5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135778
CVE-2026-42146
CVE-2026-42150 on Ubuntu 26.04 LTS (resolute) - medium
wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 04:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136000
CVE-2026-42150
CVE-2026-42151 on Ubuntu 26.04 LTS (resolute) - medium
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 19:16:00 UTC
CVE-2026-42151
CVE-2026-42154 on Ubuntu 26.04 LTS (resolute) - medium
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 19:16:00 UTC
CVE-2026-42154
CVE-2026-42167 on Ubuntu 26.04 LTS (resolute) - medium
mod_sql in ProFTPD before 1.3.9a allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28 23:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135119
CVE-2026-42167
CVE-2026-42171 on Ubuntu 26.04 LTS (resolute) - medium
NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-24 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134955
CVE-2026-42171
CVE-2026-42198 on Ubuntu 26.04 LTS (resolute) - medium
pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-29 16:16:00 UTC
CVE-2026-42198
CVE-2026-42215 on Ubuntu 26.04 LTS (resolute) - medium
GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 19:16:00 UTC
CVE-2026-42215
CVE-2026-42216 on Ubuntu 26.04 LTS (resolute) - medium
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 04:16:00 UTC
CVE-2026-42216
CVE-2026-42217 on Ubuntu 26.04 LTS (resolute) - medium
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, readVariableLengthInteger() decodes a variable-length integer from untrusted EXR input without bounding the shift count. After enough continuation bytes, the code executes a left shift by 70 on a 64-bit value, which is undefined behavior. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 04:16:00 UTC
CVE-2026-42217
CVE-2026-42225 on Ubuntu 26.04 LTS (resolute) - medium
PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, on GnuTLS builds, the SIP TLS transport (sip_transport_tls) can accept connections with invalid or untrusted certificates even when the application explicitly enables certificate verification via verify_server = PJ_TRUE or verify_client = PJ_TRUE. This issue has been patched in version 2.17.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136007
CVE-2026-42225
CVE-2026-4224 on Ubuntu 26.04 LTS (resolute) - medium
When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-16 18:16:00 UTC
CVE-2026-4224
CVE-2026-42245 on Ubuntu 26.04 LTS (resolute) - medium
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-09 20:16:00 UTC
CVE-2026-42245
CVE-2026-42246 on Ubuntu 26.04 LTS (resolute) - medium
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-09 20:16:00 UTC
CVE-2026-42246
CVE-2026-42256 on Ubuntu 26.04 LTS (resolute) - medium
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-09 20:16:00 UTC
CVE-2026-42256
CVE-2026-42257 on Ubuntu 26.04 LTS (resolute) - medium
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-09 20:16:00 UTC
CVE-2026-42257
CVE-2026-42258 on Ubuntu 26.04 LTS (resolute) - medium
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-09 20:16:00 UTC
CVE-2026-42258
CVE-2026-42264 on Ubuntu 26.04 LTS (resolute) - medium
Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 04:16:00 UTC
CVE-2026-42264
CVE-2026-42266 on Ubuntu 26.04 LTS (resolute) - medium
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-42266
CVE-2026-42268 on Ubuntu 26.04 LTS (resolute) - medium
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by unsigned integer underflow in libmodsecurity3 if the user (administrator) uses a rule with any of @verifySSN, @verifyCPF, or @verifySVNR. This vulnerability is fixed in 3.0.15.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 22:16:00 UTC
CVE-2026-42268
CVE-2026-42284 on Ubuntu 26.04 LTS (resolute) - medium
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (starts with --branch), but after split becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the config and executes attacker hooks during clone. This issue has been patched in version 3.1.47.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 19:16:00 UTC
CVE-2026-42284
CVE-2026-42285 on Ubuntu 26.04 LTS (resolute) - medium
GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.4.0, an unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improperly handles the internal state transition to a "withdraw" action, leading to a nil pointer dereference in the AdjRib.Update function. This causes the entire GoBGP process to crash, resulting in a complete loss of service availability. This issue has been patched in version 4.5.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 12:16:00 UTC
CVE-2026-42285
CVE-2026-42304 on Ubuntu 26.04 LTS (resolute) - medium
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 21:16:00 UTC
CVE-2026-42304
CVE-2026-42307 on Ubuntu 26.04 LTS (resolute) - medium
Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 23:16:00 UTC
kkernick
Joshua Rogers
CVE-2026-42307
CVE-2026-42308 on Ubuntu 26.04 LTS (resolute) - medium
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceedingly large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-09 06:16:00 UTC
CVE-2026-42308
CVE-2026-42309 on Ubuntu 26.04 LTS (resolute) - medium
Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-09 06:16:00 UTC
CVE-2026-42309
CVE-2026-42310 on Ubuntu 26.04 LTS (resolute) - medium
Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-09 06:16:00 UTC
CVE-2026-42310
CVE-2026-42311 on Ubuntu 26.04 LTS (resolute) - medium
Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-09 06:16:00 UTC
CVE-2026-42311
CVE-2026-42326 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-42326
CVE-2026-42338 on Ubuntu 26.04 LTS (resolute) - medium
ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error's parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. This vulnerability is fixed in 10.1.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 20:16:00 UTC
CVE-2026-42338
CVE-2026-42371 on Ubuntu 26.04 LTS (resolute) - medium
uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-27 07:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135109
CVE-2026-42371
CVE-2026-42396 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-42396
CVE-2026-42440 on Ubuntu 26.04 LTS (resolute) - medium
OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader
Versions Affected:
before 2.5.9
before 3.0.0-M3
Description:
The AbstractModelReader methods getOutcomes(), getOutcomePatterns(), and getPredicates() each read a 32-bit signed integer count field from a binary model stream and pass that value directly to an array allocation (new String[numOutcomes], new int[numOCTypes][], new String[NUM_PREDS]) without validating that the value is non-negative or within a reasonable bound. The count is therefore fully attacker-controlled when the model file originates from an untrusted source.
A crafted .bin model file in which any of these count fields is set to Integer.MAX_VALUE (or any value large enough to exhaust the available heap) triggers an OutOfMemoryError at the array allocation itself, before the corresponding label or pattern data is consumed from the stream. The error occurs very early in deserialization: for a GIS model, getOutcomes() is reached after only the model-type string, the correction constant, and the correction parameter have been read; so the attacker pays no meaningful size cost to weaponize a payload, and a single small file can crash a JVM that loads it. Any code path that deserializes a .bin model is affected, including direct use of GenericModelReader and any higher-level component that delegates to it during model load.
The practical impact is denial of service against processes that load model files from untrusted or semi-trusted origins.
Mitigation:
 * 2.x users should upgrade to 2.5.9.
 * 3.x users should upgrade to 3.0.0-M3.
Note: The fix introduces an upper bound on each of the three count fields, checked before array allocation; counts that are negative or exceed the bound cause an IllegalArgumentException to be thrown and the read to fail fast with no large allocation. The default bound is 10,000,000, which is well above the entry counts of legitimate OpenNLP models but far below any value that would threaten heap exhaustion. Deployments that legitimately need to load models with more entries than the default can raise the limit at JVM startup by setting the OPENNLP_MAX_ENTRIES system property to the desired positive integer (e.g. -DOPENNLP_MAX_ENTRIES=50000000); invalid or non-positive values fall back to the default.
Users who cannot upgrade immediately should treat all .bin model files as untrusted input unless their provenance is verified, and should avoid loading models supplied by end users or fetched from third-party repositories without integrity checks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 17:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135782
CVE-2026-42440
CVE-2026-42476 on Ubuntu 26.04 LTS (resolute) - medium
Two heap-based out-of-bounds read vulnerabilities in the STL ASCII file parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 exist in RWStl_Reader::ReadAscii because buffers returned by Standard_ReadLineBuffer::ReadLine() are not properly length-validated before strncasecmp or direct byte access. User-assisted attackers can trigger these issues by persuading a victim to open a crafted STL file with extremely short lines, resulting in a denial of service or possible information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-42476
CVE-2026-42477 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based out-of-bounds read vulnerability in RWObj_Reader::read in the OBJ file parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 allows user-assisted attackers to cause a denial of service or obtain sensitive information by persuading a victim to open a crafted OBJ file. The issue occurs because Standard_ReadLineBuffer::ReadLine() can return a 1-byte buffer for a minimal OBJ line, and RWObj_Reader::read() calls pushIndices(aLine + 2) without validating the buffer length.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-42477
CVE-2026-42478 on Ubuntu 26.04 LTS (resolute) - medium
An issue in VrmlData_IndexedFaceSet::TShape in the VRML V2.0 parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 allows attackers to cause a denial of service via a crafted VRML file. The issue occurs because malformed VRML input can trigger dereference of a corrupt or unvalidated pointer during shape construction in libTKDEVRML.so.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-42478
CVE-2026-42479 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read vulnerability in VrmlData_IndexedLineSet::TShape in the VRML parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 allows attackers to cause a denial of service via a crafted VRML file. The issue occurs because coordIndex values from parsed input are used as direct array indices without validation against the size of the coordinate array during geometry processing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-42479
CVE-2026-42480 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based out-of-bounds read vulnerability in VrmlData_Scene::ReadLine in the VRML parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 allows attackers to cause a denial of service via a crafted VRML file. The issue occurs because the quoted-string escape handler uses ptr[++anOffset] without proper bounds checking, which can read past the end of a fixed-size stack buffer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 16:16:00 UTC
CVE-2026-42480
CVE-2026-42481 on Ubuntu 26.04 LTS (resolute) - medium
Open CASCADE Technology (OCCT) V8_0_0_rc5 contains multiple vulnerabilities in its IGES and STEP file parsers that can be triggered by crafted IGES or STEP files. These issues include an out-of-bounds read in Geom2d_BSplineCurve::EvalD0 during IGES B-spline curve evaluation, an out-of-bounds read in MakeBSplineCurveCommon during STEP B-spline curve construction, and infinite recursion in StepShape_OrientedEdge::EdgeStart when processing a self-referential OrientedEdge entity. Successful exploitation may result in denial of service or unintended memory disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 16:16:00 UTC
CVE-2026-42481
CVE-2026-42482 on Ubuntu 26.04 LTS (resolute) - medium
A stack-based buffer overflow in mangle_to_hex_lower() and mangle_to_hex_upper() in src/rp_cpu.c in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted rule file, or via the -j or -k rule options used with password candidates of 128 or more characters. The vulnerability is caused by a bounds check that fails to account for the 2x expansion that occurs when password bytes are converted to hexadecimal.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-42482
CVE-2026-42483 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow in the Kerberos hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted Kerberos hash file. The issue affects module_hash_decode in multiple Kerberos-related modules because account_info_len is calculated from untrusted delimiter positions without upper-bound validation before memcpy copies the data into a fixed-size account_info buffer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-42483
CVE-2026-42484 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted PKZIP hash file. The issue affects modules 17200, 17210, 17220, 17225, and 17230. When data_type_enum<=1, attacker-controlled hex data from a user-supplied hash string is decoded into a fixed-size buffer without proper input-length validation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
CVE-2026-42484
CVE-2026-42498 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 16:16:00 UTC
CVE-2026-42498
CVE-2026-42499 on Ubuntu 26.04 LTS (resolute) - medium
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 20:16:00 UTC
CVE-2026-42499
CVE-2026-42501 on Ubuntu 26.04 LTS (resolute) - medium
A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versions of the Go toolchain. When selecting a different version of the Go toolchain than the currently installed toolchain (due to the GOTOOLCHAIN environment variable, or a go.work or go.mod with a toolchain line), the go command will download and execute a toolchain provided by the module proxy. A malicious module proxy can bypass checksum database validation for this downloaded toolchain. Since this vulnerability affects the security of toolchain downloads, setting GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade your base Go toolchain. The go tool always validates the hash of a toolchain before executing it, so fixed versions will refuse to execute any cached, altered versions of the toolchain. The go tool trusts go.sum files to contain accurate hashes of the current module's dependencies. A malicious proxy exploiting this vulnerability to serve an altered module will have caused an incorrect hash to be recorded in the go.sum. Users who have configured a non-trusted GOPROXY can determine if they have been affected by running "rm go.sum ; go mod tidy ; go mod verify", which will revalidate all dependencies of the current module. The specific flaw in more detail: The go command consults the checksum database to validate downloaded modules, when a module is not listed in the go.sum file. It verifies that the module hash reported by the checksum database matches the hash of the downloaded module.
If, however, the checksum database returns a successful response that contains no entry for the module, the go command incorrectly permitted validation to succeed. A module proxy may mirror or proxy the checksum database, in which case the go command will not connect to the checksum database directly. Checksums reported by the checksum database are cryptographically signed, so a malicious proxy cannot alter the reported checksum for a module. However, a proxy which returns an empty checksum response, or a checksum response for an unrelated module, could cause the go command to proceed as if a downloaded module has been validated.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 20:16:00 UTC
CVE-2026-42501
CVE-2026-42503 on Ubuntu 26.04 LTS (resolute) - medium
gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind 0.0.0.0. This can allow a malicious party on the same network to execute code arbitrarily via gopls.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 17:16:00 UTC
CVE-2026-42503
CVE-2026-42510 on Ubuntu 26.04 LTS (resolute) - medium
OpenStack Ironic before 35.0.1 allows ipmitool execution in a non-default configuration that has a console interface.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28 06:16:00 UTC
CVE-2026-42510
CVE-2026-42534 on Ubuntu 26.04 LTS (resolute) - medium
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic that could defeat its purpose and degrade resolution performance. Retransmits of the same query could renew the age of slow running queries and not allow the jostle logic to see them as aged and potential targets for replacement with new queries. An adversary who can query a vulnerable Unbound and who can control a domain name server that replies slowly and/or maliciously to Unbound's queries can exploit the vulnerability and degrade the resolution performance of Unbound. When Unbound's 'num-queries-per-thread' reaches its limit, the jostle logic kicks in. When a new query comes in, half of the available queries that are also slow to resolve are candidates for replacement. The vulnerability then happens because duplicate queries that need resolution would skew the aging result by using the timestamp of the latest duplicate query instead of the original one that started the resolution effort. Cache and local data response performance remains unaffected. Coordinated attacks could raise this to a denial of resolution service. Unbound 1.25.1 contains a patch with a fix to attach an initial, non-updatable start time for incoming queries that allow the jostle logic to work as intended.
Update Instructions:
Run `sudo pro fix CVE-2026-42534` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libunbound8 - 1.24.2-1ubuntu2.1
python3-unbound - 1.24.2-1ubuntu2.1
unbound - 1.24.2-1ubuntu2.1
unbound-anchor - 1.24.2-1ubuntu2.1
unbound-host - 1.24.2-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
2026-05-20
Qifan Zhang
[https://ubuntu.com/security/notices/USN-8282-1]
CVE-2026-42534
CVE-2026-42557 on Ubuntu 26.04 LTS (resolute) - medium
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user. This vulnerability is fixed in 4.5.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-42557
CVE-2026-42561 on Ubuntu 26.04 LTS (resolute) - medium
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion. This vulnerability is fixed in 0.0.27.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136702
CVE-2026-42561
CVE-2026-42577 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final, Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread. This vulnerability is fixed in 4.2.13.Final.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 19:17:00 UTC
CVE-2026-42577
CVE-2026-42578 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 19:17:00 UTC
CVE-2026-42578
CVE-2026-42579 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 19:17:00 UTC
CVE-2026-42579
CVE-2026-42580 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 19:17:00 UTC
CVE-2026-42580
CVE-2026-42581 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 19:17:00 UTC
CVE-2026-42581
CVE-2026-42582 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 19:17:00 UTC
CVE-2026-42582
CVE-2026-42583 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 19:17:00 UTC
CVE-2026-42583
CVE-2026-42584 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 19:17:00 UTC
CVE-2026-42584
CVE-2026-42585 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 19:17:00 UTC
CVE-2026-42585
CVE-2026-42586 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 19:17:00 UTC
CVE-2026-42586
CVE-2026-42587 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 19:17:00 UTC
CVE-2026-42587
CVE-2026-4271 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsoup, a library for handling HTTP requests. This vulnerability, known as a Use-After-Free, occurs in the HTTP/2 server implementation. A remote attacker can exploit this by sending specially crafted HTTP/2 requests that cause authentication failures. This can lead to the application attempting to access memory that has already been freed, potentially causing application instability or crashes, resulting in a Denial of Service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-17 12:16:00 UTC
CVE-2026-4271
CVE-2026-42798 on Ubuntu 26.04 LTS (resolute) - medium
Little CMS (lcms2) 2.16 through 2.18 before 2.19 has an integer overflow in ParseCube in cmscgats.c.
Update Instructions:
Run `sudo pro fix CVE-2026-42798` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
liblcms2-2 - 2.17-1ubuntu0.2
liblcms2-utils - 2.17-1ubuntu0.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05
2026-05-05
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135320
[https://ubuntu.com/security/notices/USN-8250-1]
CVE-2026-42798
CVE-2026-42923 on Ubuntu 26.04 LTS (resolute) - medium
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit on NSEC3 hash calculations introduced in 1.19.1. This leads to degradation of service during the attack. An adversary that controls a DNSSEC signed zone can exploit this by signing NSEC3 records with acceptably high iterations for child delegations and querying a vulnerable Unbound. Unbound will keep performing the allowed hash calculations on the NSEC3 records and will not limit the work by the mitigation introduced in 1.19.1. As a side effect, a global lock for the negative cache will be held for the duration of the hashing, blocking other threads that need to consult the negative cache. Coordinated attacks could raise the vulnerability to denial of service. Unbound 1.25.1 contains a patch with a fix to bound the vulnerable code path with the existing limit for NSEC3 hash calculations.
Update Instructions:
Run `sudo pro fix CVE-2026-42923` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libunbound8 - 1.24.2-1ubuntu2.1
python3-unbound - 1.24.2-1ubuntu2.1
unbound - 1.24.2-1ubuntu2.1
unbound-anchor - 1.24.2-1ubuntu2.1
unbound-host - 1.24.2-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
2026-05-20
Qifan Zhang
[https://ubuntu.com/security/notices/USN-8282-1]
CVE-2026-42923
CVE-2026-42926 on Ubuntu 26.04 LTS (resolute) - medium
When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-42926
CVE-2026-42934 on Ubuntu 26.04 LTS (resolute) - medium
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When the charset, source_charset, and charset_map directives and proxy_pass with disabled buffering ("off") are configured, unauthenticated attackers can send requests that, with conditions beyond the attackers' control, cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-42934
CVE-2026-42944 on Ubuntu 26.04 LTS (resolute) - medium
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.
Update Instructions:
Run `sudo pro fix CVE-2026-42944` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libunbound8 - 1.24.2-1ubuntu2.1
python3-unbound - 1.24.2-1ubuntu2.1
unbound - 1.24.2-1ubuntu2.1
unbound-anchor - 1.24.2-1ubuntu2.1
unbound-host - 1.24.2-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
2026-05-20
Qifan Zhang
[https://ubuntu.com/security/notices/USN-8282-1]
CVE-2026-42944
CVE-2026-42945 on Ubuntu 26.04 LTS (resolute) - high
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Update Instructions:
Run `sudo pro fix CVE-2026-42945` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libnginx-mod-http-geoip - 1.28.3-2ubuntu1.1
libnginx-mod-http-image-filter - 1.28.3-2ubuntu1.1
libnginx-mod-http-perl - 1.28.3-2ubuntu1.1
libnginx-mod-http-xslt-filter - 1.28.3-2ubuntu1.1
libnginx-mod-mail - 1.28.3-2ubuntu1.1
libnginx-mod-stream - 1.28.3-2ubuntu1.1
libnginx-mod-stream-geoip - 1.28.3-2ubuntu1.1
nginx - 1.28.3-2ubuntu1.1
nginx-common - 1.28.3-2ubuntu1.1
nginx-core - 1.28.3-2ubuntu1.1
nginx-extras - 1.28.3-2ubuntu1.1
nginx-full - 1.28.3-2ubuntu1.1
nginx-light - 1.28.3-2ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-05-14
2026-05-14
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/2152577
[https://ubuntu.com/security/notices/USN-8271-1]
CVE-2026-42945
CVE-2026-42946 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-42946
CVE-2026-42959 on Ubuntu 26.04 LTS (resolute) - medium
NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write offsets.
Update Instructions:
Run `sudo pro fix CVE-2026-42959` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libunbound8 - 1.24.2-1ubuntu2.1
python3-unbound - 1.24.2-1ubuntu2.1
unbound - 1.24.2-1ubuntu2.1
unbound-anchor - 1.24.2-1ubuntu2.1
unbound-host - 1.24.2-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
2026-05-20
Qifan Zhang
[https://ubuntu.com/security/notices/USN-8282-1]
CVE-2026-42959
CVE-2026-42960 on Ubuntu 26.04 LTS (resolute) - medium
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complement fix to CVE-2025-11411.
Update Instructions:
Run `sudo pro fix CVE-2026-42960` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libunbound8 - 1.24.2-1ubuntu2.1
python3-unbound - 1.24.2-1ubuntu2.1
unbound - 1.24.2-1ubuntu2.1
unbound-anchor - 1.24.2-1ubuntu2.1
unbound-host - 1.24.2-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
2026-05-20
TaoFei Guo, Yang Luo and JianJun Chen
[https://ubuntu.com/security/notices/USN-8282-1]
CVE-2026-42960
CVE-2026-42997 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 19:16:00 UTC
https://bugs.launchpad.net/ironic/+bug/2148317
CVE-2026-42997
CVE-2026-43001 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credential for project A to create an EC2 credential targeting project B; a subsequent /v3/ec2tokens exchange would then issue a Keystone token scoped to project B while still carrying the original app_cred_id, enabling cross-project lateral movement within the credential owner's role footprint.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 09:16:00 UTC
https://bugs.launchpad.net/keystone/+bug/2149775
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135645
CVE-2026-43001
CVE-2026-43002 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in OpenStack Horizon 25.6 and 25.7 before 25.7.3. There is a write operation to the session storage backend before authentication and thus storage can be exhausted by unauthenticated requests. This is a regression of the CVE-2014-8124 fix.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 17:17:00 UTC
https://bugs.launchpad.net/horizon/+bug/2150331
CVE-2026-43002
CVE-2026-43003 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malicious image.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 09:16:00 UTC
https://bugs.launchpad.net/ironic-python-agent/+bug/2148310
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135646
CVE-2026-43003
CVE-2026-43004 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
spi: stm32-ospi: Fix resource leak in remove() callback
The remove() callback returned early if pm_runtime_resume_and_get() failed, skipping the cleanup of spi controller and other resources.
Remove the early return so cleanup completes regardless of PM resume result.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43004
CVE-2026-43005 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (tps53679) Fix array access with zero-length block read
i2c_smbus_read_block_data() can return 0, indicating a zero-length read. When this happens, tps53679_identify_chip() accesses buf[ret - 1] which is buf[-1], reading one byte before the buffer on the stack.
Fix by changing the check from "ret < 0" to "ret <= 0", treating a zero-length read as an error (-EIO), which prevents the out-of-bounds array access.
Also fix a typo in the adjacent comment: "if present" instead of duplicate "if".
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43005
CVE-2026-43006 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
io_uring/rsrc: reject zero-length fixed buffer import
validate_fixed_range() admits buf_addr at the exact end of the registered region when len is zero, because the check uses strict greater-than (buf_end > imu->ubuf + imu->len). io_import_fixed() then computes offset == imu->len, which causes the bvec skip logic to advance past the last bio_vec entry and read bv_offset from out-of-bounds slab memory.
Return early from io_import_fixed() when len is zero. A zero-length import has no data to transfer and should not walk the bvec array at all.
  BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0
  Read of size 4 at addr ffff888002bcc254 by task poc/103
  Call Trace:
   io_import_reg_buf+0x697/0x7f0
   io_write_fixed+0xd9/0x250
   __io_issue_sqe+0xad/0x710
   io_issue_sqe+0x7d/0x1100
   io_submit_sqes+0x86a/0x23c0
   __do_sys_io_uring_enter+0xa98/0x1590
  Allocated by task 103:
  The buggy address is located 12 bytes to the right of
   allocated 584-byte region [ffff888002bcc000, ffff888002bcc248)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43006
CVE-2026-43007 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
accel/qaic: Handle DBC deactivation if the owner went away
When a DBC is released, the device sends a QAIC_TRANS_DEACTIVATE_FROM_DEV transaction to the host over the QAIC_CONTROL MHI channel. QAIC handles this by calling decode_deactivate() to release the resources allocated for that DBC. Since that handling is done in the qaic_manage_ioctl() context, if the user goes away before receiving and handling the deactivation, the host will be out-of-sync with the DBCs available for use, and the DBC resources will not be freed unless the device is removed. If another user loads and requests to activate a network, then the device assigns the same DBC to that network, QAIC will "indefinitely" wait for dbc->in_use = false, leading the user process to hang.
As a solution to this, handle QAIC_TRANS_DEACTIVATE_FROM_DEV transactions that are received after the user has gone away.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43007
CVE-2026-43008 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
gpio: qixis-fpga: Fix error handling for devm_regmap_init_mmio()
devm_regmap_init_mmio() returns an ERR_PTR() on failure, not NULL. The original code checked for NULL which would never trigger on error, potentially leading to an invalid pointer dereference.
Use IS_ERR() and PTR_ERR() to properly handle the error case.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43008
CVE-2026-43009 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix incorrect pruning due to atomic fetch precision tracking
When backtrack_insn encounters a BPF_STX instruction with BPF_ATOMIC and BPF_FETCH, the src register (or r0 for BPF_CMPXCHG) also acts as a destination, thus receiving the old value from the memory location.
The current backtracking logic does not account for this. It treats atomic fetch operations the same as regular stores where the src register is only an input. This leads the backtrack_insn to fail to propagate precision to the stack location, which is then not marked as precise!
Later, the verifier's path pruning can incorrectly consider two states equivalent when they differ in terms of stack state. Meaning, two branches can be treated as equivalent and thus get pruned when they should not be seen as such.
Fix it as follows: Extend the BPF_LDX handling in backtrack_insn to also cover atomic fetch operations via is_atomic_fetch_insn() helper. When the fetch dst register is being tracked for precision, clear it, and propagate precision over to the stack slot. For non-stack memory, the precision walk stops at the atomic instruction, same as regular BPF_LDX. This covers all fetch variants.
Before:
  0: (b7) r1 = 8 ; R1=8
  1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8
  2: (b7) r2 = 0 ; R2=0
  3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm
  4: (bf) r3 = r10 ; R3=fp0 R10=fp0
  5: (0f) r3 += r2
  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
  mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10
  mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)
  mark_precise: frame0: regs=r2 stack= before 2: (b7) r2 = 0
  6: R2=8 R3=fp8
  6: (b7) r0 = 0 ; R0=0
  7: (95) exit
After:
  0: (b7) r1 = 8 ; R1=8
  1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8
  2: (b7) r2 = 0 ; R2=0
  3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm
  4: (bf) r3 = r10 ; R3=fp0 R10=fp0
  5: (0f) r3 += r2
  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
  mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10
  mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)
  mark_precise: frame0: regs= stack=-8 before 2: (b7) r2 = 0
  mark_precise: frame0: regs= stack=-8 before 1: (7b) *(u64 *)(r10 -8) = r1
  mark_precise: frame0: regs=r1 stack= before 0: (b7) r1 = 8
  6: R2=8 R3=fp8
  6: (b7) r0 = 0 ; R0=0
  7: (95) exit
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43009
CVE-2026-43010 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
bpf: Reject sleepable kprobe_multi programs at attach time
kprobe.multi programs run in atomic/RCU context and cannot sleep. However, bpf_kprobe_multi_link_attach() did not validate whether the program being attached had the sleepable flag set, allowing sleepable helpers such as bpf_copy_from_user() to be invoked from a non-sleepable context.
This causes a "sleeping function called from invalid context" splat:
  BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:169
  in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1787, name: sudo
  preempt_count: 1, expected: 0
  RCU nest depth: 2, expected: 0
Fix this by rejecting sleepable programs early in bpf_kprobe_multi_link_attach(), before any further processing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43010
CVE-2026-43011 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/x25: Fix potential double free of skb
When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at line 48 and returns 1 (error). This error propagates back through the call chain:
x25_queue_rx_frame returns 1
    |
    v
x25_state3_machine receives the return value 1 and takes the else branch at line 278, setting queued=0 and returning 0
    |
    v
x25_process_rx_frame returns queued=0
    |
    v
x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb) again
This would free the same skb twice. Looking at x25_backlog_rcv:
net/x25/x25_in.c:x25_backlog_rcv() {
    ...
    queued = x25_process_rx_frame(sk, skb);
    ...
    if (!queued)
        kfree_skb(skb);
}
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43011
CVE-2026-43012 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix switchdev mode rollback in case of failure
If for some internal reason switchdev mode fails, we rollback to legacy mode, before this patch, rollback will unregister the uplink netdev and leave it unregistered causing the below kernel bug.
To fix this, we need to avoid netdev unregister by setting the proper rollback flag 'MLX5_PRIV_FLAGS_SWITCH_LEGACY' to indicate legacy mode.
kernel BUG at net/core/dev.c:12070!
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43012
CVE-2026-43013 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: lag: Check for LAG device before creating debugfs
__mlx5_lag_dev_add_mdev() may return 0 (success) even when an error occurs that is handled gracefully. Consequently, the initialization flow proceeds to call mlx5_ldev_add_debugfs() even when there is no valid LAG context.
mlx5_ldev_add_debugfs() blindly created the debugfs directory and attributes. This exposed interfaces (like the members file) that rely on a valid ldev pointer, leading to potential NULL pointer dereferences if accessed when ldev is NULL.
Add a check to verify that mlx5_lag_dev(dev) returns a valid pointer before attempting to create the debugfs entries.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43013
CVE-2026-43014 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: macb: properly unregister fixed rate clocks
The additional resources allocated with clk_register_fixed_rate() need to be released with clk_unregister_fixed_rate(), otherwise they are lost.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43014
CVE-2026-43015 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: macb: fix clk handling on PCI glue driver removal
platform_device_unregister() may still want to use the registered clks during runtime resume callback.
Note that there is a commit d82d5303c4c5 ("net: macb: fix use after free on rmmod") that addressed the similar problem of clk vs platform device unregistration but just moved the bug to another place.
Save the pointers to clks into local variables for reuse after platform device is unregistered.
BUG: KASAN: use-after-free in clk_prepare+0x5a/0x60
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43015
CVE-2026-43016 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
bpf: sockmap: Fix use-after-free of sk->sk_socket in sk_psock_verdict_data_ready().
syzbot reported use-after-free of AF_UNIX socket's sk->sk_socket in sk_psock_verdict_data_ready(). [0]
In unix_stream_sendmsg(), the peer socket's ->sk_data_ready() is called after dropping its unix_state_lock().
Although the sender socket holds the peer's refcount, it does not prevent the peer's sock_orphan(), and the peer's sk_socket might be freed after one RCU grace period.
Let's fetch the peer's sk->sk_socket and sk->sk_socket->ops under RCU in sk_psock_verdict_data_ready().
[0]: BUG: KASAN: slab-use-after-free in sk_psock_verdict_data_ready+0xec/0x590 net/core/skmsg.c:1278
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43016
CVE-2026-43017 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: validate mesh send advertising payload length
mesh_send() currently bounds MGMT_OP_MESH_SEND by total command length, but it never verifies that the bytes supplied for the flexible adv_data[] array actually match the embedded adv_data_len field. MGMT_MESH_SEND_SIZE only covers the fixed header, so a truncated command can still pass the existing 20..50 byte range check and later drive the async mesh send path past the end of the queued command buffer.
Keep rejecting zero-length and oversized advertising payloads, but validate adv_data_len explicitly and require the command length to exactly match the flexible array size before queueing the request.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43017
CVE-2026-43018 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt
hci_conn lookup and field access must be covered by hdev lock in hci_le_remote_conn_param_req_evt, otherwise it's possible it is freed concurrently.
Extend the hci_dev_lock critical section to cover all conn usage.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43018
CVE-2026-43019 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync
hci_conn lookup and field access must be covered by hdev lock in set_cig_params_sync, otherwise it's possible it is freed concurrently.
Take hdev lock to prevent hci_conn from being deleted or modified concurrently. Just RCU lock is not suitable here, as we also want to avoid "tearing" in the configuration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43019
CVE-2026-43020 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: validate LTK enc_size on load
Load Long Term Keys stores the user-provided enc_size and later uses it to size fixed-size stack operations when replying to LE LTK requests. An enc_size larger than the 16-byte key buffer can therefore overflow the reply stack buffer.
Reject oversized enc_size values while validating the management LTK record so invalid keys never reach the stored key state.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43020
CVE-2026-43021 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: fix leaks when hci_cmd_sync_queue_once fails
When hci_cmd_sync_queue_once() returns with error, the destroy callback will not be called.
Fix leaking references / memory on these failures.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43021
CVE-2026-43022 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: hci_cmd_sync_queue_once() return -EEXIST if exists
hci_cmd_sync_queue_once() needs to indicate whether a queue item was added, so caller can know if callbacks are called, so it can avoid leaking resources.
Change the function to return -EEXIST if queue item already exists.
Modify all callsites to handle that.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43022
CVE-2026-43023 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SCO: fix race conditions in sco_sock_connect()
sco_sock_connect() checks sk_state and sk_type without holding the socket lock. Two concurrent connect() syscalls on the same socket can both pass the check and enter sco_connect(), leading to use-after-free.
The buggy scenario involves three participants and was confirmed with additional logging instrumentation:
  Thread A (connect):     HCI disconnect:         Thread B (connect):
  sco_sock_connect(sk)                            sco_sock_connect(sk)
  sk_state==BT_OPEN                               sk_state==BT_OPEN
  (pass, no lock)                                 (pass, no lock)
  sco_connect(sk):                                sco_connect(sk):
    hci_dev_lock                                    hci_dev_lock
    hci_connect_sco                                   <- blocked
      -> hcon1
    sco_conn_add->conn1
    lock_sock(sk)
    sco_chan_add:
      conn1->sk = sk
      sk->conn = conn1
    sk_state=BT_CONNECT
    release_sock
    hci_dev_unlock
                          hci_dev_lock
                          sco_conn_del:
                            lock_sock(sk)
                            sco_chan_del:
                              sk->conn=NULL
                              conn1->sk=NULL
                              sk_state=
                                BT_CLOSED
                              SOCK_ZAPPED
                            release_sock
                          hci_dev_unlock
                                                      (unblocked)
                                                    hci_connect_sco
                                                      -> hcon2
                                                    sco_conn_add
                                                      -> conn2
                                                    lock_sock(sk)
                                                    sco_chan_add:
                                                      sk->conn=conn2
                                                    sk_state=
                                                      BT_CONNECT
                                                    // zombie sk!
                                                    release_sock
                                                    hci_dev_unlock
Thread B revives a BT_CLOSED + SOCK_ZAPPED socket back to BT_CONNECT. Subsequent cleanup triggers double sock_put() and use-after-free. Meanwhile conn1 is leaked as it was orphaned when sco_conn_del() cleared the association.
Fix this by:
- Moving lock_sock() before the sk_state/sk_type checks in sco_sock_connect() to serialize concurrent connect attempts
- Fixing the sk_type != SOCK_SEQPACKET check to actually return the error instead of just assigning it
- Adding a state re-check in sco_connect() after lock_sock() to catch state changes during the window between the locks
- Adding sco_pi(sk)->conn check in sco_chan_add() to prevent double-attach of a socket to multiple connections
- Adding hci_conn_drop() on sco_chan_add failure to prevent HCI connection leaks
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43023
CVE-2026-43024 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: reject immediate NF_QUEUE verdict
nft_queue is always used from userspace nftables to deliver the NF_QUEUE verdict. Immediately emitting an NF_QUEUE verdict is never used by the userspace nft tools, so reject immediate NF_QUEUE verdicts.
The arp family does not provide queue support, but such an immediate verdict is still reachable. Globally reject NF_QUEUE immediate verdicts to address this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43024
CVE-2026-43025 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: ignore explicit helper on new expectations
Use the existing master conntrack helper, anything else is not really supported and it just makes validation more complicated, so just ignore what helper userspace suggests for this expectation.
This was uncovered when validating CTA_EXPECT_CLASS via different helper provided by userspace than the existing master conntrack helper:
  BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0
  Read of size 4 at addr ffff8880043fe408 by task poc/102
  Call Trace:
   nf_ct_expect_related_report+0x2479/0x27c0
   ctnetlink_create_expect+0x22b/0x3b0
   ctnetlink_new_expect+0x4bd/0x5c0
   nfnetlink_rcv_msg+0x67a/0x950
   netlink_rcv_skb+0x120/0x350
Allowing to read kernel memory bytes off the expectation boundary.
CTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace via netlink dump.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43025
CVE-2026-43026 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
ctnetlink_alloc_expect() allocates expectations from a non-zeroing slab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not present in the netlink message, saved_addr and saved_proto are never initialized. Stale data from a previous slab occupant can then be dumped to userspace by ctnetlink_exp_dump_expect(), which checks these fields to decide whether to emit CTA_EXPECT_NAT.
The safe sibling nf_ct_expect_init(), used by the packet path, explicitly zeroes these fields.
Zero saved_addr, saved_proto and dir in the else branch, guarded by IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when NAT is enabled.
Confirmed by priming the expect slab with NAT-bearing expectations, freeing them, creating a new expectation without CTA_EXPECT_NAT, and observing that the ctnetlink dump emits a spurious CTA_EXPECT_NAT containing stale data from the prior allocation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43026
CVE-2026-43027 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_helper: pass helper to expect cleanup
nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy() to remove expectations belonging to the helper being unregistered. However, it passes NULL instead of the helper pointer as the data argument, so expect_iter_me() never matches any expectation and all of them survive the cleanup.
After unregister returns, nfnl_cthelper_del() frees the helper object immediately. Subsequent expectation dumps or packet-driven init_conntrack() calls then dereference the freed exp->helper, causing a use-after-free.
Pass the actual helper pointer so expectations referencing it are properly destroyed before the helper object is freed.
  BUG: KASAN: slab-use-after-free in string+0x38f/0x430
  Read of size 1 at addr ffff888003b14d20 by task poc/103
  Call Trace:
   string+0x38f/0x430
   vsnprintf+0x3cc/0x1170
   seq_printf+0x17a/0x240
   exp_seq_show+0x2e5/0x560
   seq_read_iter+0x419/0x1280
   proc_reg_read+0x1ac/0x270
   vfs_read+0x179/0x930
   ksys_read+0xef/0x1c0
  Freed by task 103:
  The buggy address is located 32 bytes inside of freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43027
CVE-2026-43028 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: x_tables: ensure names are nul-terminated
Reject names that lack a \0 character before feeding them to functions that expect c-strings.
Fixes tag is the most recent commit that needs this change.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43028
CVE-2026-43029 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix soft lockup in mptcp_recvmsg()
syzbot reported a soft lockup in mptcp_recvmsg() [0].
When receiving data with MSG_PEEK | MSG_WAITALL flags, the skb is not removed from the sk_receive_queue. This causes sk_wait_data() to always find available data and never perform actual waiting, leading to a soft lockup.
Fix this by adding a 'last' parameter to track the last peeked skb. This allows sk_wait_data() to make informed waiting decisions and prevent infinite loops when MSG_PEEK is used.
[0]: watchdog: BUG: soft lockup - CPU#2 stuck for 156s! [server:1963]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43029
CVE-2026-43030 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix regsafe() for pointers to packet
In case rold->reg->range == BEYOND_PKT_END && rcur->reg->range == N regsafe() may return true which may lead to current state with valid packet range not being explored. Fix the bug.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43030
CVE-2026-43031 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: xilinx: axienet: Fix BQL accounting for multi-BD TX packets
When a TX packet spans multiple buffer descriptors (scatter-gather), axienet_free_tx_chain sums the per-BD actual length from descriptor status into a caller-provided accumulator. That sum is reset on each NAPI poll. If the BDs for a single packet complete across different polls, the earlier bytes are lost and never credited to BQL. This causes BQL to think bytes are permanently in-flight, eventually stalling the TX queue.
The SKB pointer is stored only on the last BD of a packet. When that BD completes, use skb->len for the byte count instead of summing per-BD status lengths. This matches netdev_sent_queue(), which debits skb->len, and naturally survives across polls because no partial packet contributes to the accumulator.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43031
CVE-2026-43032 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
NFC: pn533: bound the UART receive buffer
pn532_receive_buf() appends every incoming byte to dev->recv_skb and only resets the buffer after pn532_uart_rx_is_frame() recognizes a complete frame. A continuous stream of bytes without a valid PN532 frame header therefore keeps growing the skb until skb_put_u8() hits the tail limit.
Drop the accumulated partial frame once the fixed receive buffer is full so malformed UART traffic cannot grow the skb past PN532_UART_SKB_BUFF_LEN.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43032
CVE-2026-43033 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption
When decrypting data that is not in-place (src != dst), there is no need to save the high-order sequence bits in dst as it could simply be re-copied from the source.
However, the data to be hashed need to be rearranged accordingly.
Thanks,
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
2026-05-01 15:16:00 UTC
[https://ubuntu.com/security/notices/USN-8277-1]
[https://ubuntu.com/security/notices/USN-8278-1]
[https://ubuntu.com/security/notices/USN-8279-1]
[https://ubuntu.com/security/notices/USN-8280-1]
[https://ubuntu.com/security/notices/USN-8281-1]
[https://ubuntu.com/security/notices/USN-8289-1]
CVE-2026-43033
CVE-2026-43034 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: set backing store type from query type
bnxt_hwrm_func_backing_store_qcaps_v2() stores resp->type from the firmware response in ctxm->type and later uses that value to index fixed backing-store metadata arrays such as ctx_arr[] and bnxt_bstore_to_trace[].
ctxm->type is fixed by the current backing-store query type and matches the array index of ctx->ctx_arr. Set ctxm->type from the current loop variable instead of depending on resp->type.
Also update the loop to advance type from next_valid_type in the for statement, which keeps the control flow simpler for non-valid and unchanged entries.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43034
CVE-2026-43035 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak
When building netlink messages, tc_chain_fill_node() never initializes the tcm_info field of struct tcmsg. Since the allocation is not zeroed, kernel heap memory is leaked to userspace through this 4-byte field.
The fix simply zeroes tcm_info alongside the other fields that are already initialized.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43035
CVE-2026-43036 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: use skb_header_pointer() for TCPv4 GSO frag_off check
Syzbot reported a KMSAN uninit-value warning in gso_features_check() called from netif_skb_features() [1].
gso_features_check() reads iph->frag_off to decide whether to clear mangleid_features. Accessing the IPv4 header via ip_hdr()/inner_ip_hdr() can rely on skb header offsets that are not always safe for direct dereference on packets injected from PF_PACKET paths.
Use skb_header_pointer() for the TCPv4 frag_off check so the header read is robust whether data is already linear or needs copying.
[1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43036
CVE-2026-43037 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
Oskar Kjos reported the following problem.
ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).
To fix this we clear skb2->cb[], as suggested by Oskar Kjos.
Also add minimal IPv4 header validation (version == 4, ihl >= 5).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43037
CVE-2026-43038 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
Sashiko AI-review observed:
  In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2 and passed to icmp6_send(), it uses IP6CB(skb2).
  IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm at offset 18.
  If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO).
  This would scan the inner, attacker-controlled IPv6 packet starting at that offset, potentially returning a fake TLV without checking if the remaining packet length can hold the full 18-byte struct ipv6_destopt_hao.
  Could mip6_addr_swap() then perform a 16-byte swap that extends past the end of the packet data into skb_shared_info?
  Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and ip6ip6_err() to prevent this?
This patch implements the first suggestion.
I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43038
CVE-2026-43039 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: ti: icssg-prueth: fix missing data copy and wrong recycle in ZC RX dispatch
emac_dispatch_skb_zc() allocates a new skb via napi_alloc_skb() but never copies the packet data from the XDP buffer into it. The skb is passed up the stack containing uninitialized heap memory instead of the actual received packet, leaking kernel heap contents to userspace.
Copy the received packet data from the XDP buffer into the skb using skb_copy_to_linear_data().
Additionally, remove the skb_mark_for_recycle() call since the skb is backed by the NAPI page frag allocator, not page_pool. Marking a non-page_pool skb for recycle causes the free path to return pages to a page_pool that does not own them, corrupting page_pool state.
The non-ZC path (emac_rx_packet) does not have these issues because it uses napi_build_skb() to wrap the existing page_pool page directly, requiring no copy, and correctly marks for recycle since the page comes from page_pool_dev_alloc_pages().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43039
CVE-2026-43040 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak
When processing Router Advertisements with user options the kernel builds an RTM_NEWNDUSEROPT netlink message. The nduseroptmsg struct has three padding fields that are never zeroed and can leak kernel data.
The fix is simple, just zeroes the padding fields.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43040
CVE-2026-43041 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak
__radix_tree_create() allocates and links intermediate nodes into the tree one by one. If a subsequent allocation fails, the already-linked nodes remain in the tree with no corresponding leaf entry. These orphaned internal nodes are never reclaimed because radix_tree_for_each_slot() only visits slots containing leaf values.
The radix_tree API is deprecated in favor of xarray. As suggested by Matthew Wilcox, migrate qrtr_tx_flow from radix_tree to xarray instead of fixing the radix_tree itself [1]. xarray properly handles cleanup of internal nodes — xa_destroy() frees all internal xarray nodes when the qrtr_node is released, preventing the leak.
[1] https://lore.kernel.org/all/20260225071623.41275-1-jiayuan.chen@linux.dev/T/
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43041
CVE-2026-43042 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mpls: add seqcount to protect the platform_label{,s} pair
The RCU-protected codepaths (mpls_forward, mpls_dump_routes) can have an inconsistent view of platform_labels vs platform_label in case of a concurrent resize (resize_platform_label_table, under platform_mutex). This can lead to OOB accesses.
This patch adds a seqcount, so that we get a consistent snapshot.
Note that mpls_label_ok is also susceptible to this, so the check against RTA_DST in rtm_to_route_config, done outside platform_mutex, is not sufficient. This value gets passed to mpls_label_ok once more in both mpls_route_add and mpls_route_del, so there is no issue, but that additional check must not be removed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43042
CVE-2026-43043 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
crypto: af-alg - fix NULL pointer dereference in scatterwalk
The AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL) when chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL exactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent sendmsg() allocates a new SGL and chains it, but fails to clear the end marker on the previous SGL's last data entry.
This causes the crypto scatterwalk to hit a premature end, returning NULL on sg_next() and leading to a kernel panic during dereference.
Fix this by explicitly unmarking the end of the previous SGL when performing sg_chain() in af_alg_alloc_tsgl().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43043
CVE-2026-43044 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
crypto: caam - fix DMA corruption on long hmac keys
When a key longer than block size is supplied, it is copied and then hashed into the real key. The memory allocated for the copy needs to be rounded to DMA cache alignment, as otherwise the hashed key may corrupt neighbouring memory.
The rounding was performed, but never actually used for the allocation. Fix this by replacing kmemdup with kmalloc for a larger buffer, followed by memcpy.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43044
CVE-2026-43045 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mshv: Fix error handling in mshv_region_pin
The current error handling has two issues:
First, pin_user_pages_fast() can return a short pin count (less than requested but greater than zero) when it cannot pin all requested pages. This is treated as success, leading to partially pinned regions being used, which causes memory corruption.
Second, when an error occurs mid-loop, already pinned pages from the current batch are not properly accounted for before calling mshv_region_invalidate_pages(), causing a page reference leak.
Treat short pins as errors and fix partial batch accounting before cleanup.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43045
CVE-2026-43046 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
btrfs: reject root items with drop_progress and zero drop_level
[BUG]
When recovering relocation at mount time, merge_reloc_root() and btrfs_drop_snapshot() both use BUG_ON(level == 0) to guard against an impossible state: a non-zero drop_progress combined with a zero drop_level in a root_item, which can be triggered:
------------[ cut here ]------------
kernel BUG at fs/btrfs/relocation.c:1545!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 283 ... Tainted: 6.18.0+ #16 PREEMPT(voluntary)
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU Ubuntu 24.04 PC v2, BIOS 1.16.3-debian-1.16.3-2
RIP: 0010:merge_reloc_root+0x1266/0x1650 fs/btrfs/relocation.c:1545
Code: ffff0000 00004589 d7e9acfa ffffe8a1 79bafebe 02000000
Call Trace:
 merge_reloc_roots+0x295/0x890 fs/btrfs/relocation.c:1861
 btrfs_recover_relocation+0xd6e/0x11d0 fs/btrfs/relocation.c:4195
 btrfs_start_pre_rw_mount+0xa4d/0x1810 fs/btrfs/disk-io.c:3130
 open_ctree+0x5824/0x5fe0 fs/btrfs/disk-io.c:3640
 btrfs_fill_super fs/btrfs/super.c:987 [inline]
 btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
 btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
 btrfs_get_tree+0x111c/0x2190 fs/btrfs/super.c:2128
 vfs_get_tree+0x9a/0x370 fs/super.c:1758
 fc_mount fs/namespace.c:1199 [inline]
 do_new_mount_fc fs/namespace.c:3642 [inline]
 do_new_mount fs/namespace.c:3718 [inline]
 path_mount+0x5b8/0x1ea0 fs/namespace.c:4028
 do_mount fs/namespace.c:4041 [inline]
 __do_sys_mount fs/namespace.c:4229 [inline]
 __se_sys_mount fs/namespace.c:4206 [inline]
 __x64_sys_mount+0x282/0x320 fs/namespace.c:4206
 ...
RIP: 0033:0x7f969c9a8fde
Code: 0f1f4000 48c7c2b0 fffffff7 d8648902 b8ffffff ffc3660f
---[ end trace 0000000000000000 ]---
The bug is reproducible on 7.0.0-rc2-next-20260310 with our dynamic metadata fuzzing tool that corrupts btrfs metadata at runtime.
[CAUSE]
A non-zero drop_progress.objectid means an interrupted btrfs_drop_snapshot() left a resume point on disk, and in that case drop_level must be greater than 0 because the checkpoint is only saved at internal node levels.
Although this invariant is enforced when the kernel writes the root item, it is not validated when the root item is read back from disk. That allows on-disk corruption to provide an invalid state with drop_progress.objectid != 0 and drop_level == 0.
When relocation recovery later processes such a root item, merge_reloc_root() reads drop_level and hits BUG_ON(level == 0). The same invalid metadata can also trigger the corresponding BUG_ON() in btrfs_drop_snapshot().
[FIX]
Fix this by validating the root_item invariant in tree-checker when reading root items from disk: if drop_progress.objectid is non-zero, drop_level must also be non-zero. Reject such malformed metadata with -EUCLEAN before it reaches merge_reloc_root() or btrfs_drop_snapshot() and triggers the BUG_ON.
After the fix, the same corruption is correctly rejected by tree-checker and the BUG_ON is no longer triggered.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43046
CVE-2026-43047 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: Check to ensure report responses match the request
It is possible for a malicious (or clumsy) device to respond to a specific report's feature request using a completely different report ID. This can cause confusion in the HID core resulting in nasty side-effects such as OOB writes.
Add a check to ensure that the report ID in the response matches the one that was requested. If it doesn't, omit reporting the raw event and return early.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43047
CVE-2026-43048 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
HID: core: Mitigate potential OOB by removing bogus memset()
The memset() in hid_report_raw_event() has the good intention of clearing out bogus data by zeroing the area from the end of the incoming data string to the assumed end of the buffer. However, as we have previously seen, doing so can easily result in OOB reads and writes in the subsequent thread of execution.
The current suggestion from one of the HID maintainers is to remove the memset() and simply return if the incoming event buffer size is not large enough to fill the associated report.
Suggested-by Benjamin Tissoires <bentiss@kernel.org>
[bentiss: changed the return value]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43048
CVE-2026-43049 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure
Presently, if the force feedback initialisation fails when probing the Logitech G920 Driving Force Racing Wheel for Xbox One, an error number will be returned and propagated before the userspace infrastructure (sysfs and /dev/input) has been torn down. If userspace ignores the errors and continues to use its references to these dangling entities, a UAF will promptly follow.
We have 2 options; continue to return the error, but ensure that all of the infrastructure is torn down accordingly or continue to treat this condition as a warning by emitting the message but returning success. It is thought that the original author's intention was to emit the warning but keep the device functional, less the force feedback feature, so let's go with that.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43049
CVE-2026-43050 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
atm: lec: fix use-after-free in sock_def_readable()
A race condition exists between lec_atm_close() setting priv->lecd to NULL and concurrent access to priv->lecd in send_to_lecd(), lec_handle_bridge(), and lec_atm_send(). When the socket is freed via RCU while another thread is still using it, a use-after-free occurs in sock_def_readable() when accessing the socket's wait queue.
The root cause is that lec_atm_close() clears priv->lecd without any synchronization, while callers dereference priv->lecd without any protection against concurrent teardown.
Fix this by converting priv->lecd to an RCU-protected pointer:
- Mark priv->lecd as __rcu in lec.h
- Use rcu_assign_pointer() in lec_atm_close() and lecd_attach() for safe pointer assignment
- Use rcu_access_pointer() for NULL checks that do not dereference the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and lecd_attach()
- Use rcu_read_lock/rcu_dereference/rcu_read_unlock in send_to_lecd(), lec_handle_bridge() and lec_atm_send() to safely access lecd
- Use rcu_assign_pointer() followed by synchronize_rcu() in lec_atm_close() to ensure all readers have completed before proceeding. This is safe since lec_atm_close() is called from vcc_release() which holds lock_sock(), a sleeping lock.
- Remove the manual sk_receive_queue drain from lec_atm_close() since vcc_destroy_socket() already drains it after lec_atm_close() returns.
v2: Switch from spinlock + sock_hold/put approach to RCU to properly fix the race. The v1 spinlock approach had two issues pointed out by Eric Dumazet:
1. priv->lecd was still accessed directly after releasing the lock instead of using a local copy.
2. The spinlock did not prevent packets being queued after lec_atm_close() drains sk_receive_queue since timer and workqueue paths bypass netif_stop_queue().
Note: Syzbot patch testing was attempted but the test VM terminated unexpectedly with "Connection to localhost closed by remote host", likely due to a QEMU AHCI emulation issue unrelated to this fix. Compile testing with "make W=1 net/atm/lec.o" passes cleanly.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43050
CVE-2026-43051 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
The wacom_intuos_bt_irq() function processes Bluetooth HID reports without sufficient bounds checking. A maliciously crafted short report can trigger an out-of-bounds read when copying data into the wacom structure.
Specifically, report 0x03 requires at least 22 bytes to safely read the processed data and battery status, while report 0x04 (which falls through to 0x03) requires 32 bytes.
Add explicit length checks for these report IDs and log a warning if a short report is received.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43051
CVE-2026-43052 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: check tdls flag in ieee80211_tdls_oper
When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the station exists but not whether it is actually a TDLS station. This allows the operation to proceed for non-TDLS stations, causing unintended side effects like modifying channel context and HT protection before failing.
Add a check for sta->sta.tdls early in the ENABLE_LINK case, before any side effects occur, to ensure the operation is only allowed for actual TDLS peers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43052
CVE-2026-43053 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xfs: close crash window in attr dabtree inactivation
When inactivating an inode with node-format extended attributes, xfs_attr3_node_inactive() invalidates all child leaf/node blocks via xfs_trans_binval(), but intentionally does not remove the corresponding entries from their parent node blocks. The implicit assumption is that xfs_attr_inactive() will truncate the entire attr fork to zero extents afterwards, so log recovery will never reach the root node and follow those stale pointers.
However, if a log shutdown occurs after the leaf/node block cancellations commit but before the attr bmap truncation commits, this assumption breaks. Recovery replays the attr bmap intact (the inode still has attr fork extents), but suppresses replay of all cancelled leaf/node blocks, maybe leaving them as stale data on disk. On the next mount, xlog_recover_process_iunlinks() retries inactivation and attempts to read the root node via the attr bmap. If the root node was not replayed, reading the unreplayed root block triggers a metadata verification failure immediately; if it was replayed, following its child pointers to unreplayed child blocks triggers the same failure:
 XFS (pmem0): Metadata corruption detected at xfs_da3_node_read_verify+0x53/0x220, xfs_da3_node block 0x78
 XFS (pmem0): Unmount and run xfs_repair
 XFS (pmem0): First 128 bytes of corrupted metadata buffer:
 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 XFS (pmem0): metadata I/O error in "xfs_da_read_buf+0x104/0x190" at daddr 0x78 len 8 error 117
Fix this in two places:
In xfs_attr3_node_inactive(), after calling xfs_trans_binval() on a child block, immediately remove the entry that references it from the parent node in the same transaction. This eliminates the window where the parent holds a pointer to a cancelled block. Once all children are removed, the now-empty root node is converted to a leaf block within the same transaction. This node-to-leaf conversion is necessary for crash safety. If the system shutdown after the empty node is written to the log but before the second-phase bmap truncation commits, log recovery will attempt to verify the root block on disk. xfs_da3_node_verify() does not permit a node block with count == 0; such a block will fail verification and trigger a metadata corruption shutdown. On the other hand, leaf blocks are allowed to have this transient state.
In xfs_attr_inactive(), split the attr fork truncation into two explicit phases. First, truncate all extents beyond the root block (the child extents whose parent references have already been removed above). Second, invalidate the root block and truncate the attr bmap to zero in a single transaction. The two operations in the second phase must be atomic: as long as the attr bmap has any non-zero length, recovery can follow it to the root block, so the root block invalidation must commit together with the bmap-to-zero truncation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43053
CVE-2026-43054 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: tcm_loop: Drain commands in target_reset handler
tcm_loop_target_reset() violates the SCSI EH contract: it returns SUCCESS without draining any in-flight commands. The SCSI EH documentation (scsi_eh.rst) requires that when a reset handler returns SUCCESS the driver has made lower layers "forget about timed out scmds" and is ready for new commands. Every other SCSI LLD (virtio_scsi, mpt3sas, ipr, scsi_debug, mpi3mr) enforces this by draining or completing outstanding commands before returning SUCCESS.
Because tcm_loop_target_reset() doesn't drain, the SCSI EH reuses in-flight scsi_cmnd structures for recovery commands (e.g. TUR) while the target core still has async completion work queued for the old se_cmd. The memset in queuecommand zeroes se_lun and lun_ref_active, causing transport_lun_remove_cmd() to skip its percpu_ref_put(). The leaked LUN reference prevents transport_clear_lun_ref() from completing, hanging configfs LUN unlink forever in D-state:
 INFO: task rm:264 blocked for more than 122 seconds.
 rm D 0 264 258 0x00004000
 Call Trace:
 __schedule+0x3d0/0x8e0
 schedule+0x36/0xf0
 transport_clear_lun_ref+0x78/0x90 [target_core_mod]
 core_tpg_remove_lun+0x28/0xb0 [target_core_mod]
 target_fabric_port_unlink+0x50/0x60 [target_core_mod]
 configfs_unlink+0x156/0x1f0 [configfs]
 vfs_unlink+0x109/0x290
 do_unlinkat+0x1d5/0x2d0
Fix this by making tcm_loop_target_reset() actually drain commands:
1. Issue TMR_LUN_RESET via tcm_loop_issue_tmr() to drain all commands that the target core knows about (those not yet CMD_T_COMPLETE).
2. Use blk_mq_tagset_busy_iter() to iterate all started requests and flush_work() on each se_cmd — this drains any deferred completion work for commands that already had CMD_T_COMPLETE set before the TMR (which the TMR skips via __target_check_io_state()). This is the same pattern used by mpi3mr, scsi_debug, and libsas to drain outstanding commands during reset.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43054
CVE-2026-43055 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: file: Use kzalloc_flex for aio_cmd
The target_core_file doesn't initialize the aio_cmd->iocb for the ki_write_stream. When a write command fd_execute_rw_aio() is executed, we may get a bogus ki_write_stream value, causing unintended write failure status when checking iocb->ki_write_stream > max_write_streams in the block device.
Let's just use kzalloc_flex when allocating the aio_cmd and let ki_write_stream=0 to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43055
CVE-2026-43056 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: mana: fix use-after-free in add_adev() error path
If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls auxiliary_device_uninit(adev).
The auxiliary device has its release callback set to adev_release(), which frees the containing struct mana_adev. Since adev is embedded in struct mana_adev, the subsequent fall-through to init_fail and access to adev->id may result in a use-after-free.
Fix this by saving the allocated auxiliary device id in a local variable before calling auxiliary_device_add(), and use that saved id in the cleanup path after auxiliary_device_uninit().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43056
CVE-2026-43057 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback
NETIF_F_IPV6_CSUM only advertises support for checksum offload of packets without IPv6 extension headers. Packets with extension headers must fall back onto software checksumming. Since TSO depends on checksum offload, those must revert to GSO.
The below commit introduces that fallback. It always checks network header length. For tunneled packets, the inner header length must be checked instead. Extend the check accordingly.
A special case is tunneled packets without inner IP protocol. Such as RFC 6951 SCTP in UDP. Those are not standard IPv6 followed by transport header either, so also must revert to the software GSO path.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43057
CVE-2026-43058 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: fix pass-by-value structs causing MSAN warnings
vidtv_ts_null_write_into() and vidtv_ts_pcr_write_into() take their argument structs by value, causing MSAN to report uninit-value warnings. While only vidtv_ts_null_write_into() has triggered a report so far, both functions share the same issue.
Fix by passing both structs by const pointer instead, avoiding the stack copy of the struct along with its MSAN shadow and origin metadata. The functions do not modify the structs, which is enforced by the const qualifier.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-02 07:16:00 UTC
CVE-2026-43058
CVE-2026-43059 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers
Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced mgmt_pending_valid(), which not only validates the pending command but also unlinks it from the pending list if it is valid. This change in semantics requires updates to several completion handlers to avoid list corruption and memory safety issues.
This patch addresses two left-over issues from the aforementioned rework:
1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove() is replaced with mgmt_pending_free() in the success path. Since mgmt_pending_valid() already unlinks the command at the beginning of the function, calling mgmt_pending_remove() leads to a double list_del() and subsequent list corruption/kernel panic.
2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error path is removed. Since the current command is already unlinked by mgmt_pending_valid(), this foreach loop would incorrectly target other pending mesh commands, potentially freeing them while they are still being processed concurrently (leading to UAFs). The redundant mgmt_cmd_status() is also simplified to use cmd->opcode directly.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 16:16:00 UTC
CVE-2026-43059
CVE-2026-43060 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: drop pending enqueued packets on removal
Packets sitting in nfqueue might hold a reference to:
- templates that specify the conntrack zone, because a percpu area is used and module removal is possible.
- conntrack timeout policies and helper, where object removal leaves a stale reference.
Since these objects can just go away, drop enqueued packets to avoid stale reference to them.
If there is a need for finer grain removal, this logic can be revisited to make selective packet drop upon dependencies.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 16:16:00 UTC
CVE-2026-43060
CVE-2026-43061 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
serial: 8250: Fix TX deadlock when using DMA
`dmaengine_terminate_async` does not guarantee that the `__dma_tx_complete` callback will run. The callback is currently the only place where `dma->tx_running` gets cleared. If the transaction is canceled and the callback never runs, then `dma->tx_running` will never get cleared and we will never schedule new TX DMA transactions again.
This change makes it so we clear `dma->tx_running` after we terminate the DMA transaction. This is "safe" because `serial8250_tx_dma_flush` is holding the UART port lock. The first thing the callback does is also grab the UART port lock, so access to `dma->tx_running` is serialized.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 16:16:00 UTC
CVE-2026-43061
CVE-2026-43062 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()
l2cap_ecred_reconf_rsp() casts the incoming data to struct l2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with result at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes with result at offset 0).
This causes two problems:
- The sizeof(*rsp) length check requires 8 bytes instead of the correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected with -EPROTO.
- rsp->result reads from offset 6 instead of offset 0, returning wrong data when the packet is large enough to pass the check.
Fix by using the correct type. Also pass the already byte-swapped result variable to BT_DBG instead of the raw __le16 field.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 16:16:00 UTC
CVE-2026-43062
CVE-2026-43063 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

xfs: don't irele after failing to iget in xfs_attri_recover_work

xlog_recovery_iget* never set @ip to a valid pointer if they return an error, so this irele will walk off a dangling pointer. Fix that.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 16:16:00 UTC
CVE-2026-43063
CVE-2026-43064 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Fix not releasing workqueue on .release()

The workqueue associated with a DSA/IAA device is not released when the object is freed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 16:16:00 UTC
CVE-2026-43064
CVE-2026-43065 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

ext4: always drain queued discard work in ext4_mb_release()

While reviewing recent ext4 patch[1], Sashiko raised the following concern[2]:

> If the filesystem is initially mounted with the discard option,
> deleting files will populate sbi->s_discard_list and queue
> s_discard_work. If it is then remounted with nodiscard, the
> EXT4_MOUNT_DISCARD flag is cleared, but the pending s_discard_work is
> neither cancelled nor flushed.

[1] https://lore.kernel.org/r/20260319094545.19291-1-qiang.zhang@linux.dev/
[2] https://sashiko.dev/#/patchset/20260319094545.19291-1-qiang.zhang%40linux.dev

The concern was valid, but it had nothing to do with the patch[1]. One of the problems with Sashiko in its current (early) form is that it will detect pre-existing issues and report it as a problem with the patch that it is reviewing.

In practice, it would be hard to hit deliberately (unless you are a malicious syzkaller fuzzer), since it would involve mounting the file system with -o discard, and then deleting a large number of files, remounting the file system with -o nodiscard, and then immediately unmounting the file system before the queued discard work has a chance to drain on its own.

Fix it because it's a real bug, and to avoid Sashiko from raising this concern when analyzing future patches to mballoc.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 16:16:00 UTC
CVE-2026-43065
CVE-2026-43066 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths

During code review, Joseph found that ext4_fc_replay_inode() calls ext4_get_fc_inode_loc() to get the inode location, which holds a reference to iloc.bh that must be released via brelse().

However, several error paths jump to the 'out' label without releasing iloc.bh:

- ext4_handle_dirty_metadata() failure
- sync_dirty_buffer() failure
- ext4_mark_inode_used() failure
- ext4_iget() failure

Fix this by introducing an 'out_brelse' label placed just before the existing 'out' label to ensure iloc.bh is always released.

Additionally, make ext4_fc_replay_inode() propagate errors properly instead of always returning 0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 16:16:00 UTC
CVE-2026-43066
CVE-2026-43067 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

ext4: handle wraparound when searching for blocks for indirect mapped blocks

Commit 4865c768b563 ("ext4: always allocate blocks only from groups inode can use") restricts what blocks will be allocated for indirect block based files to block numbers that fit within 32-bit block numbers.

However, when using a review bot running on the latest Gemini LLM to check this commit when backporting into an LTS based kernel, it raised this concern:

    If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal group was populated via stream allocation from s_mb_last_groups), then start will be >= ngroups. Does this allow allocating blocks beyond the 32-bit limit for indirect block mapped files? The commit message mentions that ext4_mb_scan_groups_linear() takes care to not select unsupported groups. However, its loop uses group = *start, and the very first iteration will call ext4_mb_scan_group() with this unsupported group because next_linear_group() is only called at the end of the iteration.

After reviewing the code paths involved and considering the LLM review, I determined that this can happen when there is a file system where some files/directories are extent-mapped and others are indirect-block mapped. To address this, add a safety clamp in ext4_mb_scan_groups().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 16:16:00 UTC
CVE-2026-43067
CVE-2026-43068 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()

There's issue as follows:

...
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2243 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2239 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost
EXT4-fs (mmcblk0p1): error count since last fsck: 1
EXT4-fs (mmcblk0p1): initial error at time 1765597433: ext4_mb_generate_buddy:760
EXT4-fs (mmcblk0p1): last error at time 1765597433: ext4_mb_generate_buddy:760
...

According to the log analysis, blocks are always requested from the corrupted block group. This may happen as follows:

ext4_mb_find_by_goal
  ext4_mb_load_buddy
    ext4_mb_load_buddy_gfp
      ext4_mb_init_cache
        ext4_read_block_bitmap_nowait
        ext4_wait_block_bitmap
          ext4_validate_block_bitmap
            if (!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp))
              return -EFSCORRUPTED; // There's no logs.
  if (err)
    return err; // Will return error
  ext4_lock_group(ac->ac_sb, group);
  if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info))) // Unreachable
    goto out;

After commit 9008a58e5dce ("ext4: make the bitmap read routines return real error codes") merged, Commit 163a203ddb36 ("ext4: mark block group as corrupt on block bitmap error") is no real solution for allocating blocks from corrupted block groups. This is because if 'EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)' is true, then 'ext4_mb_load_buddy()' may return an error. This means that the block allocation will fail.

Therefore, check block group if corrupted when ext4_mb_load_buddy() returns error.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 16:16:00 UTC
CVE-2026-43068
CVE-2026-43069 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_ll: Fix firmware leak on error path

Smatch reports:

drivers/bluetooth/hci_ll.c:587 download_firmware() warn: 'fw' from request_firmware() not released on lines: 544.

In download_firmware(), if request_firmware() succeeds but the returned firmware content is invalid (no data or zero size), the function returns without releasing the firmware, resulting in a resource leak.

Fix this by calling release_firmware() before returning when request_firmware() succeeded but the firmware content is invalid.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 16:16:00 UTC
CVE-2026-43069
CVE-2026-43070 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

bpf: Reset register ID for BPF_END value tracking

When a register undergoes a BPF_END (byte swap) operation, its scalar value is mutated in-place. If this register previously shared a scalar ID with another register (e.g., after an `r1 = r0` assignment), this tie must be broken.

Currently, the verifier misses resetting `dst_reg->id` to 0 for BPF_END. Consequently, if a conditional jump checks the swapped register, the verifier incorrectly propagates the learned bounds to the linked register, leading to false confidence in the linked register's value and potentially allowing out-of-bounds memory accesses.

Fix this by explicitly resetting `dst_reg->id` to 0 in the BPF_END case to break the scalar tie, similar to how BPF_NEG handles it via `__mark_reg_known`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 16:16:00 UTC
CVE-2026-43070
CVE-2026-43071 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

dcache: Limit the minimal number of bucket to two

There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1':

  BUG: unable to handle page fault for address: ffff888b30b774b0
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  Oops: Oops: 0000 [#1] SMP PTI
  RIP: 0010:__d_lookup+0x56/0x120
  Call Trace:
   d_lookup.cold+0x16/0x5d
   lookup_dcache+0x27/0xf0
   lookup_one_qstr_excl+0x2a/0x180
   start_dirop+0x55/0xa0
   simple_start_creating+0x8d/0xa0
   debugfs_start_creating+0x8c/0x180
   debugfs_create_dir+0x1d/0x1c0
   pinctrl_init+0x6d/0x140
   do_one_initcall+0x6d/0x3d0
   kernel_init_freeable+0x39f/0x460
   kernel_init+0x2a/0x260

There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, following process will access more than one buckets (which memory region is not allocated) in dentry_hashtable:

  d_lookup
    b = d_hash(hash)
      dentry_hashtable + ((u32)hashlen >> d_hash_shift)
      // The C standard defines the behavior of right shift amounts
      // exceeding the bit width of the operand as undefined. The
      // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen',
      // so 'b' will point to an unallocated memory region.
    hlist_bl_for_each_entry_rcu(b)
      hlist_bl_first_rcu(head)
        h->first // read OOB!

Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that 'd_hash_shift' won't exceed the bit width of type u32.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 16:16:00 UTC
CVE-2026-43071
CVE-2026-43072 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

drm/vc4: platform_get_irq_byname() returns an int

platform_get_irq_byname() will return a negative value if an error happens, so it should be checked and not just passed directly into devm_request_threaded_irq() hoping all will be ok.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 16:16:00 UTC
CVE-2026-43072
CVE-2026-43073 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

x86-64: rename misleadingly named '__copy_user_nocache()' function

This function was a masterclass in bad naming, for various historical reasons.

It claimed to be a non-cached user copy. It is literally _neither_ of those things. It's a specialty memory copy routine that uses non-temporal stores for the destination (but not the source), and that does exception handling for both source and destination accesses.

Also note that while it works for unaligned targets, any unaligned parts (whether at beginning or end) will not use non-temporal stores, since only words and quadwords can be non-temporal on x86.

The exception handling means that it _can_ be used for user space accesses, but not on its own - it needs all the normal "start user space access" logic around it.

But typically the user space access would be the source, not the non-temporal destination. That was the original intention of this, where the destination was some fragile persistent memory target that needed non-temporal stores in order to catch machine check exceptions synchronously and deal with them gracefully.

Thus that non-descriptive name: one use case was to copy from user space into a non-cached kernel buffer. However, the existing users are a mix of that intended use-case, and a couple of random drivers that just did this as a performance tweak.

Some of those random drivers then actively misused the user copying version (with STAC/CLAC and all) to do kernel copies without ever even caring about the exception handling, _just_ for the non-temporal destination.

Rename it as a first small step to actually make it halfway sane, and change the prototype to be more normal: it doesn't take a user pointer unless the caller has done the proper conversion, and the argument size is the full size_t (it still won't actually copy more than 4GB in one go, but there's also no reason to silently truncate the size argument in the caller).

Finally, use this now sanely named function in the NTB code, which mis-used a user copy version (with STAC/CLAC and all) of this interface despite it not actually being a user copy at all.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 16:16:00 UTC
CVE-2026-43073
CVE-2026-43074 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

eventpoll: defer struct eventpoll free to RCU grace period

In certain situations, ep_free() in eventpoll.c will kfree the epi->ep eventpoll struct while it is still being used by another concurrent thread. Defer the kfree() to an RCU callback to prevent UAF.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43074
CVE-2026-43075 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix out-of-bounds write in ocfs2_write_end_inline

KASAN reports a use-after-free write of 4086 bytes in ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on a loop device. The actual bug is an out-of-bounds write past the inode block buffer, not a true use-after-free. The write overflows into an adjacent freed page, which KASAN reports as UAF.

The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk id_count field to determine whether a write fits in inline data. On a corrupted filesystem, id_count can exceed the physical maximum inline data capacity, causing writes to overflow the inode block buffer.

Call trace (crash path):

  vfs_copy_file_range (fs/read_write.c:1634)
  do_splice_direct
  splice_direct_to_actor
  iter_file_splice_write
  ocfs2_file_write_iter
  generic_perform_write
  ocfs2_write_end
  ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)
  ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)
  memcpy_from_folio <-- KASAN: write OOB

So add id_count upper bound check in ocfs2_validate_inode_block() alongside the existing i_size check to fix it.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43075
CVE-2026-43076 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: validate inline data i_size during inode read

When reading an inode from disk, ocfs2_validate_inode_block() performs various sanity checks but does not validate the size of inline data. If the filesystem is corrupted, an inode's i_size can exceed the actual inline data capacity (id_count).

This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data buffer, triggering a use-after-free when accessing directory entries from freed memory.

In the syzbot report:

- i_size was 1099511627576 bytes (~1TB)
- Actual inline data capacity (id_count) is typically <256 bytes
- A garbage rec_len (54648) caused ctx->pos to jump out of bounds
- This triggered a UAF in ocfs2_check_dir_entry()

Fix by adding a validation check in ocfs2_validate_inode_block() to ensure inodes with inline data have i_size <= id_count. This catches the corruption early during inode read and prevents all downstream code from operating on invalid data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43076
CVE-2026-43077 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

crypto: algif_aead - Fix minimum RX size check for decryption

The check for the minimum receive buffer size did not take the tag size into account during decryption. Fix this by adding the required extra length.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
2026-05-06 10:16:00 UTC
[https://ubuntu.com/security/notices/USN-8277-1]
[https://ubuntu.com/security/notices/USN-8278-1]
[https://ubuntu.com/security/notices/USN-8279-1]
[https://ubuntu.com/security/notices/USN-8280-1]
[https://ubuntu.com/security/notices/USN-8281-1]
[https://ubuntu.com/security/notices/USN-8289-1]
CVE-2026-43077
CVE-2026-43078 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl

When page reassignment was added to af_alg_pull_tsgl the original loop wasn't updated so it may try to reassign one more page than necessary.

Add the check to the reassignment so that this does not happen.

Also update the comment which still refers to the obsolete offset argument.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
2026-05-06 10:16:00 UTC
[https://ubuntu.com/security/notices/USN-8277-1]
[https://ubuntu.com/security/notices/USN-8278-1]
[https://ubuntu.com/security/notices/USN-8279-1]
[https://ubuntu.com/security/notices/USN-8280-1]
[https://ubuntu.com/security/notices/USN-8281-1]
[https://ubuntu.com/security/notices/USN-8289-1]
CVE-2026-43078
CVE-2026-43079 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

perf/x86/intel/uncore: Skip discovery table for offline dies

This warning can be triggered if NUMA is disabled and the system boots with fewer CPUs than the number of CPUs in die 0.

WARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore]

Currently, the discovery table continues to be parsed even if all CPUs in the associated die are offline. This can lead to an array overflow at "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which may trigger the warning above or cause other issues.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43079
CVE-2026-43080 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

l2tp: Drop large packets with UDP encap

syzbot reported a WARN on my patch series [1]. The actual issue is an overflow of 16-bit UDP length field, and it exists in the upstream code. My series added a debug WARN with an overflow check that exposed the issue, that's why syzbot tripped on my patches, rather than on upstream code.

syzbot's repro:

r0 = socket$pppl2tp(0x18, 0x1, 0x1)
r1 = socket$inet6_udp(0xa, 0x2, 0x0)
connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c)
connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32)
writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1)

It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP encapsulation, and l2tp_xmit_core doesn't check for overflows when it assigns the UDP length field. The value gets trimmed to 16 bits.

Add an overflow check that drops oversized packets and avoids sending packets with trimmed UDP length to the wire.

syzbot's stack trace (with my patch applied):

len >= 65536u
WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957
WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957
WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957
Modules linked in:
CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline]
RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline]
RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327
Call Trace:
 <TASK>
 pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 sock_write_iter+0x503/0x550 net/socket.c:1195
 do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1
 vfs_writev+0x33c/0x990 fs/read_write.c:1059
 do_writev+0x154/0x2e0 fs/read_write.c:1105
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

[1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43080
CVE-2026-43081 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+

Fix the field masks to match the hardware layout documented in downstream GSI (GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD_*).

Notably this fixes a WARN I was seeing when I tried to send "stop" to the MPSS remoteproc while IPA was up.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43081
CVE-2026-43082 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

net: txgbe: leave space for null terminators on property_entry

Lists of struct property_entry are supposed to be terminated with an empty property, this driver currently seems to be allocating exactly the amount of entry used.

Change the struct definition to leave an extra element for all property_entry.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43082
CVE-2026-43083 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

net: ioam6: fix OOB and missing lock

When trace->type.bit6 is set:

    if (trace->type.bit6) {
        ...
        queue = skb_get_tx_queue(dev, skb);
        qdisc = rcu_dereference(queue->qdisc);

This code can lead to an out-of-bounds access of the dev->_tx[] array when is_input is true. In such a case, the packet is on the RX path and skb->queue_mapping contains the RX queue index of the ingress device. If the ingress device has more RX queues than the egress device (dev) has TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues.

Add a check to avoid this situation since skb_get_tx_queue() does not clamp the index. This issue has also revealed that per queue visibility cannot be accurate and will be replaced later as a new feature.

While at it, add missing lock around qdisc_qstats_qlen_backlog(). The function __ioam6_fill_trace_data() is called from both softirq and process contexts, hence the use of spin_lock_bh() here.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43083
CVE-2026-43084 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_queue: make hash table per queue

Sharing a global hash table among all queues is tempting, but it can cause crash:

BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]
[..]
 nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]
 nfnetlink_rcv_msg+0x46a/0x930
 kmem_cache_alloc_node_noprof+0x11e/0x450

struct nf_queue_entry is freed via kfree, but parallel cpu can still encounter such an nf_queue_entry when walking the list.

Alternative fix is to free the nf_queue_entry via kfree_rcu() instead, but as we have to alloc/free for each skb this will cause more mempressure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43084
CVE-2026-43085 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator

When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send() appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put() helper only zeroes alignment padding after the payload, not the payload itself, so four bytes of stale kernel heap data are leaked to userspace in the NLMSG_DONE message body.

Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes the nfgenmsg payload via nfnl_fill_hdr(), consistent with how __build_packet_message() already constructs NFULNL_MSG_PACKET headers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43085
CVE-2026-43086 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

ipvs: fix NULL deref in ip_vs_add_service error path

When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local variable sched is set to NULL. If ip_vs_start_estimator() subsequently fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched) with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL check (because svc->scheduler was set by the successful bind) but then dereferences the NULL sched parameter at sched->done_service, causing a kernel panic at offset 0x30 from NULL.

 Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI
 KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
 RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69)
 Call Trace:
  <TASK>
  ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500)
  do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809)
  nf_setsockopt (net/netfilter/nf_sockopt.c:102)
  [..]

Fix by simply not clearing the local sched variable after a successful bind. ip_vs_unbind_scheduler() already detects whether a scheduler is installed via svc->scheduler, and keeping sched non-NULL ensures the error path passes the correct pointer to both ip_vs_unbind_scheduler() and ip_vs_scheduler_put().

While the bug is older, the problem pops up in more recent kernels (6.2), when the new error path is taken after the ip_vs_start_estimator() call.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43086
CVE-2026-43087 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

pinctrl: mcp23s08: Disable all pin interrupts during probe

A chip being probed may have the interrupt-on-change feature enabled on some of its pins, for example after a reboot. This can cause the chip to generate interrupts for pins that don't have a registered nested handler, which leads to a kernel crash such as below:

[ 7.928897] Unable to handle kernel read from unreadable memory at virtual address 00000000000000ac
[ 7.932314] Mem abort info:
[ 7.935081] ESR = 0x0000000096000004
[ 7.938808] EC = 0x25: DABT (current EL), IL = 32 bits
[ 7.944094] SET = 0, FnV = 0
[ 7.947127] EA = 0, S1PTW = 0
[ 7.950247] FSC = 0x04: level 0 translation fault
[ 7.955101] Data abort info:
[ 7.957961] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 7.963421] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 7.968447] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 7.973734] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000089b7000
[ 7.980148] [00000000000000ac] pgd=0000000000000000, p4d=0000000000000000
[ 7.986913] Internal error: Oops: 0000000096000004 [#1] SMP
[ 7.992545] Modules linked in:
[ 8.073678] CPU: 0 UID: 0 PID: 81 Comm: irq/18-4-0025 Not tainted 7.0.0-rc6-gd2b5a1f931c8-dirty #199
[ 8.073689] Hardware name: Khadas VIM3 (DT)
[ 8.073692] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 8.094639] pc : _raw_spin_lock_irq+0x40/0x80
[ 8.098970] lr : handle_nested_irq+0x2c/0x168
[ 8.170560] Call trace:
[ 8.180094] _raw_spin_lock_irq+0x40/0x80 (P)
[ 8.184443] mcp23s08_irq+0x248/0x358
[ 8.184462] irq_thread_fn+0x34/0xb8
[ 8.184470] irq_thread+0x1a4/0x310
[ 8.195093] kthread+0x13c/0x150
[ 8.198309] ret_from_fork+0x10/0x20
[ 8.207931] ---[ end trace 0000000000000000 ]---

This issue has always been present, but has been latent until commit "f9f4fda15e72" ("pinctrl: mcp23s08: init reg_defaults from HW at probe and switch cache type"), which correctly removed reg_defaults from the regmap and as a side effect changed the behavior of the interrupt handler so that the real value of the MCP_GPINTEN register is now being read from the chip instead of using a bogus 0 default value; a non-zero value for this register can trigger the invocation of a nested handler which may not exist (yet).

Fix this issue by disabling all pin interrupts during initialization.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43087
CVE-2026-43088 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

net: af_key: zero aligned sockaddr tail in PF_KEY exports

PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr payload space, so IPv6 addresses occupy 32 bytes on the wire. However, `pfkey_sockaddr_fill()` initializes only the first 28 bytes of `struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized.

Not every PF_KEY message is affected. The state and policy dump builders already zero the whole message buffer before filling the sockaddr payloads. Keep the fix to the export paths that still append aligned sockaddr payloads with plain `skb_put()`:

- `SADB_ACQUIRE`
- `SADB_X_NAT_T_NEW_MAPPING`
- `SADB_X_MIGRATE`

Fix those paths by clearing only the aligned sockaddr tail after `pfkey_sockaddr_fill()`.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43088
CVE-2026-43089 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xfrm_user: fix info leak in build_mapping()
struct xfrm_usersa_id has a one-byte padding hole after the proto field, which ends up never getting set to zero before copying out to userspace. Fix that up by zeroing out the whole structure before setting individual variables.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43089
CVE-2026-43090 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xfrm: fix refcount leak in xfrm_migrate_policy_find
syzkaller reported a memory leak in xfrm_policy_alloc:
  BUG: memory leak
  unreferenced object 0xffff888114d79000 (size 1024):
  comm "syz.1.17", pid 931 ...
  xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432
The root cause is a double call to xfrm_pol_hold_rcu() in xfrm_migrate_policy_find(). The lookup function already returns a policy with held reference, making the second call redundant.
Remove the redundant xfrm_pol_hold_rcu() call to fix the refcount imbalance and prevent the memory leak.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43090
CVE-2026-43091 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xfrm: Wait for RCU readers during policy netns exit
xfrm_policy_fini() frees the policy_bydst hash tables after flushing the policy work items and deleting all policies, but it does not wait for concurrent RCU readers to leave their read-side critical sections first.
The policy_bydst tables are published via rcu_assign_pointer() and are looked up through rcu_dereference_check(), so netns teardown must also wait for an RCU grace period before freeing the table memory.
Fix this by adding synchronize_rcu() before freeing the policy hash tables.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43091
CVE-2026-43092 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xsk: validate MTU against usable frame size on bind
AF_XDP bind currently accepts zero-copy pool configurations without verifying that the device MTU fits into the usable frame space provided by the UMEM chunk.
This becomes a problem since we started to respect tailroom which is subtracted from chunk_size (along with headroom). 2k chunk size might not provide enough space for standard 1500 MTU, so let us catch such settings at bind time. Furthermore, validate whether underlying HW will be able to satisfy configured MTU wrt XSK's frame size multiplied by supported Rx buffer chain length (that is exposed via net_device::xdp_zc_max_segs).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43092
CVE-2026-43093 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xsk: tighten UMEM headroom validation to account for tailroom and min frame
The current headroom validation in xdp_umem_reg() could leave us with insufficient space dedicated to even receive minimum-sized ethernet frame. Furthermore if multi-buffer would come to play then skb_shared_info stored at the end of XSK frame would be corrupted.
HW typically works with 128-aligned sizes so let us provide this value as bare minimum.
Multi-buffer setting is known later in the configuration process so besides accounting for 128 bytes, let us also take care of tailroom space upfront.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43093
CVE-2026-43094 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ixgbevf: add missing negotiate_features op to Hyper-V ops table
Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features") added the .negotiate_features callback to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL on Hyper-V VMs.
During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(), which unconditionally dereferences hw->mac.ops.negotiate_features(). On Hyper-V this results in a NULL pointer dereference:
  BUG: kernel NULL pointer dereference, address: 0000000000000000
  [...]
  Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...]
  Workqueue: events work_for_cpu_fn
  RIP: 0010:0x0
  [...]
  Call Trace:
  ixgbevf_negotiate_api+0x66/0x160 [ixgbevf]
  ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf]
  ixgbevf_probe+0x20f/0x4a0 [ixgbevf]
  local_pci_probe+0x50/0xa0
  work_for_cpu_fn+0x1a/0x30
  [...]
Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP gracefully.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43094
CVE-2026-43095 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SDCA: Fix errors in IRQ cleanup
IRQs are enabled through sdca_irq_populate() from component probe using devm_request_threaded_irq(), this however means the IRQs can persist if the sound card is torn down. Some of the IRQ handlers store references to the card and the kcontrols which can then fail. Some detail of the crash was explained in [1].
Generally it is not advised to use devm outside of bus probe, so the code is updated to not use devm. The IRQ requests are not moved to bus probe time as it makes passing the snd_soc_component into the IRQs very awkward and would then require a second step once the component is available, so it is simpler to just register the IRQs at this point, even though that necessitates some manual cleanup.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43095
CVE-2026-43096 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mshv: Fix infinite fault loop on permission-denied GPA intercepts
Prevent infinite fault loops when guests access memory regions without proper permissions. Currently, mshv_handle_gpa_intercept() attempts to remap pages for all faults on movable memory regions, regardless of whether the access type is permitted. When a guest writes to a read-only region, the remap succeeds but the region remains read-only, causing immediate re-fault and spinning the vCPU indefinitely.
Validate intercept access type against region permissions before attempting remaps. Reject writes to non-writable regions and executes to non-executable regions early, returning false to let the VMM handle the intercept appropriately.
This also closes a potential DoS vector where malicious guests could intentionally trigger these fault loops to consume host resources.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43096
CVE-2026-43097 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
PCI: hv: Fix double ida_free in hv_pci_probe error path
If hv_pci_probe() fails after storing the domain number in hbus->bridge->domain_nr, there is a call to free this domain_nr via pci_bus_release_emul_domain_nr(), however, during cleanup, the bridge release callback pci_release_host_bridge_dev() also frees the domain_nr causing ida_free to be called on same ID twice and triggering following warning:
  ida_free called for id=28971 which is not allocated.
  WARNING: lib/idr.c:594 at ida_free+0xdf/0x160, CPU#0: kworker/0:2/198
  Call Trace:
  pci_bus_release_emul_domain_nr+0x17/0x20
  pci_release_host_bridge_dev+0x4b/0x60
  device_release+0x3b/0xa0
  kobject_put+0x8e/0x220
  devm_pci_alloc_host_bridge_release+0xe/0x20
  devres_release_all+0x9a/0xd0
  device_unbind_cleanup+0x12/0xa0
  really_probe+0x1c5/0x3f0
  vmbus_add_channel_work+0x135/0x1a0
Fix this by letting pci core handle the free domain_nr and remove the explicit free called in pci-hyperv driver.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43097
CVE-2026-43098 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
nfc: s3fwrn5: allocate rx skb before consuming bytes
s3fwrn82_uart_read() reports the number of accepted bytes to the serdev core. The current code consumes bytes into recv_skb and may already deliver a complete frame before allocating a fresh receive buffer.
If that alloc_skb() fails, the callback returns 0 even though it has already consumed bytes, and it leaves recv_skb as NULL for the next receive callback. That breaks the receive_buf() accounting contract and can also lead to a NULL dereference on the next skb_put_u8().
Allocate the receive skb lazily before consuming the next byte instead. If allocation fails, return the number of bytes already accepted.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43098
CVE-2026-43099 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing this error pointer to dev_hold() will cause a kernel crash with null-ptr-deref.
Instead, silently discard the request. RFC 8335 does not appear to define a specific response for the case where an IPv6 interface identifier is syntactically valid but the implementation cannot perform the lookup at runtime, and silently dropping the request may be safer than misreporting "No Such Interface".
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43099
CVE-2026-43100 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
bridge: guard local VLAN-0 FDB helpers against NULL vlan group
When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and nbp_vlan_group() return NULL (br_private.h stub definitions). The BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and reaches br_fdb_delete_locals_per_vlan_port() and br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer is dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist).
The observed crash is in the delete path, triggered when creating a bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0 via RTM_NEWLINK. The insert helper has the same bug pattern.
  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI
  KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]
  RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310
  Call Trace:
  br_fdb_toggle_local_vlan_0+0x452/0x4c0
  br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276
  br_boolopt_toggle net/bridge/br.c:313
  br_boolopt_multi_toggle net/bridge/br.c:364
  br_changelink net/bridge/br_netlink.c:1542
  br_dev_newlink net/bridge/br_netlink.c:1575
Add NULL checks for the vlan group pointer in both helpers, returning early when there are no VLANs to iterate. This matches the existing pattern used by other bridge FDB functions such as br_fdb_add() and br_fdb_delete().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43100
CVE-2026-43101 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data()
We need to check __in6_dev_get() for possible NULL value, as suggested by Yiming Qian.
Also add skb_dst_dev_rcu() instead of skb_dst_dev(), and two missing READ_ONCE().
Note that @dev can't be NULL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43101
CVE-2026-43102 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: airoha: Fix memory leak in airoha_qdma_rx_process()
If an error occurs on the subsequent buffers belonging to the non-linear part of the skb (e.g. due to an error in the payload length reported by the NIC or if we consumed all the available fragments for the skb), the page_pool fragment will not be linked to the skb so it will not return to the pool in the airoha_qdma_rx_process() error path. Fix the memory leak partially reverting commit 'd6d2b0e1538d ("net: airoha: Fix page recycling in airoha_qdma_rx_process()")' and always running page_pool_put_full_page routine in the airoha_qdma_rx_process() error path.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43102
CVE-2026-43103 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
lapbeth_data_transmit() expects the underlying device type to be ARPHRD_ETHER.
Returning NOTIFY_BAD from lapbeth_device_event() makes sure bonding driver can not break this expectation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43103
CVE-2026-43104 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/vc4: Fix a memory leak in hang state error path
When vc4_save_hang_state() encounters an early return condition, it returns without freeing the previously allocated `kernel_state`, leaking memory.
Add the missing kfree() calls by consolidating the early return paths into a single place.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43104
CVE-2026-43105 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/vc4: Fix memory leak of BO array in hang state
The hang state's BO array is allocated separately with kzalloc() in vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the missing kfree() for the BO array before freeing the hang state struct.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43105
CVE-2026-43106 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: fix incorrect dentry refcount in cachefiles_cull()
The patch mentioned below changed cachefiles_bury_object() to expect 2 references to the 'rep' dentry. Three of the callers were changed to use start_removing_dentry() which takes an extra reference so in those cases the call gets the expected references.
However there is another call to cachefiles_bury_object() in cachefiles_cull() which did not need to be changed to use start_removing_dentry() and so was not properly considered. It still passed the dentry with just one reference so the net result is that a reference is lost.
To meet the expectations of cachefiles_bury_object(), cachefiles_cull() must take an extra reference before the call. It will be dropped by cachefiles_bury_object().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43106
CVE-2026-43107 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xfrm: account XFRMA_IF_ID in aevent size calculation
xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is set.
xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0) in xfrm_get_ae(), turning a malformed netlink interaction into a kernel panic.
Account XFRMA_IF_ID in the size calculation unconditionally and replace the BUG_ON with normal error unwinding.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43107
CVE-2026-43108 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
soc: qcom: pd-mapper: Fix element length in servreg_loc_pfr_req_ei
It looks element length declared in servreg_loc_pfr_req_ei for reason not matching servreg_loc_pfr_req's reason field due which we could observe decoding error on PD crash.
  qmi_decode_string_elem: String len 81 >= Max Len 65
Fix this by matching with servreg_loc_pfr_req's reason field.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43108
CVE-2026-43109 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
x86: shadow stacks: proper error handling for mmap lock
김영민 reports that shstk_pop_sigframe() doesn't check for errors from mmap_read_lock_killable(), which is a silly oversight, and also shows that we haven't marked those functions with "__must_check", which would have immediately caught it.
So let's fix both issues.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43109
CVE-2026-43110 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: validate bsscfg indices in IF events
brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as an array index without a matching range check.
Reject IF events whose bsscfg index does not fit in drvr->iflist[] before indexing the interface array.
[add missing wifi prefix]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43110
CVE-2026-43111 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
HID: roccat: fix use-after-free in roccat_report_event
roccat_report_event() iterates over the device->readers list without holding the readers_lock. This allows a concurrent roccat_release() to remove and free a reader while it's still being accessed, leading to a use-after-free.
Protect the readers list traversal with the readers_lock mutex.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43111
CVE-2026-43112 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
When cifs_sanitize_prepath is called with an empty string or a string containing only delimiters (e.g., "/"), the current logic attempts to check *(cursor2 - 1) before cursor2 has advanced. This results in an out-of-bounds read.
This patch adds an early exit check after stripping prepended delimiters. If no path content remains, the function returns NULL.
The bug was identified via manual audit and verified using a standalone test case compiled with AddressSanitizer, which triggered a SEGV on affected inputs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43112
CVE-2026-43113 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: wl1251: validate packet IDs before indexing tx_frames
wl1251_tx_packet_cb() uses the firmware completion ID directly to index the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the completion block, and the callback does not currently verify that it fits the array before dereferencing it.
Reject completion IDs that fall outside wl->tx_frames[] and keep the existing NULL check in the same guard. This keeps the fix local to the trust boundary and avoids touching the rest of the completion flow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43113
CVE-2026-43114 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry
New test case fails unexpectedly when avx2 matching functions are used.
The test first loads a randomly generated pipapo set with 'ipv4 . port' key, i.e. nft -f foo.
This works. Then, it reloads the set after a flush:
(echo flush set t s; cat foo) | nft -f -
This is expected to work, because it's the same set after all and it was already loaded once.
But with avx2, this fails: nft reports a clashing element.
The reported clash is of following form:
  We successfully re-inserted
  a . b
  c . d
Then we try to insert a . d
avx2 finds the already existing a . d, which (due to 'flush set') is marked as invalid in the new generation. It skips the element and moves to next.
Due to incorrect masking, the skip-step finds the next matching element *only considering the first field*, i.e. we return the already reinserted "a . b", even though the last field is different and the entry should not have been matched.
No such error is reported for the generic c implementation (no avx2) or when the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.
Bisection points to 7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection") but that fix merely uncovers this bug.
Before this commit, the wrong element is returned, but erroneously reported as a full, identical duplicate.
The root-cause is too early return in the avx2 match functions. When we process the last field, we should continue to process data until the entire input size has been consumed to make sure no stale bits remain in the map.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43114
CVE-2026-43115 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
srcu: Use irq_work to start GP in tiny SRCU
Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(), which acquires the workqueue pool->lock.
This causes a lockdep splat when call_srcu() is called with a scheduler lock held, due to:
  call_srcu() [holding pi_lock]
  srcu_gp_start_if_needed()
  schedule_work() -> pool->lock
  workqueue_init() / create_worker() [holding pool->lock]
  wake_up_process() -> try_to_wake_up() -> pi_lock
Also add irq_work_sync() to cleanup_srcu_struct() to prevent a use-after-free if a queued irq_work fires after cleanup begins.
Tested with rcutorture SRCU-T and no lockdep warnings.
[ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work to start process_srcu()" ]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43115
CVE-2026-43116 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ctnetlink: ensure safe access to master conntrack
Holding reference on the expectation is not sufficient, the master conntrack object can just go away, making exp->master invalid.
To access exp->master safely:
- Grab the nf_conntrack_expect_lock, this gets serialized with clean_from_lists() which also holds this lock when the master conntrack goes away.
- Hold reference on master conntrack via nf_conntrack_find_get(). Not so easy since the master tuple to look up for the master conntrack is not available in the existing problematic paths.
This patch goes for extending the nf_conntrack_expect_lock section to address this issue for simplicity, in the cases that are described below this is just slightly extending the lock section.
The add expectation command already holds a reference to the master conntrack from ctnetlink_create_expect().
However, the delete expectation command needs to grab the spinlock before looking up for the expectation. Expand the existing spinlock section to address this to cover the expectation lookup. Note that, the nf_ct_expect_iterate_net() calls already grabs the spinlock while iterating over the expectation table, which is correct.
The get expectation command needs to grab the spinlock to ensure master conntrack does not go away. This also expands the existing spinlock section to cover the expectation lookup too. I needed to move the netlink skb allocation out of the spinlock to keep it GFP_KERNEL.
For the expectation events, the IPEXP_DESTROY event is already delivered under the spinlock, just move the delivery of IPEXP_NEW under the spinlock too because the master conntrack event cache is reached through exp->master.
While at it, add lockdep notations to help identify what codepaths need to grab the spinlock.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43116
CVE-2026-43117 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()
If overlay is used on top of btrfs, dentry->d_sb translates to overlay's super block and fsid assignment will lead to a crash.
Use file_inode(file)->i_sb to always get btrfs_sb.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43117
CVE-2026-43118 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix zero size inode with non-zero size after log replay
When logging that an inode exists, as part of logging a new name or logging new dir entries for a directory, we always set the generation of the logged inode item to 0. This is to signal during log replay (in overwrite_item()), that we should not set the i_size since we only logged that an inode exists, so the i_size of the inode in the subvolume tree must be preserved (as when we log new names or that an inode exists, we don't log extents).
This works fine except when we have already logged an inode in full mode or it's the first time we are logging an inode created in a past transaction, that inode has a new i_size of 0 and then we log a new name for the inode (due to a new hardlink or a rename), in which case we log an i_size of 0 for the inode and a generation of 0, which causes the log replay code to not update the inode's i_size to 0 (in overwrite_item()).
An example scenario:
  mkdir /mnt/dir
  xfs_io -f -c "pwrite 0 64K" /mnt/dir/foo
  sync
  xfs_io -c "truncate 0" -c "fsync" /mnt/dir/foo
  ln /mnt/dir/foo /mnt/dir/bar
  xfs_io -c "fsync" /mnt/dir
  <power fail>
After log replay the file remains with a size of 64K. This is because when we first log the inode, when we fsync file foo, we log its current i_size of 0, and then when we create a hard link we log again the inode in exists mode (LOG_INODE_EXISTS) but we set a generation of 0 for the inode item we add to the log tree, so during log replay overwrite_item() sees that the generation is 0 and i_size is 0 so we skip updating the inode's i_size from 64K to 0.
Fix this by making sure at fill_inode_item() we always log the real generation of the inode if it was logged in the current transaction with the i_size we logged before. Also if an inode created in a previous transaction is logged in exists mode only, make sure we log the i_size stored in the inode item located from the commit root, so that if we log multiple times that the inode exists we get the correct i_size.
A test case for fstests will follow soon.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43118
CVE-2026-43119 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: annotate data-races around hdev->req_status
__hci_cmd_sync_sk() sets hdev->req_status under hdev->req_lock:
  hdev->req_status = HCI_REQ_PEND;
However, several other functions read or write hdev->req_status without holding any lock:
 - hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue)
 - hci_cmd_sync_complete() reads/writes from HCI event completion
 - hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write
 - hci_abort_conn() reads in connection abort path
Since __hci_cmd_sync_sk() runs on hdev->req_workqueue while hci_send_cmd_sync() runs on hdev->workqueue, these are different workqueues that can execute concurrently on different CPUs. The plain C accesses constitute a data race.
Add READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses to hdev->req_status to prevent potential compiler optimizations that could affect correctness (e.g., load fusing in the wait_event condition or store reordering).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43119
CVE-2026-43120 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
RDMA/irdma: Fix double free related to rereg_user_mr
If IB_MR_REREG_TRANS is set during rereg_user_mr, the umem will be released and a new one will be allocated in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans fails after the new umem is allocated, it releases the umem, but does not set iwmr->region to NULL. The problem is that this failure is propagated to the user, who will then call ibv_dereg_mr (as they should). Then, the dereg_mr path will see a non-NULL umem and attempt to call ib_umem_release again.
Fix this by setting iwmr->region to NULL after ib_umem_release.
Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region")
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 10:16:00 UTC
CVE-2026-43120
CVE-2026-43121 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
io_uring/zcrx: fix user_ref race between scrub and refill paths
The io_zcrx_put_niov_uref() function uses a non-atomic check-then-decrement pattern (atomic_read followed by separate atomic_dec) to manipulate user_refs. This is serialized against other callers by rq_lock, but io_zcrx_scrub() modifies the same counter with atomic_xchg() WITHOUT holding rq_lock.
On SMP systems, the following race exists:
  CPU0 (refill, holds rq_lock)        CPU1 (scrub, no rq_lock)
  put_niov_uref:
    atomic_read(uref) - 1
    // window opens
                                      atomic_xchg(uref, 0) - 1
                                      return_niov_freelist(niov) [PUSH #1]
    // window closes
    atomic_dec(uref) - wraps to -1
    returns true
    return_niov(niov)
    return_niov_freelist(niov) [PUSH #2: DOUBLE-FREE]
The same niov is pushed to the freelist twice, causing free_count to exceed nr_iovs. Subsequent freelist pushes then perform an out-of-bounds write (a u32 value) past the kvmalloc'd freelist array into the adjacent slab object.
Fix this by replacing the non-atomic read-then-dec in io_zcrx_put_niov_uref() with an atomic_try_cmpxchg loop that atomically tests and decrements user_refs. This makes the operation safe against concurrent atomic_xchg from scrub without requiring scrub to acquire rq_lock.
[pavel: removed a warning and a comment]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43121
CVE-2026-43122 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ACPI: processor: Update cpuidle driver check in __acpi_processor_start()
Commit 7a8c994cbb2d ("ACPI: processor: idle: Optimize ACPI idle driver registration") moved the ACPI idle driver registration to acpi_processor_driver_init() and acpi_processor_power_init() does not register an idle driver any more.
Accordingly, the cpuidle driver check in __acpi_processor_start() needs to be updated to avoid calling acpi_processor_power_init() without a cpuidle driver, in which case the registration of the cpuidle device in that function would lead to a NULL pointer dereference in __cpuidle_register_device().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43122
CVE-2026-43123 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
fbcon: check return value of con2fb_acquire_newinfo()
If fbcon_open() fails when called from con2fb_acquire_newinfo() then info->fbcon_par pointer remains NULL which is later dereferenced.
Add check for return value of the function con2fb_acquire_newinfo() to avoid it.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43123
CVE-2026-43124 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
pstore: ram_core: fix incorrect success return when vmap() fails
In persistent_ram_vmap(), vmap() may return NULL on failure. If offset is non-zero, adding offset_in_page(start) causes the function to return a non-NULL pointer even though the mapping failed. persistent_ram_buffer_map() therefore incorrectly returns success. Subsequent access to prz->buffer may dereference an invalid address and cause crashes. Add proper NULL checking for vmap() failures.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43124
CVE-2026-43125 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
dlm: validate length in dlm_search_rsb_tree
The len parameter in dlm_dump_rsb_name() is not validated and comes from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can cause out-of-bounds write in dlm_search_rsb_tree(). Add length validation to prevent potential buffer overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43125
CVE-2026-43126 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ALSA: mixer: oss: Add card disconnect checkpoints
ALSA OSS mixer layer calls the kcontrol ops rather individually, and pending calls might be not always caught at disconnecting the device. For avoiding the potential UAF scenarios, add sanity checks of the card disconnection at each entry point of OSS mixer accesses. The rwsem is taken just before that check, hence the rest context should be covered by that properly.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43126
CVE-2026-43127 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ntfs3: fix circular locking dependency in run_unpack_ex
Syzbot reported a circular locking dependency between wnd->rw_lock (sbi->used.bitmap) and ni->file.run_lock. The deadlock scenario:
1. ntfs_extend_mft() takes ni->file.run_lock then wnd->rw_lock.
2. run_unpack_ex() takes wnd->rw_lock then tries to acquire ni->file.run_lock inside ntfs_refresh_zone().
This creates an AB-BA deadlock. Fix this by using down_read_trylock() instead of down_read() when acquiring run_lock in run_unpack_ex(). If the lock is contended, skip ntfs_refresh_zone() - the MFT zone will be refreshed on the next MFT operation. This breaks the circular dependency since we never block waiting for run_lock while holding wnd->rw_lock.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43127
CVE-2026-43128 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
RDMA/umem: Fix double dma_buf_unpin in failure path
In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf is immediately unpinned but the umem_dmabuf->pinned flag is still set. Then, when ib_umem_release() is called, it calls ib_umem_dmabuf_revoke() which will call dma_buf_unpin() again. Fix this by removing the immediate unpin upon failure and just let the ib_umem_release/revoke path handle it. This also ensures the proper unmap-unpin unwind ordering if the dmabuf_map_pages call happened to fail due to dma_resv_wait_timeout (and therefore has a non-NULL umem_dmabuf->sgt).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43128
CVE-2026-43129 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ima: verify the previous kernel's IMA buffer lies in addressable RAM
Patch series "Address page fault in ima_restore_measurement_list()", v3. When the second-stage kernel is booted via kexec with a limiting command line such as "mem=<size>" we observe a page fault that happens.
  BUG: unable to handle page fault for address: ffff97793ff47000
  RIP: ima_restore_measurement_list+0xdc/0x45a
  #PF: error_code(0x0000) not-present page
This happens on x86_64 only, as this is already fixed in aarch64 in commit: cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer against memory bounds")
This patch (of 3):
When the second-stage kernel is booted with a limiting command line (e.g. "mem=<size>"), the IMA measurement buffer handed over from the previous kernel may fall outside the addressable RAM of the new kernel. Accessing such a buffer can fault during early restore. Introduce a small generic helper, ima_validate_range(), which verifies that a physical [start, end] range for the previous-kernel IMA buffer lies within addressable memory:
  - On x86, use pfn_range_is_mapped().
  - On OF based architectures, use page_is_ram().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43129
CVE-2026-43130 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in scalable mode
Commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected") relies on pci_dev_is_disconnected() to skip ATS invalidation for safely-removed devices, but it does not cover link-down caused by faults, which can still hard-lock the system. For example, if a VM fails to connect to the PCIe device, "virsh destroy" is executed to release resources and isolate the fault, but a hard-lockup occurs while releasing the group fd.
Call Trace:
  qi_submit_sync
  qi_flush_dev_iotlb
  intel_pasid_tear_down_entry
  device_block_translation
  blocking_domain_attach_dev
  __iommu_attach_device
  __iommu_device_set_domain
  __iommu_group_set_domain_internal
  iommu_detach_group
  vfio_iommu_type1_detach_group
  vfio_group_detach_container
  vfio_group_fops_release
  __fput
Although pci_device_is_present() is slower than pci_dev_is_disconnected(), it still takes only ~70 µs on a ConnectX-5 (8 GT/s, x2) and becomes even faster as PCIe speed and width increase. Besides, devtlb_invalidation_with_pasid() is called only in the paths below, which are far less frequent than memory map/unmap.
1. mm-struct release
2. {attach,release}_dev
3. set/remove PASID
4. dirty-tracking setup
The gain in system stability far outweighs the negligible cost of using pci_device_is_present() instead of pci_dev_is_disconnected() to decide when to skip ATS invalidation, especially under GDR high-load conditions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43130
CVE-2026-43131 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/pm: Fix null pointer dereference issue
If SMU is disabled, during RAS initialization, there will be null pointer dereference issue here.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43131
CVE-2026-43132 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
dm-verity: correctly handle dm_bufio_client_create() failure
If either of the calls to dm_bufio_client_create() in verity_fec_ctr() fails, then dm_bufio_client_destroy() is later called with an ERR_PTR() argument. That causes a crash. Fix this.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43132
CVE-2026-43133 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation
Commit cc3ed80ae69f ("KVM: nSVM: always use vmcb01 to for vmsave/vmload of guest state") made KVM always use vmcb01 for the fields controlled by VMSAVE/VMLOAD, but it missed updating the VMLOAD/VMSAVE emulation code to always use vmcb01. As a result, if VMSAVE/VMLOAD is executed by an L2 guest and is not intercepted by L1, KVM will mistakenly use vmcb02. Always use vmcb01 instead of the current VMCB.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43133
CVE-2026-43134 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ
This adds a check for encryption key size upon receiving L2CAP_LE_CONN_REQ which is required by L2CAP/LE/CFC/BV-15-C which expects L2CAP_CR_LE_BAD_KEY_SIZE.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43134
CVE-2026-43135 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: cx23885: Add missing unmap in snd_cx23885_hw_params()
In error path, add cx23885_alsa_dma_unmap() to release the resource acquired by cx23885_alsa_dma_map().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43135
CVE-2026-43136 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
HID: logitech-hidpp: Check maxfield in hidpp_get_report_length()
Do not crash when a report has no fields. Fake USB gadgets can send their own HID report descriptors and can define report structures without valid fields. This can be used to crash the kernel over USB.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43136
CVE-2026-43137 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: Intel: hda: Fix NULL pointer dereference
If there's a mismatch between the DAI links in the machine driver and the topology, it is possible that the playback/capture widget is not set, especially in the case of loopback capture for echo reference where we use the dummy DAI link. Return the error when the widget is not set to avoid a null pointer dereference like below when the topology is broken.
RIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43137
CVE-2026-43138 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
reset: gpio: suppress bind attributes in sysfs
This is a special device that's created dynamically and is supposed to stay in memory forever. We also currently don't have a devlink between it and the actual reset consumer. Suppress sysfs bind attributes so that user-space can't unbind the device because - as of now - it will cause a use-after-free splat from any user that puts the reset control handle.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43138
CVE-2026-43139 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xfrm6: fix uninitialized saddr in xfrm6_get_saddr()
xfrm6_get_saddr() does not check the return value of ipv6_dev_get_saddr(). When ipv6_dev_get_saddr() fails to find a suitable source address (returns -EADDRNOTAVAIL), saddr->in6 is left uninitialized, but xfrm6_get_saddr() still returns 0 (success). This causes the caller xfrm_tmpl_resolve_one() to use the uninitialized address in xfrm_state_find(), triggering KMSAN warning:
=====================================================
BUG: KMSAN: uninit-value in xfrm_state_find+0x2424/0xa940
  xfrm_state_find+0x2424/0xa940
  xfrm_resolve_and_create_bundle+0x906/0x5a20
  xfrm_lookup_with_ifid+0xcc0/0x3770
  xfrm_lookup_route+0x63/0x2b0
  ip_route_output_flow+0x1ce/0x270
  udp_sendmsg+0x2ce1/0x3400
  inet_sendmsg+0x1ef/0x2a0
  __sock_sendmsg+0x278/0x3d0
  __sys_sendto+0x593/0x720
  __x64_sys_sendto+0x130/0x200
  x64_sys_call+0x332b/0x3e70
  do_syscall_64+0xd3/0xf80
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
Local variable tmp.i.i created at:
  xfrm_resolve_and_create_bundle+0x3e3/0x5a20
  xfrm_lookup_with_ifid+0xcc0/0x3770
=====================================================
Fix by checking the return value of ipv6_dev_get_saddr() and propagating the error.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43139
CVE-2026-43140 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
HID: magicmouse: Do not crash on missing msc->input
Fake USB devices can send their own report descriptors for which the input_mapping() hook does not get called. In this case, msc->input stays NULL, leading to a crash at a later time. Detect this condition in the input_configured() hook and reject the device. This is not supposed to happen with actual magic mouse devices, but can be provoked by imposing as a magic mouse USB device.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43140
CVE-2026-43141 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut
Number of MW LUTs depends on NTB configuration and can be set to zero, in such scenario rounddown_pow_of_two will cause undefined behaviour and should not be performed. This patch ensures that rounddown_pow_of_two is called on valid value.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43141
CVE-2026-43142 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: iris: gen1: Destroy internal buffers after FW releases
After the firmware releases internal buffers, the driver was not destroying them. This left stale allocations that were no longer used, especially across resolution changes where new buffers are allocated per the updated requirements. As a result, memory was wasted until session close. Destroy internal buffers once the release response is received from the firmware.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43142
CVE-2026-43143 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mfd: core: Add locking around 'mfd_of_node_list'
Manipulating a list in the kernel isn't safe without some sort of mutual exclusion. Add a mutex any time we access / modify 'mfd_of_node_list' to prevent possible crashes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43143
CVE-2026-43144 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Fix potential kernel oops when probe fails
When probe of the sdio brcmfmac device fails for some reasons (i.e. missing firmware), the sdiodev->bus is set to error instead of NULL, thus the cleanup later in brcmf_sdio_remove() tries to free resources via invalid bus pointer. This happens because sdiodev->bus is set 2 times: first in brcmf_sdio_probe() and second time in brcmf_sdiod_probe(). Fix this by changing the brcmf_sdio_probe() function to return the error code and set sdio->bus only there.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43144
CVE-2026-43145 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
remoteproc: imx_rproc: Fix invalid loaded resource table detection
imx_rproc_elf_find_loaded_rsc_table() may incorrectly report a loaded resource table even when the current firmware does not provide one. When the device tree contains a "rsc-table" entry, priv->rsc_table is non-NULL and denotes where a resource table would be located if one is present in memory. However, when the current firmware has no resource table, rproc->table_ptr is NULL. The function still returns priv->rsc_table, and the remoteproc core interprets this as a valid loaded resource table. Fix this by returning NULL from imx_rproc_elf_find_loaded_rsc_table() when there is no resource table for the current firmware (i.e. when rproc->table_ptr is NULL). This aligns the function's semantics with the remoteproc core: a loaded resource table is only reported when a valid table_ptr exists. With this change, starting firmware without a resource table no longer triggers a crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43145
CVE-2026-43146 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: iris: Add buffer to list only after successful allocation
Move `list_add_tail()` to after `dma_alloc_attrs()` succeeds when creating internal buffers. Previously, the buffer was enqueued in `buffers->list` before the DMA allocation. If the allocation failed, the function returned `-ENOMEM` while leaving a partially initialized buffer in the list, which could lead to inconsistent state and potential leaks. By adding the buffer to the list only after `dma_alloc_attrs()` succeeds, we ensure the list contains only valid, fully initialized buffers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43146
CVE-2026-43147 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Revert "PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV"
This reverts commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV"), which causes a deadlock by recursively taking pci_rescan_remove_lock when sriov_del_vfs() is called as part of pci_stop_and_remove_bus_device(). For example with the following sequence of commands:
  $ echo <NUM> > /sys/bus/pci/devices/<pf>/sriov_numvfs
  $ echo 1 > /sys/bus/pci/devices/<pf>/remove
A trimmed trace of the deadlock on a mlx5 device is as below:
  zsh/5715 is trying to acquire lock:
  000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: sriov_disable+0x34/0x140
  but task is already holding lock:
  000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_stop_and_remove_bus_device_locked+0x24/0x80
  ...
  Call Trace:
   [<00000259778c4f90>] dump_stack_lvl+0xc0/0x110
   [<00000259779c844e>] print_deadlock_bug+0x31e/0x330
   [<00000259779c1908>] __lock_acquire+0x16c8/0x32f0
   [<00000259779bffac>] lock_acquire+0x14c/0x350
   [<00000259789643a6>] __mutex_lock_common+0xe6/0x1520
   [<000002597896413c>] mutex_lock_nested+0x3c/0x50
   [<00000259784a07e4>] sriov_disable+0x34/0x140
   [<00000258f7d6dd80>] mlx5_sriov_disable+0x50/0x80 [mlx5_core]
   [<00000258f7d5745e>] remove_one+0x5e/0xf0 [mlx5_core]
   [<00000259784857fc>] pci_device_remove+0x3c/0xa0
   [<000002597851012e>] device_release_driver_internal+0x18e/0x280
   [<000002597847ae22>] pci_stop_bus_device+0x82/0xa0
   [<000002597847afce>] pci_stop_and_remove_bus_device_locked+0x5e/0x80
   [<00000259784972c2>] remove_store+0x72/0x90
   [<0000025977e6661a>] kernfs_fop_write_iter+0x15a/0x200
   [<0000025977d7241c>] vfs_write+0x24c/0x300
   [<0000025977d72696>] ksys_write+0x86/0x110
   [<000002597895b61c>] __do_syscall+0x14c/0x400
   [<000002597896e0ee>] system_call+0x6e/0x90
This alone is not a complete fix as it restores the issue the cited commit tried to solve. A new fix will be provided as a follow on.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43147
CVE-2026-43148 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
powerpc/smp: Add check for kcalloc() failure in parse_thread_groups()
As kcalloc() may fail, check its return value to avoid a NULL pointer dereference when passing it to of_property_read_u32_array().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43148
CVE-2026-43149 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: wan/fsl_ucc_hdlc: Fix dma_free_coherent() in uhdlc_memclean()
The priv->rx_buffer and priv->tx_buffer are alloc'd together as contiguous buffers in uhdlc_init() but freed as two buffers in uhdlc_memclean(). Change the cleanup to only call dma_free_coherent() once on the whole buffer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43149
CVE-2026-43150 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
perf/arm-cmn: Reject unsupported hardware configurations
So far we've been fairly lax about accepting both unknown CMN models (at least with a warning), and unknown revisions of those which we do know, as although things do frequently change between releases, typically enough remains the same to be somewhat useful for at least some basic bringup checks. However, we also make assumptions of the maximum supported sizes and numbers of things in various places, and there's no guarantee that something new might not be bigger and lead to nasty array overflows. Make sure we only try to run on things that actually match our assumptions and so will not risk memory corruption. We have at least always failed on completely unknown node types, so update that error message for clarity and consistency too.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43150
CVE-2026-43151 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Revert "media: iris: Add sanity check for stop streaming"
This reverts commit ad699fa78b59241c9d71a8cafb51525f3dab04d4. Revert the check that skipped stop_streaming when the instance was in IRIS_INST_ERROR, as it caused multiple regressions:
1. Buffers were not returned to vb2 when the instance was already in error state, triggering warnings in the vb2 core because buffer completion was skipped.
2. If a session failed early (e.g. unsupported configuration), the instance transitioned to IRIS_INST_ERROR. When userspace attempted to stop streaming for cleanup, stop_streaming was skipped due to the added check, preventing proper teardown and leaving the firmware in an inconsistent state.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43151
CVE-2026-43152 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
HID: hid-pl: handle probe errors
Errors in init must be reported back or we'll follow a NULL pointer the first time FF is used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43152
CVE-2026-43153 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xfs: remove xfs_attr_leaf_hasname
The calling convention of xfs_attr_leaf_hasname() is problematic, because it returns a NULL buffer when xfs_attr3_leaf_read fails, a valid buffer when xfs_attr3_leaf_lookup_int returns -ENOATTR or -EEXIST, and a non-NULL buffer pointer for an already released buffer when xfs_attr3_leaf_lookup_int fails with other error values. Fix this by simply open coding xfs_attr_leaf_hasname in the callers, so that the buffer release code is done by each caller of xfs_attr3_leaf_read.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43153
CVE-2026-43154 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix incorrect early exits in volume label handling
Crafted EROFS images containing valid volume labels can trigger incorrect early returns, leading to folio reference leaks. However, this does not cause system crashes or other severe issues.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43154
CVE-2026-43155 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mux: mmio: fix regmap leak on probe failure
The mmio regmap that may be allocated during probe is never freed. Switch to using the device managed allocator so that the regmap is released on probe failures (e.g. probe deferral) and on driver unbind.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43155
CVE-2026-43156 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: usb: pegasus: enable basic endpoint checking
pegasus_probe() fills URBs with hardcoded endpoint pipes without verifying the endpoint descriptors:
  - usb_rcvbulkpipe(dev, 1) for RX data
  - usb_sndbulkpipe(dev, 2) for TX data
  - usb_rcvintpipe(dev, 3) for status interrupts
A malformed USB device can present these endpoints with transfer types that differ from what the driver assumes. Add a pegasus_usb_ep enum for endpoint numbers, replacing magic constants throughout. Add usb_check_bulk_endpoints() and usb_check_int_endpoints() calls before any resource allocation to verify endpoint types before use, rejecting devices with mismatched descriptors at probe time, and avoid triggering assertion. Similar fix to
- commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking")
- commit 9e7021d2aeae ("net: usb: catc: enable basic endpoint checking")
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43156
CVE-2026-43157 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-af: CGX: fix bitmap leaks
The RX/TX flow-control bitmaps (rx_fc_pfvf_bmap and tx_fc_pfvf_bmap) are allocated by cgx_lmac_init() but never freed in cgx_lmac_exit(). Unbinding and rebinding the driver therefore triggers kmemleak:
  unreferenced object (size 16):
    backtrace:
      rvu_alloc_bitmap
      cgx_probe
Free both bitmaps during teardown.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43157
CVE-2026-43158 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xfs: fix freemap adjustments when adding xattrs to leaf blocks
xfs/592 and xfs/794 both trip this assertion in the leaf block freemap adjustment code after ~20 minutes of running on my test VMs:
  ASSERT(ichdr->firstused >= ichdr->count * sizeof(xfs_attr_leaf_entry_t) + xfs_attr3_leaf_hdr_size(leaf));
Upon enabling quite a lot more debugging code, I narrowed this down to fsstress trying to set a local extended attribute with namelen=3 and valuelen=71. This results in an entry size of 80 bytes. At the start of xfs_attr3_leaf_add_work, the freemap looks like this:
  i 0 base 448 size 0 rhs 448 count 46
  i 1 base 388 size 132 rhs 448 count 46
  i 2 base 2120 size 4 rhs 448 count 46
  firstused = 520
where "rhs" is the first byte past the end of the leaf entry array. This is inconsistent -- the entries array ends at byte 448, but freemap[1] says there's free space starting at byte 388! By the end of the function, the freemap is in worse shape:
  i 0 base 456 size 0 rhs 456 count 47
  i 1 base 388 size 52 rhs 456 count 47
  i 2 base 2120 size 4 rhs 456 count 47
  firstused = 440
Important note: 388 is not aligned with the entries array element size of 8 bytes. Based on the incorrect freemap, the name area starts at byte 440, which is below the end of the entries array! That's why the assertion triggers and the filesystem shuts down. How did we end up here? First, recall from the previous patch that the freemap array in an xattr leaf block is not intended to be a comprehensive map of all free space in the leaf block. In other words, it's perfectly legal to have a leaf block with:
  * 376 bytes in use by the entries array
  * freemap[0] has [base = 376, size = 8]
  * freemap[1] has [base = 388, size = 1500]
  * the space between 376 and 388 is free, but the freemap stopped tracking that some time ago
If we add one xattr, the entries array grows to 384 bytes, and freemap[0] becomes [base = 384, size = 0]. So far, so good. But if we add a second xattr, the entries array grows to 392 bytes, and freemap[0] gets pushed up to [base = 392, size = 0]. This is bad, because freemap[1] hasn't been updated, and now the entries array and the free space claim the same space. The fix here is to adjust all freemap entries so that none of them collide with the entries array. Note that this fix relies on commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow") and the previous patch that resets zero length freemap entries to have base = 0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43158
CVE-2026-43159 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix null dereference in find_network
The variable pwlan has the possibility of being NULL when passed into rtw_free_network_nolock() which would later dereference the variable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43159
CVE-2026-43160 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mfd: macsmc: Initialize mutex
Initialize struct apple_smc's mutex in apple_smc_probe(). Using the mutex uninitialized surprisingly resulted only in occasional NULL pointer dereferences in apple_smc_read() calls from the probe() functions of sub devices.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43160
CVE-2026-43161 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable mode
PCIe endpoints with ATS enabled and passed through to userspace (e.g., QEMU, DPDK) can hard-lock the host when their link drops, either by surprise removal or by a link fault. Commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected") adds pci_dev_is_disconnected() to devtlb_invalidation_with_pasid() so ATS invalidation is skipped only when the device is being safely removed, but it applies only when Intel IOMMU scalable mode is enabled. With scalable mode disabled or unsupported, a system hard-lock occurs when a PCIe endpoint's link drops because the Intel IOMMU waits indefinitely for an ATS invalidation that cannot complete.
Call Trace:
  qi_submit_sync
  qi_flush_dev_iotlb
  __context_flush_dev_iotlb.part.0
  domain_context_clear_one_cb
  pci_for_each_dma_alias
  device_block_translation
  blocking_domain_attach_dev
  iommu_deinit_device
  __iommu_group_remove_device
  iommu_release_device
  iommu_bus_notifier
  blocking_notifier_call_chain
  bus_notify
  device_del
  pci_remove_bus_device
  pci_stop_and_remove_bus_device
  pciehp_unconfigure_device
  pciehp_disable_slot
  pciehp_handle_presence_or_link_change
  pciehp_ist
Commit 81e921fd3216 ("iommu/vt-d: Fix NULL domain on device release") adds intel_pasid_teardown_sm_context() to intel_iommu_release_device(), which calls qi_flush_dev_iotlb() and can also hard-lock the system when a PCIe endpoint's link drops.
Call Trace:
  qi_submit_sync
  qi_flush_dev_iotlb
  __context_flush_dev_iotlb.part.0
  intel_context_flush_no_pasid
  device_pasid_table_teardown
  pci_pasid_table_teardown
  pci_for_each_dma_alias
  intel_pasid_teardown_sm_context
  intel_iommu_release_device
  iommu_deinit_device
  __iommu_group_remove_device
  iommu_release_device
  iommu_bus_notifier
  blocking_notifier_call_chain
  bus_notify
  device_del
  pci_remove_bus_device
  pci_stop_and_remove_bus_device
  pciehp_unconfigure_device
  pciehp_disable_slot
  pciehp_handle_presence_or_link_change
  pciehp_ist
Sometimes the endpoint loses connection without a link-down event (e.g., due to a link fault); killing the process (virsh destroy) then hard-locks the host.
Call Trace:
  qi_submit_sync
  qi_flush_dev_iotlb
  __context_flush_dev_iotlb.part.0
  domain_context_clear_one_cb
  pci_for_each_dma_alias
  device_block_translation
  blocking_domain_attach_dev
  __iommu_attach_device
  __iommu_device_set_domain
  __iommu_group_set_domain_internal
  iommu_detach_group
  vfio_iommu_type1_detach_group
  vfio_group_detach_container
  vfio_group_fops_release
  __fput
pci_dev_is_disconnected() only covers safe-removal paths; pci_device_is_present() tests accessibility by reading vendor/device IDs and internally calls pci_dev_is_disconnected(). On a ConnectX-5 (8 GT/s, x2) this costs ~70 µs. Since __context_flush_dev_iotlb() is only called on {attach,release}_dev paths (not hot), add pci_device_is_present() there to skip inaccessible devices and avoid the hard-lock.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43161
CVE-2026-43162 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: tegra-video: Fix memory leak in __tegra_channel_try_format()
The state object allocated by __v4l2_subdev_state_alloc() must be freed with __v4l2_subdev_state_free() when it is no longer needed.
In __tegra_channel_try_format(), two error paths return directly after v4l2_subdev_call() fails, without freeing the allocated 'sd_state' object. This violates the requirement and causes a memory leak.
Fix this by introducing a cleanup label and using goto statements in the error paths to ensure that __v4l2_subdev_state_free() is always called before the function returns.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43162
CVE-2026-43163 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
md/bitmap: fix GPF in write_page caused by resize race
A General Protection Fault occurs in write_page() during array resize:
RIP: 0010:write_page+0x22b/0x3c0 [md_mod]
This is a use-after-free race between bitmap_daemon_work() and __bitmap_resize(). The daemon iterates over `bitmap->storage.filemap` without locking, while the resize path frees that storage via md_bitmap_file_unmap(). `quiesce()` does not stop the md thread, allowing concurrent access to freed pages.
Fix by holding `mddev->bitmap_info.mutex` during the bitmap update.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43163
CVE-2026-43164 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
udplite: Fix null-ptr-deref in __udp_enqueue_schedule_skb().
syzbot reported null-ptr-deref of udp_sk(sk)->udp_prod_queue. [0]
Since the cited commit, udp_lib_init_sock() can fail, as can udp_init_sock() and udpv6_init_sock().
Let's handle the error in udplite_sk_init() and udplitev6_sk_init().
[0]:
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:82 [inline]
BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: null-ptr-deref in __udp_enqueue_schedule_skb+0x151/0x1480 net/ipv4/udp.c:1719
Read of size 4 at addr 0000000000000008 by task syz.2.18/2944
CPU: 1 UID: 0 PID: 2944 Comm: syz.2.18 Not tainted syzkaller #0 PREEMPTLAZY
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <IRQ>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 kasan_report+0xa2/0xe0 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200
 instrument_atomic_read include/linux/instrumented.h:82 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 __udp_enqueue_schedule_skb+0x151/0x1480 net/ipv4/udp.c:1719
 __udpv6_queue_rcv_skb net/ipv6/udp.c:795 [inline]
 udpv6_queue_rcv_one_skb+0xa2e/0x1ad0 net/ipv6/udp.c:906
 udp6_unicast_rcv_skb+0x227/0x380 net/ipv6/udp.c:1064
 ip6_protocol_deliver_rcu+0xe17/0x1540 net/ipv6/ip6_input.c:438
 ip6_input_finish+0x191/0x350 net/ipv6/ip6_input.c:489
 NF_HOOK+0x354/0x3f0 include/linux/netfilter.h:318
 ip6_input+0x16c/0x2b0 net/ipv6/ip6_input.c:500
 NF_HOOK+0x354/0x3f0 include/linux/netfilter.h:318
 __netif_receive_skb_one_core net/core/dev.c:6149 [inline]
 __netif_receive_skb+0xd3/0x370 net/core/dev.c:6262
 process_backlog+0x4d6/0x1160 net/core/dev.c:6614
 __napi_poll+0xae/0x320 net/core/dev.c:7678
 napi_poll net/core/dev.c:7741 [inline]
 net_rx_action+0x60d/0xdc0 net/core/dev.c:7893
 handle_softirqs+0x209/0x8d0 kernel/softirq.c:622
 do_softirq+0x52/0x90 kernel/softirq.c:523
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0xe7/0x120 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
 __dev_queue_xmit+0x109c/0x2dc0 net/core/dev.c:4856
 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
 ip6_finish_output+0x158/0x4e0 net/ipv6/ip6_output.c:219
 NF_HOOK_COND include/linux/netfilter.h:307 [inline]
 ip6_output+0x342/0x580 net/ipv6/ip6_output.c:246
 ip6_send_skb+0x1d7/0x3c0 net/ipv6/ip6_output.c:1984
 udp_v6_send_skb+0x9a5/0x1770 net/ipv6/udp.c:1442
 udp_v6_push_pending_frames+0xa2/0x140 net/ipv6/udp.c:1469
 udpv6_sendmsg+0xfe0/0x2830 net/ipv6/udp.c:1759
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0xe5/0x270 net/socket.c:742
 __sys_sendto+0x3eb/0x580 net/socket.c:2206
 __do_sys_sendto net/socket.c:2213 [inline]
 __se_sys_sendto net/socket.c:2209 [inline]
 __x64_sys_sendto+0xde/0x100 net/socket.c:2209
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd2/0xf20 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f67b4d9c629
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f67b5c98028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f67b5015fa0 RCX: 00007f67b4d9c629
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f67b4e32b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000040000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f67b5016038 R14: 00007f67b5015fa0 R15: 00007ffe3cb66dd8
 </TASK>
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43164
CVE-2026-43165 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (nct7363) Fix a resource leak in nct7363_present_pwm_fanin
When calling of_parse_phandle_with_args(), the caller is responsible to call of_node_put() to release the reference of device node. In nct7363_present_pwm_fanin, it does not release the reference, causing a resource leak.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43165
CVE-2026-43166 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix interlaced plain identification for encoded extents
Only plain data whose start position and on-disk physical length are both aligned to the block size should be classified as interlaced plain extents. Otherwise, it must be treated as shifted plain extents.
This issue was found by syzbot using a crafted compressed image containing plain extents with unaligned physical lengths, which can cause OOB read in z_erofs_transform_plain().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43166
CVE-2026-43167 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xfrm: always flush state and policy upon NETDEV_UNREGISTER event
syzbot is reporting that "struct xfrm_state" refcount is leaking.
 unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2
 ref_tracker: netdev@ffff888052f24618 has 1/1 users at
 __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]
 netdev_tracker_alloc include/linux/netdevice.h:4412 [inline]
 xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316
 xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline]
 xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022
 xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507
 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550
 xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592
 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646
 __sys_sendmsg+0x16d/0x220 net/socket.c:2678
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
This is because commit d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") implemented xfrm_dev_unregister() as no-op despite xfrm_dev_state_add() from xfrm_state_construct() acquires a reference to "struct net_device".
I guess that that commit expected that NETDEV_DOWN event is fired before NETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add() is called only if (dev->features & NETIF_F_HW_ESP) != 0.
Sabrina Dubroca identified steps to reproduce the same symptoms as below.
 echo 0 > /sys/bus/netdevsim/new_device
 dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/)
 ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \
    spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128 \
    offload crypto dev $dev dir out
 ethtool -K $dev esp-hw-offload off
 echo 0 > /sys/bus/netdevsim/del_device
Like these steps indicate, the NETIF_F_HW_ESP bit can be cleared after xfrm_dev_state_add() acquired a reference to "struct net_device". Also, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit when acquiring a reference to "struct net_device".
Commit 03891f820c21 ("xfrm: handle NETDEV_UNREGISTER for xfrm device") re-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that commit for unknown reason chose to share xfrm_dev_down() between the NETDEV_DOWN event and the NETDEV_UNREGISTER event. I guess that that commit missed the behavior in the previous paragraph.
Therefore, we need to re-introduce xfrm_dev_unregister() in order to release the reference to "struct net_device" by unconditionally flushing state and policy.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43167
CVE-2026-43168 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix reflink preserve cleanup issue
commit c06c303832ec ("ocfs2: fix xattr array entry __counted_by error") doesn't handle all cases and the cleanup job for preserved xattr entries still has bug:
- the 'last' pointer should be shifted by one unit after cleanup an array entry.
- current code logic doesn't cleanup the first entry when xh_count is 1.
Note, commit c06c303832ec is also a bug fix for 0fe9b66c65f3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43168
CVE-2026-43169 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/buddy: Prevent BUG_ON by validating rounded allocation
When DRM_BUDDY_CONTIGUOUS_ALLOCATION is set, the requested size is rounded up to the next power-of-two via roundup_pow_of_two(). Similarly, for non-contiguous allocations with large min_block_size, the size is aligned up via round_up(). Both operations can produce a rounded size that exceeds mm->size, which later triggers BUG_ON(order > mm->max_order).
Example scenarios:
- 9G CONTIGUOUS allocation on 10G VRAM memory: roundup_pow_of_two(9G) = 16G > 10G
- 9G allocation with 8G min_block_size on 10G VRAM memory: round_up(9G, 8G) = 16G > 10G
Fix this by checking the rounded size against mm->size. For non-contiguous or range allocations where size > mm->size is invalid, return -EINVAL immediately. For contiguous allocations without range restrictions, allow the request to fall through to the existing __alloc_contig_try_harder() fallback.
This ensures invalid user input returns an error or uses the fallback path instead of hitting BUG_ON.
v2: (Matt A)
- Add Fixes, Cc stable, and Closes tags for context
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43169
CVE-2026-43170 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: gadget: Move vbus draw to workqueue context
Currently dwc3_gadget_vbus_draw() can be called from atomic context, which in turn invokes power-supply-core APIs. And some of these PMIC APIs have operations that may sleep, leading to kernel panic.
Fix this by moving the vbus_draw into a workqueue context.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43170
CVE-2026-43171 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
EFI/CPER: don't dump the entire memory region
The current logic at cper_print_fw_err() doesn't check if the error record length is big enough to handle offset. On a bad firmware, if the offset is above the actual record, length -= offset will underflow, making it dump the entire memory.
The end result can be:
 - the logic taking a lot of time dumping large regions of memory;
 - data disclosure due to the memory dumps;
 - an OOPS, if it tries to dump an unmapped memory region.
Fix it by checking if the section length is too small before doing a hex dump.
[ rjw: Subject tweaks ]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43171
CVE-2026-43172 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: fix 22000 series SMEM parsing
If the firmware were to report three LMACs (which doesn't exist in hardware) then using "fwrt->smem_cfg.lmac[2]" is an overrun of the array. Reject such and use IWL_FW_CHECK instead of WARN_ON in this function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43172
CVE-2026-43173 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: xscale: Check for PTP support properly
In ixp4xx_get_ts_info() ixp46x_ptp_find() is called unconditionally despite this feature only existing on ixp46x, leading to the following splat from tcpdump:
root@OpenWrt:~# tcpdump -vv -X -i eth0
(...)
Unable to handle kernel NULL pointer dereference at virtual address 00000238 when read
(...)
Call trace:
 ptp_clock_index from ixp46x_ptp_find+0x1c/0x38
 ixp46x_ptp_find from ixp4xx_get_ts_info+0x4c/0x64
 ixp4xx_get_ts_info from __ethtool_get_ts_info+0x90/0x108
 __ethtool_get_ts_info from __dev_ethtool+0xa00/0x2648
 __dev_ethtool from dev_ethtool+0x160/0x234
 dev_ethtool from dev_ioctl+0x2cc/0x460
 dev_ioctl from sock_ioctl+0x1ec/0x524
 sock_ioctl from sys_ioctl+0x51c/0xa94
 sys_ioctl from ret_fast_syscall+0x0/0x44
 (...)
Segmentation fault
Check for ixp46x in ixp46x_ptp_find() before trying to set up PTP to avoid this.
To avoid altering the returned error code from ixp4xx_hwtstamp_set() which before this patch was -EOPNOTSUPP, we return -EOPNOTSUPP from ixp4xx_hwtstamp_set() if ixp46x_ptp_find() fails no matter the error code. The helper function ixp46x_ptp_find() returns -ENODEV.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43173
CVE-2026-43174 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
io_uring/zcrx: fix post open error handling
Closing a queue doesn't guarantee that all associated page pools are terminated right away, let the refcounting do the work instead of releasing the zcrx ctx directly.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43174
CVE-2026-43175 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841
The 9FGV0841 has 8 outputs and registers 8 struct clk_hw, make sure there are 8 slots for those newly registered clk_hw pointers, else there is going to be out of bounds write when pointers 4..7 are set into struct rs9_driver_data .clk_dif[4..7] field.
Since there are other structure members past this struct clk_hw pointer array, writing to .clk_dif[4..7] fields corrupts both the struct rs9_driver_data content and data around it, sometimes without crashing the kernel. However, the kernel does surely crash when the driver is unbound or during suspend.
Fix this, increase the struct clk_hw pointer array size to the maximum output count of 9FGV0841, which is the biggest chip that is supported by this driver.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43175
CVE-2026-43176 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: pci: validate release report content before using for RTL8922DE
The commit 957eda596c76 ("wifi: rtw89: pci: validate sequence number of TX release report") does validation on existing chips, which somehow a release report of SKB becomes malformed. As no clear cause found, add rules ahead for RTL8922DE to avoid crash if it happens.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43176
CVE-2026-43177 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: ipu6: Fix RPM reference leak in probe error paths
Several error paths in ipu6_pci_probe() were jumping directly to out_ipu6_bus_del_devices without releasing the runtime PM reference. Add pm_runtime_put_sync() before cleaning up other resources.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43177
CVE-2026-43178 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
procfs: fix possible double mmput() in do_procmap_query()
When user provides incorrectly sized buffer for build ID for PROCMAP_QUERY we return with -ENAMETOOLONG error. After recent changes this condition happens later, after we unlocked mmap_lock/per-VMA lock and did mmput(), so original goto out is now wrong and will double-mmput() mm_struct. Fix by jumping further to clean up only vm_file and name_buf.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43178
CVE-2026-43179 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix incorrect early exits for invalid metabox-enabled images
Crafted EROFS images with metadata compression enabled can trigger incorrect early returns, leading to folio reference leaks.
However, this does not cause system crashes or other severe issues.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43179
CVE-2026-43180 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode
kaweth_set_rx_mode(), the ndo_set_rx_mode callback, calls netif_stop_queue() and netif_wake_queue(). These are TX queue flow control functions unrelated to RX multicast configuration.
The premature netif_wake_queue() can re-enable TX while tx_urb is still in-flight, leading to a double usb_submit_urb() on the same URB:
kaweth_start_xmit() {
  netif_stop_queue();
  usb_submit_urb(kaweth->tx_urb);
}
kaweth_set_rx_mode() {
  netif_stop_queue();
  netif_wake_queue(); // wakes TX queue before URB is done
}
kaweth_start_xmit() {
  netif_stop_queue();
  usb_submit_urb(kaweth->tx_urb); // URB submitted while active
}
This triggers the WARN in usb_submit_urb():
  "URB submitted while active"
This is a similar class of bug fixed in rtl8150 by
- commit 958baf5eaee3 ("net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast").
Also kaweth_set_rx_mode() is already functionally broken, the real set_rx_mode action is performed by kaweth_async_set_rx_mode(), which in turn is not a no-op only at ndo_open() time.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43180
CVE-2026-43181 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
gpio: sysfs: fix chip removal with GPIOs exported over sysfs
Currently if we export a GPIO over sysfs and unbind the parent GPIO controller, the exported attribute will remain under /sys/class/gpio because once we remove the parent device, we can no longer associate the descriptor with it in gpiod_unexport() and never drop the final reference.
Rework the teardown code: provide an unlocked variant of gpiod_unexport() and remove all exported GPIOs with the sysfs_lock taken before unregistering the parent device itself. This is done to prevent any new exports happening before we unregister the device completely.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43181
CVE-2026-43182 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: ccs: Avoid possible division by zero
Calculating maximum M for scaler configuration involves dividing by MIN_X_OUTPUT_SIZE limit register's value. Albeit the value is presumably non-zero, the driver was missing the check it in fact was. Fix this.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43182
CVE-2026-43183 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: cx25821: Fix a resource leak in cx25821_dev_setup()
Add release_mem_region() if ioremap() fails to release the memory region obtained by cx25821_get_resources().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43183
CVE-2026-43184 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
rnbd-srv: Zero the rsp buffer before using it
Before using the data buffer to send back the response message, zero it completely. This prevents any stray bytes from being picked up by the client side when the message is exchanged between different protocol versions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43184
CVE-2026-43185 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix signededness bug in smb_direct_prepare_negotiation()
smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed receive size for the next message.
By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow.
This fix replaces min_t(int, ...) with min_t(u32)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43185
CVE-2026-43186 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()
On the receive path, __ioam6_fill_trace_data() uses trace->nodelen to decide how much data to write for each node. It trusts this field as-is from the incoming packet, with no consistency check against trace->type (the 24-bit field that tells which data items are present). A crafted packet can set nodelen=0 while setting type bits 0-21, causing the function to write ~100 bytes past the allocated region (into skb_shared_info), which corrupts adjacent heap memory and leads to a kernel panic.
Add a shared helper ioam6_trace_compute_nodelen() in ioam6.c to derive the expected nodelen from the type field, and use it:
 - in ioam6_iptunnel.c (send path, existing validation) to replace the open-coded computation;
 - in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose nodelen is inconsistent with the type field, before any data is written.
Per RFC 9197, bits 12-21 are each short (4-octet) fields, so they are included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to 0xff1ffc00).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43186
CVE-2026-43187 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xfs: delete attr leaf freemap entries when empty
Back in commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow"), Brian Foster observed that it's possible for a small freemap at the end of the xattr entries array to experience a size underflow when subtracting the space consumed by an expansion of the entries array. There are only three freemap entries, which means that it is not a complete index of all free space in the leaf block.
This code can leave behind a zero-length freemap entry with a nonzero base. Subsequent setxattr operations can increase the base up to the point that it overlaps with another freemap entry. This isn't in and of itself a problem because the code in _leaf_add that finds free space ignores any freemap entry with zero size.
However, there's another bug in the freemap update code in _leaf_add, which is that it fails to update a freemap entry that begins midway through the xattr entry that was just appended to the array. That can result in the freemap containing two entries with the same base but different sizes (0 for the "pushed-up" entry, nonzero for the entry that's actually tracking free space). A subsequent _leaf_add can then allocate xattr namevalue entries on top of the entries array, leading to data loss. But fixing that is for later.
For now, eliminate the possibility of confusion by zeroing out the base of any freemap entry that has zero size. Because the freemap is not intended to be a complete index of free space, a subsequent failure to find any free space for a new xattr will trigger block compaction, which regenerates the freemap.
It looks like this bug has been in the codebase for quite a long time.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43187
CVE-2026-43188 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ceph: do not propagate page array emplacement errors as batch errors
When fscrypt is enabled, move_dirty_folio_in_page_array() may fail because it needs to allocate bounce buffers to store the encrypted versions of each folio. Each folio beyond the first allocates its bounce buffer with GFP_NOWAIT. Failures are common (and expected) under this allocation mode; they should flush (not abort) the batch.
However, ceph_process_folio_batch() uses the same `rc` variable for its own return code and for capturing the return codes of its routine calls; failing to reset `rc` back to 0 results in the error being propagated out to the main writeback loop, which cannot actually tolerate any errors here: once `ceph_wbc.pages` is allocated, it must be passed to ceph_submit_write() to be freed. If it survives until the next iteration (e.g. due to the goto being followed), ceph_allocate_page_array()'s BUG_ON() will oops the worker.
Note that this failure mode is currently masked due to another bug (addressed next in this series) that prevents multiple encrypted folios from being selected for the same write.
For now, just reset `rc` when redirtying the folio to prevent errors in move_dirty_folio_in_page_array() from propagating. Note that move_dirty_folio_in_page_array() is careful never to return errors on the first folio, so there is no need to check for that. After this change, ceph_process_folio_batch() no longer returns errors; its only remaining failure indicator is `locked_pages == 0`, which the caller already handles correctly.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43188
CVE-2026-43189 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: v4l2-async: Fix error handling on steps after finding a match
Once an async connection is found to be matching with an fwnode, a sub-device may be registered (in case it wasn't already), its bound operation is called, ancillary links are created, the async connection is added to the sub-device's list of connections and removed from the global waiting connection list. Further on, the sub-device's possible own notifier is searched for possible additional matches.
Fix these specific issues:
- If v4l2_async_match_notify() failed before the sub-notifier handling, the async connection was unbound and its entry removed from the sub-device's async connection list. The latter part was also done in v4l2_async_match_notify().
- The async connection's sd field was only set after creating ancillary links in v4l2_async_match_notify(). It was however dereferenced in v4l2_async_unbind_subdev_one(), which was called on error path of v4l2_async_match_notify() failure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43189
CVE-2026-43190 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_tcpmss: check remaining length before reading optlen
Quoting reporter:
 In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length.
 If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43190
CVE-2026-43191 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35
[Why]
A backport of the change made for DCN401 that addresses an issue where we turn off the PHY PLL when disabling TMDS output, which causes the OTG to remain stuck.
The OTG being stuck can lead to a hang in the DCHVM's ability to ACK invalidations when it thinks the HUBP is still on but it's not receiving global sync.
The transition to PLL_ON needs to be atomic as there's no guarantee that the thread isn't pre-empted or is able to complete before the IOMMU watchdog times out.
[How]
Backport the implementation from dcn401 back to dcn35.
There's a functional difference in when the eDP output is disabled in dcn401 code so we don't want to utilize it directly.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43191
CVE-2026-43192 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
dm mpath: Add missing dm_put_device when failing to get scsi dh name
When commit fd81bc5cca8f ("scsi: device_handler: Return error pointer in scsi_dh_attached_handler_name()") added code to fail parsing the path if scsi_dh_attached_handler_name() failed with -ENOMEM, it didn't clean up the reference to the path device that had just been taken. Fix this, and streamline the error paths of parse_path() a little.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43192
CVE-2026-43193 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix nfs4_file refcount leak in nfsd_get_dir_deleg()
Claude pointed out that there is a nfs4_file refcount leak in nfsd_get_dir_deleg(). Ensure that the reference to "fp" is released before returning.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43193
CVE-2026-43194 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: consume xmit errors of GSO frames
udpgro_frglist.sh and udpgro_bench.sh are the flakiest tests currently in NIPA. They fail in the same exact way, TCP GRO test stalls occasionally and the test gets killed after 10min.
These tests use veth to simulate GRO. They attach a trivial ("return XDP_PASS;") XDP program to the veth to force TSO off and NAPI on.
Digging into the failure mode we can see that the connection is completely stuck after a burst of drops. The sender's snd_nxt is at sequence number N [1], but the receiver claims to have received (rcv_nxt) up to N + 3 * MSS [2]. Last piece of the puzzle is that senders rtx queue is not empty (let's say the block in the rtx queue is at sequence number N - 4 * MSS [3]).
In this state, sender sends a retransmission from the rtx queue with a single segment, and sequence numbers N-4*MSS:N-3*MSS [3]. Receiver sees it and responds with an ACK all the way up to N + 3 * MSS [2]. But sender will reject this ack as TCP_ACK_UNSENT_DATA because it has no recollection of ever sending data that far out [1]. And we are stuck.
The root cause is the mess of the xmit return codes. veth returns an error when it can't xmit a frame. We end up with a loss event like this:
  -------------------------------------------------
  |   GSO super frame 1   |   GSO super frame 2   |
  |-----------------------------------------------|
  | seg | seg | seg | seg | seg | seg | seg | seg |
  |  1  |  2  |  3  |  4  |  5  |  6  |  7  |  8  |
  -------------------------------------------------
     x    ok    ok    <ok>|  ok    ok    ok   <x>
                          \\
                           snd_nxt
"x" means packet lost by veth, and "ok" means it went thru. Since veth has TSO disabled in this test it sees individual segments. Segment 1 is on the retransmit queue and will be resent.
So why did the sender not advance snd_nxt even tho it clearly did send up to seg 8? tcp_write_xmit() interprets the return code from the core to mean that data has not been sent at all. Since TCP deals with GSO super frames, not individual segment the crux of the problem is that loss of a single segment can be interpreted as loss of all. TCP only sees the last return code for the last segment of the GSO frame (in <> brackets in the diagram above).
Of course for the problem to occur we need a setup or a device without a Qdisc. Otherwise Qdisc layer disconnects the protocol layer from the device errors completely.
We have multiple ways to fix this.
 1) make veth not return an error when it lost a packet.
    While this is what I think we did in the past, the issue keeps reappearing and it's annoying to debug. The game of whack a mole is not great.
 2) fix the damn return codes
    We only talk about NETDEV_TX_OK and NETDEV_TX_BUSY in the documentation, so maybe we should make the return code from ndo_start_xmit() a boolean. I like that the most, but perhaps some ancient, not-really-networking protocol would suffer.
 3) make TCP ignore the errors
    It is not entirely clear to me what benefit TCP gets from interpreting the result of ip_queue_xmit()? Specifically once the connection is established and we're pushing data - packet loss is just packet loss?
 4) this fix
    Ignore the rc in the Qdisc-less+GSO case, since it's unreliable. We already always return OK in the TCQ_F_CAN_BYPASS case. In the Qdisc-less case let's be a bit more conservative and only mask the GSO errors. This path is taken by non-IP-"networks" like CAN, MCTP etc, so we could regress some ancient thing. This is the simplest, but also maybe the hackiest fix?
Similar fix has been proposed by Eric in the past but never committed because original reporter was working with an OOT driver and wasn't providing feedback (see Link).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43194
CVE-2026-43195 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: validate user queue size constraints
Add validation to ensure user queue sizes meet hardware requirements:
- Size must be a power of two for efficient ring buffer wrapping
- Size must be at least AMDGPU_GPU_PAGE_SIZE to prevent undersized allocations
This prevents invalid configurations that could lead to GPU faults or unexpected behavior.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43195
CVE-2026-43196 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
soc: ti: pruss: Fix double free in pruss_clk_mux_setup()
In the pruss_clk_mux_setup(), the devm_add_action_or_reset() indirectly calls pruss_of_free_clk_provider(), which calls of_node_put(clk_mux_np) on the error path. However, after the devm_add_action_or_reset() returns, the of_node_put(clk_mux_np) is called again, causing a double free.
Fix by returning directly, to avoid the duplicate of_node_put().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43196
CVE-2026-43197 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netconsole: avoid OOB reads, msg is not nul-terminated
msg passed to netconsole from the console subsystem is not guaranteed to be nul-terminated. Before recent commit 7eab73b18630 ("netconsole: convert to NBCON console infrastructure") the message would be placed in printk_shared_pbufs, a static global buffer, so KASAN had harder time catching OOB accesses. Now we see:
  printk: console [netcon_ext0] enabled
  BUG: KASAN: slab-out-of-bounds in string+0x1f7/0x240
  Read of size 1 at addr ffff88813b6d4c00 by task pr/netcon_ext0/594
  CPU: 65 UID: 0 PID: 594 Comm: pr/netcon_ext0 Not tainted 6.19.0-11754-g4246fd6547c9
  Call Trace:
   kasan_report+0xe4/0x120
   string+0x1f7/0x240
   vsnprintf+0x655/0xba0
   scnprintf+0xba/0x120
   netconsole_write+0x3fe/0xa10
   nbcon_emit_next_record+0x46e/0x860
   nbcon_kthread_func+0x623/0x750
  Allocated by task 1:
   nbcon_alloc+0x1ea/0x450
   register_console+0x26b/0xe10
   init_netconsole+0xbb0/0xda0
  The buggy address belongs to the object at ffff88813b6d4000 which belongs to the cache kmalloc-4k of size 4096
  The buggy address is located 0 bytes to the right of allocated 3072-byte region [ffff88813b6d4000,ffff88813b6d4c00)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43197
CVE-2026-43198 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
tcp: fix potential race in tcp_v6_syn_recv_sock()
Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late.
After tcp_v4_syn_recv_sock(), the child socket is already visible from TCP ehash table and other cpus might use it.
Since newinet->pinet6 is still pointing to the listener ipv6_pinfo bad things can happen as syzbot found.
Move the problematic code in tcp_v6_mapped_child_init() and call this new helper from tcp_v4_syn_recv_sock() before the ehash insertion.
This allows the removal of one tcp_sync_mss(), since tcp_v4_syn_recv_sock() will call it with the correct context.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43198
CVE-2026-43199 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix "scheduling while atomic" in IPsec MAC address query
Fix a "scheduling while atomic" bug in mlx5e_ipsec_init_macs() by replacing mlx5_query_mac_address() with ether_addr_copy() to get the local MAC address directly from netdev->dev_addr.
The issue occurs because mlx5_query_mac_address() queries the hardware which involves mlx5_cmd_exec() that can sleep, but it is called from the mlx5e_ipsec_handle_event workqueue which runs in atomic context.
The MAC address is already available in netdev->dev_addr, so no need to query hardware. This avoids the sleeping call and resolves the bug.
Call trace:
  BUG: scheduling while atomic: kworker/u112:2/69344/0x00000200
  __schedule+0x7ab/0xa20
  schedule+0x1c/0xb0
  schedule_timeout+0x6e/0xf0
  __wait_for_common+0x91/0x1b0
  cmd_exec+0xa85/0xff0 [mlx5_core]
  mlx5_cmd_exec+0x1f/0x50 [mlx5_core]
  mlx5_query_nic_vport_mac_address+0x7b/0xd0 [mlx5_core]
  mlx5_query_mac_address+0x19/0x30 [mlx5_core]
  mlx5e_ipsec_init_macs+0xc1/0x720 [mlx5_core]
  mlx5e_ipsec_build_accel_xfrm_attrs+0x422/0x670 [mlx5_core]
  mlx5e_ipsec_handle_event+0x2b9/0x460 [mlx5_core]
  process_one_work+0x178/0x2e0
  worker_thread+0x2ea/0x430
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43199
CVE-2026-43200 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
PCI: endpoint: Fix swapped parameters in pci_{primary/secondary}_epc_epf_unlink() functions
struct configfs_item_operations callbacks are defined like the following:
  int (*allow_link)(struct config_item *src, struct config_item *target);
  void (*drop_link)(struct config_item *src, struct config_item *target);
While pci_primary_epc_epf_link() and pci_secondary_epc_epf_link() specify the parameters in the correct order, pci_primary_epc_epf_unlink() and pci_secondary_epc_epf_unlink() specify the parameters in the wrong order, leading to the below kernel crash when using the unlink command in configfs:
  Unable to handle kernel paging request at virtual address 0000000300000857
  Mem abort info:
  ...
  pc : string+0x54/0x14c
  lr : vsnprintf+0x280/0x6e8
  ...
  string+0x54/0x14c
  vsnprintf+0x280/0x6e8
  vprintk_default+0x38/0x4c
  vprintk+0xc4/0xe0
  pci_epf_unbind+0xdc/0x108
  configfs_unlink+0xe0/0x208+0x44/0x74
  vfs_unlink+0x120/0x29c
  __arm64_sys_unlinkat+0x3c/0x90
  invoke_syscall+0x48/0x134
  do_el0_svc+0x1c/0x30prop.0+0xd0/0xf0
[mani: cced stable, changed commit message as per https://lore.kernel.org/linux-pci/aV9joi3jF1R6ca02@ryzen]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43200
CVE-2026-43201 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
APEI/GHES: ARM processor Error: don't go past allocated memory
If the BIOS generates a very small ARM Processor Error, or an incomplete one, the current logic will fail to dereference err->section_length and ctx_info->size
Add checks to avoid that. With such changes, such GHESv2 records won't cause OOPSes like this:
[ 1.492129] Internal error: Oops: 0000000096000005 [#1] SMP
[ 1.495449] Modules linked in:
[ 1.495820] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.18.0-rc1-00017-gabadcc3553dd-dirty #18 PREEMPT
[ 1.496125] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022
[ 1.496433] Workqueue: kacpi_notify acpi_os_execute_deferred
[ 1.496967] pstate: 814000c5 (Nzcv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 1.497199] pc : log_arm_hw_error+0x5c/0x200
[ 1.497380] lr : ghes_handle_arm_hw_error+0x94/0x220
0xffff8000811c5324 is in log_arm_hw_error (../drivers/ras/ras.c:75).
70   err_info = (struct cper_arm_err_info *)(err + 1);
71   ctx_info = (struct cper_arm_ctx_info *)(err_info + err->err_info_num);
72   ctx_err = (u8 *)ctx_info;
73
74   for (n = 0; n < err->context_info_num; n++) {
75     sz = sizeof(struct cper_arm_ctx_info) + ctx_info->size;
76     ctx_info = (struct cper_arm_ctx_info *)((long)ctx_info + sz);
77     ctx_len += sz;
78   }
79
and similar ones while trying to access section_length on an error dump with too small size.
[ rjw: Subject tweaks ]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43201
CVE-2026-43202 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
fbdev: vt8500lcdfb: fix missing dma_free_coherent()
fbi->fb.screen_buffer is allocated with dma_alloc_coherent() but is not freed if the error path is reached.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43202
CVE-2026-43203 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
atm: fore200e: fix use-after-free in tasklets during device removal
When the PCA-200E or SBA-200E adapter is being detached, the fore200e is deallocated. However, the tx_tasklet or rx_tasklet may still be running or pending, leading to use-after-free bug when the already freed fore200e is accessed again in fore200e_tx_tasklet() or fore200e_rx_tasklet().
One of the race conditions can occur as follows:
CPU 0 (cleanup)           | CPU 1 (tasklet)
fore200e_pca_remove_one() | fore200e_interrupt()
  fore200e_shutdown()     |   tasklet_schedule()
    kfree(fore200e)       | fore200e_tx_tasklet()
                          |   fore200e-> // UAF
Fix this by ensuring tx_tasklet or rx_tasklet is properly canceled before the fore200e is released. Add tasklet_kill() in fore200e_shutdown() to synchronize with any pending or running tasklets. Moreover, since fore200e_reset() could prevent further interrupts or data transfers, the tasklet_kill() should be placed after fore200e_reset() to prevent the tasklet from being rescheduled in fore200e_interrupt(). Finally, it only needs to do tasklet_kill() when the fore200e state is greater than or equal to FORE200E_STATE_IRQ, since tasklets are uninitialized in earlier states. In a word, the tasklet_kill() should be placed in the FORE200E_STATE_IRQ branch within the switch...case structure.
This bug was identified through static analysis.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43203
CVE-2026-43204 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ASoC: qcom: q6asm: drop DSP responses for closed data streams
'Commit a354f030dbce ("ASoC: qcom: q6asm: handle the responses after closing")' attempted to ignore DSP responses arriving after a stream had been closed.
However, those responses were still handled, causing lockups.
Fix this by unconditionally dropping all DSP responses associated with closed data streams.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43204
CVE-2026-43205 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
dpaa2-switch: validate num_ifs to prevent out-of-bounds write
The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds.
Add a bound check for num_ifs in dpaa2_switch_init().
dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry.
The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken.
build_if_id_bitmap() silently drops any ID >= 64:
  if (id[i] < DPSW_MAX_IF)
      bmap[id[i] / 64] |= ...
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43205
CVE-2026-43206 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()
The kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8 bytes via memset without checking the buffer size parameter. This allows unprivileged userspace to trigger an out-of bounds kernel memory write by passing a small buffer, leading to potential privilege escalation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43206
CVE-2026-43207 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: mtk-mdp: Fix error handling in probe function
Add mtk_mdp_unregister_m2m_device() on the error handling path to prevent resource leak.
Add check for the return value of vpu_get_plat_device() to prevent null pointer dereference. And vpu_get_plat_device() increases the reference count of the returned platform device. Add platform_device_put() to prevent reference leak.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43207
CVE-2026-43208 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: do not pass flow_id to set_rps_cpu()
Blamed commit made the assumption that the RPS table for each receive queue would have the same size, and that it would not change.
Compute flow_id in set_rps_cpu(), do not assume we can use the value computed by get_rps_cpu(). Otherwise we risk out-of-bound access and/or crashes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43208
CVE-2026-43209 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
minix: Add required sanity checking to minix_check_superblock()
The fs/minix implementation of the minix filesystem does not currently support any other value for s_log_zone_size than 0. This is also the only value supported in util-linux; see mkfs.minix.c line 511. In addition, this patch adds some sanity checking for the other minix superblock fields, and moves the minix_blocks_needed() checks for the zmap and imap also to minix_check_super_block().
This also closes a related syzbot bug report.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43209
CVE-2026-43210 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
tracing: ring-buffer: Fix to check event length before using
Check the event length before adding it for accessing next index in rb_read_data_buffer(). Since this function is used for validating possibly broken ring buffers, the length of the event could be broken. In that case, the new event (e + len) can point a wrong address. To avoid invalid memory access at boot, check whether the length of each event is in the possible range before using it.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43210
CVE-2026-43211 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
PCI: Fix pci_slot_trylock() error handling
Commit a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()") delegates the bridge device's pci_dev_trylock() to pci_bus_trylock() in pci_slot_trylock(), but it forgets to remove the corresponding pci_dev_unlock() when pci_bus_trylock() fails.
Before a4e772898f8b, the code did:
  if (!pci_dev_trylock(dev)) /* <- lock bridge device */
      goto unlock;
  if (dev->subordinate) {
      if (!pci_bus_trylock(dev->subordinate)) {
          pci_dev_unlock(dev); /* <- unlock bridge device */
          goto unlock;
      }
  }
After a4e772898f8b the bridge-device lock is no longer taken, but the pci_dev_unlock(dev) on the failure path was left in place, leading to the bug.
This yields one of two errors:
 1. A warning that the lock is being unlocked when no one holds it.
 2. An incorrect unlock of a lock that belongs to another thread.
Fix it by removing the now-redundant pci_dev_unlock(dev) on the failure path.
[Same patch later posted by Keith at https://patch.msgid.link/20260116184150.3013258-1-kbusch@meta.com]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43211
CVE-2026-43212 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
LoongArch: Make cpumask_of_node() robust against NUMA_NO_NODE
The arch definition of cpumask_of_node() cannot handle NUMA_NO_NODE - which is a valid index - so add a check for this.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43212
CVE-2026-43213 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: pci: validate sequence number of TX release report
Hardware rarely reports abnormal sequence number in TX release report, which will access out-of-bounds of wd_ring->pages array, causing NULL pointer dereference.
  BUG: kernel NULL pointer dereference, address: 0000000000000000
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 1 PID: 1085 Comm: irq/129-rtw89_p Tainted: G S U 6.1.145-17510-g2f3369c91536 #1 (HASH:69e8 1)
  Call Trace:
   <IRQ>
   rtw89_pci_release_tx+0x18f/0x300 [rtw89_pci (HASH:4c83 2)]
   rtw89_pci_napi_poll+0xc2/0x190 [rtw89_pci (HASH:4c83 2)]
   net_rx_action+0xfc/0x460 net/core/dev.c:6578 net/core/dev.c:6645 net/core/dev.c:6759
   handle_softirqs+0xbe/0x290 kernel/softirq.c:601
   ? rtw89_pci_interrupt_threadfn+0xc5/0x350 [rtw89_pci (HASH:4c83 2)]
   __local_bh_enable_ip+0xeb/0x120 kernel/softirq.c:499 kernel/softirq.c:423
   </IRQ>
   <TASK>
   rtw89_pci_interrupt_threadfn+0xf8/0x350 [rtw89_pci (HASH:4c83 2)]
   ? irq_thread+0xa7/0x340 kernel/irq/manage.c:0
   irq_thread+0x177/0x340 kernel/irq/manage.c:1205 kernel/irq/manage.c:1314
   ? thaw_kernel_threads+0xb0/0xb0 kernel/irq/manage.c:1202
   ? irq_forced_thread_fn+0x80/0x80 kernel/irq/manage.c:1220
   kthread+0xea/0x110 kernel/kthread.c:376
   ? synchronize_irq+0x1a0/0x1a0 kernel/irq/manage.c:1287
   ? kthread_associate_blkcg+0x80/0x80 kernel/kthread.c:331
   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
   </TASK>
To prevent crash, validate rpp_info.seq before using.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43213
CVE-2026-43214 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2()
Add SRCU read-side protection when reading PDPTR registers in __get_sregs2().
Reading PDPTRs may trigger access to guest memory:
kvm_pdptr_read() -> svm_cache_reg() -> load_pdptrs() -> kvm_vcpu_read_guest_page() -> kvm_vcpu_gfn_to_memslot()
kvm_vcpu_gfn_to_memslot() dereferences memslots via __kvm_memslots(), which uses srcu_dereference_check() and requires either kvm->srcu or kvm->slots_lock to be held. Currently only vcpu->mutex is held, triggering lockdep warning:
=============================
WARNING: suspicious RCU usage in kvm_vcpu_gfn_to_memslot
6.12.59+ #3 Not tainted
include/linux/kvm_host.h:1062 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz.5.1717/15100:
 #0: ff1100002f4b00b0 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x1d5/0x1590
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xf0/0x120 lib/dump_stack.c:120
 lockdep_rcu_suspicious+0x1e3/0x270 kernel/locking/lockdep.c:6824
 __kvm_memslots include/linux/kvm_host.h:1062 [inline]
 __kvm_memslots include/linux/kvm_host.h:1059 [inline]
 kvm_vcpu_memslots include/linux/kvm_host.h:1076 [inline]
 kvm_vcpu_gfn_to_memslot+0x518/0x5e0 virt/kvm/kvm_main.c:2617
 kvm_vcpu_read_guest_page+0x27/0x50 virt/kvm/kvm_main.c:3302
 load_pdptrs+0xff/0x4b0 arch/x86/kvm/x86.c:1065
 svm_cache_reg+0x1c9/0x230 arch/x86/kvm/svm/svm.c:1688
 kvm_pdptr_read arch/x86/kvm/kvm_cache_regs.h:141 [inline]
 __get_sregs2 arch/x86/kvm/x86.c:11784 [inline]
 kvm_arch_vcpu_ioctl+0x3e20/0x4aa0 arch/x86/kvm/x86.c:6279
 kvm_vcpu_ioctl+0x856/0x1590 virt/kvm/kvm_main.c:4663
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl fs/ioctl.c:893 [inline]
 __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xbd/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43214
CVE-2026-43215 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix locking usage for tcon fields
We used to use the cifs_tcp_ses_lock to protect a lot of objects that are not just the server, ses or tcon lists. We later introduced srv_lock, ses_lock and tc_lock to protect fields within the corresponding structs. This was done to provide a more granular protection and avoid unnecessary serialization.
There were still a couple of uses of cifs_tcp_ses_lock to provide tcon fields. In this patch, I've replaced them with tc_lock.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43215
CVE-2026-43216 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: Drop the lock in skb_may_tx_timestamp()
skb_may_tx_timestamp() may acquire sock::sk_callback_lock. The lock must not be taken in IRQ context, only softirq is okay. A few drivers receive the timestamp via a dedicated interrupt and complete the TX timestamp from that handler. This will lead to a deadlock if the lock is already write-locked on the same CPU.
Taking the lock can be avoided. The socket (pointed by the skb) will remain valid until the skb is released. The ->sk_socket and ->file member will be set to NULL once the user closes the socket which may happen before the timestamp arrives.
If we happen to observe the pointer while the socket is closing but before the pointer is set to NULL then we may use it because both pointer (and the file's cred member) are RCU freed.
Drop the lock. Use READ_ONCE() to obtain the individual pointer. Add a matching WRITE_ONCE() where the pointer are cleared.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43216
CVE-2026-43217 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: iris: gen2: Add sanity check for session stop
In iris_kill_session, inst->state is set to IRIS_INST_ERROR and session_close is executed, which will kfree(inst_hfi_gen2->packet). If stop_streaming is called afterward, it will cause a crash.
Add a NULL check for inst_hfi_gen2->packet before sending STOP packet to firmware to fix that.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43217
CVE-2026-43218 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: i2c/tw9903: Fix potential memory leak in tw9903_probe()
In one of the error paths in tw9903_probe(), the memory allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() is not freed. Fix that by calling v4l2_ctrl_handler_free() on the handler in that error path.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43218
CVE-2026-43219 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: cpsw_new: Fix potential unregister of netdev that has not been registered yet
If an error occurs during register_netdev() for the first MAC in cpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL, cpsw->slaves[1].ndev would remain unchanged. This could later cause cpsw_unregister_ports() to attempt unregistering the second MAC.
To address this, add a check for ndev->reg_state before calling unregister_netdev(). With this change, setting cpsw->slaves[i].ndev to NULL becomes unnecessary and can be removed accordingly.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43219
CVE-2026-43220 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
iommu/amd: serialize sequence allocation under concurrent TLB invalidations
With concurrent TLB invalidations, completion wait randomly gets timed out because cmd_sem_val was incremented outside the IOMMU spinlock, allowing CMD_COMPL_WAIT commands to be queued out of sequence and breaking the ordering assumption in wait_on_sem().
Move the cmd_sem_val increment under iommu->lock so completion sequence allocation is serialized with command queuing.
And remove the unnecessary return.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43220
CVE-2026-43221 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ipmi: ipmb: initialise event handler read bytes
IPMB doesn't use i2c reads, but the handler needs to set a value. Otherwise an i2c read will return an uninitialised value from the bus driver.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43221
CVE-2026-43222 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: verisilicon: AV1: Fix tile info buffer size
Each tile info is composed of: row_sb, col_sb, start_pos and end_pos (4 bytes each). So the total required memory is AV1_MAX_TILES * 16 bytes.
Use the correct #define to allocate the buffer and avoid writing tile info in non-allocated memory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43222
CVE-2026-43223 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: pvrusb2: fix URB leak in pvr2_send_request_ex
When pvr2_send_request_ex() submits a write URB successfully but fails to submit the read URB (e.g. returns -ENOMEM), it returns immediately without waiting for the write URB to complete. Since the driver reuses the same URB structure, a subsequent call to pvr2_send_request_ex() attempts to submit the still-active write URB, triggering a 'URB submitted while active' warning in usb_submit_urb().
Fix this by ensuring the write URB is unlinked and waited upon if the read URB submission fails.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43223
CVE-2026-43224 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
io_uring/zcrx: fix sgtable leak on mapping failures
In an unlikely case when io_populate_area_dma() fails, which could only happen on a PAGE_POOL_32BIT_ARCH_WITH_64BIT_DMA machine, io_zcrx_map_area() will have an initialised and not freed table. It was supposed to be cleaned up in the error path, but !is_mapped prevents that.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43224
CVE-2026-43225 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix memory leak on failure path
cfg80211_inform_bss_frame() may return NULL on failure. In that case, the allocated buffer 'buf' is not freed and the function returns early, leading to potential memory leak.
Fix this by ensuring that 'buf' is freed on both success and failure paths.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43225
CVE-2026-43226 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/rds: No shortcut out of RDS_CONN_ERROR
RDS connections carry a state "rds_conn_path::cp_state" and transitions from one state to another and are conditional upon an expected state: "rds_conn_path_transition."
There is one exception to this conditionality, which is "RDS_CONN_ERROR" that can be enforced by "rds_conn_path_drop" regardless of what state the condition is currently in.
But as soon as a connection enters state "RDS_CONN_ERROR", the connection handling code expects it to go through the shutdown-path.
The RDS/TCP multipath changes added a shortcut out of "RDS_CONN_ERROR" straight back to "RDS_CONN_CONNECTING" via "rds_tcp_accept_one_path" (e.g. after "rds_tcp_state_change").
A subsequent "rds_tcp_reset_callbacks" can then transition the state to "RDS_CONN_RESETTING" with a shutdown-worker queued.
That'll trip up "rds_conn_init_shutdown", which was never adjusted to handle "RDS_CONN_RESETTING" and subsequently drops the connection with the dreaded "DR_INV_CONN_STATE", which leaves "RDS_SHUTDOWN_WORK_QUEUED" on forever.
So we do two things here:
a) Don't shortcut "RDS_CONN_ERROR", but take the longer path through the shutdown code.
b) Add "RDS_CONN_RESETTING" to the expected states in "rds_conn_init_shutdown" so that we won't error out and get stuck, if we ever hit weird state transitions like this again."
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43226
CVE-2026-43227 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
clocksource/drivers/sh_tmu: Always leave device running after probe
The TMU device can be used as both a clocksource and a clockevent provider. The driver tries to be smart and power itself on and off, as well as enabling and disabling its clock when it's not in operation. This behavior is slightly altered if the TMU is used as an early platform device in which case the device is left powered on after probe, but the clock is still enabled and disabled at runtime.
This has worked for a long time, but recent improvements in PREEMPT_RT and PROVE_LOCKING have highlighted an issue. As the TMU registers itself as a clockevent provider, clockevents_register_device(), it needs to use raw spinlocks internally as this is the context of which the clockevent framework interacts with the TMU driver. However in the context of holding a raw spinlock the TMU driver can't really manage its power state or clock with calls to pm_runtime_*() and clk_*() as these calls end up in other platform drivers using regular spinlocks to control power and clocks.
This mix of spinlock contexts trips a lockdep warning.
  =============================
  [ BUG: Invalid wait context ]
  6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 Not tainted
  -----------------------------
  swapper/0/0 is trying to lock:
  ffff000008c9e180 (&dev->power.lock){-...}-{3:3}, at: __pm_runtime_resume+0x38/0x88
  other info that might help us debug this:
  context-{5:5}
  1 lock held by swapper/0/0:
  ccree e6601000.crypto: ARM CryptoCell 630P Driver: HW version 0xAF400001/0xDCC63000, Driver version 5.0
   #0: ffff8000817ec298
  ccree e6601000.crypto: ARM ccree device initialized
   (tick_broadcast_lock){-...}-{2:2}, at: __tick_broadcast_oneshot_control+0xa4/0x3a8
  stack backtrace:
  CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 PREEMPT
  Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)
  Call trace:
   show_stack+0x14/0x1c (C)
   dump_stack_lvl+0x6c/0x90
   dump_stack+0x14/0x1c
   __lock_acquire+0x904/0x1584
   lock_acquire+0x220/0x34c
   _raw_spin_lock_irqsave+0x58/0x80
   __pm_runtime_resume+0x38/0x88
   sh_tmu_clock_event_set_oneshot+0x84/0xd4
   clockevents_switch_state+0xfc/0x13c
   tick_broadcast_set_event+0x30/0xa4
   __tick_broadcast_oneshot_control+0x1e0/0x3a8
   tick_broadcast_oneshot_control+0x30/0x40
   cpuidle_enter_state+0x40c/0x680
   cpuidle_enter+0x30/0x40
   do_idle+0x1f4/0x280
   cpu_startup_entry+0x34/0x40
   kernel_init+0x0/0x130
   do_one_initcall+0x0/0x230
   __primary_switched+0x88/0x90
For non-PREEMPT_RT builds this is not really an issue, but for PREEMPT_RT builds where normal spinlocks can sleep this might be an issue. Be cautious and always leave the power and clock running after probe.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43227
CVE-2026-43228 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

hfs: Replace BUG_ON with error handling for CNID count checks

In a06ec283e125 next_id, folder_count, and file_count in the super block info were expanded to 64 bits, and BUG_ONs were added to detect overflow. This triggered an error reported by syzbot: if the MDB is corrupted, the BUG_ON is triggered. This patch replaces this mechanism with proper error handling and resolves the syzbot reported bug.

Signed-off-by: Jori Koolstra <jkoolstra@xs4all.nl>
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43228
CVE-2026-43229 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

media: chips-media: wave5: Fix device cleanup order to prevent kernel panic

Move video device unregistration to the beginning of the remove function to ensure all video operations are stopped before cleaning up the worker thread and disabling PM runtime. This prevents hardware register access after the device has been powered down.

In polling mode, the hrtimer periodically triggers wave5_vpu_timer_callback() which queues work to the kthread worker. The worker executes wave5_vpu_irq_work_fn() which reads hardware registers via wave5_vdi_read_register().

The original cleanup order disabled PM runtime and powered down hardware before unregistering video devices. When autosuspend triggers and powers off the hardware, the video devices are still registered and the worker thread can still be triggered by the hrtimer, causing it to attempt reading registers from powered-off hardware. This results in a bus error (synchronous external abort) and kernel panic.

This causes random kernel panics during encoding operations:

    Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP
    Modules linked in: wave5 rpmsg_ctrl rpmsg_char ...
    CPU: 0 UID: 0 PID: 1520 Comm: vpu_irq_thread Tainted: G M W
    pc : wave5_vdi_read_register+0x10/0x38 [wave5]
    lr : wave5_vpu_irq_work_fn+0x28/0x60 [wave5]
    Call trace:
     wave5_vdi_read_register+0x10/0x38 [wave5]
     kthread_worker_fn+0xd8/0x238
     kthread+0x104/0x120
     ret_from_fork+0x10/0x20
    Code: aa1e03e9 d503201f f9416800 8b214000 (b9400000)
    ---[ end trace 0000000000000000 ]---
    Kernel panic - not syncing: synchronous external abort: Fatal exception
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43229
CVE-2026-43230 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

net/rds: Clear reconnect pending bit

When canceling the reconnect worker, care must be taken to reset the reconnect-pending bit. If the reconnect worker has not yet been scheduled before it is canceled, the reconnect-pending bit will stay on forever.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43230
CVE-2026-43231 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

media: radio-keene: fix memory leak in error path

Fix a memory leak in usb_keene_probe(). The v4l2 control handler is initialized and controls are added, but if v4l2_device_register() or video_register_device() fails afterward, the handler was never freed, leaking memory.

Add v4l2_ctrl_handler_free() call in the err_v4l2 error path to ensure the control handler is properly freed for all error paths after it is initialized.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43231
CVE-2026-43232 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets

When the FarSync T-series card is being detached, the fst_card_info is deallocated in fst_remove_one(). However, the fst_tx_task or fst_int_task may still be running or pending, leading to use-after-free bugs when the already freed fst_card_info is accessed in fst_process_tx_work_q() or fst_process_int_work_q().

A typical race condition is depicted below:

    CPU 0 (cleanup)           | CPU 1 (tasklet)
                              | fst_start_xmit()
    fst_remove_one()          |   tasklet_schedule()
      unregister_hdlc_device()|
                              | fst_process_tx_work_q() //handler
      kfree(card) //free      |   do_bottom_half_tx()
                              |     card-> //use

The following KASAN trace was captured:

    ==================================================================
    BUG: KASAN: slab-use-after-free in do_bottom_half_tx+0xb88/0xd00
    Read of size 4 at addr ffff88800aad101c by task ksoftirqd/3/32
    ...
    Call Trace:
     <IRQ>
     dump_stack_lvl+0x55/0x70
     print_report+0xcb/0x5d0
     ? do_bottom_half_tx+0xb88/0xd00
     kasan_report+0xb8/0xf0
     ? do_bottom_half_tx+0xb88/0xd00
     do_bottom_half_tx+0xb88/0xd00
     ? _raw_spin_lock_irqsave+0x85/0xe0
     ? __pfx__raw_spin_lock_irqsave+0x10/0x10
     ? __pfx___hrtimer_run_queues+0x10/0x10
     fst_process_tx_work_q+0x67/0x90
     tasklet_action_common+0x1fa/0x720
     ? hrtimer_interrupt+0x31f/0x780
     handle_softirqs+0x176/0x530
     __irq_exit_rcu+0xab/0xe0
     sysvec_apic_timer_interrupt+0x70/0x80
    ...

    Allocated by task 41 on cpu 3 at 72.330843s:
     kasan_save_stack+0x24/0x50
     kasan_save_track+0x17/0x60
     __kasan_kmalloc+0x7f/0x90
     fst_add_one+0x1a5/0x1cd0
     local_pci_probe+0xdd/0x190
     pci_device_probe+0x341/0x480
     really_probe+0x1c6/0x6a0
     __driver_probe_device+0x248/0x310
     driver_probe_device+0x48/0x210
     __device_attach_driver+0x160/0x320
     bus_for_each_drv+0x101/0x190
     __device_attach+0x198/0x3a0
     device_initial_probe+0x78/0xa0
     pci_bus_add_device+0x81/0xc0
     pci_bus_add_devices+0x7e/0x190
     enable_slot+0x9b9/0x1130
     acpiphp_check_bridge.part.0+0x2e1/0x460
     acpiphp_hotplug_notify+0x36c/0x3c0
     acpi_device_hotplug+0x203/0xb10
     acpi_hotplug_work_fn+0x59/0x80
    ...

    Freed by task 41 on cpu 1 at 75.138639s:
     kasan_save_stack+0x24/0x50
     kasan_save_track+0x17/0x60
     kasan_save_free_info+0x3b/0x60
     __kasan_slab_free+0x43/0x70
     kfree+0x135/0x410
     fst_remove_one+0x2ca/0x540
     pci_device_remove+0xa6/0x1d0
     device_release_driver_internal+0x364/0x530
     pci_stop_bus_device+0x105/0x150
     pci_stop_and_remove_bus_device+0xd/0x20
     disable_slot+0x116/0x260
     acpiphp_disable_and_eject_slot+0x4b/0x190
     acpiphp_hotplug_notify+0x230/0x3c0
     acpi_device_hotplug+0x203/0xb10
     acpi_hotplug_work_fn+0x59/0x80
    ...

    The buggy address belongs to the object at ffff88800aad1000
     which belongs to the cache kmalloc-1k of size 1024
    The buggy address is located 28 bytes inside of
     freed 1024-byte region
    The buggy address belongs to the physical page:
    page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaad0
    head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
    flags: 0x100000000000040(head|node=0|zone=1)
    page_type: f5(slab)
    raw: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000
    raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
    head: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000
    head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
    head: 0100000000000003 ffffea00002ab401 00000000ffffffff 00000000ffffffff
    head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff88800aad0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff88800aad0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    >ffff88800aad1000: fa fb
---truncated---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43232
CVE-2026-43233 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: fix OOB read in decode_choice()

In decode_choice(), the boundary check before get_len() uses the variable `len`, which is still 0 from its initialization at the top of the function:

    unsigned int type, ext, len = 0;
    ...
    if (ext || (son->attr & OPEN)) {
        BYTE_ALIGN(bs);
        if (nf_h323_error_boundary(bs, len, 0)) /* len is 0 here */
            return H323_ERROR_BOUND;
        len = get_len(bs); /* OOB read */

When the bitstream is exactly consumed (bs->cur == bs->end), the check nf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end), which is false. The subsequent get_len() call then dereferences *bs->cur++, reading 1 byte past the end of the buffer. If that byte has bit 7 set, get_len() reads a second byte as well.

This can be triggered remotely by sending a crafted Q.931 SETUP message with a User-User Information Element containing exactly 2 bytes of PER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with the nf_conntrack_h323 helper active. The decoder fully consumes the PER buffer before reaching this code path, resulting in a 1-2 byte heap-buffer-overflow read confirmed by AddressSanitizer.

Fix this by checking for 2 bytes (the maximum that get_len() may read) instead of the uninitialized `len`. This matches the pattern used at every other get_len() call site in the same file, where the caller checks for 2 bytes of available data before calling get_len().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43233
CVE-2026-43234 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

team: avoid NETDEV_CHANGEMTU event when unregistering slave

syzbot is reporting

    unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3
    ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at
         __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]
         netdev_hold include/linux/netdevice.h:4429 [inline]
         inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286
         inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600
         notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
         call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline]
         netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886
         netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907
         dev_set_mtu+0x126/0x260 net/core/dev_api.c:248
         team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333
         team_del_slave drivers/net/team/team_core.c:1936 [inline]
         team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929
         notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
         call_netdevice_notifiers_extack net/core/dev.c:2281 [inline]
         call_netdevice_notifiers net/core/dev.c:2295 [inline]
         __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592
         do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060
         rtnl_changelink net/core/rtnetlink.c:3776 [inline]
         __rtnl_newlink net/core/rtnetlink.c:3935 [inline]
         rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072
         rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958
         netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550
         netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
         netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344
         netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894

problem. Ido Schimmel found steps to reproduce

    ip link add name team1 type team
    ip link add name dummy1 mtu 1499 master team1 type dummy
    ip netns add ns1
    ip link set dev dummy1 netns ns1
    ip -n ns1 link del dev dummy1

and also found that the same issue was fixed in the bond driver in commit f51048c3e07b ("bonding: avoid NETDEV_CHANGEMTU event when unregistering slave").

Let's do similar thing for the team driver, with commit ad7c7b2172c3 ("net: hold netdev instance lock during sysfs operations") and commit 303a8487a657 ("net: s/__dev_set_mtu/__netif_set_mtu/") also applied.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43234
CVE-2026-43235 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

media: iris: Add missing platform data entries for SM8750

Two platform-data fields for SM8750 were missed:

  - get_vpu_buffer_size = iris_vpu33_buf_size
    Without this, the driver fails to allocate the required internal buffers, leading to basic decode/encode failures during session bring-up.

  - max_core_mbps = ((7680 * 4320) / 256) * 60
    Without this capability exposed, capability checks are incomplete and v4l2-compliance for encoder fails.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43235
CVE-2026-43236 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release

The atmel_hlcdc_plane_atomic_duplicate_state() callback was copying the atmel_hlcdc_plane state structure without properly duplicating the drm_plane_state. In particular, state->commit remained set to the old state commit, which can lead to a use-after-free in the next drm_atomic_commit() call.

Fix this by calling __drm_atomic_helper_duplicate_plane_state(), which correctly clones the base drm_plane_state (including the ->commit pointer).

It has been seen when closing and re-opening the device node while another DRM client (e.g. fbdev) is still attached:

    =============================================================================
    BUG kmalloc-64 (Not tainted): Poison overwritten
    -----------------------------------------------------------------------------

    0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b
    FIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b
    Allocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0 pid=29
     drm_atomic_helper_setup_commit+0x1e8/0x7bc
     drm_atomic_helper_commit+0x3c/0x15c
     drm_atomic_commit+0xc0/0xf4
     drm_framebuffer_remove+0x4cc/0x5a8
     drm_mode_rmfb_work_fn+0x6c/0x80
     process_one_work+0x12c/0x2cc
     worker_thread+0x2a8/0x400
     kthread+0xc0/0xdc
     ret_from_fork+0x14/0x28
    Freed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0 pid=169
     drm_atomic_helper_commit_hw_done+0x100/0x150
     drm_atomic_helper_commit_tail+0x64/0x8c
     commit_tail+0x168/0x18c
     drm_atomic_helper_commit+0x138/0x15c
     drm_atomic_commit+0xc0/0xf4
     drm_atomic_helper_set_config+0x84/0xb8
     drm_mode_setcrtc+0x32c/0x810
     drm_ioctl+0x20c/0x488
     sys_ioctl+0x14c/0xc20
     ret_fast_syscall+0x0/0x54
    Slab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0 flags=0x200(workingset|zone=0)
    Object 0xc611b340 @offset=832 fp=0xc611b7c0
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43236
CVE-2026-43237 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4

This commit simplifies the amdgpu_gem_va_ioctl function, key updates include:

 - Moved the logic for managing the last update fence directly into amdgpu_gem_va_update_vm.
 - Introduced checks for the timeline point to enable conditional replacement or addition of fences.

v2: Addressed review comments from Christian.
v3: Updated comments (Christian).
v4: The previous version selected the fence too early and did not manage its reference correctly, which could lead to stale or freed fences being used. This resulted in refcount underflows and could crash when updating GPU timelines. The fence is now chosen only after the VA mapping work is completed, and its reference is taken safely. After exporting it to the VM timeline syncobj, the driver always drops its local fence reference, ensuring balanced refcounting and avoiding use-after-free on dma_fence.

Crash signature:

    [ 205.828135] refcount_t: underflow; use-after-free.
    [ 205.832963] WARNING: CPU: 30 PID: 7274 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110
    ...
    [ 206.074014] Call Trace:
    [ 206.076488] <TASK>
    [ 206.078608] amdgpu_gem_va_ioctl+0x6ea/0x740 [amdgpu]
    [ 206.084040] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu]
    [ 206.089994] drm_ioctl_kernel+0x86/0xe0 [drm]
    [ 206.094415] drm_ioctl+0x26e/0x520 [drm]
    [ 206.098424] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu]
    [ 206.104402] amdgpu_drm_ioctl+0x4b/0x80 [amdgpu]
    [ 206.109387] __x64_sys_ioctl+0x96/0xe0
    [ 206.113156] do_syscall_64+0x66/0x2d0
    ...
    [ 206.553351] BUG: unable to handle page fault for address: ffffffffc0dfde90
    ...
    [ 206.553378] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0
    ...
    [ 206.553405] Call Trace:
    [ 206.553409] <IRQ>
    [ 206.553415] ? __pfx_drm_sched_fence_free_rcu+0x10/0x10 [gpu_sched]
    [ 206.553424] dma_fence_signal+0x30/0x60
    [ 206.553427] drm_sched_job_done.isra.0+0x123/0x150 [gpu_sched]
    [ 206.553434] dma_fence_signal_timestamp_locked+0x6e/0xe0
    [ 206.553437] dma_fence_signal+0x30/0x60
    [ 206.553441] amdgpu_fence_process+0xd8/0x150 [amdgpu]
    [ 206.553854] sdma_v4_0_process_trap_irq+0x97/0xb0 [amdgpu]
    [ 206.554353] edac_mce_amd(E) ee1004(E)
    [ 206.554270] amdgpu_irq_dispatch+0x150/0x230 [amdgpu]
    [ 206.554702] amdgpu_ih_process+0x6a/0x180 [amdgpu]
    [ 206.555101] amdgpu_irq_handler+0x23/0x60 [amdgpu]
    [ 206.555500] __handle_irq_event_percpu+0x4a/0x1c0
    [ 206.555506] handle_irq_event+0x38/0x80
    [ 206.555509] handle_edge_irq+0x92/0x1e0
    [ 206.555513] __common_interrupt+0x3e/0xb0
    [ 206.555519] common_interrupt+0x80/0xa0
    [ 206.555525] </IRQ>
    [ 206.555527] <TASK>
    ...
    [ 206.555650] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0
    ...
    [ 206.555667] Kernel panic - not syncing: Fatal exception in interrupt
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43237
CVE-2026-43238 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()

Commit 38a6f0865796 ("net: sched: support hash selecting tx queue") added SKBEDIT_F_TXQ_SKBHASH support. The inclusive range size is computed as:

    mapping_mod = queue_mapping_max - queue_mapping + 1;

The range size can be 65536 when the requested range covers all possible u16 queue IDs (e.g. queue_mapping=0 and queue_mapping_max=U16_MAX). That value cannot be represented in a u16 and previously wrapped to 0, so tcf_skbedit_hash() could trigger a divide-by-zero:

    queue_mapping += skb_get_hash(skb) % params->mapping_mod;

Compute mapping_mod in a wider type and reject ranges larger than U16_MAX to prevent params->mapping_mod from becoming 0 and avoid the crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43238
CVE-2026-43239 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

smb: client: prevent races in ->query_interfaces()

It was possible for two query interface works to be concurrently trying to update the interfaces.

Prevent this by checking and updating iface_last_update under iface_lock.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43239
CVE-2026-43240 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

x86/kexec: add a sanity check on previous kernel's ima kexec buffer

When the second-stage kernel is booted via kexec with a limiting command line such as "mem=<size>", the physical range that contains the carried over IMA measurement list may fall outside the truncated RAM leading to a kernel panic.

    BUG: unable to handle page fault for address: ffff97793ff47000
    RIP: ima_restore_measurement_list+0xdc/0x45a
    #PF: error_code(0x0000) – not-present page

Other architectures already validate the range with page_is_ram(), as done in commit cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer against memory bounds") do a similar check on x86.

Without carrying the measurement list across kexec, the attestation would fail.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43240
CVE-2026-43241 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

ntb: ntb_hw_switchtec: Fix array-index-out-of-bounds access

Number of MW LUTs depends on NTB configuration and can be set to MAX_MWS. This patch protects against invalid index out of bounds access to mw_sizes. When invalid access print message to user that configuration is not valid.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43241
CVE-2026-43242 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

soc: ti: k3-socinfo: Fix regmap leak on probe failure

The mmio regmap allocated during probe is never freed.

Switch to using the device managed allocator so that the regmap is released on probe failures (e.g. probe deferral) and on driver unbind.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43242
CVE-2026-43243 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add signal type check for dcn401 get_phyd32clk_src

Trying to access link enc on a dpia link will cause a crash otherwise
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43243
CVE-2026-43244 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

kcm: fix zero-frag skb in frag_list on partial sendmsg error

Syzkaller reported a warning in kcm_write_msgs() when processing a message with a zero-fragment skb in the frag_list.

When kcm_sendmsg() fills MAX_SKB_FRAGS fragments in the current skb, it allocates a new skb (tskb) and links it into the frag_list before copying data. If the copy subsequently fails (e.g. -EFAULT from user memory), tskb remains in the frag_list with zero fragments:

    head skb (msg being assembled, NOT yet in sk_write_queue)
    +-----------+
    | frags[17] |  (MAX_SKB_FRAGS, all filled with data)
    | frag_list-+--> tskb
    +-----------+    +----------+
                     | frags[0] |  (empty! copy failed before filling)
                     +----------+

For SOCK_SEQPACKET with partial data already copied, the error path saves this message via partial_message for later completion. For SOCK_SEQPACKET, sock_write_iter() automatically sets MSG_EOR, so a subsequent zero-length write(fd, NULL, 0) completes the message and queues it to sk_write_queue. kcm_write_msgs() then walks the frag_list and hits:

    WARN_ON(!skb_shinfo(skb)->nr_frags)

TCP has a similar pattern where skbs are enqueued before data copy and cleaned up on failure via tcp_remove_empty_skb(). KCM was missing the equivalent cleanup.

Fix this by tracking the predecessor skb (frag_prev) when allocating a new frag_list entry. On error, if the tail skb has zero frags, use frag_prev to unlink and free it in O(1) without walking the singly-linked frag_list. frag_prev is safe to dereference because the entire message chain is only held locally (or in kcm->seq_skb) and is not added to sk_write_queue until MSG_EOR, so the send path cannot free it underneath us.

Also change the WARN_ON to WARN_ON_ONCE to avoid flooding the log if the condition is somehow hit repeatedly.

There are currently no KCM selftests in the kernel tree; a simple reproducer is available at [1].

[1] https://gist.github.com/mrpre/a94d431c757e8d6f168f4dd1a3749daa
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43244
CVE-2026-43245 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

ntfs: ->d_compare() must not block

... so don't use __getname() there. Switch it (and ntfs_d_hash(), while we are at it) to kmalloc(PATH_MAX, GFP_NOWAIT). Yes, ntfs_d_hash() almost certainly can do with smaller allocations, but let ntfs folks deal with that - keep the allocation size as-is for now.

Stop abusing names_cachep in ntfs, period - various uses of that thing in there have nothing to do with pathnames; just use k[mz]alloc() and be done with that. For now let's keep sizes as-in, but AFAICS none of the users actually want PATH_MAX.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43245
CVE-2026-43246 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

media: i2c/tw9906: Fix potential memory leak in tw9906_probe()

In one of the error paths in tw9906_probe(), the memory allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() is not freed. Fix that by calling v4l2_ctrl_handler_free() on the handler in that error path.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43246
CVE-2026-43247 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

media: chips-media: wave5: Fix SError of kernel panic when closed

SError of kernel panic rarely happened while testing fluster. The root cause was to enter suspend mode because timeout of autosuspend delay happened.

    [ 48.834439] SError Interrupt on CPU0, code 0x00000000bf000000 -- SError
    [ 48.834455] CPU: 0 UID: 0 PID: 1067 Comm: v4l2h265dec0:sr Not tainted 6.12.9-gc9e21a1ebd75-dirty #7
    [ 48.834461] Hardware name: ti Texas Instruments J721S2 EVM/Texas Instruments J721S2 EVM, BIOS 2025.01-00345-gbaf3aaa8ecfa 01/01/2025
    [ 48.834464] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    [ 48.834468] pc : wave5_dec_clr_disp_flag+0x40/0x80 [wave5]
    [ 48.834488] lr : wave5_dec_clr_disp_flag+0x40/0x80 [wave5]
    [ 48.834495] sp : ffff8000856e3a30
    [ 48.834497] x29: ffff8000856e3a30 x28: ffff0008093f6010 x27: ffff000809158130
    [ 48.834504] x26: 0000000000000000 x25: ffff00080b625000 x24: ffff000804a9ba80
    [ 48.834509] x23: ffff000802343028 x22: ffff000809158150 x21: ffff000802218000
    [ 48.834513] x20: ffff0008093f6000 x19: ffff0008093f6000 x18: 0000000000000000
    [ 48.834518] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff74009618
    [ 48.834523] x14: 000000010000000c x13: 0000000000000000 x12: 0000000000000000
    [ 48.834527] x11: ffffffffffffffff x10: ffffffffffffffff x9 : ffff000802343028
    [ 48.834532] x8 : ffff00080b6252a0 x7 : 0000000000000038 x6 : 0000000000000000
    [ 48.834536] x5 : ffff00080b625060 x4 : 0000000000000000 x3 : 0000000000000000
    [ 48.834541] x2 : 0000000000000000 x1 : ffff800084bf0118 x0 : ffff800084bf0000
    [ 48.834547] Kernel panic - not syncing: Asynchronous SError Interrupt
    [ 48.834549] CPU: 0 UID: 0 PID: 1067 Comm: v4l2h265dec0:sr Not tainted 6.12.9-gc9e21a1ebd75-dirty #7
    [ 48.834554] Hardware name: ti Texas Instruments J721S2 EVM/Texas Instruments J721S2 EVM, BIOS 2025.01-00345-gbaf3aaa8ecfa 01/01/2025
    [ 48.834556] Call trace:
    [ 48.834559] dump_backtrace+0x94/0xec
    [ 48.834574] show_stack+0x18/0x24
    [ 48.834579] dump_stack_lvl+0x38/0x90
    [ 48.834585] dump_stack+0x18/0x24
    [ 48.834588] panic+0x35c/0x3e0
    [ 48.834592] nmi_panic+0x40/0x8c
    [ 48.834595] arm64_serror_panic+0x64/0x70
    [ 48.834598] do_serror+0x3c/0x78
    [ 48.834601] el1h_64_error_handler+0x34/0x4c
    [ 48.834605] el1h_64_error+0x64/0x68
    [ 48.834608] wave5_dec_clr_disp_flag+0x40/0x80 [wave5]
    [ 48.834615] wave5_vpu_dec_clr_disp_flag+0x54/0x80 [wave5]
    [ 48.834622] wave5_vpu_dec_buf_queue+0x19c/0x1a0 [wave5]
    [ 48.834628] __enqueue_in_driver+0x3c/0x74 [videobuf2_common]
    [ 48.834639] vb2_core_qbuf+0x508/0x61c [videobuf2_common]
    [ 48.834646] vb2_qbuf+0xa4/0x168 [videobuf2_v4l2]
    [ 48.834656] v4l2_m2m_qbuf+0x80/0x238 [v4l2_mem2mem]
    [ 48.834666] v4l2_m2m_ioctl_qbuf+0x18/0x24 [v4l2_mem2mem]
    [ 48.834673] v4l_qbuf+0x48/0x5c [videodev]
    [ 48.834704] __video_do_ioctl+0x180/0x3f0 [videodev]
    [ 48.834725] video_usercopy+0x2ec/0x68c [videodev]
    [ 48.834745] video_ioctl2+0x18/0x24 [videodev]
    [ 48.834766] v4l2_ioctl+0x40/0x60 [videodev]
    [ 48.834786] __arm64_sys_ioctl+0xa8/0xec
    [ 48.834793] invoke_syscall+0x44/0x100
    [ 48.834800] el0_svc_common.constprop.0+0xc0/0xe0
    [ 48.834804] do_el0_svc+0x1c/0x28
    [ 48.834809] el0_svc+0x30/0xd0
    [ 48.834813] el0t_64_sync_handler+0xc0/0xc4
    [ 48.834816] el0t_64_sync+0x190/0x194
    [ 48.834820] SMP: stopping secondary CPUs
    [ 48.834831] Kernel Offset: disabled
    [ 48.834833] CPU features: 0x08,00002002,80200000,4200421b
    [ 48.834837] Memory Limit: none
    [ 49.161404] ---[ end Kernel panic - not syncing: Asynchronous SError Interrupt ]---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43247
CVE-2026-43248 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

vhost: move vdpa group bound check to vhost_vdpa

Remove duplication by consolidating these here. This reduces the possibility of a parent driver missing them.

While we're at it, fix a bug in vdpa_sim where a valid ASID can be assigned to a group equal to ngroups, causing an out of bound write.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43248
CVE-2026-43249 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

9p/xen: protect xen_9pfs_front_free against concurrent calls

The xenwatch thread can race with other back-end change notifications and call xen_9pfs_front_free() twice, hitting the observed general protection fault due to a double-free. Guard the teardown path so only one caller can release the front-end state at a time, preventing the crash.

This is a fix for the following double-free:

    [ 27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
    [ 27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none)
    [ 27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150
    [ 27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 <48> 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42
    [ 27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246
    [ 27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000
    [ 27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000
    [ 27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000
    [ 27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68
    [ 27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040
    [ 27.052404] FS: 0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000
    [ 27.052408] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660
    [ 27.052418] Call Trace:
    [ 27.052420] <TASK>
    [ 27.052422] xen_9pfs_front_changed+0x5d5/0x720
    [ 27.052426] ? xenbus_otherend_changed+0x72/0x140
    [ 27.052430] ? __pfx_xenwatch_thread+0x10/0x10
    [ 27.052434] xenwatch_thread+0x94/0x1c0
    [ 27.052438] ? __pfx_autoremove_wake_function+0x10/0x10
    [ 27.052442] kthread+0xf8/0x240
    [ 27.052445] ? __pfx_kthread+0x10/0x10
    [ 27.052449] ? __pfx_kthread+0x10/0x10
    [ 27.052452] ret_from_fork+0x16b/0x1a0
    [ 27.052456] ? __pfx_kthread+0x10/0x10
    [ 27.052459] ret_from_fork_asm+0x1a/0x30
    [ 27.052463] </TASK>
    [ 27.052465] Modules linked in:
    [ 27.052471] ---[ end trace 0000000000000000 ]---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43249
CVE-2026-43250 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:

usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()

The ChipIdea UDC driver can encounter "not page aligned sg buffer" errors when a USB device is reconnected after being disconnected during an active transfer. This occurs because _ep_nuke() returns requests to the gadget layer without properly unmapping DMA buffers or cleaning up scatter-gather bounce buffers.

Root cause:
When a disconnect happens during a multi-segment DMA transfer, the request's num_mapped_sgs field and sgt.sgl pointer remain set with stale values. The request is returned to the gadget driver with status -ESHUTDOWN but still has active DMA state. If the gadget driver reuses this request on reconnect without reinitializing it, the stale DMA state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero num_mapped_sgs) and attempt to use freed/invalid DMA addresses, leading to alignment errors and potential memory corruption.

The normal completion path via _hardware_dequeue() properly calls usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before returning the request. The _ep_nuke() path must do the same cleanup to ensure requests are returned in a clean, reusable state.

Fix:
Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror the cleanup sequence in _hardware_dequeue():
- Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set
- Call sglist_do_debounce() with copy=false if bounce buffer exists

This ensures that when requests are returned due to endpoint shutdown, they don't retain stale DMA mappings. The 'false' parameter to sglist_do_debounce() prevents copying data back (appropriate for shutdown path where transfer was aborted).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43250
CVE-2026-43251 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
HID: prodikeys: Check presence of pm->input_ep82
Fake USB devices can send their own report descriptors for which the input_mapping() hook does not get called. In this case, pm->input_ep82 stays NULL, which leads to a crash later. This does not happen with the real device, but can be provoked by imposing as one.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43251
CVE-2026-43252 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mptcp: pm: in-kernel: always set ID as avail when rm endp
Syzkaller managed to find a combination of actions that was generating this warning:
---truncated---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43252
CVE-2026-43253 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
iommu/amd: move wait_on_sem() out of spinlock
With iommu.strict=1, the existing completion wait path can cause soft lockups under stressed environment, as wait_on_sem() busy-waits under the spinlock with interrupts disabled.
Move the completion wait in iommu_completion_wait() out of the spinlock. wait_on_sem() only polls the hardware-updated cmd_sem and does not require iommu->lock, so holding the lock during the busy wait unnecessarily increases contention and extends the time with interrupts disabled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43253
CVE-2026-43254 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ovpn: tcp - fix packet extraction from stream
When processing TCP stream data in ovpn_tcp_recv, we receive large cloned skbs from __strp_rcv that may contain multiple coalesced packets. The current implementation has two bugs:
1. Header offset overflow: Using pskb_pull with large offsets on coalesced skbs causes skb->data - skb->head to exceed the u16 storage of skb->network_header. This causes skb_reset_network_header to fail on the inner decapsulated packet, resulting in packet drops.
2. Unaligned protocol headers: Extracting packets from arbitrary positions within the coalesced TCP stream provides no alignment guarantees for the packet data causing performance penalties on architectures without efficient unaligned access. Additionally, openvpn's 2-byte length prefix on TCP packets causes the subsequent 4-byte opcode and packet ID fields to be inherently misaligned.
Fix both issues by allocating a new skb for each openvpn packet and using skb_copy_bits to extract only the packet content into the new buffer, skipping the 2-byte length prefix. Also, check the length before invoking the function that performs the allocation to avoid creating an invalid skb.
If the packet has to be forwarded to userspace the 2-byte prefix can be pushed to the head safely, without misalignment.
As a side effect, this approach also avoids the expensive linearization that pskb_pull triggers on cloned skbs with page fragments. In testing, this resulted in TCP throughput improvements of up to 74%.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43254
CVE-2026-43255 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: libertas: fix WARNING in usb_tx_block
The function usb_tx_block() submits cardp->tx_urb without ensuring that any previous transmission on this URB has completed. If a second call occurs while the URB is still active (e.g. during rapid firmware loading), usb_submit_urb() detects the active state and triggers a warning: 'URB submitted while active'.
Fix this by enforcing serialization: call usb_kill_urb() before submitting the new request. This ensures the URB is idle and safe to reuse.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43255
CVE-2026-43256 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update()
vfe_isr() iterates using MSM_VFE_IMAGE_MASTERS_NUM(7) as the loop bound and passes the index to vfe_isr_reg_update(). However, vfe->line[] array is defined with VFE_LINE_NUM_MAX(4):
  struct vfe_line line[VFE_LINE_NUM_MAX];
When index is 4, 5, 6, the access to vfe->line[line_id] exceeds the array bounds, resulting in out-of-bounds memory access.
Fix this by using separate loops for output lines and write masters.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43256
CVE-2026-43257 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: cx88: Add missing unmap in snd_cx88_hw_params()
In error path, add cx88_alsa_dma_unmap() to release resource acquired by cx88_alsa_dma_map().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43257
CVE-2026-43258 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
alpha: fix user-space corruption during memory compaction
Alpha systems can suffer sporadic user-space crashes and heap corruption when memory compaction is enabled.
Symptoms include SIGSEGV, glibc allocator failures (e.g. "unaligned tcache chunk"), and compiler internal errors. The failures disappear when compaction is disabled or when using global TLB invalidation.
The root cause is insufficient TLB shootdown during page migration. Alpha relies on ASN-based MM context rollover for instruction cache coherency, but this alone is not sufficient to prevent stale data or instruction translations from surviving migration.
Fix this by introducing a migration-specific helper that combines:
- MM context invalidation (ASN rollover),
- immediate per-CPU TLB invalidation (TBI),
- synchronous cross-CPU shootdown when required.
The helper is used only by migration/compaction paths to avoid changing global TLB semantics.
Additionally, update flush_tlb_other(), pte_clear(), to use READ_ONCE()/WRITE_ONCE() for correct SMP memory ordering.
This fixes observed crashes on both UP and SMP Alpha systems.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43258
CVE-2026-43259 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
phy: fsl-imx8mq-usb: set platform driver data
Add missing platform_set_drvdata() as the data will be used in remove().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43259
CVE-2026-43260 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix RSS context delete logic
We need to free the corresponding RSS context VNIC in FW every time an RSS context is deleted in driver. Commit 667ac333dbb7 added a check to delete the VNIC in FW only when netif_running() is true to help delete RSS contexts with interface down.
Having that condition will make the driver leak VNICs in FW whenever close() happens with active RSS contexts. On the subsequent open(), as part of RSS context restoration, we will end up trying to create extra VNICs for which we did not make any reservation. FW can fail this request, thereby making us lose active RSS contexts.
Suppose an RSS context is deleted already and we try to process a delete request again, then the HWRM functions will check for validity of the request and they simply return if the resource is already freed. So, even for delete-when-down cases, netif_running() check is not necessary.
Remove the netif_running() condition check when deleting an RSS context.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43260
CVE-2026-43261 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
arm64: Add support for TSV110 Spectre-BHB mitigation
The TSV110 processor is vulnerable to the Spectre-BHB (Branch History Buffer) attack, which can be exploited to leak information through branch prediction side channels. This commit adds the MIDR of TSV110 to the list for software mitigation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43261
CVE-2026-43262 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
gfs2: fiemap page fault fix
In gfs2_fiemap(), we are calling iomap_fiemap() while holding the inode glock. This can lead to recursive glock taking if the fiemap buffer is memory mapped to the same inode and accessing it triggers a page fault.
Fix by disabling page faults for iomap_fiemap() and faulting in the buffer by hand if necessary.
Fixes xfstest generic/742.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43262
CVE-2026-43263 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: chips-media: wave5: Fix Null reference while testing fluster
When multi instances are created/destroyed, many interrupts happen and structures for decoder are removed. "struct vpu_instance" this structure is shared for all flow in the decoder, so if the structure is not protected by lock, Null dereference could happen sometimes. IRQ Handler was split to two phases and Lock was added as well.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43263
CVE-2026-43264 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
fbdev: of: display_timing: fix refcount leak in of_get_display_timings()
of_parse_phandle() returns a device_node with refcount incremented, which is stored in 'entry' and then copied to 'native_mode'. When the error paths at lines 184 or 192 jump to 'entryfail', native_mode's refcount is not decremented, causing a refcount leak.
Fix this by changing the goto target from 'entryfail' to 'timingfail', which properly calls of_node_put(native_mode) before cleanup.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43264
CVE-2026-43265 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()
Ignore -EBUSY when checking nested events after exiting a blocking state while L2 is active, as exiting to userspace will generate a spurious userspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM's demise. Continuing with the wakeup isn't perfect either, as *something* has gone sideways if a vCPU is awakened in L2 with an injected event (or worse, a nested run pending), but continuing on gives the VM a decent chance of surviving without any major side effects.
As explained in the Fixes commits, it _should_ be impossible for a vCPU to be put into a blocking state with an already-injected event (exception, IRQ, or NMI). Unfortunately, userspace can stuff MP_STATE and/or injected events, and thus put the vCPU into what should be an impossible state.
Don't bother trying to preserve the WARN, e.g. with an anti-syzkaller Kconfig, as WARNs can (hopefully) be added in paths where _KVM_ would be violating x86 architecture, e.g. by WARNing if KVM attempts to inject an exception or interrupt while the vCPU isn't running.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43265
CVE-2026-43266 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
EFI/CPER: don't go past the ARM processor CPER record buffer
There's a logic inside GHES/CPER to detect if the section_length is too small, but it doesn't detect if it is too big.
Currently, if the firmware receives an ARM processor CPER record stating that a section length is big, kernel will blindly trust section_length, producing a very long dump. For instance, a 67 bytes record with ERR_INFO_NUM set 46198 and section length set to 854918320 would dump a lot of data going a way past the firmware memory-mapped area.
Fix it by adding a logic to prevent it to go past the buffer if ERR_INFO_NUM is too big, making it report instead:
  [Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1
  [Hardware Error]: event severity: recoverable
  [Hardware Error]: Error 0, type: recoverable
  [Hardware Error]: section_type: ARM processor error
  [Hardware Error]: MIDR: 0xff304b2f8476870a
  [Hardware Error]: section length: 854918320, CPER size: 67
  [Hardware Error]: section length is too big
  [Hardware Error]: firmware-generated error record is incorrect
  [Hardware Error]: ERR_INFO_NUM is 46198
[ rjw: Subject and changelog tweaks ]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43266
CVE-2026-43267 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: fix potential zero beacon interval in beacon tracking
During fuzz testing, it was discovered that bss_conf->beacon_int might be zero, which could result in a division by zero error in subsequent calculations. Set a default value of 100 TU if the interval is zero to ensure stability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43267
CVE-2026-43268 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: pretend special inodes as regular files
Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/S_IFIFO/S_IFSOCK type, use S_IFREG for special inodes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43268
CVE-2026-43269 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback
After several commits, the slab memory increases. Some drm_crtc_commit objects are not freed. The atomic_destroy_state callback only put the framebuffer. Use the __drm_atomic_helper_plane_destroy_state() function to put all the objects that are no longer needed.
It has been seen after hours of usage of a graphics application or using kmemleak:
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43269
CVE-2026-43270 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()
In mtk_mdp_probe(), vpu_get_plat_device() increases the reference count of the returned platform device. Add platform_device_put() to prevent reference leak.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43270
CVE-2026-43271 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
md-cluster: fix NULL pointer dereference in process_metadata_update
The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro.
While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run):
1. bitmap_load() is called, which invokes md_cluster_ops->join().
2. join() starts the "cluster_recv" thread (recv_daemon).
3. At this point, recv_daemon is active and processing messages.
4. However, mddev->thread (the main MD thread) is not initialized until later in md_run().
If a METADATA_UPDATED message is received from a remote node during this specific window, process_metadata_update() will be called while mddev->thread is still NULL, leading to a kernel panic.
To fix this, we must validate the 'thread' pointer. If it is NULL, we release the held lock (no_new_dev_lockres) and return early, safely ignoring the update request as the array is not yet fully ready to process it.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43271
CVE-2026-43272 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ring-buffer: Fix possible dereference of uninitialized pointer
There is a pointer head_page in rb_meta_validate_events() which is not initialized at the beginning of a function. This pointer can be dereferenced if there is a failure during reader page validation. In this case the control is passed to "invalid" label where the pointer is dereferenced in a loop.
To fix the issue initialize orig_head and head_page before calling rb_validate_buffer.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43272
CVE-2026-43273 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ceph: supply snapshot context in ceph_zero_partial_object()
The ceph_zero_partial_object function was missing proper snapshot context for its OSD write operations, which could lead to data inconsistencies in snapshots.
Reproducer:
../src/vstart.sh --new -x --localhost --bluestore
./bin/ceph auth caps client.fs_a mds 'allow rwps fsname=a' mon 'allow r fsname=a' osd 'allow rw tag cephfs data=a'
mount -t ceph fs_a@.a=/ /mnt/mycephfs/ -o conf=./ceph.conf
dd if=/dev/urandom of=/mnt/mycephfs/foo bs=64K count=1
mkdir /mnt/mycephfs/.snap/snap1
md5sum /mnt/mycephfs/.snap/snap1/foo
fallocate -p -o 0 -l 4096 /mnt/mycephfs/foo
echo 3 > /proc/sys/vm/drop_caches
md5sum /mnt/mycephfs/.snap/snap1/foo # get different md5sum!!
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43273
CVE-2026-43274 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()
The cluster_cfg array is dynamically allocated to hold per-CPU configuration structures, with its size based on the number of online CPUs. Previously, this array was indexed using hartid, which may be non-contiguous or exceed the bounds of the array, leading to out-of-bounds access.
Switch to using cpuid as the index, as it is guaranteed to be within the valid range provided by for_each_online_cpu().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43274
CVE-2026-43275 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Flush exception handling work when RPM level is zero
Ensure that the exception event handling work is explicitly flushed during suspend when the runtime power management level is set to UFS_PM_LVL_0.
When the RPM level is zero, the device power mode and link state both remain active. Previously, the UFS core driver bypassed flushing exception event handling jobs in this configuration. This created a race condition where the driver could attempt to access the host controller to handle an exception after the system had already entered a deep power-down state, resulting in a system crash.
Explicitly flush this work and disable auto BKOPs before the suspend callback proceeds. This guarantees that pending exception tasks complete and prevents illegal hardware access during the power-down sequence.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43275
CVE-2026-43276 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: mana: Fix double destroy_workqueue on service rescan PCI path
While testing corner cases in the driver, a use-after-free crash was found on the service rescan PCI path.
When mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup() destroys gc->service_wq. If the subsequent mana_gd_resume() fails with -ETIMEDOUT or -EPROTO, the code falls through to mana_serv_rescan() which triggers pci_stop_and_remove_bus_device(). This invokes the PCI .remove callback (mana_gd_remove), which calls mana_gd_cleanup() a second time, attempting to destroy the already-freed workqueue. Fix this by NULL-checking gc->service_wq in mana_gd_cleanup() and setting it to NULL after destruction.
Call stack of issue for reference:
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43276
CVE-2026-43277 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
APEI/GHES: ensure that won't go past CPER allocated record
The logic at ghes_new() prevents allocating too large records, by checking if they're bigger than GHES_ESTATUS_MAX_SIZE (currently, 64KB). Yet, the allocation is done with the actual number of pages from the CPER bios table location, which can be smaller.
Yet, a bad firmware could send data with a different size, which might be bigger than the allocated memory, causing an OOPS:
Prevent that by taking the actual allocated area into account when checking for CPER length.
[ rjw: Subject tweaks ]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43277
CVE-2026-43278 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
dm: clear cloned request bio pointer when last clone bio completes
Stale rq->bio values have been observed to cause double-initialization of cloned bios in request-based device-mapper targets, leading to use-after-free and double-free scenarios.
One such case occurs when using dm-multipath on top of a PCIe NVMe namespace, where cloned request bios are freed during blk_complete_request(), but rq->bio is left intact. Subsequent clone teardown then attempts to free the same bios again via blk_rq_unprep_clone().
The resulting double-free path looks like:
  nvme_pci_complete_batch()
  nvme_complete_batch()
  blk_mq_end_request_batch()
  blk_complete_request() // called on a DM clone request
  bio_endio() // first free of all clone bios
  ...
  rq->end_io() // end_clone_request()
  dm_complete_request(tio->orig)
  dm_softirq_done()
  dm_done()
  dm_end_request()
  blk_rq_unprep_clone() // second free of clone bios
Fix this by clearing the clone request's bio pointer when the last cloned bio completes, ensuring that later teardown paths do not attempt to free already-released bios.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43278
CVE-2026-43279 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Add sanity check for OOB writes at silencing
At silencing the playback URB packets in the implicit fb mode before the actual playback, we blindly assume that the received packets fit with the buffer size. But when the setup in the capture stream differs from the playback stream (e.g. due to the USB core limitation of max packet size), such an inconsistency may lead to OOB writes to the buffer, resulting in a crash.
For addressing it, add a sanity check of the transfer buffer size at prepare_silent_urb(), and stop the data copy if the received data overflows. Also, report back the transfer error properly from there, too.
Note that this doesn't fix the root cause of the playback error itself, but this merely covers the kernel Oops.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43279
CVE-2026-43280 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise
When user provides a bogus pat_index value through the madvise IOCTL, the xe_pat_index_get_coh_mode() function performs an array access without validating bounds. This allows a malicious user to trigger an out-of-bounds kernel read from the xe->pat.table array.
The vulnerability exists because the validation in madvise_args_are_sane() directly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without first checking if pat_index is within [0, xe->pat.n_entries).
Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug builds, it still performs the unsafe array access in production kernels.
v2(Matthew Auld)
- Using array_index_nospec() to mitigate spectre attacks when the value is used
v3(Matthew Auld)
- Put the declarations at the start of the block
(cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43280
CVE-2026-43281 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()
Although it is guided that `#mbox-cells` must be at least 1, there are many instances of `#mbox-cells = <0>;` in the device tree. If that is the case and the corresponding mailbox controller does not provide `fw_xlate` and `of_xlate` function pointers, `fw_mbox_index_xlate()` will be used by default and out-of-bounds accesses could occur due to lack of bounds check in that function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43281
CVE-2026-43282 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port
The function ionic_query_port() calls ib_device_get_netdev() without checking the return value which could lead to NULL pointer dereference. Fix it by checking the return value and return -ENODEV if the 'ndev' is NULL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43282
CVE-2026-43283 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle
dma_free_coherent() in error path takes priv->rx_buf.alloc_len as the dma handle. This would lead to improper unmapping of the buffer.
Change the dma handle to priv->rx_buf.alloc_phys.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
CVE-2026-43283
CVE-2026-43284 on Ubuntu 26.04 LTS (resolute) - high
In the Linux kernel, the following vulnerability has been resolved:
xfrm: esp: avoid in-place decrypt on shared skb frags
MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.
That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.
Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.
This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-05-08 08:16:00 UTC
CVE-2026-43284
CVE-2026-43285 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mm/slab: do not access current->mems_allowed_seq if !allow_spin
Lockdep complains when get_from_any_partial() is called in an NMI context, because current->mems_allowed_seq is seqcount_spinlock_t and not NMI-safe:
  ================================
  WARNING: inconsistent lock state
  6.19.0-rc5-kfree-rcu+ #315 Tainted: G N
  --------------------------------
  inconsistent {INITIAL USE} -> {IN-NMI} usage.
  kunit_try_catch/9989 [HC1[1]:SC0[0]:HE0:SE1] takes:
  ffff889085799820 (&____s->seqcount#3){.-.-}-{0:0}, at: ___slab_alloc+0x58f/0xc00
  {INITIAL USE} state was registered at:
    lock_acquire+0x185/0x320
    kernel_init_freeable+0x391/0x1150
    kernel_init+0x1f/0x220
    ret_from_fork+0x736/0x8f0
    ret_from_fork_asm+0x1a/0x30
  irq event stamp: 56
  hardirqs last enabled at (55): [<ffffffff850a68d7>] _raw_spin_unlock_irq+0x27/0x70
  hardirqs last disabled at (56): [<ffffffff850858ca>] __schedule+0x2a8a/0x6630
  softirqs last enabled at (0): [<ffffffff81536711>] copy_process+0x1dc1/0x6a10
  softirqs last disabled at (0): [<0000000000000000>] 0x0
  other info that might help us debug this:
   Possible unsafe locking scenario:
         CPU0
         ----
    lock(&____s->seqcount#3);
    <Interrupt>
      lock(&____s->seqcount#3);
   *** DEADLOCK ***
According to Documentation/locking/seqlock.rst, seqcount_t is not NMI-safe and seqcount_latch_t should be used when read path can interrupt the write-side critical section. In this case, do not access current->mems_allowed_seq and avoid retry.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43285
CVE-2026-43286 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb: restore failed global reservations to subpool
Commit a833a693a490 ("mm: hugetlb: fix incorrect fallback for subpool") fixed an underflow error for hstate->resv_huge_pages caused by incorrectly attributing globally requested pages to the subpool's reservation.
Unfortunately, this fix also introduced the opposite problem, which would leave spool->used_hpages elevated if the globally requested pages could not be acquired. This is because while a subpool's reserve pages only accounts for what is requested and allocated from the subpool, its "used" counter keeps track of what is consumed in total, both from the subpool and globally. Thus, we need to adjust spool->used_hpages in the other direction, and make sure that globally requested pages are uncharged from the subpool's used counter.
Each failed allocation attempt increments the used_hpages counter by how many pages were requested from the global pool. Ultimately, this renders the subpool unusable, as used_hpages approaches the max limit.
The issue can be reproduced as follows:
1. Allocate 4 hugetlb pages
2. Create a hugetlb mount with max=4, min=2
3. Consume 2 pages globally
4. Request 3 pages from the subpool (2 from subpool + 1 from global)
  4.1 hugepage_subpool_get_pages(spool, 3) succeeds. used_hpages += 3
  4.2 hugetlb_acct_memory(h, 1) fails: no global pages left used_hpages -= 2
5. Subpool now has used_hpages = 1, despite not being able to successfully allocate any hugepages. It believes it can now only allocate 3 more hugepages, not 4.
With each failed allocation attempt incrementing the used counter, the subpool eventually reaches a point where its used counter equals its max counter. At that point, any future allocations that try to allocate hugeTLB pages from the subpool will fail, despite the subpool not having any of its hugeTLB pages consumed by any user.
Once this happens, there is no way to make the subpool usable again, since there is no way to decrement the used counter as no process is really consuming the hugeTLB pages.
The underflow issue that the original commit fixes still remains fixed as well.
Without this fix, used_hpages would keep on leaking if hugetlb_acct_memory() fails.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43286
CVE-2026-43287 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm: Account property blob allocations to memcg
DRM_IOCTL_MODE_CREATEPROPBLOB allows userspace to allocate arbitrary-sized property blobs backed by kernel memory.
Currently, the blob data allocation is not accounted to the allocating process's memory cgroup, allowing unprivileged users to trigger unbounded kernel memory consumption and potentially cause system-wide OOM.
Mark the property blob data allocation with GFP_KERNEL_ACCOUNT so that the memory is properly charged to the caller's memcg. This ensures existing cgroup memory limits apply and prevents uncontrolled kernel memory growth without introducing additional policy or per-file limits.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43287
CVE-2026-43288 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ext4: move ext4_percpu_param_init() before ext4_mb_init()
When running `kvm-xfstests -c ext4/1k -C 1 generic/383` with the `DOUBLE_CHECK` macro defined, the following panic is triggered:
==================================================================
EXT4-fs error (device vdc): ext4_validate_block_bitmap:423: comm mount: bg 0: bad block bitmap checksum
BUG: unable to handle page fault for address: ff110000fa2cc000
PGD 3e01067 P4D 3e02067 PUD 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 0 UID: 0 PID: 2386 Comm: mount Tainted: G W 6.18.0-gba65a4e7120a-dirty #1152 PREEMPT(none)
RIP: 0010:percpu_counter_add_batch+0x13/0xa0
Call Trace:
 <TASK>
 ext4_mark_group_bitmap_corrupted+0xcb/0xe0
 ext4_validate_block_bitmap+0x2a1/0x2f0
 ext4_read_block_bitmap+0x33/0x50
 mb_group_bb_bitmap_alloc+0x33/0x80
 ext4_mb_add_groupinfo+0x190/0x250
 ext4_mb_init_backend+0x87/0x290
 ext4_mb_init+0x456/0x640
 __ext4_fill_super+0x1072/0x1680
 ext4_fill_super+0xd3/0x280
 get_tree_bdev_flags+0x132/0x1d0
 vfs_get_tree+0x29/0xd0
 vfs_cmd_create+0x59/0xe0
 __do_sys_fsconfig+0x4f6/0x6b0
 do_syscall_64+0x50/0x1f0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
==================================================================
This issue can be reproduced using the following commands:
 mkfs.ext4 -F -q -b 1024 /dev/sda 5G
 tune2fs -O quota,project /dev/sda
 mount /dev/sda /tmp/test
With DOUBLE_CHECK defined, mb_group_bb_bitmap_alloc() reads and validates the block bitmap. When the validation fails, ext4_mark_group_bitmap_corrupted() attempts to update sbi->s_freeclusters_counter. However, this percpu_counter has not been initialized yet at this point, which leads to the panic described above.
Fix this by moving the execution of ext4_percpu_param_init() to occur before ext4_mb_init(), ensuring the per-CPU counters are initialized before they are used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43288
CVE-2026-43289 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
kexec: derive purgatory entry from symbol
kexec_load_purgatory() derives image->start by locating e_entry inside an SHF_EXECINSTR section. If the purgatory object contains multiple executable sections with overlapping sh_addr, the entrypoint check can match more than once and trigger a WARN.
Derive the entry section from the purgatory_start symbol when present and compute image->start from its final placement. Keep the existing e_entry fallback for purgatories that do not expose the symbol.
WARNING: kernel/kexec_file.c:1009 at kexec_load_purgatory+0x395/0x3c0, CPU#10: kexec/1784
Call Trace:
 <TASK>
 bzImage64_load+0x133/0xa00
 __do_sys_kexec_file_load+0x2b3/0x5c0
 do_syscall_64+0x81/0x610
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
[me@linux.beauty: move helper to avoid forward declaration, per Baoquan]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43289
CVE-2026-43290 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Return queued buffers on start_streaming() failure
Return buffers if streaming fails to start due to uvc_pm_get() error.
This bug may be responsible for a warning I got running
 while :; do yavta -c3 /dev/video0; done
on an xHCI controller which failed under this workload. I had no luck reproducing this warning again to confirm.
xhci_hcd 0000:09:00.0: HC died; cleaning up
usb 13-2: USB disconnect, device number 2
WARNING: CPU: 2 PID: 29386 at drivers/media/common/videobuf2/videobuf2-core.c:1803 vb2_start_streaming+0xac/0x120
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43290
CVE-2026-43291 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: nfc: nci: Fix parameter validation for packet data
Since commit 9c328f54741b ("net: nfc: nci: Add parameter validation for packet data") communication with nci nfc chips is not working any more.
The mentioned commit tries to fix access of uninitialized data, but failed to understand that in some cases the data packet is of variable length and can therefore not be compared to the maximum packet length given by the sizeof(struct).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43291
CVE-2026-43292 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node
When CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during vmalloc cleanup triggers expensive stack unwinding that acquires RCU read locks. Processing a large purge_list without rescheduling can cause the task to hold CPU for extended periods (10+ seconds), leading to RCU stalls and potential OOM conditions.
The issue manifests in purge_vmap_node() -> kasan_release_vmalloc_node() where iterating through hundreds or thousands of vmap_area entries and freeing their associated shadow pages causes:
  rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
  rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l
  ...
  task:kworker/0:17 state:R running task stack:28840 pid:6229
  ...
  kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299
  purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299
Each call to kasan_release_vmalloc() can free many pages, and with page_owner tracking, each free triggers save_stack() which performs stack unwinding under RCU read lock. Without yielding, this creates an unbounded RCU critical section.
Add periodic cond_resched() calls within the loop to allow:
- RCU grace periods to complete
- Other tasks to run
- Scheduler to preempt when needed
The fix uses need_resched() for immediate response under load, with a batch count of 32 as a guaranteed upper bound to prevent worst-case stalls even under light load.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43292
CVE-2026-43293 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: chips-media: wave5: Fix kthread worker destruction in polling mode
Fix the cleanup order in polling mode (irq < 0) to prevent kernel warnings during module removal. Cancel the hrtimer before destroying the kthread worker to ensure work queues are empty.
In polling mode, the driver uses hrtimer to periodically trigger wave5_vpu_timer_callback() which queues work via kthread_queue_work(). The kthread_destroy_worker() function validates that both work queues are empty with WARN_ON(!list_empty(&worker->work_list)) and WARN_ON(!list_empty(&worker->delayed_work_list)).
The original code called kthread_destroy_worker() before hrtimer_cancel(), creating a race condition where the timer could fire during worker destruction and queue new work, triggering the WARN_ON.
This causes the following warning on every module unload in polling mode:
  ------------[ cut here ]------------
  WARNING: CPU: 2 PID: 1034 at kernel/kthread.c:1430 kthread_destroy_worker+0x84/0x98
  Modules linked in: wave5(-) rpmsg_ctrl rpmsg_char
  ...
  Call trace:
   kthread_destroy_worker+0x84/0x98
   wave5_vpu_remove+0xc8/0xe0 [wave5]
   platform_remove+0x30/0x58
  ...
  ---[ end trace 0000000000000000 ]---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43293
CVE-2026-43294 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm: renesas: rz-du: mipi_dsi: fix kernel panic when rebooting for some panels
Since commit 56de5e305d4b ("clk: renesas: r9a07g044: Add MSTOP for RZ/G2L") we may get the following kernel panic, for some panels, when rebooting:
  systemd-shutdown[1]: Rebooting.
  Call trace:
   ...
   do_serror+0x28/0x68
   el1h_64_error_handler+0x34/0x50
   el1h_64_error+0x6c/0x70
   rzg2l_mipi_dsi_host_transfer+0x114/0x458 (P)
   mipi_dsi_device_transfer+0x44/0x58
   mipi_dsi_dcs_set_display_off_multi+0x9c/0xc4
   ili9881c_unprepare+0x38/0x88
   drm_panel_unprepare+0xbc/0x108
This happens for panels that need to send MIPI-DSI commands in their unprepare() callback. Since the MIPI-DSI interface is stopped at that point, rzg2l_mipi_dsi_host_transfer() triggers the kernel panic.
Fix by moving rzg2l_mipi_dsi_stop() to new callback function rzg2l_mipi_dsi_atomic_post_disable().
With this change we now have the correct power-down/stop sequence:
  systemd-shutdown[1]: Rebooting.
  rzg2l-mipi-dsi 10850000.dsi: rzg2l_mipi_dsi_atomic_disable(): entry
  ili9881c-dsi 10850000.dsi.0: ili9881c_unprepare(): entry
  rzg2l-mipi-dsi 10850000.dsi: rzg2l_mipi_dsi_atomic_post_disable(): entry
  reboot: Restarting system
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43294
CVE-2026-43295 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net()
When idtab allocation fails, net is not registered with rio_add_net() yet, so kfree(net) is sufficient to release the memory. Set mport->net to NULL to avoid dangling pointer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43295
CVE-2026-43296 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-af: Workaround SQM/PSE stalls by disabling sticky
NIX SQ manager sticky mode is known to cause stalls when multiple SQs share an SMQ and transmit concurrently. Additionally, PSE may deadlock on transitions between sticky and non-sticky transmissions. There is also a credit drop issue observed when certain condition clocks are gated.
Work around these hardware errata by:
- Disabling SQM sticky operation:
  - Clear TM6 (bit 15)
  - Clear TM11 (bit 14)
- Disabling sticky → non-sticky transition path that can deadlock PSE:
  - Clear TM5 (bit 23)
- Preventing credit drops by keeping the control-flow clock enabled:
  - Set TM9 (bit 21)
These changes are applied via NIX_AF_SQM_DBG_CTL_STATUS. With this configuration the SQM/PSE maintain forward progress under load without credit loss, at the cost of disabling sticky optimizations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43296
CVE-2026-43297 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: rockchip: rga: Fix possible ERR_PTR dereference in rga_buf_init()
rga_get_frame() can return ERR_PTR(-EINVAL) when buffer type is unsupported or invalid. rga_buf_init() does not check the return value and unconditionally dereferences the pointer when accessing f->size.
Add proper ERR_PTR checking and return the error to prevent dereferencing an invalid pointer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43297
CVE-2026-43298 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Skip vcn poison irq release on VF
VF doesn't enable VCN poison irq in VCNv2.5. Skip releasing it and avoid call trace during deinitialization.
[ 71.913601] [drm] clean up the vf2pf work item
[ 71.915088] ------------[ cut here ]------------
[ 71.915092] WARNING: CPU: 3 PID: 1079 at /tmp/amd.aFkFvSQl/amd/amdgpu/amdgpu_irq.c:641 amdgpu_irq_put+0xc6/0xe0 [amdgpu]
[ 71.915355] Modules linked in: amdgpu(OE-) amddrm_ttm_helper(OE) amdttm(OE) amddrm_buddy(OE) amdxcp(OE) amddrm_exec(OE) amd_sched(OE) amdkcl(OE) drm_suballoc_helper drm_display_helper cec rc_core i2c_algo_bit video wmi binfmt_misc nls_iso8859_1 intel_rapl_msr intel_rapl_common input_leds joydev serio_raw mac_hid qemu_fw_cfg sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 hid_generic crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel usbhid 8139too sha256_ssse3 sha1_ssse3 hid psmouse bochs i2c_i801 ahci drm_vram_helper libahci i2c_smbus lpc_ich drm_ttm_helper 8139cp mii ttm aesni_intel crypto_simd cryptd
[ 71.915484] CPU: 3 PID: 1079 Comm: rmmod Tainted: G OE 6.8.0-87-generic #88~22.04.1-Ubuntu
[ 71.915489] Hardware name: Red Hat KVM/RHEL, BIOS 1.16.3-2.el9_5.1 04/01/2014
[ 71.915492] RIP: 0010:amdgpu_irq_put+0xc6/0xe0 [amdgpu]
[ 71.915768] Code: 75 84 b8 ea ff ff ff eb d4 44 89 ea 48 89 de 4c 89 e7 e8 fd fc ff ff 5b 41 5c 41 5d 41 5e 5d 31 d2 31 f6 31 ff e9 55 30 3b c7 <0f> 0b eb d4 b8 fe ff ff ff eb a8 e9 b7 3b 8a 00 66 2e 0f 1f 84 00
[ 71.915771] RSP: 0018:ffffcf0800eafa30 EFLAGS: 00010246
[ 71.915775] RAX: 0000000000000000 RBX: ffff891bda4b0668 RCX: 0000000000000000
[ 71.915777] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 71.915779] RBP: ffffcf0800eafa50 R08: 0000000000000000 R09: 0000000000000000
[ 71.915781] R10: 0000000000000000 R11: 0000000000000000 R12: ffff891bda480000
[ 71.915782] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
[ 71.915792] FS: 000070cff87c4c40(0000) GS:ffff893abfb80000(0000) knlGS:0000000000000000
[ 71.915795] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 71.915797] CR2: 00005fa13073e478 CR3: 000000010d634006 CR4: 0000000000770ef0
[ 71.915800] PKRU: 55555554
[ 71.915802] Call Trace:
[ 71.915805] <TASK>
[ 71.915809] vcn_v2_5_hw_fini+0x19e/0x1e0 [amdgpu]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43298
CVE-2026-43299 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not ASSERT() when the fs flips RO inside btrfs_repair_io_failure()
[BUG]
There is a bug report that when btrfs hits ENOSPC error in a critical path, btrfs flips RO (this part is expected, although the ENOSPC bug still needs to be addressed).
The problem is after the RO flip, if there is a read repair pending, we can hit the ASSERT() inside btrfs_repair_io_failure() like the following:
  BTRFS info (device vdc): relocating block group 30408704 flags metadata|raid1
  ------------[ cut here ]------------
  BTRFS: Transaction aborted (error -28)
  WARNING: fs/btrfs/extent-tree.c:3235 at __btrfs_free_extent.isra.0+0x453/0xfd0, CPU#1: btrfs/383844
  Modules linked in: kvm_intel kvm irqbypass
  [...]
  ---[ end trace 0000000000000000 ]---
  BTRFS info (device vdc state EA): 2 enospc errors during balance
  BTRFS info (device vdc state EA): balance: ended with status: -30
  BTRFS error (device vdc state EA): parent transid verify failed on logical 30556160 mirror 2 wanted 8 found 6
  BTRFS error (device vdc state EA): bdev /dev/nvme0n1 errs: wr 0, rd 0, flush 0, corrupt 10, gen 0
  [...]
  assertion failed: !(fs_info->sb->s_flags & SB_RDONLY) :: 0, in fs/btrfs/bio.c:938
  ------------[ cut here ]------------
  assertion failed: !(fs_info->sb->s_flags & SB_RDONLY) :: 0, in fs/btrfs/bio.c:938
  kernel BUG at fs/btrfs/bio.c:938!
  Oops: invalid opcode: 0000 [#1] SMP NOPTI
  CPU: 0 UID: 0 PID: 868 Comm: kworker/u8:13 Tainted: G W N 6.19.0-rc6+ #4788 PREEMPT(full)
  Tainted: [W]=WARN, [N]=TEST
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
  Workqueue: btrfs-endio simple_end_io_work
  RIP: 0010:btrfs_repair_io_failure.cold+0xb2/0x120
  RSP: 0000:ffffc90001d2bcf0 EFLAGS: 00010246
  RAX: 0000000000000051 RBX: 0000000000001000 RCX: 0000000000000000
  RDX: 0000000000000000 RSI: ffffffff8305cf42 RDI: 00000000ffffffff
  RBP: 0000000000000002 R08: 00000000fffeffff R09: ffffffff837fa988
  R10: ffffffff8327a9e0 R11: 6f69747265737361 R12: ffff88813018d310
  R13: ffff888168b8a000 R14: ffffc90001d2bd90 R15: ffff88810a169000
  FS: 0000000000000000(0000) GS:ffff8885e752c000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  ------------[ cut here ]------------
[CAUSE]
The cause of -ENOSPC error during the test case btrfs/124 is still unknown, although it's known that we still have cases where metadata can be over-committed but can not be fulfilled correctly, thus if we hit such ENOSPC error inside a critical path, we have no choice but abort the current transaction.
This will mark the fs read-only.
The problem is inside the btrfs_repair_io_failure() path that we require the fs not to be mount read-only. This is normally fine, but if we are doing a read-repair meanwhile the fs flips RO due to a critical error, we can enter btrfs_repair_io_failure() with super block set to read-only, thus triggering the above crash.
[FIX]
Just replace the ASSERT() with a proper return if the fs is already read-only.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43299
CVE-2026-43300 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/panel: Fix a possible null-pointer dereference in jdi_panel_dsi_remove()
In jdi_panel_dsi_remove(), jdi is explicitly checked, indicating that it may be NULL:
  if (!jdi)
    mipi_dsi_detach(dsi);
However, when jdi is NULL, the function does not return and continues by calling jdi_panel_disable():
  err = jdi_panel_disable(&jdi->base);
Inside jdi_panel_disable(), jdi is dereferenced unconditionally, which can lead to a NULL-pointer dereference:
  struct jdi_panel *jdi = to_panel_jdi(panel);
  backlight_disable(jdi->backlight);
To prevent such a potential NULL-pointer dereference, return early from jdi_panel_dsi_remove() when jdi is NULL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43300
CVE-2026-43301 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: chips-media: wave5: Fix PM runtime usage count underflow
Replace pm_runtime_put_sync() with pm_runtime_dont_use_autosuspend() in the remove path to properly pair with pm_runtime_use_autosuspend() from probe. This allows pm_runtime_disable() to handle reference count cleanup correctly regardless of current suspend state.
The driver calls pm_runtime_put_sync() unconditionally in remove, but the device may already be suspended due to autosuspend configured in probe. When autosuspend has already suspended the device, the usage count is 0, and pm_runtime_put_sync() decrements it to -1.
This causes the following warning on module unload:
  ------------[ cut here ]------------
  WARNING: CPU: 1 PID: 963 at kernel/kthread.c:1430 kthread_destroy_worker+0x84/0x98
  ...
  vdec 30210000.video-codec: Runtime PM usage count underflow!
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43301
CVE-2026-43302 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/v3d: Set DMA segment size to avoid debug warnings
When using V3D rendering with CONFIG_DMA_API_DEBUG enabled, the kernel occasionally reports a segment size mismatch. This is because 'max_seg_size' is not set. The kernel defaults to 64K. Setting 'max_seg_size' to the maximum will prevent 'debug_dma_map_sg()' from complaining about the over-mapping of the V3D segment length.
DMA-API: v3d 1002000000.v3d: mapping sg segment longer than device claims to support [len=8290304] [max=65536]
WARNING: CPU: 0 PID: 493 at kernel/dma/debug.c:1179 debug_dma_map_sg+0x330/0x388
CPU: 0 UID: 0 PID: 493 Comm: Xorg Not tainted 6.12.53-yocto-standard #1
Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT)
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_dma_map_sg+0x330/0x388
lr : debug_dma_map_sg+0x330/0x388
sp : ffff8000829a3ac0
x29: ffff8000829a3ac0 x28: 0000000000000001 x27: ffff8000813fe000
x26: ffffc1ffc0000000 x25: ffff00010fdeb760 x24: 0000000000000000
x23: ffff8000816a9bf0 x22: 0000000000000001 x21: 0000000000000002
x20: 0000000000000002 x19: ffff00010185e810 x18: ffffffffffffffff
x17: 69766564206e6168 x16: 74207265676e6f6c x15: 20746e656d676573
x14: 20677320676e6970 x13: 5d34303334393134 x12: 0000000000000000
x11: 00000000000000c0 x10: 00000000000009c0 x9 : ffff8000800e0b7c
x8 : ffff00010a315ca0 x7 : ffff8000816a5110 x6 : 0000000000000001
x5 : 000000000000002b x4 : 0000000000000002 x3 : 0000000000000008
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00010a315280
Call trace:
 debug_dma_map_sg+0x330/0x388
 __dma_map_sg_attrs+0xc0/0x278
 dma_map_sgtable+0x30/0x58
 drm_gem_shmem_get_pages_sgt+0xb4/0x140
 v3d_bo_create_finish+0x28/0x130 [v3d]
 v3d_create_bo_ioctl+0x54/0x180 [v3d]
 drm_ioctl_kernel+0xc8/0x140
 drm_ioctl+0x2d4/0x4d8
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43302
CVE-2026-43303 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mm/page_alloc: clear page->private in free_pages_prepare()
Several subsystems (slub, shmem, ttm, etc.) use page->private but don't clear it before freeing pages. When these pages are later allocated as high-order pages and split via split_page(), tail pages retain stale page->private values.
This causes a use-after-free in the swap subsystem. The swap code uses page->private to track swap count continuations, assuming freshly allocated pages have page->private == 0. When stale values are present, swap_count_continued() incorrectly assumes the continuation list is valid and iterates over uninitialized page->lru containing LIST_POISON values, causing a crash:
  KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
  RIP: 0010:__do_sys_swapoff+0x1151/0x1860
Fix this by clearing page->private in free_pages_prepare(), ensuring all freed pages have clean state regardless of previous use.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43303
CVE-2026-43304 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
libceph: define and enforce CEPH_MAX_KEY_LEN
When decoding the key, verify that the key material would fit into a fixed-size buffer in process_auth_done() and generally has a sane length.
The new CEPH_MAX_KEY_LEN check replaces the existing check for a key with no key material which is a) not universal since CEPH_CRYPTO_NONE has to be excluded and b) doesn't provide much value since a smaller than needed key is just as invalid as no key -- this has to be handled elsewhere anyway.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43304
CVE-2026-43305 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix mismatched unlock for DMUB HW lock in HWSS fast path
[Why]
The evaluation for whether we need to use the DMUB HW lock isn't the same as whether we need to unlock which results in a hang when the fast path is used for ASIC without FAMS support.
[How]
Store a flag that indicates whether we should use the lock and use that same flag to specify whether unlocking is needed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43305
CVE-2026-43306 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
bpf: crypto: Use the correct destructor kfunc type
With CONFIG_CFI enabled, the kernel strictly enforces that indirect function calls use a function pointer type that matches the target function. I ran into the following type mismatch when running BPF self-tests:
  CFI failure at bpf_obj_free_fields+0x190/0x238 (target: bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc)
  Internal error: Oops - CFI: 00000000f2008228 [#1] SMP
  ...
As bpf_crypto_ctx_release() is also used in BPF programs and using a void pointer as the argument would make the verifier unhappy, add a simple stub function with the correct type and register it as the destructor kfunc instead.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43306
CVE-2026-43307 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
iio: accel: adxl380: Avoid reading more entries than present in FIFO
The interrupt handler reads FIFO entries in batches of N samples, where N is the number of scan elements that have been enabled. However, the sensor fills the FIFO one sample at a time, even when more than one channel is enabled. Therefore, the number of entries reported by the FIFO status registers may not be a multiple of N; if this number is not a multiple, the number of entries read from the FIFO may exceed the number of entries actually present.
To fix the above issue, round down the number of FIFO entries read from the status registers so that it is always a multiple of N.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43307
CVE-2026-43308 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
btrfs: don't BUG() on unexpected delayed ref type in run_one_delayed_ref()
There is no need to BUG(), we can just return an error and log an error message.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43308
CVE-2026-43309 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
md raid: fix hang when stopping arrays with metadata through dm-raid
When using device-mapper's dm-raid target, stopping a RAID array can cause the system to hang under specific conditions.
This occurs when:
- A dm-raid managed device tree is suspended from top to bottom (the top-level RAID device is suspended first, followed by its underlying metadata and data devices)
- The top-level RAID device is then removed
Removing the top-level device triggers a hang in the following sequence: the dm-raid destructor calls md_stop(), which tries to flush the write-intent bitmap by writing to the metadata sub-devices. However, these devices are already suspended, making them unable to complete the write-intent operations and causing an indefinite block.
Fix:
- Prevent bitmap flushing when md_stop() is called from dm-raid destructor context and avoid a quiescing/unquiescing cycle which could also cause I/O
- Still allow write-intent bitmap flushing when called from dm-raid suspend context
This ensures that RAID array teardown can complete successfully even when the underlying devices are in a suspended state.
This second patch uses md_is_rdwr() to distinguish between suspend and destructor paths as elaborated on above.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43309
CVE-2026-43310 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: verisilicon: Avoid G2 bus error while decoding H.264 and HEVC
For the i.MX8MQ platform, there is a hardware limitation: the g1 VPU and g2 VPU cannot decode simultaneously; otherwise, it will cause below bus error and produce corrupted pictures, even potentially lead to system hang.
[ 110.527986] hantro-vpu 38310000.video-codec: frame decode timed out.
[ 110.583517] hantro-vpu 38310000.video-codec: bus error detected.
Therefore, it is necessary to ensure that g1 and g2 operate alternately. This allows for successful multi-instance decoding of H.264 and HEVC.
To achieve this, g1 and g2 share the same v4l2_m2m_dev, and then the v4l2_m2m_dev can handle the scheduling.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43310
CVE-2026-43311 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
soc/tegra: pmc: Fix unsafe generic_handle_irq() call
Currently, when resuming from system suspend on Tegra platforms, the following warning is observed:
WARNING: CPU: 0 PID: 14459 at kernel/irq/irqdesc.c:666
Call trace:
  handle_irq_desc+0x20/0x58 (P)
  tegra186_pmc_wake_syscore_resume+0xe4/0x15c
  syscore_resume+0x3c/0xb8
  suspend_devices_and_enter+0x510/0x540
  pm_suspend+0x16c/0x1d8
The warning occurs because generic_handle_irq() is being called from a non-interrupt context which is considered as unsafe.
Fix this warning by deferring generic_handle_irq() call to an IRQ work which gets executed in hard IRQ context where generic_handle_irq() can be called safely.
When PREEMPT_RT kernels are used, regular IRQ work (initialized with init_irq_work) is deferred to run in per-CPU kthreads in preemptible context rather than hard IRQ context. Hence, use the IRQ_WORK_INIT_HARD variant so that with PREEMPT_RT kernels, the IRQ work is processed in hardirq context instead of being deferred to a thread which is required for calling generic_handle_irq().
On non-PREEMPT_RT kernels, both init_irq_work() and IRQ_WORK_INIT_HARD() execute in IRQ context, so this change has no functional impact for standard kernel configurations.
[treding@nvidia.com: miscellaneous cleanups]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43311
CVE-2026-43312 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: i2c: ov5647: Initialize subdev before controls
In ov5647_init_controls() we call v4l2_get_subdevdata, but it is initialized by v4l2_i2c_subdev_init() in the probe, which currently happens after init_controls(). This can result in a segfault if the error condition is hit, and we try to access i2c_client, so fix the order.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43312
CVE-2026-43313 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()
In acpi_processor_errata_piix4(), the pointer dev is first assigned an IDE device and then reassigned an ISA device:
  dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB, ...);
  dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB_0, ...);
If the first lookup succeeds but the second fails, dev becomes NULL. This leads to a potential null-pointer dereference when dev_dbg() is called:
  if (errata.piix4.bmisx)
    dev_dbg(&dev->dev, ...);
To prevent this, use two temporary pointers and retrieve each device independently, avoiding overwriting dev with a possible NULL value.
[ rjw: Subject adjustment, added an empty code line ]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43313
CVE-2026-43314 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
dm: remove fake timeout to avoid leak request
Since commit 15f73f5b3e59 ("blk-mq: move failure injection out of blk_mq_complete_request"), drivers are responsible for calling blk_should_fake_timeout() at appropriate code paths and opportunities.
However, the dm driver does not implement its own timeout handler and relies on the timeout handling of its slave devices.
If an io-timeout-fail error is injected to a dm device, the request will be leaked and never completed, causing tasks to hang indefinitely.
Reproduce:
1. prepare dm which has iscsi slave device
2. inject io-timeout-fail to dm
   echo 1 >/sys/class/block/dm-0/io-timeout-fail
   echo 100 >/sys/kernel/debug/fail_io_timeout/probability
   echo 10 >/sys/kernel/debug/fail_io_timeout/times
3. read/write dm
4. iscsiadm -m node -u
Result: hang task like below
[ 862.243768] INFO: task kworker/u514:2:151 blocked for more than 122 seconds.
[ 862.244133] Tainted: G E 6.19.0-rc1+ #51
[ 862.244337] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 862.244718] task:kworker/u514:2 state:D stack:0 pid:151 tgid:151 ppid:2 task_flags:0x4288060 flags:0x00080000
[ 862.245024] Workqueue: iscsi_ctrl_3:1 __iscsi_unbind_session [scsi_transport_iscsi]
[ 862.245264] Call Trace:
[ 862.245587] <TASK>
[ 862.245814] __schedule+0x810/0x15c0
[ 862.246557] schedule+0x69/0x180
[ 862.246760] blk_mq_freeze_queue_wait+0xde/0x120
[ 862.247688] elevator_change+0x16d/0x460
[ 862.247893] elevator_set_none+0x87/0xf0
[ 862.248798] blk_unregister_queue+0x12e/0x2a0
[ 862.248995] __del_gendisk+0x231/0x7e0
[ 862.250143] del_gendisk+0x12f/0x1d0
[ 862.250339] sd_remove+0x85/0x130 [sd_mod]
[ 862.250650] device_release_driver_internal+0x36d/0x530
[ 862.250849] bus_remove_device+0x1dd/0x3f0
[ 862.251042] device_del+0x38a/0x930
[ 862.252095] __scsi_remove_device+0x293/0x360
[ 862.252291] scsi_remove_target+0x486/0x760
[ 862.252654] __iscsi_unbind_session+0x18a/0x3e0 [scsi_transport_iscsi]
[ 862.252886] process_one_work+0x633/0xe50
[ 862.253101] worker_thread+0x6df/0xf10
[ 862.253647] kthread+0x36d/0x720
[ 862.254533] ret_from_fork+0x2a6/0x470
[ 862.255852] ret_from_fork_asm+0x1a/0x30
[ 862.256037] </TASK>
Remove the blk_should_fake_timeout() check from dm, as dm has no native timeout handling and should not attempt to fake timeouts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43314
CVE-2026-43315 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3()succeedingDrop the WARN in svm_set_nested_state() on nested_svm_load_cr3() failingas it is trivially easy to trigger from userspace by modifying CPUID afterloading CR3. E.g. modifying the state restoration selftest like so: --- tools/testing/selftests/kvm/x86/state_test.c +++ tools/testing/selftests/kvm/x86/state_test.c 
@@ -280,7 +280,16 @@ int main(int argc, char *argv[]) /* Restore state in a new VM. */ vcpu = vm_recreate_with_one_vcpu(vm); - vcpu_load_state(vcpu, state); + + if (stage == 4) { + state->sregs.cr3 = BIT(44); + vcpu_load_state(vcpu, state); + + vcpu_set_cpuid_property(vcpu,X86_PROPERTY_MAX_PHY_ADDR, 36); + __vcpu_nested_state_set(vcpu, &state->nested); + } else { + vcpu_load_state(vcpu, state); + } /* * Restore XSAVE state in a dummy vCPU, first withoutdoinggenerates: WARNING: CPU: 30 PID: 938 at arch/x86/kvm/svm/nested.c:1877svm_set_nested_state+0x34a/0x360 [kvm_amd] Modules linked in: kvm_amd kvm irqbypass [last unloaded: kvm] CPU: 30 UID: 1000 PID: 938 Comm: state_test Tainted: G W6.18.0-rc7-58e10b63777d-next-vm Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:svm_set_nested_state+0x34a/0x360 [kvm_amd] Call Trace: <TASK> kvm_arch_vcpu_ioctl+0xf33/0x1700 [kvm] kvm_vcpu_ioctl+0x4e6/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x61/0xad0 entry_SYSCALL_64_after_hwframe+0x4b/0x53Simply delete the WARN instead of trying to prevent userspace from shoving"illegal" state into CR3. For better or worse, KVM's ABI allows userspaceto set CPUID after SREGS, and vice versa, and KVM is very permissive whenit comes to guest CPUID. I.e. attempting to enforce the virtual CPU modelwhen setting CPUID could break userspace. Given that the WARN doesn'tprovide any meaningful protection for KVM or benefit for userspace, simplydrop it even though the odds of breaking userspace are minuscule.Opportunistically delete a spurious newline.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43315
CVE-2026-43316 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
media: solo6x10: Check for out of bounds chip_id
Clang with CONFIG_UBSAN_SHIFT=y noticed a condition where a signed type (literal "1" is an "int") could end up being shifted beyond 32 bits, so instrumentation was added (and due to the double is_tw286x() call seen via inlining), Clang decides the second one must now be undefined behavior and elides the rest of the function[1]. This is a known problem with Clang (that is still being worked on), but we can avoid the entire problem by actually checking the existing max chip ID, and now there is no runtime instrumentation added at all since everything is known to be within bounds.
Additionally use an unsigned value for the shift to remove the instrumentation even without the explicit bounds checking.
[hverkuil: fix checkpatch warning for is_tw286x]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43316
CVE-2026-43317 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
most: core: fix leak on early registration failure
A recent commit fixed a resource leak on early registration failures but for some reason left out the first error path which still leaks the resources associated with the interface.
Fix up also the first error path so that the interface is always released on errors.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43317
CVE-2026-43318 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify
Invalidating a dmabuf will impact other users of the shared BO. In the scenario where process A moves the BO, it needs to inform process B about the move and process B will need to update its page table.
The commit fixes a synchronisation bug caused by the use of the ticket: it made amdgpu_vm_handle_moved behave as if updating the page table immediately was correct but in this case it's not.
An example is the following scenario, with 2 GPUs and glxgears running on GPU0 and Xorg running on GPU1, on a system where P2P PCI isn't supported:
glxgears:
  export linear buffer from GPU0 and import using GPU1
  submit frame rendering to GPU0
  submit tiled->linear blit
Xorg:
  copy of linear buffer
The sequence of jobs would be:
  drm_sched_job_run # GPU0, frame rendering
  drm_sched_job_queue # GPU0, blit
  drm_sched_job_done # GPU0, frame rendering
  drm_sched_job_run # GPU0, blit
  move linear buffer for GPU1 access #
  amdgpu_dma_buf_move_notify -> update pt # GPU0
At this point the blit job on GPU0 is still running and would likely produce a page fault.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43318
CVE-2026-43319 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
spi: spidev: fix lock inversion between spi_lock and buf_lock
The spidev driver previously used two mutexes, spi_lock and buf_lock, but acquired them in different orders depending on the code path:
  write()/read(): buf_lock -> spi_lock
  ioctl(): spi_lock -> buf_lock
This AB-BA locking pattern triggers lockdep warnings and can cause real deadlocks:
  WARNING: possible circular locking dependency detected
  spidev_ioctl() -> mutex_lock(&spidev->buf_lock)
  spidev_sync_write() -> mutex_lock(&spidev->spi_lock)
  *** DEADLOCK ***
The issue is reproducible with a simple userspace program that performs write() and SPI_IOC_WR_MAX_SPEED_HZ ioctl() calls from separate threads on the same spidev file descriptor.
Fix this by simplifying the locking model and removing the lock inversion entirely. spidev_sync() no longer performs any locking, and all callers serialize access using spi_lock.
buf_lock is removed since its functionality is fully covered by spi_lock, eliminating the possibility of lock ordering issues.
This removes the lock inversion and prevents deadlocks without changing userspace ABI or behaviour.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43319
CVE-2026-43320 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix dsc eDP issue
[why]
Need to add function hook check before use
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43320
CVE-2026-43321 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
bpf: Properly mark live registers for indirect jumps
For a `gotox rX` instruction the rX register should be marked as used in the compute_insn_live_regs() function. Fix this.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43321
CVE-2026-43322 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:Bluetooth: hci_sync: Fix UAF in le_read_features_completeThis fixes the following backtrace caused by hci_conn being freedbefore le_read_features_complete but afterhci_le_read_remote_features_sync so hci_conn_del -> hci_cmd_sync_dequeueis not able to prevent it:==================================================================BUG: KASAN: slab-use-after-free in instrument_atomic_read_writeinclude/linux/instrumented.h:96 [inline]BUG: KASAN: slab-use-after-free in atomic_dec_and_testinclude/linux/atomic/atomic-instrumented.h:1383 [inline]BUG: KASAN: slab-use-after-free in hci_conn_dropinclude/net/bluetooth/hci_core.h:1688 [inline]BUG: KASAN: slab-use-after-free in le_read_features_complete+0x5b/0x340net/bluetooth/hci_sync.c:7344Write of size 4 at addr ffff8880796b0010 by task kworker/u9:0/52CPU: 0 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0PREEMPT(full)Hardware name: Google Google Compute Engine/Google Compute Engine, BIOSGoogle 10/25/2025Workqueue: hci0 hci_cmd_sync_workCall Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:194 [inline] kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383[inline] hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline] le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344 hci_cmd_sync_work+0x1ff/0x430 net/bluetooth/hci_sync.c:334 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 
arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK>Allocated by task 5932: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:400 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] __hci_conn_add+0xf8/0x1c70 net/bluetooth/hci_conn.c:963 hci_conn_add_unset+0x76/0x100 net/bluetooth/hci_conn.c:1084 le_conn_complete_evt+0x639/0x1f20 net/bluetooth/hci_event.c:5714 hci_le_enh_conn_complete_evt+0x23d/0x380 net/bluetooth/hci_event.c:5861 hci_le_meta_evt+0x357/0x5e0 net/bluetooth/hci_event.c:7408 hci_event_func net/bluetooth/hci_event.c:7716 [inline] hci_event_packet+0x685/0x11c0 net/bluetooth/hci_event.c:7773 hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246Freed by task 5932: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 __kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587 kasan_save_free_info mm/kasan/kasan.h:406 [inline] poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2540 [inline] slab_free mm/slub.c:6663 [inline] kfree+0x2f8/0x6e0 mm/slub.c:6871 device_release+0xa4/0x240 drivers/base/core.c:2565 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1e7/0x590 lib/kobject.---truncated---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43322
CVE-2026-43323 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
sched/fair: Fix zero_vruntime tracking fix
John reported that stress-ng-yield could make his machine unhappy and managed to bisect it to commit b3d99f43c72b ("sched/fair: Fix zero_vruntime tracking").
The combination of yield and that commit was specific enough to hypothesize the following scenario:
Suppose we have 2 runnable tasks, both doing yield. Then one will be eligible and one will not be, because the average position must be in between these two entities.
Therefore, the runnable task will be eligible, and be promoted a full slice (all the tasks do is yield after all). This causes it to jump over the other task and now the other task is eligible and current is no longer. So we schedule.
Since we are runnable, there is no {de,en}queue. All we have is the __{en,de}queue_entity() from {put_prev,set_next}_task(). But per the fingered commit, those two no longer move zero_vruntime.
All that moves zero_vruntime are tick and full {de,en}queue.
This means, that if the two tasks playing leapfrog can reach the critical speed to reach the overflow point inside one tick's worth of time, we're up a creek.
Additionally, when multiple cgroups are involved, there is no guarantee the tick will in fact hit every cgroup in a timely manner. Statistically speaking it will, but that same statistics does not rule out the possibility of one cgroup not getting a tick for a significant amount of time -- however unlikely.
Therefore, just like with the yield() case, force an update at the end of every slice. This ensures the update is never more than a single slice behind and the whole thing is within 2 lag bounds as per the comment on entity_key().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43323
CVE-2026-43324 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
USB: dummy-hcd: Fix interrupt synchronization error
This fixes an error in synchronization in the dummy-hcd driver. The error has a somewhat involved history. The synchronization mechanism was introduced by commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), which added an emulated "interrupts enabled" flag together with code emulating synchronize_irq() (it waits until all current handler callbacks have returned).
But the emulated interrupt-disable occurred too late, after the driver containing the handler callback routines had been told that it was unbound and no more callbacks would occur. Commit 4a5d797a9f9c ("usb: gadget: dummy_hcd: fix gpf in gadget_setup") tried to fix this by moving the synchronize_irq() emulation code from dummy_stop() to dummy_pullup(), which runs before the unbind callback.
There still were races, though, because the emulated interrupt-disable still occurred too late. It couldn't be moved to dummy_pullup(), because that routine can be called for reasons other than an impending unbind. Therefore commits 7dc0c55e9f30 ("USB: UDC core: Add udc_async_callbacks gadget op") and 04145a03db9d ("USB: UDC: Implement udc_async_callbacks in dummy-hcd") added an API allowing the UDC core to tell dummy-hcd exactly when emulated interrupts and their callbacks should be disabled.
That brings us to the current state of things, which is still wrong because the emulated synchronize_irq() occurs before the emulated interrupt-disable! That's no good, because it means that more emulated interrupts can occur after the synchronize_irq() emulation has run, leading to the possibility that a callback handler may be running when the gadget driver is unbound.
To fix this, we have to move the synchronize_irq() emulation code yet again, to the dummy_udc_async_callbacks() routine, which takes care of enabling and disabling emulated interrupt requests. The synchronization will now run immediately after emulated interrupts are disabled, which is where it belongs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43324
CVE-2026-43325 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mvm: don't send a 6E related command when not supported
MCC_ALLOWED_AP_TYPE_CMD is related to 6E support. Do not send it if the device doesn't support 6E.
Apparently, the firmware is mistakenly advertising support for this command even on AX201 which does not support 6E and then the firmware crashes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43325
CVE-2026-43326 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Fix SCX_KICK_WAIT deadlock by deferring wait to balance callback
SCX_KICK_WAIT busy-waits in kick_cpus_irq_workfn() using smp_cond_load_acquire() until the target CPU's kick_sync advances. Because the irq_work runs in hardirq context, the waiting CPU cannot reschedule and its own kick_sync never advances. If multiple CPUs form a wait cycle, all CPUs deadlock.
Replace the busy-wait in kick_cpus_irq_workfn() with resched_curr() to force the CPU through do_pick_task_scx(), which queues a balance callback to perform the wait. The balance callback drops the rq lock and enables IRQs following the sched_core_balance() pattern, so the CPU can process IPIs while waiting. The local CPU's kick_sync is advanced on entry to do_pick_task_scx() and continuously during the wait, ensuring any CPU that starts waiting for us sees the advancement and cannot form cyclic dependencies.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43326
CVE-2026-43327 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
USB: dummy-hcd: Fix locking/synchronization error
Syzbot testing was able to provoke an addressing exception and crash in the usb_gadget_udc_reset() routine in drivers/usb/gadgets/udc/core.c, resulting from the fact that the routine was called with a second ("driver") argument of NULL. The bad caller was set_link_state() in dummy_hcd.c, and the problem arose because of a race between a USB reset and driver unbind.
These sorts of races were not supposed to be possible; commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), along with a few followup commits, was written specifically to prevent them. As it turns out, there are (at least) two errors remaining in the code. Another patch will address the second error; this one is concerned with the first.
The error responsible for the syzbot crash occurred because the stop_activity() routine will sometimes drop and then re-acquire the dum->lock spinlock. A call to stop_activity() occurs in set_link_state() when handling an emulated USB reset, after the test of dum->ints_enabled and before the increment of dum->callback_usage. This allowed another thread (doing a driver unbind) to sneak in and grab the spinlock, and then clear dum->ints_enabled and dum->driver.
Normally this other thread would have to wait for dum->callback_usage to go down to 0 before it would clear dum->driver, but in this case it didn't have to wait since dum->callback_usage had not yet been incremented.
The fix is to increment dum->callback_usage _before_ calling stop_activity() instead of after. Then the thread doing the unbind will not clear dum->driver until after the call to usb_gadget_udc_reset() safely returns and dum->callback_usage has been decremented again.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43327
CVE-2026-43328 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path
When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls kobject_put(&dbs_data->attr_set.kobj).
The kobject release callback cpufreq_dbs_data_release() calls gov->exit(dbs_data) and kfree(dbs_data), but the current error path then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a double free.
Keep the direct kfree(dbs_data) for the gov->init() failure path, but after kobject_init_and_add() has been called, let kobject_put() handle the cleanup through cpufreq_dbs_data_release().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43328
CVE-2026-43329 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: flowtable: strictly check for maximum number of actions
The maximum number of flowtable hardware offload actions in IPv6 is:
* ethernet mangling (4 payload actions, 2 for each ethernet address)
* SNAT (4 payload actions)
* DNAT (4 payload actions)
* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing) for QinQ.
* Redirect (1 action)
Which makes 17, while the maximum is 16. But act_ct supports for tunnels actions too. Note that payload action operates at 32-bit word level, so mangling an IPv6 address takes 4 payload actions.
Update flow_action_entry_next() calls to check for the maximum number of supported actions.
While at it, raise the maximum number of actions per flow from 16 to 24 so this works fine with IPv6 setups.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43329
CVE-2026-43330 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
crypto: caam - fix overflow on long hmac keys
When a key longer than block size is supplied, it is copied and then hashed into the real key. The memory allocated for the copy needs to be rounded to DMA cache alignment, as otherwise the hashed key may corrupt neighbouring memory.
The copying is performed using kmemdup, however this leads to an overflow: reading more bytes (aligned_len - keylen) from the keylen source buffer. Fix this by replacing kmemdup with kmalloc, followed by memcpy.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43330
CVE-2026-43331 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
x86/kexec: Disable KCOV instrumentation after load_segments()
The load_segments() function changes segment registers, invalidating GS base (which KCOV relies on for per-cpu data). When CONFIG_KCOV is enabled, any subsequent instrumented C code call (e.g. native_gdt_invalidate()) begins crashing the kernel in an endless loop.
To reproduce the problem, it's sufficient to do kexec on a KCOV-instrumented kernel:
  $ kexec -l /boot/otherKernel
  $ kexec -e
The real-world context for this problem is enabling crash dump collection in syzkaller. For this, the tool loads a panic kernel before fuzzing and then calls makedumpfile after the panic. This workflow requires both CONFIG_KEXEC and CONFIG_KCOV to be enabled simultaneously.
Adding safeguards directly to the KCOV fast-path (__sanitizer_cov_trace_pc()) is also undesirable as it would introduce an extra performance overhead.
Disabling instrumentation for the individual functions would be too fragile, so disable KCOV instrumentation for the entire machine_kexec_64.c and physaddr.c. If coverage-guided fuzzing ever needs these components in the future, other approaches should be considered.
The problem is not relevant for 32 bit kernels as CONFIG_KCOV is not supported there.
[ bp: Space out comment for better readability. ]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43331
CVE-2026-43332 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
thermal: core: Fix thermal zone device registration error path
If thermal_zone_device_register_with_trips() fails after registering a thermal zone device, it needs to wait for the tz->removal completion like thermal_zone_device_unregister(), in case user space has managed to take a reference to the thermal zone device's kobject, in which case thermal_release() may not be called by the error path itself and tz may be freed prematurely.
Add the missing wait_for_completion() call to the thermal zone device registration error path.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43332
CVE-2026-43333 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
bpf: reject direct access to nullable PTR_TO_BUF pointers
check_mem_access() matches PTR_TO_BUF via base_type() which strips PTR_MAYBE_NULL, allowing direct dereference without a null check.
Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL. On stop callbacks these are NULL, causing a kernel NULL dereference.
Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the existing PTR_TO_BTF_ID pattern.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43333
CVE-2026-43334 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SMP: force responder MITM requirements before building the pairing response
smp_cmd_pairing_req() currently builds the pairing response from the initiator auth_req before enforcing the local BT_SECURITY_HIGH requirement. If the initiator omits SMP_AUTH_MITM, the response can also omit it even though the local side still requires MITM.
tk_request() then sees an auth value without SMP_AUTH_MITM and may select JUST_CFM, making method selection inconsistent with the pairing policy the responder already enforces.
When the local side requires HIGH security, first verify that MITM can be achieved from the IO capabilities and then force SMP_AUTH_MITM in the response in both rsp.auth_req and auth. This keeps the responder auth bits and later method selection aligned.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43334
CVE-2026-43335 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
interconnect: qcom: sm8450: Fix NULL pointer dereference in icc_link_nodes()
The change to dynamic IDs for SM8450 platform interconnects left two links unconverted, fix it to avoid the NULL pointer dereference in runtime, when a pointer to a destination interconnect is not valid:
  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
  <...>
  Call trace:
   icc_link_nodes+0x3c/0x100 (P)
   qcom_icc_rpmh_probe+0x1b4/0x528
   platform_probe+0x64/0xc0
   really_probe+0xc4/0x2a8
   __driver_probe_device+0x80/0x140
   driver_probe_device+0x48/0x170
   __device_attach_driver+0xc0/0x148
   bus_for_each_drv+0x88/0xf0
   __device_attach+0xb0/0x1c0
   device_initial_probe+0x58/0x68
   bus_probe_device+0x40/0xb8
   deferred_probe_work_func+0x90/0xd0
   process_one_work+0x15c/0x3c0
   worker_thread+0x2e8/0x400
   kthread+0x150/0x208
   ret_from_fork+0x10/0x20
  Code: 900310f4 911d6294 91008280 94176078 (f94002a0)
  ---[ end trace 0000000000000000 ]---
  Kernel panic - not syncing: Oops: Fatal exception
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43335
CVE-2026-43336 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
lib/crypto: chacha: Zeroize permuted_state before it leaves scope
Since the ChaCha permutation is invertible, the local variable 'permuted_state' is sufficient to compute the original 'state', and thus the key, even after the permutation has been done.
While the kernel is quite inconsistent about zeroizing secrets on the stack (and some prominent userspace crypto libraries don't bother at all since it's not guaranteed to work anyway), the kernel does try to do it as a best practice, especially in cases involving the RNG.
Thus, explicitly zeroize 'permuted_state' before it goes out of scope.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43336
CVE-2026-43337 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix NULL pointer dereference in dcn401_init_hw()
dcn401_init_hw() assumes that update_bw_bounding_box() is valid when entering the update path. However, the existing condition:
  ((!fams2_enable && update_bw_bounding_box) || freq_changed)
does not guarantee this, as the freq_changed branch can evaluate to true independently of the callback pointer.
This can result in calling update_bw_bounding_box() when it is NULL.
Fix this by separating the update condition from the pointer checks and ensuring the callback, dc->clk_mgr, and bw_params are validated before use.
Fixes the below:
../dc/hwss/dcn401/dcn401_hwseq.c:367 dcn401_init_hw() error: we previously assumed 'dc->res_pool->funcs->update_bw_bounding_box' could be null (see line 362)
(cherry picked from commit 86117c5ab42f21562fedb0a64bffea3ee5fcd477)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43337
CVE-2026-43338 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
btrfs: reserve enough transaction items for qgroup ioctls
Currently our qgroup ioctls don't reserve any space, they just do a transaction join, which does not reserve any space, neither for the quota tree updates nor for the delayed refs generated when updating the quota tree. The quota root uses the global block reserve, which is fine most of the time since we don't expect a lot of updates to the quota root, or to be too close to -ENOSPC such that other critical metadata updates need to resort to the global reserve.
However this is not optimal, as not reserving proper space may result in a transaction abort due to not reserving space for delayed refs and then abusing the use of the global block reserve.
For example, the following reproducer (which is unlikely to model any real world use case, but just to illustrate the problem), triggers such a transaction abort due to -ENOSPC when running delayed refs:
  $ cat test.sh
  #!/bin/bash
  DEV=/dev/nullb0
  MNT=/mnt/nullb0
  umount $DEV &> /dev/null
  # Limit device to 1G so that it's much faster to reproduce the issue.
  mkfs.btrfs -f -b 1G $DEV
  mount -o commit=600 $DEV $MNT
  fallocate -l 800M $MNT/filler
  btrfs quota enable $MNT
  for ((i = 1; i <= 400000; i++)); do
      btrfs qgroup create 1/$i $MNT
  done
  umount $MNT
When running this, we can see in dmesg/syslog that a transaction abort happened:
  [436.490] BTRFS error (device nullb0): failed to run delayed ref for logical 30408704 num_bytes 16384 type 176 action 1 ref_mod 1: -28
  [436.493] ------------[ cut here ]------------
  [436.494] BTRFS: Transaction aborted (error -28)
  [436.495] WARNING: fs/btrfs/extent-tree.c:2247 at btrfs_run_delayed_refs+0xd9/0x110 [btrfs], CPU#4: umount/2495372
  [436.497] Modules linked in: btrfs loop (...)
---truncated---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43338
CVE-2026-43339 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ipv6: prevent possible UaF in addrconf_permanent_addr()
The mentioned helper tries to warn the user about an exceptional condition, but the message is delivered too late, accessing the ipv6 after its possible deletion.
Reorder the statement to avoid the possible UaF; while at it, place the warning outside the idev->lock as it needs no protection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43339
CVE-2026-43340 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
comedi: Reinit dev->spinlock between attachments to low-level drivers
`struct comedi_device` is the main controlling structure for a COMEDI device created by the COMEDI subsystem. It contains a member `spinlock` containing a spin-lock that is initialized by the COMEDI subsystem, but is reserved for use by a low-level driver attached to the COMEDI device (at least since commit 25436dc9d84f ("Staging: comedi: remove RT code")).
Some COMEDI devices (those created on initialization of the COMEDI subsystem when the "comedi.comedi_num_legacy_minors" parameter is non-zero) can be attached to different low-level drivers over their lifetime using the `COMEDI_DEVCONFIG` ioctl command. This can result in inconsistent lock states being reported when there is a mismatch in the spin-lock locking levels used by each low-level driver to which the COMEDI device has been attached. Fix it by reinitializing `dev->spinlock` before calling the low-level driver's `attach` function pointer if `CONFIG_LOCKDEP` is enabled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43340
CVE-2026-43341 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/ipv6: ioam6: prevent schema length wraparound in trace fill
ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer.
Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43341
CVE-2026-43342 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_rndis: Protect RNDIS options with mutex
The class/subclass/protocol options are susceptible to race conditions as they can be accessed concurrently through configfs.
Use existing mutex to protect these options. This issue was identified during code inspection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43342
CVE-2026-43343 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_subset: Fix unbalanced refcnt in geth_free
geth_alloc() increments the reference count, but geth_free() fails to decrement it. This prevents the configuration of attributes via configfs after unlinking the function.
Decrement the reference count in geth_free() to ensure proper cleanup.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43343
CVE-2026-43344 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/intel/uncore: Fix die ID init and look up bugs
In snbep_pci2phy_map_init(), in the nr_node_ids > 8 path, uncore_device_to_die() may return -1 when all CPUs associated with the UBOX device are offline.
Remove the WARN_ON_ONCE(die_id == -1) check for two reasons:
- The current code breaks out of the loop. This is incorrect because pci_get_device() does not guarantee iteration in domain or bus order, so additional UBOX devices may be skipped during the scan.
- Returning -EINVAL is incorrect, since marking offline buses with die_id == -1 is expected and should not be treated as an error.
Separately, when NUMA is disabled on a NUMA-capable platform, pcibus_to_node() returns NUMA_NO_NODE, causing uncore_device_to_die() to return -1 for all PCI devices. As a result, spr_update_device_location(), used on Intel SPR and EMR, ignores the corresponding PMON units and does not add them to the RB tree.
Fix this by using uncore_pcibus_to_dieid(), which retrieves topology from the UBOX GIDNIDMAP register and works regardless of whether NUMA is enabled in Linux. This requires snbep_pci2phy_map_init() to be added in spr_uncore_pci_init().
Keep uncore_device_to_die() only for the nr_node_ids > 8 case, where NUMA is expected to be enabled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43344
CVE-2026-43345 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: ipa: fix event ring index not programmed for IPA v5.0+
For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to CH_C_CNTXT_1. The v5.0 register definition intended to define this field in the CH_C_CNTXT_1 fmask array but used the old identifier of ERINDEX instead of CH_ERINDEX.
Without a valid event ring, GSI channels could never signal transfer completions. This caused gsi_channel_trans_quiesce() to block forever in wait_for_completion().
At least for IPA v5.2 this resolves an issue seen where runtime suspend, system suspend, and remoteproc stop all hanged forever. It also meant the IPA data path was completely non functional.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43345
CVE-2026-43346 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ice: ptp: don't WARN when controlling PF is unavailable
In VFIO passthrough setups, it is possible to pass through only a PF which doesn't own the source timer. In that case the PTP controlling PF (adapter->ctrl_pf) is never initialized in the VM, so ice_get_ctrl_ptp() returns NULL and triggers WARN_ON() in ice_ptp_setup_pf().
Since this is an expected behavior in that configuration, replace WARN_ON() with an informational message and return -EOPNOTSUPP.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43346
CVE-2026-43347 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
arm64: dts: qcom: monaco: Reserve full Gunyah metadata region
We observe spurious "Synchronous External Abort" exceptions (ESR=0x96000010) and kernel crashes on Monaco-based platforms. These faults are caused by the kernel inadvertently accessing hypervisor-owned memory that is not properly marked as reserved.
From boot log, the Qualcomm hypervisor reports the memory range at 0x91a80000 of size 0x80000 (512 KiB) as hypervisor-owned:
  qhee_hyp_assign_remove_memory: 0x91a80000/0x80000 -> ret 0
However, the EFI memory map provided by firmware only reserves the subrange 0x91a40000–0x91a87fff (288 KiB). The remaining portion (0x91a88000–0x91afffff) is incorrectly reported as conventional memory (from efi debug):
  efi: 0x000091a40000-0x000091a87fff [Reserved...]
  efi: 0x000091a88000-0x0000938fffff [Conventional...]
As a result, the allocator may hand out PFNs inside the hypervisor owned region, causing fatal aborts when the kernel accesses those addresses.
Add a reserved-memory carveout for the Gunyah hypervisor metadata at 0x91a80000 (512 KiB) and mark it as no-map so Linux does not map or allocate from this area.
For the record:
Hyp version: gunyah-e78adb36e debug (2025-11-17 05:38:05 UTC)
UEFI Ver: 6.0.260122.BOOT.MXF.1.0.c1-00449-KODIAKLA-1
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43347
CVE-2026-43348 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER
When registering VTL0 memory via MSHV_ADD_VTL0_MEMORY, the kernel computes pgmap->vmemmap_shift as the number of trailing zeros in the OR of start_pfn and last_pfn, intending to use the largest compound page order both endpoints are aligned to.
However, this value is not clamped to MAX_FOLIO_ORDER, so a sufficiently aligned range (e.g. physical range [0x800000000000, 0x800080000000), corresponding to start_pfn=0x800000000 with 35 trailing zeros) can produce a shift larger than what memremap_pages() accepts, triggering a WARN and returning -EINVAL:
  WARNING: ... memremap_pages+0x512/0x650
  requested folio size unsupported
The MAX_FOLIO_ORDER check was added by commit 646b67d57589 ("mm/memremap: reject unreasonable folio/compound page sizes in memremap_pages()").
Fix this by clamping vmemmap_shift to MAX_FOLIO_ORDER so we always request the largest order the kernel supports, in those cases, rather than an out-of-range value.
Also fix the error path to propagate the actual error code from devm_memremap_pages() instead of hard-coding -EFAULT, which was masking the real -EINVAL return.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43348
CVE-2026-43349 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer
syzbot reported a f2fs bug as below:
BUG: KMSAN: uninit-value in f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520
 f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520
 f2fs_finish_read_bio+0xe1e/0x1d60 fs/f2fs/data.c:177
 f2fs_read_end_io+0x6ab/0x2220 fs/f2fs/data.c:-1
 bio_endio+0x1006/0x1160 block/bio.c:1792
 submit_bio_noacct+0x533/0x2960 block/blk-core.c:891
 submit_bio+0x57a/0x620 block/blk-core.c:926
 blk_crypto_submit_bio include/linux/blk-crypto.h:203 [inline]
 f2fs_submit_read_bio+0x12c/0x360 fs/f2fs/data.c:557
 f2fs_submit_page_bio+0xee2/0x1450 fs/f2fs/data.c:775
 read_node_folio+0x384/0x4b0 fs/f2fs/node.c:1481
 __get_node_folio+0x5db/0x15d0 fs/f2fs/node.c:1576
 f2fs_get_inode_folio+0x40/0x50 fs/f2fs/node.c:1623
 do_read_inode fs/f2fs/inode.c:425 [inline]
 f2fs_iget+0x1209/0x9380 fs/f2fs/inode.c:596
 f2fs_fill_super+0x8f5a/0xb2e0 fs/f2fs/super.c:5184
 get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
 get_tree_bdev+0x38/0x50 fs/super.c:1717
 f2fs_get_tree+0x35/0x40 fs/f2fs/super.c:5436
 vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]
 do_new_mount_fc fs/namespace.c:3763 [inline]
 do_new_mount+0x885/0x1dd0 fs/namespace.c:3839
 path_mount+0x7a2/0x20b0 fs/namespace.c:4159
 do_mount fs/namespace.c:4172 [inline]
 __do_sys_mount fs/namespace.c:4361 [inline]
 __se_sys_mount+0x704/0x7f0 fs/namespace.c:4338
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4338
 x64_sys_call+0x39f0/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
The root cause is: in f2fs_finish_read_bio(), we may access uninit data in folio if we failed to read the data from device into folio, let's add a check condition to avoid such issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43349
CVE-2026-43350 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
smb: client: require a full NFS mode SID before reading mode bits
parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS mode SID and reads sid.sub_auth[2] to recover the mode bits.
That assumes the ACE carries three subauthorities, but compare_sids() only compares min(a, b) subauthorities. A malicious server can return an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still matches sid_unix_NFS_mode and then drives the sub_auth[2] read four bytes past the end of the ACE.
Require num_subauth >= 3 before treating the ACE as an NFS mode SID. This keeps the fix local to the special-SID mode path without changing compare_sids() semantics for the rest of cifsacl.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 14:16:00 UTC
CVE-2026-43350
CVE-2026-43351 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Eagerly init vgic dist/redist on vgic creation
If vgic_allocate_private_irqs_locked() fails for any odd reason, we exit kvm_vgic_create() early, leaving dist->rd_regions uninitialised.
kvm_vgic_dist_destroy() then comes along and walks into the weeds trying to free the RDs. Got to love this stuff.
Solve it by moving all the static initialisation early, and make sure that if we fail halfway, we're in a reasonable shape to perform the rest of the teardown. While at it, reset the vgic model on failure, just in case...
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43351
CVE-2026-43352 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue
The logic used to abort the DMA ring contains several flaws:
 1. The driver unconditionally issues a ring abort even when the ring has already stopped.
 2. The completion used to wait for abort completion is never re-initialized, resulting in incorrect wait behavior.
 3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which resets hardware ring pointers and disrupts the controller state.
 4. If the ring is already stopped, the abort operation should be considered successful without attempting further action.
Fix the abort handling by checking whether the ring is running before issuing an abort, re-initializing the completion when needed, ensuring that RING_CTRL_ENABLE remains asserted during abort, and treating an already stopped ring as a successful condition.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43352
CVE-2026-43353 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
i3c: mipi-i3c-hci: Fix race in DMA ring dequeue
The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for multiple transfers that timeout around the same time. However, the function is not serialized and can race with itself.
When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes incomplete transfers, and then restarts the ring. If another timeout triggers a parallel call into the same function, the two instances may interfere with each other - stopping or restarting the ring at unexpected times.
Add a mutex so that hci_dma_dequeue_xfer() is serialized with respect to itself.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43353
CVE-2026-43354 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
iio: proximity: hx9023s: Protect against division by zero in set_samp_freq
Avoid division by zero when sampling frequency is unspecified.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43354
CVE-2026-43355 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
iio: light: bh1780: fix PM runtime leak on error path
Move pm_runtime_put_autosuspend() before the error check to ensure the PM runtime reference count is always decremented after pm_runtime_get_sync(), regardless of whether the read operation succeeds or fails.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43355
CVE-2026-43356 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
iio: imu: adis: Fix NULL pointer dereference in adis_init
The adis_init() function dereferences adis->ops to check if the individual function pointers (write, read, reset) are NULL, but does not first check if adis->ops itself is NULL.
Drivers like adis16480, adis16490, adis16545 and others do not set custom ops and rely on adis_init() assigning the defaults. Since struct adis is zero-initialized by devm_iio_device_alloc(), adis->ops is NULL when adis_init() is called, causing a NULL pointer dereference:
  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
  pc : adis_init+0xc0/0x118
  Call trace:
   adis_init+0xc0/0x118
   adis16480_probe+0xe0/0x670
Fix this by checking if adis->ops is NULL before dereferencing it, falling through to assign the default ops in that case.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43356
CVE-2026-43357 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
iio: gyro: mpu3050-core: fix pm_runtime error handling
The return value of pm_runtime_get_sync() is not checked, allowing the driver to access hardware that may fail to resume. The device usage count is also unconditionally incremented. Use pm_runtime_resume_and_get() which propagates errors and avoids incrementing the usage count on failure.
In preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate() failure since postdisable does not run when preenable fails.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43357
CVE-2026-43358 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer()
Call rcu_read_lock() before exiting the loop in try_release_subpage_extent_buffer() because there is a rcu_read_unlock() call past the loop.
This has been detected by the Clang thread-safety analyzer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43358
CVE-2026-43359 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix transaction abort on set received ioctl due to item overflow
If the set received ioctl fails due to an item overflow when attempting to add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction since we did some metadata updates before.
This means that if a user calls this ioctl with the same received UUID field for a lot of subvolumes, we will hit the overflow, trigger the transaction abort and turn the filesystem into RO mode. A malicious user could exploit this, and this ioctl does not even require that a user has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.
Fix this by doing an early check for item overflow before starting a transaction. This is also race safe because we are holding the subvol_sem semaphore in exclusive (write) mode.
A test case for fstests will follow soon.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43359
CVE-2026-43360 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix transaction abort on file creation due to name hash collision
If we attempt to create several files with names that result in the same hash, we have to pack them in same dir item and that has a limit inherent to the leaf size. However if we reach that limit, we trigger a transaction abort and turn the filesystem into RO mode. This allows for a malicious user to disrupt a system, without the need to have administration privileges/capabilities.
Reproducer:
  $ cat exploit-hash-collisions.sh
  #!/bin/bash
  DEV=/dev/sdi
  MNT=/mnt/sdi
  # Use smallest node size to make the test faster and require fewer file
  # names that result in hash collision.
  mkfs.btrfs -f --nodesize 4K $DEV
  mount $DEV $MNT
  # List of names that result in the same crc32c hash for btrfs.
  declare -a names=(
---truncated---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43360
CVE-2026-43361 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix transaction abort when snapshotting received subvolumes
Currently a user can trigger a transaction abort by snapshotting a previously received snapshot a bunch of times until we reach a BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we can store in a leaf). This is very likely not common in practice, but if it happens, it turns the filesystem into RO mode. The snapshot, send and set_received_subvol and subvol_setflags (used by receive) don't require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user could use this to turn a filesystem into RO mode and disrupt a system.
Reproducer script:
  $ cat test.sh
  #!/bin/bash
  DEV=/dev/sdi
  MNT=/mnt/sdi
  # Use smallest node size to make the test faster.
  mkfs.btrfs -f --nodesize 4K $DEV
  mount $DEV $MNT
  # Create a subvolume and set it to RO so that it can be used for send.
  btrfs subvolume create $MNT/sv
  touch $MNT/sv/foo
  btrfs property set $MNT/sv ro true
  # Send and receive the subvolume into snaps/sv.
  mkdir $MNT/snaps
  btrfs send $MNT/sv | btrfs receive $MNT/snaps
  # Now snapshot the received subvolume, which has a received_uuid, a
  # lot of times to trigger the leaf overflow.
  total=500
  for ((i = 1; i <= $total; i++)); do
      echo -ne "\rCreating snapshot $i/$total"
      btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i >/dev/null
  done
  echo
  umount $MNT
When running the test:
  $ ./test.sh
  (...)
  Create subvolume '/mnt/sdi/sv'
  At subvol /mnt/sdi/sv
  At subvol sv
  Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type
  Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system
  Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system
  Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system
  Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system
And in dmesg/syslog:
  $ dmesg
  (...)
  [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!
  [251067.629212] ------------[ cut here ]------------
  [251067.630033] BTRFS: Transaction aborted (error -75)
  [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235
  [251067.632851] Modules linked in: btrfs dm_zero (...)
  [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
  [251067.646165] Tainted: [W]=WARN
  [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
  [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]
  [251067.649984] Code: f0 48 0f (...)
  [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292
  [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3
  [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750
  [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820
  [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0
  [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5
  [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000
  [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0
  [251067.661972] Call Trace:
  [251067.662292] <TASK>
  [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs]
  [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs]
  [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]
  [251067.665238] ? _raw_spin_unlock+0x15/0x30
  [251067.665837] ? record_root_---truncated---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43361
CVE-2026-43362 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix in-place encryption corruption in SMB2_write()
SMB2_write() places write payload in iov[1..n] as part of rq_iov. smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message() encrypts iov[1] in-place, replacing the original plaintext with ciphertext. On a replayable error, the retry sends the same iov[1] which now contains ciphertext instead of the original data, resulting in corruption. The corruption is most likely to be observed when connections are unstable, as reconnects trigger write retries that re-send the already-encrypted data. This affects SFU mknod, MF symlinks, etc. On kernels before 6.10 (prior to the netfs conversion), sync writes also used this path and were similarly affected. The async write path wasn't unaffected as it uses rq_iter which gets deep-copied. Fix by moving the write payload into rq_iter via iov_iter_kvec(), so smb3_init_transform_rq() deep-copies it before encryption.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43362
CVE-2026-43363 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
x86/apic: Disable x2apic on resume if the kernel expects so
When resuming from s2ram, firmware may re-enable x2apic mode, which may have been disabled by the kernel during boot either because it doesn't support IRQ remapping or for other reasons. This causes the kernel to continue using the xapic interface, while the hardware is in x2apic mode, which causes hangs. This happens on defconfig + bare metal + s2ram. Fix this in lapic_resume() by disabling x2apic if the kernel expects it to be disabled, i.e. when x2apic_mode = 0.
The ACPI v6.6 spec, Section 16.3 [1] says firmware restores either the pre-sleep configuration or initial boot configuration for each CPU, including MSR state:
  When executing from the power-on reset vector as a result of waking from an S2 or S3 sleep state, the platform firmware performs only the hardware initialization required to restore the system to either the state the platform was in prior to the initial operating system boot, or to the pre-sleep configuration state. In multiprocessor systems, non-boot processors should be placed in the same state as prior to the initial operating system boot.
  (further ahead)
  If this is an S2 or S3 wake, then the platform runtime firmware restores minimum context of the system before jumping to the waking vector. This includes:
    CPU configuration. Platform runtime firmware restores the pre-sleep configuration or initial boot configuration of each CPU (MSR, MTRR, firmware update, SMBase, and so on). Interrupts must be disabled (for IA-32 processors, disabled by CLI instruction).
    (and other things)
So at least as per the spec, re-enablement of x2apic by the firmware is allowed if "x2apic on" is a part of the initial boot configuration.
[1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization
[ bp: Massage. ]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43363
CVE-2026-43364 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ublk: fix NULL pointer dereference in ublk_ctrl_set_size()
ublk_ctrl_set_size() unconditionally dereferences ub->ub_disk via set_capacity_and_notify() without checking if it is NULL. ub->ub_disk is NULL before UBLK_CMD_START_DEV completes (it is only assigned in ublk_ctrl_start_dev()) and after UBLK_CMD_STOP_DEV runs (ublk_detach_disk() sets it to NULL). Since the UBLK_CMD_UPDATE_SIZE handler performs no state validation, a user can trigger a NULL pointer dereference by sending UPDATE_SIZE to a device that has been added but not yet started, or one that has been stopped. Fix this by checking ub->ub_disk under ub->mutex before dereferencing it, and returning -ENODEV if the disk is not available.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43364
CVE-2026-43365 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xfs: fix undersized l_iclog_roundoff values
If the superblock doesn't list a log stripe unit, we set the incore log roundoff value to 512. This leads to corrupt logs and unmountable filesystems in generic/617 on a disk with 4k physical sectors...
  XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c
  XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197.
  XFS (sda1): failed to locate log tail
  XFS (sda1): log mount/recovery failed: error -74
  XFS (sda1): log mount failed
  XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c
  XFS (sda1): Ending clean mount
...on the current xfsprogs for-next which has a broken mkfs. xfs_info shows this...
  meta-data=/dev/sda1              isize=512    agcount=4, agsize=644992 blks
           =                       sectsz=4096  attr=2, projid32bit=1
           =                       crc=1        finobt=1, sparse=1, rmapbt=1
           =                       reflink=1    bigtime=1 inobtcount=1 nrext64=1
           =                       exchange=1   metadir=1
  data     =                       bsize=4096   blocks=2579968, imaxpct=25
           =                       sunit=0      swidth=0 blks
  naming   =version 2              bsize=4096   ascii-ci=0, ftype=1, parent=1
  log      =internal log           bsize=4096   blocks=16384, version=2
           =                       sectsz=4096  sunit=0 blks, lazy-count=1
  realtime =none                   extsz=4096   blocks=0, rtextents=0
           =                       rgcount=0    rgsize=268435456 extents
           =                       zoned=0      start=0 reserved=0
...observe that the log section has sectsz=4096 sunit=0, which means that the roundoff factor is 512, not 4096 as you'd expect. We should fix mkfs not to generate broken filesystems, but anyone can fuzz the ondisk superblock so we should be more cautious. I think the inadequate logic predates commit a6a65fef5ef8d0, but that's clearly going to require a different backport.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43365
CVE-2026-43366 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
io_uring/kbuf: check if target buffer list is still legacy on recycle
There's a gap between when the buffer was grabbed and when it potentially gets recycled, where if the list is empty, someone could've upgraded it to a ring provided type. This can happen if the request is forced via io-wq. The legacy recycling is missing checking if the buffer_list still exists, and if it's of the correct type. Add those checks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43366
CVE-2026-43368 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Fix potential overflow of shmem scatterlist length
When a scatterlists table of a GEM shmem object of size 4 GB or more is populated with pages allocated from a folio, unsigned int .length attribute of a scatterlist may get overflowed if total byte length of pages allocated to that single scatterlist happens to reach or cross the 4GB limit. As a consequence, users of the object may suffer from hitting unexpected, premature end of the object's backing pages.
  [278.780187] ------------[ cut here ]------------
  [278.780377] WARNING: CPU: 1 PID: 2326 at drivers/gpu/drm/i915/i915_mm.c:55 remap_sg+0x199/0x1d0 [i915]
  ...
  [278.780654] CPU: 1 UID: 0 PID: 2326 Comm: gem_mmap_offset Tainted: G S U 6.17.0-rc1-CI_DRM_16981-ged823aaa0607+ #1 PREEMPT(voluntary)
  [278.780656] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
  [278.780658] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024
  [278.780659] RIP: 0010:remap_sg+0x199/0x1d0 [i915]
  ...
  [278.780786] Call Trace:
  [278.780787] <TASK>
  [278.780788] ? __apply_to_page_range+0x3e6/0x910
  [278.780795] ? __pfx_remap_sg+0x10/0x10 [i915]
  [278.780906] apply_to_page_range+0x14/0x30
  [278.780908] remap_io_sg+0x14d/0x260 [i915]
  [278.781013] vm_fault_cpu+0xd2/0x330 [i915]
  [278.781137] __do_fault+0x3a/0x1b0
  [278.781140] do_fault+0x322/0x640
  [278.781143] __handle_mm_fault+0x938/0xfd0
  [278.781150] handle_mm_fault+0x12c/0x300
  [278.781152] ? lock_mm_and_find_vma+0x4b/0x760
  [278.781155] do_user_addr_fault+0x2d6/0x8e0
  [278.781160] exc_page_fault+0x96/0x2c0
  [278.781165] asm_exc_page_fault+0x27/0x30
  ...
That issue was apprehended by the author of a change that introduced it, and potential risk even annotated with a comment, but then never addressed. When adding folio pages to a scatterlist table, take care of byte length of any single scatterlist not exceeding max_segment.
(cherry picked from commit 06249b4e691a75694c014a61708c007fb5755f60)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43368
CVE-2026-43370 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix use-after-free race in VM acquire
Replace non-atomic vm->process_info assignment with cmpxchg() to prevent race when parent/child processes sharing a drm_file both try to acquire the same VM after fork().
(cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43370
CVE-2026-43372 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: microchip: Fix error path in PTP IRQ setup
If request_threaded_irq() fails during the PTP message IRQ setup, the newly created IRQ mapping is never disposed. Indeed, the ksz_ptp_irq_setup()'s error path only frees the mappings that were successfully set up. Dispose the newly created mapping if the associated request_threaded_irq() fails at setup.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43372
CVE-2026-43373 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: ncsi: fix skb leak in error paths
Early return paths in NCSI RX and AEN handlers fail to release the received skb, resulting in a memory leak. Specifically, ncsi_aen_handler() returns on invalid AEN packets without consuming the skb. Similarly, ncsi_rcv_rsp() exits early when failing to resolve the NCSI device, response handler, or request, leaving the skb unfreed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43373
CVE-2026-43374 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: nexthop: fix percpu use-after-free in remove_nh_grp_entry
When removing a nexthop from a group, remove_nh_grp_entry() publishes the new group via rcu_assign_pointer() then immediately frees the removed entry's percpu stats with free_percpu(). However, the synchronize_net() grace period in the caller remove_nexthop_from_groups() runs after the free. RCU readers that entered before the publish still see the old group and can dereference the freed stats via nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a use-after-free on percpu memory. Fix by deferring the free_percpu() until after synchronize_net() in the caller. Removed entries are chained via nh_list onto a local deferred free list. After the grace period completes and all RCU readers have finished, the percpu stats are safely freed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43374
CVE-2026-43375 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: mctp: fix device leak on probe failure
Driver core holds a reference to the USB interface and its parent USB device while the interface is bound to a driver and there is no need to take additional references unless the structures are needed after disconnect. This driver takes a reference to the USB device during probe but does not release it on probe failures. Drop the redundant device reference to fix the leak, reduce cargo culting, make it easier to spot drivers where an extra reference is needed, and reduce the risk of further memory leaks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43375
CVE-2026-43376 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free by using call_rcu() for oplock_info
ksmbd currently frees oplock_info immediately using kfree(), even though it is accessed under RCU read-side critical sections in places like opinfo_get() and proc_show_files(). Since there is no RCU grace period delay between nullifying the pointer and freeing the memory, a reader can still access oplock_info structure after it has been freed. This can lead to a use-after-free especially in opinfo_get() where atomic_inc_not_zero() is called on already freed memory. Fix this by switching to deferred freeing using call_rcu().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43376
CVE-2026-43377 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: Don't log keys in SMB3 signing and encryption key generation
When KSMBD_DEBUG_AUTH logging is enabled, generate_smb3signingkey() and generate_smb3encryptionkey() log the session, signing, encryption, and decryption key bytes. Remove the logs to avoid exposing credentials.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43377
CVE-2026-43378 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
smb: server: fix use-after-free in smb2_open()
The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is dereferenced after rcu_read_unlock(), creating a use-after-free window.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43378
CVE-2026-43379 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close()
opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is being accessed after rcu_read_unlock() has been called. This creates a race condition where the memory could be freed by a concurrent writer between the unlock and the subsequent pointer dereferences (opinfo->is_lease, etc.), leading to a use-after-free.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43379
CVE-2026-43380 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
The q54sj108a2_debugfs_read function suffers from a stack buffer overflow due to incorrect arguments passed to bin2hex(). The function currently passes 'data' as the destination and 'data_char' as the source. Because bin2hex() converts each input byte into two hex characters, a 32-byte block read results in 64 bytes of output. Since 'data' is only 34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end of the buffer onto the stack. Additionally, the arguments were swapped: it was reading from the zero-initialized 'data_char' and writing to 'data', resulting in all-zero output regardless of the actual I2C read.
Fix this by:
1. Expanding 'data_char' to 66 bytes to safely hold the hex output.
2. Correcting the bin2hex() argument order and using the actual read count.
3. Using a pointer to select the correct output buffer for the final simple_read_from_buffer call.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43380
CVE-2026-43381 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
If we have runtime suspended, and userspace wants to use /dev/drm_dp_* then just tell it the device is busy instead of crashing in the GSP code.
  WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]
  CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy)
  Hardware name: LENOVO 20QTS0PQ00/20QTS0PQ00, BIOS N2OET65W (1.52 ) 08/05/2024
  RIP: 0010:r535_gsp_msgq_wait+0x9a/0xb0 [nouveau]
This is a simple fix to get backported. We should probably engineer a proper power domain solution to wake up devices and keep them awake while fw updates are happening.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43381
CVE-2026-43382 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: Avoid double-rtnl_lock ELP metric worker
batadv_v_elp_get_throughput() might be called when the RTNL lock is already held. This could be problematic when the work queue item is cancelled via cancel_delayed_work_sync() in batadv_v_elp_iface_disable(). In this case, an rtnl_lock() would cause a deadlock. To avoid this, rtnl_trylock() was used in this function to skip the retrieval of the ethtool information in case the RTNL lock was already held. But for cfg80211 interfaces, batadv_get_real_netdev() was called - which also uses rtnl_lock(). The approach for __ethtool_get_link_ksettings() must also be used instead and the lockless version __batadv_get_real_netdev() has to be called.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43382
CVE-2026-43383 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/tcp-md5: Fix MAC comparison to be constant-time
To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43383
CVE-2026-43384 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/tcp-ao: Fix MAC comparison to be constant-time
To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43384
CVE-2026-43385 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: Fix rcu_tasks stall in threaded busypoll
I was debugging a NIC driver when I noticed that when I enable threaded busypoll, bpftrace hangs when starting up. dmesg showed:
  rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 10658 jiffies old.
  rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 40793 jiffies old.
  rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 131273 jiffies old.
  rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 402058 jiffies old.
  INFO: rcu_tasks detected stalls on tasks:
  00000000769f52cd: .N nvcsw: 2/2 holdout: 1 idle_cpu: -1/64
  task:napi/eth2-8265 state:R running task stack:0 pid:48300 tgid:48300 ppid:2 task_flags:0x208040 flags:0x00004000
  Call Trace:
  <TASK>
  ? napi_threaded_poll_loop+0x27c/0x2c0
  ? __pfx_napi_threaded_poll+0x10/0x10
  ? napi_threaded_poll+0x26/0x80
  ? kthread+0xfa/0x240
  ? __pfx_kthread+0x10/0x10
  ? ret_from_fork+0x31/0x50
  ? __pfx_kthread+0x10/0x10
  ? ret_from_fork_asm+0x1a/0x30
  </TASK>
The cause is that in threaded busypoll, the main loop is in napi_threaded_poll rather than napi_threaded_poll_loop, where the latter rarely iterates more than once within its loop. For rcu_softirq_qs_periodic inside napi_threaded_poll_loop to report its qs state, the last_qs must be 100ms behind, and this can't happen because napi_threaded_poll_loop rarely iterates in threaded busypoll, and each time napi_threaded_poll_loop is called last_qs is reset to latest jiffies. This patch changes so that in threaded busypoll, last_qs is saved in the outer napi_threaded_poll, and whether busy_poll_last_qs is NULL indicates whether napi_threaded_poll_loop is called for busypoll. This way last_qs would not reset to latest jiffies on each invocation of napi_threaded_poll_loop.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43385
CVE-2026-43386 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
The current code checks 'i + 5 < in_len' at the end of the if statement. However, it accesses 'in_ie[i + 5]' before that check, which can lead to an out-of-bounds read. Move the length check to the beginning of the conditional to ensure the index is within bounds before accessing the array.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43386
CVE-2026-43387 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
Just like in commit 154828bf9559 ("staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser"), we don't trust the data in the frame so we should check the length better before acting on it
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43387
CVE-2026-43388 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/core: clear walk_control on inactive context in damos_walk()
damos_walk() sets ctx->walk_control to the caller-provided control structure before checking whether the context is running. If the context is inactive (damon_is_running() returns false), the function returns -EINVAL without clearing ctx->walk_control. This leaves a dangling pointer to a stack-allocated structure that will be freed when the caller returns. This is structurally identical to the bug fixed in commit f9132fbc2e83 ("mm/damon/core: remove call_control in inactive contexts") for damon_call(), which had the same pattern of linking a control object and returning an error without unlinking it.
The dangling walk_control pointer can cause:
1. Use-after-free if the context is later started and kdamond dereferences ctx->walk_control (e.g., in damos_walk_cancel() which writes to control->canceled and calls complete())
2. Permanent -EBUSY from subsequent damos_walk() calls, since the stale pointer is non-NULL
Nonetheless, the real user impact is quite restrictive. The use-after-free is impossible because there are no damos_walk() callers who start the context later. The permanent -EBUSY can actually confuse users, as DAMON is not running. But the symptom is kept only while the context is turned off. Turning it on again will make DAMON internally use a newly generated damon_ctx object that doesn't have the invalid damos_walk_control pointer, so everything will work fine again. Fix this by clearing ctx->walk_control under walk_control_lock before returning -EINVAL, mirroring the fix pattern from f9132fbc2e83.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43388
CVE-2026-43389 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mm: memfd_luo: always dirty all folios
A dirty folio is one which has been written to. A clean folio is its opposite. Since a clean folio has no user data, it can be freed under memory pressure. memfd preservation with LUO saves the flag at preserve(). This is problematic. The folio might get dirtied later. Saving it at freeze() also doesn't work, since the dirty bit from PTE is normally synced at unmap and there might still be mappings of the file at freeze(). To see why this is a problem, say a folio is clean at preserve, but gets dirtied later. The serialized state of the folio will mark it as clean. After retrieve, the next kernel will see the folio as clean and might try to reclaim it under memory pressure. This will result in losing user data. Mark all folios of the file as dirty, and always set the MEMFD_LUO_FOLIO_DIRTY flag. This comes with the side effect of making all clean folios un-reclaimable. This is a cost that has to be paid for participants of live update. It is not expected to be a common use case to preserve a lot of clean folios anyway. Since the value of pfolio->flags is a constant now, drop the flags variable and set it directly.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43389
CVE-2026-43390 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
nstree: tighten permission checks for listing
Even privileged services should not necessarily be able to see other privileged service's namespaces so they can't leak information to each other. Use may_see_all_namespaces() helper that centralizes this policy until the nstree adapts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43390
CVE-2026-43391 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
nsfs: tighten permission checks for handle opening
Even privileged services should not necessarily be able to see other privileged service's namespaces so they can't leak information to each other. Use may_see_all_namespaces() helper that centralizes this policy until the nstree adapts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43391
CVE-2026-43392 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Fix starvation of scx_enable() under fair-class saturation
During scx_enable(), the READY -> ENABLED task switching loop changes the calling thread's sched_class from fair to ext. Since fair has higher priority than ext, saturating fair-class workloads can indefinitely starve the enable thread, hanging the system. This was introduced when the enable path switched from preempt_disable() to scx_bypass() which doesn't protect against fair-class starvation. Note that the original preempt_disable() protection wasn't complete either - in partial switch modes, the calling thread could still be starved after preempt_enable() as it may have been switched to ext class. Fix it by offloading the enable body to a dedicated system-wide RT (SCHED_FIFO) kthread which cannot be starved by either fair or ext class tasks. scx_enable() lazily creates the kthread on first use and passes the ops pointer through a struct scx_enable_cmd containing the kthread_work, then synchronously waits for completion. The workfn runs on a different kthread from sch->helper (which runs disable_work), so it can safely flush disable_work on the error path without deadlock.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43392
CVE-2026-43393 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies()
Fix a chunk map leak in btrfs_map_block(): if we return early with -EINVAL, we're not freeing the chunk map that we've just looked up.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43393
CVE-2026-43394 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit().
nfsd_nl_listener_set_doit() uses get_current_cred() without put_cred(). As we can see from other callers, svc_xprt_create_from_sa() does not require the extra refcount. nfsd_nl_listener_set_doit() is always in the process context, sendmsg(), and current->cred does not go away. Let's use current_cred() in nfsd_nl_listener_set_doit().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43394
CVE-2026-43395 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/sync: Cleanup partially initialized sync on parse failure
xe_sync_entry_parse() can allocate references (syncobj, fence, chain fence, or user fence) before hitting a later failure path. Several of those paths returned directly, leaving partially initialized state and leaking refs. Route these error paths through a common free_sync label and call xe_sync_entry_cleanup(sync) before returning the error.
(cherry picked from commit f939bdd9207a5d1fc55cced5459858480686ce22)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43395
CVE-2026-43396 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/sync: Fix user fence leak on alloc failure
When dma_fence_chain_alloc() fails, properly release the user fence reference to prevent a memory leak.
(cherry picked from commit a5d5634cde48a9fcd68c8504aa07f89f175074a0)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43396
CVE-2026-43397 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/bridge: samsung-dsim: Fix memory leak in error path
In samsung_dsim_host_attach(), drm_bridge_add() is called to add the bridge. However, if samsung_dsim_register_te_irq() or pdata->host_ops->attach() fails afterwards, the function returns without removing the bridge, causing a memory leak. Fix this by adding proper error handling with goto labels to ensure drm_bridge_remove() is called in all error paths. Also ensure that samsung_dsim_unregister_te_irq() is called if the attach operation fails after the TE IRQ has been registered. samsung_dsim_unregister_te_irq() function is moved without changes to be before samsung_dsim_host_attach() to avoid forward declaration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43397
CVE-2026-43398 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: add upper bound check on user inputs in wait ioctl
Huge input values in amdgpu_userq_wait_ioctl can lead to an OOM and could be exploited. So check these input value against AMDGPU_USERQ_MAX_HANDLES which is big enough value for genuine use cases and could potentially avoid OOM.
v2: squash in Srini's fix
(cherry picked from commit fcec012c664247531aed3e662f4280ff804d1476)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43398
CVE-2026-43399 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/userq: Fix reference leak in amdgpu_userq_wait_ioctl
Drop reference to syncobj and timeline fence when aborting the ioctl due to output array being too small.
(cherry picked from commit 68951e9c3e6bb22396bc42ef2359751c8315dd27)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43399
CVE-2026-43400 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: add upper bound check on user inputs in signal ioctl
Huge input values in amdgpu_userq_signal_ioctl can lead to an OOM and could be exploited.
So check these input values against AMDGPU_USERQ_MAX_HANDLES which is a big enough value for genuine use cases and could potentially avoid OOM.
(cherry picked from commit be267e15f99bc97cbe202cd556717797cdcf79a5)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43400
CVE-2026-43401 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request()
The update_cpu_qos_request() function attempts to initialize the 'freq' variable by dereferencing 'cpudata' before verifying if the 'policy' is valid.
This issue occurs on systems booted with the "nosmt" parameter, where all_cpu_data[cpu] is NULL for the SMT sibling threads. As a result, any call to update_qos_requests() will result in a NULL pointer dereference as the code will attempt to access pstate.turbo_freq using the NULL cpudata pointer.
Also, pstate.turbo_freq may be updated by intel_pstate_get_hwp_cap() after initializing the 'freq' variable, so it is better to defer the 'freq' until intel_pstate_get_hwp_cap() has been called.
Fix this by deferring the 'freq' assignment until after the policy and driver_data have been validated.
[ rjw: Added one paragraph to the changelog ]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43401
CVE-2026-43402 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
kthread: consolidate kthread exit paths to prevent use-after-free
Guillaume reported crashes via corrupted RCU callback function pointers during KUnit testing. The crash was traced back to the pidfs rhashtable conversion which replaced the 24-byte rb_node with an 8-byte rhash_head in struct pid, shrinking it from 160 to 144 bytes.
struct kthread (without CONFIG_BLK_CGROUP) is also 144 bytes. With CONFIG_SLAB_MERGE_DEFAULT and SLAB_HWCACHE_ALIGN both round up to 192 bytes and share the same slab cache. struct pid.rcu.func and struct kthread.affinity_node both sit at offset 0x78.
When a kthread exits via make_task_dead() it bypasses kthread_exit() and misses the affinity_node cleanup. free_kthread_struct() frees the memory while the node is still linked into the global kthread_affinity_list. A subsequent list_del() by another kthread writes through dangling list pointers into the freed and reused memory, corrupting the pid's rcu.func pointer.
Instead of patching free_kthread_struct() to handle the missed cleanup, consolidate all kthread exit paths. Turn kthread_exit() into a macro that calls do_exit() and add kthread_do_exit() which is called from do_exit() for any task with PF_KTHREAD set. This guarantees that kthread-specific cleanup always happens regardless of the exit path - make_task_dead(), direct do_exit(), or kthread_exit().
Replace __to_kthread() with a new tsk_is_kthread() accessor in the public header. Export do_exit() since module code using the kthread_exit() macro now needs it directly.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43402
CVE-2026-43403 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
nsfs: tighten permission checks for ns iteration ioctls
Even privileged services should not necessarily be able to see other privileged service's namespaces so they can't leak information to each other. Use may_see_all_namespaces() helper that centralizes this policy until the nstree adapts.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43403
CVE-2026-43404 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mm: Fix a hmm_range_fault() livelock / starvation problem
If hmm_range_fault() fails a folio_trylock() in do_swap_page, trying to acquire the lock of a device-private folio for migration, to ram, the function will spin until it succeeds grabbing the lock.
However, if the process holding the lock is depending on a work item to be completed, which is scheduled on the same CPU as the spinning hmm_range_fault(), that work item might be starved and we end up in a livelock / starvation situation which is never resolved.
This can happen, for example if the process holding the device-private folio lock is stuck in migrate_device_unmap()->lru_add_drain_all() since lru_add_drain_all() requires a short work-item to be run on all online cpus to complete.
A prerequisite for this to happen is:
a) Both zone device and system memory folios are considered in migrate_device_unmap(), so that there is a reason to call lru_add_drain_all() for a system memory folio while a folio lock is held on a zone device folio.
b) The zone device folio has an initial mapcount > 1 which causes at least one migration PTE entry insertion to be deferred to try_to_migrate(), which can happen after the call to lru_add_drain_all().
c) No or voluntary only preemption.
This all seems pretty unlikely to happen, but indeed is hit by the "xe_exec_system_allocator" igt test.
Resolve this by waiting for the folio to be unlocked if the folio_trylock() fails in do_swap_page().
Rename migration_entry_wait_on_locked() to softleaf_entry_wait_unlock() and update its documentation to indicate the new use-case.
Future code improvements might consider moving the lru_add_drain_all() call in migrate_device_unmap() to be called *after* all pages have migration entries inserted. That would eliminate also b) above.
v2:
- Instead of a cond_resched() in hmm_range_fault(), eliminate the problem by waiting for the folio to be unlocked in do_swap_page() (Alistair Popple, Andrew Morton)
v3:
- Add a stub migration_entry_wait_on_locked() for the !CONFIG_MIGRATION case. (Kernel Test Robot)
v4:
- Rename migrate_entry_wait_on_locked() to softleaf_entry_wait_on_locked() and update docs (Alistair Popple)
v5:
- Add a WARN_ON_ONCE() for the !CONFIG_MIGRATION version of softleaf_entry_wait_on_locked().
- Modify wording around function names in the commit message (Andrew Morton)
(cherry picked from commit a69d1ab971a624c6f112cea61536569d579c3215)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43404
CVE-2026-43405 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
libceph: Use u32 for non-negative values in ceph_monmap_decode()
This patch fixes unnecessary implicit conversions that change signedness of blob_len and num_mon in ceph_monmap_decode().
Currently blob_len and num_mon are (signed) int variables. They are used to hold values that are always non-negative and get assigned in ceph_decode_32_safe(), which is meant to assign u32 values. Both variables are subsequently used as unsigned values, and the value of num_mon is further assigned to monmap->num_mon, which is of type u32. Therefore, both variables should be of type u32. This is especially relevant for num_mon. If the value read from the incoming message is very large, it is interpreted as a negative value, and the check for num_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to allocate a very large chunk of memory for monmap, which will most likely fail. In this case, an unnecessary attempt to allocate memory is performed, and -ENOMEM is returned instead of -EINVAL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43405
CVE-2026-43406 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
libceph: prevent potential out-of-bounds reads in process_message_header()
If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header().
Perform an explicit bounds check before decoding the message header.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43406
CVE-2026-43407 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decrementing the pointer address by this value and subsequently accessing it because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation.
This patch fixes the issue by changing the data type of payload_len to u32. Additionally, the data type of result_msg_len is changed to u32, as it is also a variable holding a non-negative length.
Also, an additional layer of sanity checks is introduced, ensuring that directly after reading it from the message, payload_len and result_msg_len are not greater than the overall segment length.
BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph]
Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262
CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: ceph-msgr ceph_con_workfn [libceph]
Call Trace:
 <TASK>
 dump_stack_lvl+0x76/0xa0
 print_report+0xd1/0x620
 ? __pfx__raw_spin_lock_irqsave+0x10/0x10
 ? kasan_complete_mode_report_info+0x72/0x210
 kasan_report+0xe7/0x130
 ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
 ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
 __asan_report_load_n_noabort+0xf/0x20
 ceph_handle_auth_reply+0x642/0x7a0 [libceph]
 mon_dispatch+0x973/0x23d0 [libceph]
 ? apparmor_socket_recvmsg+0x6b/0xa0
 ? __pfx_mon_dispatch+0x10/0x10 [libceph]
 ? __kasan_check_write+0x14/0x30i
 ? mutex_unlock+0x7f/0xd0
 ? __pfx_mutex_unlock+0x10/0x10
 ? __pfx_do_recvmsg+0x10/0x10 [libceph]
 ceph_con_process_message+0x1f1/0x650 [libceph]
 process_message+0x1e/0x450 [libceph]
 ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]
 ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]
 ? save_fpregs_to_fpstate+0xb0/0x230
 ? raw_spin_rq_unlock+0x17/0xa0
 ? finish_task_switch.isra.0+0x13b/0x760
 ? __switch_to+0x385/0xda0
 ? __kasan_check_write+0x14/0x30
 ? mutex_lock+0x8d/0xe0
 ? __pfx_mutex_lock+0x10/0x10
 ceph_con_workfn+0x248/0x10c0 [libceph]
 process_one_work+0x629/0xf80
 ? __kasan_check_write+0x14/0x30
 worker_thread+0x87f/0x1570
 ? __pfx__raw_spin_lock_irqsave+0x10/0x10
 ? __pfx_try_to_wake_up+0x10/0x10
 ? kasan_print_address_stack_frame+0x1f7/0x280
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x396/0x830
 ? __pfx__raw_spin_lock_irq+0x10/0x10
 ? __pfx_kthread+0x10/0x10
 ? __kasan_check_write+0x14/0x30
 ? recalc_sigpending+0x180/0x210
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x3f7/0x610
 ? __pfx_ret_from_fork+0x10/0x10
 ? __switch_to+0x385/0xda0
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>
[ idryomov: replace if statements with ceph_decode_need() for payload_len and result_msg_len ]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43407
CVE-2026-43408 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ceph: add a bunch of missing ceph_path_info initializers
ceph_mdsc_build_path() must be called with a zero-initialized ceph_path_info parameter, or else the following ceph_mdsc_free_path_info() may crash.
Example crash (on Linux 6.18.12):
 virt_to_cache: Object is not a Slab page!
 WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6732 kmem_cache_free+0x316/0x400
 [...]
 Call Trace:
 [...]
 ceph_open+0x13d/0x3e0
 do_dentry_open+0x134/0x480
 vfs_open+0x2a/0xe0
 path_openat+0x9a3/0x1160
 [...]
 cache_from_obj: Wrong slab cache. names_cache but object is from ceph_inode_info
 WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6746 kmem_cache_free+0x2dd/0x400
 [...]
 kernel BUG at mm/slub.c:634!
 Oops: invalid opcode: 0000 [#1] SMP NOPTI
 RIP: 0010:__slab_free+0x1a4/0x350
Some of the ceph_mdsc_build_path() callers had initializers, but others had not, even though they were all added by commit 15f519e9f883 ("ceph: fix race condition validating r_parent before applying state"). The ones without initializer are susceptible to random crashes. (I can imagine it could even be possible to exploit this bug to elevate privileges.)
Unfortunately, these Ceph functions are undocumented and its semantics can only be derived from the code. I see that ceph_mdsc_build_path() initializes the structure only on success, but not on error.
Calling ceph_mdsc_free_path_info() after a failed ceph_mdsc_build_path() call does not even make sense, but that's what all callers do, and for it to be safe, the structure must be zero-initialized. The least intrusive approach to fix this is therefore to add initializers everywhere.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43408
CVE-2026-43409 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
kprobes: avoid crash when rmmod/insmod after ftrace killed
After we hit ftrace is killed by some errors, the kernel crashes if we remove modules in which kprobe probes.
BUG: unable to handle page fault for address: fffffbfff805000d
PGD 817fcc067 P4D 817fcc067 PUD 817fc8067 PMD 101555067 PTE 0
Oops: Oops: 0000 [#1] SMP KASAN PTI
CPU: 4 UID: 0 PID: 2012 Comm: rmmod Tainted: G W OE
Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
RIP: 0010:kprobes_module_callback+0x89/0x790
RSP: 0018:ffff88812e157d30 EFLAGS: 00010a02
RAX: 1ffffffff805000d RBX: dffffc0000000000 RCX: ffffffff86a8de90
RDX: ffffed1025c2af9b RSI: 0000000000000008 RDI: ffffffffc0280068
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed1025c2af9a
R10: ffff88812e157cd7 R11: 205d323130325420 R12: 0000000000000002
R13: ffffffffc0290488 R14: 0000000000000002 R15: ffffffffc0280040
FS: 00007fbc450dd740(0000) GS:ffff888420331000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff805000d CR3: 000000010f624000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 notifier_call_chain+0xc6/0x280
 blocking_notifier_call_chain+0x60/0x90
 __do_sys_delete_module.constprop.0+0x32a/0x4e0
 do_syscall_64+0x5d/0xfa0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
This is because the kprobe on ftrace does not correctly handle the kprobe_ftrace_disabled flag set by ftrace_kill().
To prevent this error, check kprobe_ftrace_disabled in __disarm_kprobe_ftrace() and skip all ftrace related operations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43409
CVE-2026-43410 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled
When the Remote System Update (RSU) isn't enabled in the First Stage Boot Loader (FSBL), the driver encounters a NULL pointer dereference when executing svc_normal_to_secure_thread() thread, resulting in a kernel panic:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
Mem abort info:
...
Data abort info:
...
[0000000000000008] user address but active_mm is swapper
Internal error: Oops: 0000000096000004 [#1] SMP
Modules linked in:
CPU: 0 UID: 0 PID: 79 Comm: svc_smc_hvc_thr Not tainted 6.19.0-rc8-yocto-standard+ #59 PREEMPT
Hardware name: SoCFPGA Stratix 10 SoCDK (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : svc_normal_to_secure_thread+0x38c/0x990
lr : svc_normal_to_secure_thread+0x144/0x990
...
Call trace:
 svc_normal_to_secure_thread+0x38c/0x990 (P)
 kthread+0x150/0x210
 ret_from_fork+0x10/0x20
Code: 97cfc113 f9400260 aa1403e1 f9400400 (f9400402)
---[ end trace 0000000000000000 ]---
The issue occurs because rsu_send_async_msg() fails when RSU is not enabled in firmware, causing the channel to be freed via stratix10_svc_free_channel().
However, the probe function continues execution and registers svc_normal_to_secure_thread(), which subsequently attempts to access the already-freed channel, triggering the NULL pointer dereference.
Fix this by properly cleaning up the async client and returning early on failure, preventing the thread from being used with an invalid channel.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43410
CVE-2026-43411 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
tipc: fix divide-by-zero in tipc_sk_filter_connect()
A user can set conn_timeout to any value via setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in tipc_sk_filter_connect() executes:
    delay %= (tsk->conn_timeout / 4);
If conn_timeout is in the range [0, 3], the integer division yields 0, and the modulo operation triggers a divide-by-zero exception, causing a kernel oops/panic.
Fix this by clamping conn_timeout to a minimum of 4 at the point of use in tipc_sk_filter_connect().
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+
RIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362)
Call Trace:
 tipc_sk_backlog_rcv (include/linux/instrumented.h:82 include/linux/atomic/atomic-instrumented.h:32 include/net/sock.h:2357 net/tipc/socket.c:2406)
 __release_sock (include/net/sock.h:1185 net/core/sock.c:3213)
 release_sock (net/core/sock.c:3797)
 tipc_connect (net/tipc/socket.c:2570)
 __sys_connect (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:2098)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43411
CVE-2026-43412 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start
During ADSP stop and start, the kernel crashes due to the order in which ASoC components are removed.
On ADSP stop, the q6apm-audio .remove callback unloads topology and removes PCM runtimes during ASoC teardown. This deletes the RTDs that contain the q6apm DAI components before their removal pass runs, leaving those components still linked to the card and causing crashes on the next rebind.
Fix this by ensuring that all dependent (child) components are removed first, and the q6apm component is removed last.
[ 48.105720] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0
[ 48.114763] Mem abort info:
[ 48.117650] ESR = 0x0000000096000004
[ 48.121526] EC = 0x25: DABT (current EL), IL = 32 bits
[ 48.127010] SET = 0, FnV = 0
[ 48.130172] EA = 0, S1PTW = 0
[ 48.133415] FSC = 0x04: level 0 translation fault
[ 48.138446] Data abort info:
[ 48.141422] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 48.147079] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 48.152354] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 48.157859] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001173cf000
[ 48.164517] [00000000000000d0] pgd=0000000000000000, p4d=0000000000000000
[ 48.171530] Internal error: Oops: 0000000096000004 [#1] SMP
[ 48.177348] Modules linked in: q6prm_clocks q6apm_lpass_dais q6apm_dais snd_q6dsp_common q6prm snd_q6apm 8021q garp mrp stp llc snd_soc_hdmi_codec apr pdr_interface phy_qcom_edp fastrpc qcom_pd_mapper rpmsg_ctrl qrtr_smd rpmsg_char qcom_pdr_msg qcom_iris v4l2_mem2mem videobuf2_dma_contig ath11k_pci msm ubwc_config at24 ath11k videobuf2_memops mac80211 ocmem videobuf2_v4l2 libarc4 drm_gpuvm mhi qrtr videodev drm_exec snd_soc_sc8280xp gpu_sched videobuf2_common nvmem_qcom_spmi_sdam snd_soc_qcom_sdw drm_dp_aux_bus qcom_q6v5_pas qcom_spmi_temp_alarm snd_soc_qcom_common rtc_pm8xxx qcom_pon drm_display_helper cec qcom_pil_info qcom_stats soundwire_bus drm_client_lib mc dispcc0_sa8775p videocc_sa8775p qcom_q6v5 camcc_sa8775p snd_soc_dmic phy_qcom_sgmii_eth snd_soc_max98357a i2c_qcom_geni snd_soc_core dwmac_qcom_ethqos llcc_qcom icc_bwmon qcom_sysmon snd_compress qcom_refgen_regulator coresight_stm stmmac_platform snd_pcm_dmaengine qcom_common coresight_tmc stmmac coresight_replicator qcom_glink_smem coresight_cti stm_core
[ 48.177444] coresight_funnel snd_pcm ufs_qcom phy_qcom_qmp_usb gpi phy_qcom_snps_femto_v2 coresight phy_qcom_qmp_ufs qcom_wdt gpucc_sa8775p pcs_xpcs mdt_loader qcom_ice icc_osm_l3 qmi_helpers snd_timer snd soundcore display_connector qcom_rng nvmem_reboot_mode drm_kms_helper phy_qcom_qmp_pcie sha256 cfg80211 rfkill socinfo fuse drm backlight ipv6
[ 48.301059] CPU: 2 UID: 0 PID: 293 Comm: kworker/u32:2 Not tainted 6.19.0-rc6-dirty #10 PREEMPT
[ 48.310081] Hardware name: Qualcomm Technologies, Inc. Lemans EVK (DT)
[ 48.316782] Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]
[ 48.323672] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 48.330825] pc : mutex_lock+0xc/0x54
[ 48.334514] lr : soc_dapm_shutdown_dapm+0x44/0x174 [snd_soc_core]
[ 48.340794] sp : ffff800084ddb7b0
[ 48.344207] x29: ffff800084ddb7b0 x28: ffff00009cd9cf30 x27: ffff00009cd9cc00
[ 48.351544] x26: ffff000099610190 x25: ffffa31d2f19c810 x24: ffffa31d2f185098
[ 48.358869] x23: ffff800084ddb7f8 x22: 0000000000000000 x21: 00000000000000d0
[ 48.366198] x20: ffff00009ba6c338 x19: ffff00009ba6c338 x18: 00000000ffffffff
[ 48.373528] x17: 000000040044ffff x16: ffffa31d4ae6dca8 x15: 072007740775076f
[ 48.380853] x14: 0765076d07690774 x13: 00313a323a656369 x12: 767265733a637673
[ 48.388182] x11: 00000000000003f9 x10: ffffa31d4c7dea98 x9 : 0000000000000001
[ 48.395519] x8 : ffff00009a2aadc0 x7 : 0000000000000003 x6 : 0000000000000000
[ 48.402854] x5 : 0000000000000---truncated---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43412
CVE-2026-43413 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
scsi: hisi_sas: Fix NULL pointer exception during user_scan()
user_scan() invokes updated sas_user_scan() for channel 0, and if successful, iteratively scans remaining channels (1 to shost->max_channel) via scsi_scan_host_selected() in commit 37c4e72b0651 ("scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans"). However, hisi_sas supports only one channel, and the current value of max_channel is 1. sas_user_scan() for channel 1 will trigger the following NULL pointer exception:
[ 441.554662] Unable to handle kernel NULL pointer dereference at virtual address 00000000000008b0
[ 441.554699] Mem abort info:
[ 441.554710] ESR = 0x0000000096000004
[ 441.554718] EC = 0x25: DABT (current EL), IL = 32 bits
[ 441.554723] SET = 0, FnV = 0
[ 441.554726] EA = 0, S1PTW = 0
[ 441.554730] FSC = 0x04: level 0 translation fault
[ 441.554735] Data abort info:
[ 441.554737] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 441.554742] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 441.554747] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 441.554752] user pgtable: 4k pages, 48-bit VAs, pgdp=00000828377a6000
[ 441.554757] [00000000000008b0] pgd=0000000000000000, p4d=0000000000000000
[ 441.554769] Internal error: Oops: 0000000096000004 [#1] SMP
[ 441.629589] Modules linked in: arm_spe_pmu arm_smmuv3_pmu tpm_tis_spi hisi_uncore_sllc_pmu hisi_uncore_pa_pmu hisi_uncore_l3c_pmu hisi_uncore_hha_pmu hisi_uncore_ddrc_pmu hisi_uncore_cpa_pmu hns3_pmu hisi_ptt hisi_pcie_pmu tpm_tis_core spidev spi_hisi_sfc_v3xx hisi_uncore_pmu spi_dw_mmio fuse hclge hclge_common hisi_sec2 hisi_hpre hisi_zip hisi_qm hns3 hisi_sas_v3_hw sm3_ce sbsa_gwdt hnae3 hisi_sas_main uacce hisi_dma i2c_hisi dm_mirror dm_region_hash dm_log dm_mod
[ 441.670819] CPU: 46 UID: 0 PID: 6994 Comm: bash Kdump: loaded Not tainted 7.0.0-rc2+ #84 PREEMPT
[ 441.691327] pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 441.698277] pc : sas_find_dev_by_rphy+0x44/0x118
[ 441.702896] lr : sas_find_dev_by_rphy+0x3c/0x118
[ 441.707502] sp : ffff80009abbba40
[ 441.710805] x29: ffff80009abbba40 x28: ffff082819a40008 x27: ffff082810c37c08
[ 441.717930] x26: ffff082810c37c28 x25: ffff082819a40290 x24: ffff082810c37c00
[ 441.725054] x23: 0000000000000000 x22: 0000000000000001 x21: ffff082819a40000
[ 441.732179] x20: ffff082819a40290 x19: 0000000000000000 x18: 0000000000000020
[ 441.739304] x17: 0000000000000000 x16: ffffb5dad6bda690 x15: 00000000ffffffff
[ 441.746428] x14: ffff082814c3b26c x13: 00000000ffffffff x12: ffff082814c3b26a
[ 441.753553] x11: 00000000000000c0 x10: 000000000000003a x9 : ffffb5dad5ea94f4
[ 441.760678] x8 : 000000000000003a x7 : ffff80009abbbab0 x6 : 0000000000000030
[ 441.767802] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[ 441.774926] x2 : ffff08280f35a300 x1 : ffffb5dad7127180 x0 : 0000000000000000
[ 441.782053] Call trace:
[ 441.784488] sas_find_dev_by_rphy+0x44/0x118 (P)
[ 441.789095] sas_target_alloc+0x24/0xb0
[ 441.792920] scsi_alloc_target+0x290/0x330
[ 441.797010] __scsi_scan_target+0x88/0x258
[ 441.801096] scsi_scan_channel+0x74/0xb8
[ 441.805008] scsi_scan_host_selected+0x170/0x188
[ 441.809615] sas_user_scan+0xfc/0x148
[ 441.813267] store_scan+0x10c/0x180
[ 441.816743] dev_attr_store+0x20/0x40
[ 441.820398] sysfs_kf_write+0x84/0xa8
[ 441.824054] kernfs_fop_write_iter+0x130/0x1c8
[ 441.828487] vfs_write+0x2c0/0x370
[ 441.831880] ksys_write+0x74/0x118
[ 441.835271] __arm64_sys_write+0x24/0x38
[ 441.839182] invoke_syscall+0x50/0x120
[ 441.842919] el0_svc_common.constprop.0+0xc8/0xf0
[ 441.847611] do_el0_svc+0x24/0x38
[ 441.850913] el0_svc+0x38/0x158
[ 441.854043] el0t_64_sync_handler+0xa0/0xe8
[ 441.858214] el0t_64_sync+0x1ac/0x1b0
[ 441.861865] Code: aa1303e0 97ff70a8 34ffff80 d10a4273 (f9445a75)
[ 441.867946] ---[ end trace 0000000000000000 ]---
Therefore---truncated---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43413
CVE-2026-43414 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Completely fix fcport double free
In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference.
qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43414
CVE-2026-43415 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend
In __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel the UFS RTC work, but it is placed after ufshcd_vops_suspend(hba, pm_op, POST_CHANGE). This creates a race condition where ufshcd_rtc_work() can still be running while ufshcd_vops_suspend() is executing. When UFSHCD_CAP_CLK_GATING is not supported, the condition !hba->clk_gating.active_reqs is always true, causing ufshcd_update_rtc() to be executed. Since ufshcd_vops_suspend() typically performs clock gating operations, executing ufshcd_update_rtc() at that moment triggers an SError. The kernel panic trace is as follows:
Kernel panic - not syncing: Asynchronous SError Interrupt
Call trace:
 dump_backtrace+0xec/0x128
 show_stack+0x18/0x28
 dump_stack_lvl+0x40/0xa0
 dump_stack+0x18/0x24
 panic+0x148/0x374
 nmi_panic+0x3c/0x8c
 arm64_serror_panic+0x64/0x8c
 do_serror+0xc4/0xc8
 el1h_64_error_handler+0x34/0x4c
 el1h_64_error+0x68/0x6c
 el1_interrupt+0x20/0x58
 el1h_64_irq_handler+0x18/0x24
 el1h_64_irq+0x68/0x6c
 ktime_get+0xc4/0x12c
 ufshcd_mcq_sq_stop+0x4c/0xec
 ufshcd_mcq_sq_cleanup+0x64/0x1dc
 ufshcd_clear_cmd+0x38/0x134
 ufshcd_issue_dev_cmd+0x298/0x4d0
 ufshcd_exec_dev_cmd+0x1a4/0x1c4
 ufshcd_query_attr+0xbc/0x19c
 ufshcd_rtc_work+0x10c/0x1c8
 process_scheduled_works+0x1c4/0x45c
 worker_thread+0x32c/0x3e8
 kthread+0x120/0x1d8
 ret_from_fork+0x10/0x20
Fix this by moving cancel_delayed_work_sync() before the call to ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE), ensuring the UFS RTC work is fully completed or cancelled at that point.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43415
CVE-2026-43416 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
powerpc, perf: Check that current->mm is alive before getting user callchain
It may happen that mm is already released, which leads to kernel panic. This adds the NULL check for current->mm, similarly to commit 20afc60f892d ("x86, perf: Check that current->mm is alive before getting user callchain").
I was getting this panic when running a profiling BPF program (profile.py from bcc-tools):
 [26215.051935] Kernel attempted to read user page (588) - exploit attempt? (uid: 0)
 [26215.051950] BUG: Kernel NULL pointer dereference on read at 0x00000588
 [26215.051952] Faulting instruction address: 0xc00000000020fac0
 [26215.051957] Oops: Kernel access of bad area, sig: 11 [#1]
 [...]
 [26215.052049] Call Trace:
 [26215.052050] [c000000061da6d30] [c00000000020fc10] perf_callchain_user_64+0x2d0/0x490 (unreliable)
 [26215.052054] [c000000061da6dc0] [c00000000020f92c] perf_callchain_user+0x1c/0x30
 [26215.052057] [c000000061da6de0] [c0000000005ab2a0] get_perf_callchain+0x100/0x360
 [26215.052063] [c000000061da6e70] [c000000000573bc8] bpf_get_stackid+0x88/0xf0
 [26215.052067] [c000000061da6ea0] [c008000000042258] bpf_prog_16d4ab9ab662f669_do_perf_event+0xf8/0x274
 [...]
In addition, move storing the top-level stack entry to generic perf_callchain_user to make sure the top-level entry is always captured, even if current->mm is NULL.
[Maddy: fixed message to avoid checkpatch format style error]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43416
CVE-2026-43417 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
sched/mmcid: Handle vfork()/CLONE_VM correctly
Matthieu and Jiri reported stalls where a task endlessly loops in mm_get_cid() when scheduling in.
It turned out that the logic which handles vfork()'ed tasks is broken. It is invoked when the number of tasks associated to a process is smaller than the number of MMCID users. It then walks the task list to find the vfork()'ed task, but accounts all the already processed tasks as well.
If that double processing brings the number of to be handled tasks to 0, the walk stops and the vfork()'ed task's CID is not fixed up. As a consequence a subsequent schedule in fails to acquire a (transitional) CID and the machine stalls.
Cure this by removing the accounting condition and make the fixup always walk the full task list if it could not find the exact number of users in the process' thread list.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43417
CVE-2026-43418 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
sched/mmcid: Prevent CID stalls due to concurrent forks
A newly forked task is accounted as MMCID user before the task is visible in the process' thread list and the global task list. This creates the following problem:
 CPU1                                   CPU2
 fork()
   sched_mm_cid_fork(tnew1)
     tnew1->mm.mm_cid_users++;
     tnew1->mm_cid.cid = getcid()
 -> preemption
                                        fork()
                                          sched_mm_cid_fork(tnew2)
                                            tnew2->mm.mm_cid_users++;
                                            // Reaches the per CPU threshold
                                            mm_cid_fixup_tasks_to_cpus()
                                            for_each_other(current, p)
                                                 ....
As tnew1 is not visible yet, this fails to fix up the already allocated CID of tnew1. As a consequence a subsequent schedule in might fail to acquire a (transitional) CID and the machine stalls.
Move the invocation of sched_mm_cid_fork() after the new task becomes visible in the thread and the task list to prevent this.
This also makes it symmetrical vs. exit() where the task is removed as CID user before the task is removed from the thread and task lists.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43418
CVE-2026-43419 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix memory leaks in ceph_mdsc_build_path()
Add __putname() calls to error code paths that did not free the "path" pointer obtained by __getname(). If ownership of this pointer is not passed to the caller via path_info.path, the function must free it before returning.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43419
CVE-2026-43420 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix i_nlink underrun during async unlink
During async unlink, we drop the `i_nlink` counter before we receive the completion (that will eventually update the `i_nlink`) because "we assume that the unlink will succeed". That is not a bad idea, but it races against deletions by other clients (or against the completion of our own unlink) and can lead to an underrun which emits a WARNING like this one:
  WARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68
  Modules linked in:
  CPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655
  Hardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023
  pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : drop_nlink+0x50/0x68
  lr : ceph_unlink+0x6c4/0x720
  sp : ffff80012173bc90
  x29: ffff80012173bc90 x28: ffff086d0a45aaf8 x27: ffff0871d0eb5680
  x26: ffff087f2a64a718 x25: 0000020000000180 x24: 0000000061c88647
  x23: 0000000000000002 x22: ffff07ff9236d800 x21: 0000000000001203
  x20: ffff07ff9237b000 x19: ffff088b8296afc0 x18: 00000000f3c93365
  x17: 0000000000070000 x16: ffff08faffcbdfe8 x15: ffff08faffcbdfec
  x14: 0000000000000000 x13: 45445f65645f3037 x12: 34385f6369706f74
  x11: 0000a2653104bb20 x10: ffffd85f26d73290 x9 : ffffd85f25664f94
  x8 : 00000000000000c0 x7 : 0000000000000000 x6 : 0000000000000002
  x5 : 0000000000000081 x4 : 0000000000000481 x3 : 0000000000000000
  x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff08727d3f91e8
  Call trace:
   drop_nlink+0x50/0x68 (P)
   vfs_unlink+0xb0/0x2e8
   do_unlinkat+0x204/0x288
   __arm64_sys_unlinkat+0x3c/0x80
   invoke_syscall.constprop.0+0x54/0xe8
   do_el0_svc+0xa4/0xc8
   el0_svc+0x18/0x58
   el0t_64_sync_handler+0x104/0x130
   el0t_64_sync+0x154/0x158
In ceph_unlink(), a call to ceph_mdsc_submit_request() submits the CEPH_MDS_OP_UNLINK to the MDS, but does not wait for completion.
Meanwhile, between this call and the following drop_nlink() call, a worker thread may process a CEPH_CAP_OP_IMPORT, CEPH_CAP_OP_GRANT or just a CEPH_MSG_CLIENT_REPLY (the latter of which could be our own completion). These will lead to a set_nlink() call, updating the `i_nlink` counter to the value received from the MDS. If that new `i_nlink` value happens to be zero, it is illegal to decrement it further. But that is exactly what ceph_unlink() will do then.
The WARNING can be reproduced this way:
1. Force async unlink; only the async code path is affected. Having no real clue about Ceph internals, I was unable to find out why the MDS wouldn't give me the "Fxr" capabilities, so I patched get_caps_for_async_unlink() to always succeed. (Note that the WARNING dump above was found on an unpatched kernel, without this kludge - this is not a theoretical bug.)
2. Add a sleep call after ceph_mdsc_submit_request() so the unlink completion gets handled by a worker thread before drop_nlink() is called. This guarantees that the `i_nlink` is already zero before drop_nlink() runs.
The solution is to skip the counter decrement when it is already zero, but doing so without a lock is still racy (TOCTOU). Since ceph_fill_inode() and handle_cap_grant() both hold the `ceph_inode_info.i_ceph_lock` spinlock while set_nlink() runs, this seems like the proper lock to protect the `i_nlink` updates.
I found prior art in NFS and SMB (using `inode.i_lock`) and AFS (using `afs_vnode.cb_lock`). All three have the zero check as well.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43420
CVE-2026-43421 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_ncm: Fix net_device lifecycle with device_move
The network device outlived its parent gadget device during disconnection, resulting in dangling sysfs links and null pointer dereference problems.
A prior attempt to solve this by removing SET_NETDEV_DEV entirely [1] was reverted due to power management ordering concerns and a NO-CARRIER regression.
A subsequent attempt to defer net_device allocation to bind [2] broke 1:1 mapping between function instance and network device, making it impossible for configfs to report the resolved interface name. This results in a regression where the DHCP server fails on pmOS.
Use device_move to reparent the net_device between the gadget device and /sys/devices/virtual/ across bind/unbind cycles. This preserves the network interface across USB reconnection, allowing the DHCP server to retain their binding.
Introduce gether_attach_gadget()/gether_detach_gadget() helpers and use __free(detach_gadget) macro to undo attachment on bind failure. The bind_count ensures device_move executes only on the first bind.
[1] https://lore.kernel.org/lkml/f2a4f9847617a0929d62025748384092e5f35cce.camel@crapouillou.net/
[2] https://lore.kernel.org/linux-usb/795ea759-7eaf-4f78-81f4-01ffbf2d7961@ixit.cz/
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43421
CVE-2026-43424 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically managed and tied to userspace configuration via ConfigFS. It can be NULL if the USB host sends requests before the nexus is fully established or immediately after it is dropped.
Currently, functions like `bot_submit_command()` and the data transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately dereference `tv_nexus->tvn_se_sess` without any validation. If a malicious or misconfigured USB host sends a BOT (Bulk-Only Transport) command during this race window, it triggers a NULL pointer dereference, leading to a kernel panic (local DoS).
This exposes an inconsistent API usage within the module, as peer functions like `usbg_submit_command()` and `bot_send_bad_response()` correctly implement a NULL check for `tv_nexus` before proceeding.
Fix this by bringing consistency to the nexus handling. Add the missing `if (!tv_nexus)` checks to the vulnerable BOT command and request processing paths, aborting the command gracefully with an error instead of crashing the system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43424
CVE-2026-43425 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: image: mdc800: kill download URB on timeout
mdc800_device_read() submits download_urb and waits for completion. If the timeout fires and the device has not responded, the function returns without killing the URB, leaving it active.
A subsequent read() resubmits the same URB while it is still in-flight, triggering the WARN in usb_submit_urb():
  "URB submitted while active"
Check the return value of wait_event_timeout() and kill the URB if it indicates timeout, ensuring the URB is complete before its status is inspected or the URB is resubmitted.
Similar to
- commit 372c93131998 ("USB: yurex: fix control-URB timeout handling")
- commit b98d5000c505 ("media: rc: iguanair: handle timeouts")
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43425
CVE-2026-43426 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: renesas_usbhs: fix use-after-free in ISR during device removal
In usbhs_remove(), the driver frees resources (including the pipe array) while the interrupt handler (usbhs_interrupt) is still registered. If an interrupt fires after usbhs_pipe_remove() but before the driver is fully unbound, the ISR may access freed memory, causing a use-after-free.
Fix this by calling devm_free_irq() before freeing resources. This ensures the interrupt handler is both disabled and synchronized (waits for any running ISR to complete) before usbhs_pipe_remove() is called.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43426
CVE-2026-43427 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: class: cdc-wdm: fix reordering issue in read code path
Quoting the bug report:
Due to compiler optimization or CPU out-of-order execution, the desc->length update can be reordered before the memmove. If this happens, wdm_read() can see the new length and call copy_to_user() on uninitialized memory. This also violates LKMM data race rules [1].
Fix it by using WRITE_ONCE and memory barriers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43427
CVE-2026-43428 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
USB: core: Limit the length of unkillable synchronous timeouts
The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in usbcore allow unlimited timeout durations. And since they use uninterruptible waits, this leaves open the possibility of hanging a task for an indefinitely long time, with no way to kill it short of unplugging the target device.
To prevent this sort of problem, enforce a maximum limit on the length of these unkillable timeouts. The limit chosen here, somewhat arbitrarily, is 60 seconds. On many systems (although not all) this is short enough to avoid triggering the kernel's hung-task detector.
In addition, clear up the ambiguity of negative timeout values by treating them the same as 0, i.e., using the maximum allowed timeout.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43428
CVE-2026-43429 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
The usbtmc driver accepts timeout values specified by the user in an ioctl command, and uses these timeouts for some usb_bulk_msg() calls. Since the user can specify arbitrarily long timeouts and usb_bulk_msg() uses unkillable waits, call usb_bulk_msg_killable() instead to avoid the possibility of the user hanging a kernel thread indefinitely.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43429
CVE-2026-43430 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: yurex: fix race in probe
The bbu member of the descriptor must be set to the value standing for uninitialized values before the URB whose completion handler sets bbu is submitted. Otherwise there is a window during which probing can overwrite already retrieved data.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43430
CVE-2026-43431 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xhci: Fix NULL pointer dereference when reading portli debugfs files
Michal reported and debugged a NULL pointer dereference bug in the recently added portli debugfs files
Oops is caused when there are more port registers counted in xhci->max_ports than ports reported by Supported Protocol capabilities. This is possible if max_ports is more than maximum port number, or if there are gaps between ports of different speeds the 'Supported Protocol' capabilities.
In such cases port->rhub will be NULL so we can't reach xhci behind it. Add an explicit NULL check for this case, and print portli in hex without dereferencing port->rhub.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43431
CVE-2026-43432 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Fix memory leak in xhci_disable_slot()
xhci_alloc_command() allocates a command structure and, when the second argument is true, also allocates a completion structure. Currently, the error handling path in xhci_disable_slot() only frees the command structure using kfree(), causing the completion structure to leak.
Use xhci_free_command() instead of kfree(). xhci_free_command() correctly frees both the command structure and the associated completion structure. Since the command structure is allocated with zero-initialization, command->in_ctx is NULL and will not be erroneously freed by xhci_free_command().
This bug was found using an experimental static analysis tool we are developing. The tool is based on the LLVM framework and is specifically designed to detect memory management issues. It is currently under active development and not yet publicly available, but we plan to open-source it after our research is published.
The bug was originally detected on v6.13-rc1 using our static analysis tool, and we have verified that the issue persists in the latest mainline kernel.
We performed build testing on x86_64 with allyesconfig using GCC=11.4.0.
Since triggering these error paths in xhci_disable_slot() requires specific hardware conditions or abnormal state, we were unable to construct a test case to reliably trigger these specific error paths at runtime.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43432
CVE-2026-43433 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
rust_binder: avoid reading the written value in offsets array
When sending a transaction, its offsets array is first copied into the target proc's vma, and then the values are read back from there. This is normally fine because the vma is a read-only mapping, so the target process cannot change the value under us.
However, if the target process somehow gains the ability to write to its own vma, it could change the offset before it's read back, causing the kernel to misinterpret what the sender meant. If the sender happens to send a payload with a specific shape, this could in the worst case lead to the receiver being able to privilege escalate into the sender.
The intent is that gaining the ability to change the read-only vma of your own process should not be exploitable, so remove this TOCTOU read even though it's unexploitable without another Binder bug.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43433
CVE-2026-43434 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
rust_binder: check ownership before using vma
When installing missing pages (or zapping them), Rust Binder will look up the vma in the mm by address, and then call vm_insert_page (or zap_page_range_single). However, if the vma is closed and replaced with a different vma at the same address, this can lead to Rust Binder installing pages into the wrong vma.
By installing the page into a writable vma, it becomes possible to write to your own binder pages, which are normally read-only. Although you're not supposed to be able to write to those pages, the intent behind the design of Rust Binder is that even if you get that ability, it should not lead to anything bad. Unfortunately, due to another bug, that is not the case.
To fix this, store a pointer in vm_private_data and check that the vma returned by vma_lookup() has the right vm_ops and vm_private_data before trying to use the vma. This should ensure that Rust Binder will refuse to interact with any other VMA. The plan is to introduce more vma abstractions to avoid this unsafe access to vm_ops and vm_private_data, but for now let's start with the simplest possible fix.
C Binder performs the same check in a slightly different way: it provides a vm_ops->close that sets a boolean to true, then checks that boolean after calling vma_lookup(), but this is more fragile than the solution in this patch. (We probably still want to do both, but the vm_ops->close callback will be added later as part of the follow-up vma API changes.)
It's still possible to remap the vma so that pages appear in the right vma, but at the wrong offset, but this is a separate issue and will be fixed when Rust Binder gets a vm_ops->close callback.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43434
CVE-2026-43435 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
rust_binder: fix oneway spam detection
The spam detection logic in TreeRange was executed before the current request was inserted into the tree. So the new request was not being factored in the spam calculation. Fix this by moving the logic after the new range has been inserted.
Also, the detection logic for ArrayRange was missing altogether which meant large spamming transactions could get away without being detected. Fix this by implementing an equivalent low_oneway_space() in ArrayRange.
Note that I looked into centralizing this logic in RangeAllocator but iterating through 'state' and 'size' got a bit too complicated (for me) and I abandoned this effort.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43435
CVE-2026-43436 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces
The Scarlett2 mixer quirk in USB-audio driver may hit a NULL dereference when a malformed USB descriptor is passed, since it assumes the presence of an endpoint in the parsed interface in scarlett2_find_fc_interface(), as reported by fuzzer.
For avoiding the NULL dereference, just add the sanity check of bNumEndpoints and skip the invalid interface.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43436
CVE-2026-43437 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()
In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime (runtime = s->runtime at line 2157). After releasing the stream lock at line 2169, the code accesses runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size (lines 2170-2178) — all referencing the linked stream's runtime without any lock or refcount protecting its lifetime.
A concurrent close() on the linked stream's fd triggers snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private() → snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime). No synchronization prevents kfree(runtime) from completing while the drain path dereferences the stale pointer.
Fix by caching the needed runtime fields (no_period_wakeup, rate, buffer_size) into local variables while still holding the stream lock, and using the cached values after the lock is released.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43437
CVE-2026-43438 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Remove redundant css_put() in scx_cgroup_init()
The iterator css_for_each_descendant_pre() walks the cgroup hierarchy under cgroup_lock(). It does not increment the reference counts on yielded css structs.
According to the cgroup documentation, css_put() should only be used to release a reference obtained via css_get() or css_tryget_online(). Since the iterator does not use either of these to acquire a reference, calling css_put() in the error path of scx_cgroup_init() causes a refcount underflow.
Remove the unbalanced css_put() to prevent a potential Use-After-Free (UAF) vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43438
CVE-2026-43439 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
cgroup: fix race between task migration and iteration
When a task is migrated out of a css_set, cgroup_migrate_add_task() first moves it from cset->tasks to cset->mg_tasks via:
  list_move_tail(&task->cg_list, &cset->mg_tasks);
If a css_task_iter currently has it->task_pos pointing to this task, css_set_move_task() calls css_task_iter_skip() to keep the iterator valid. However, since the task has already been moved to ->mg_tasks, the iterator is advanced relative to the mg_tasks list instead of the original tasks list. As a result, remaining tasks on cset->tasks, as well as tasks queued on cset->mg_tasks, can be skipped by iteration.
Fix this by calling css_set_skip_task_iters() before unlinking task->cg_list from cset->tasks. This advances all active iterators to the next task on cset->tasks, so iteration continues correctly even when a task is concurrently being migrated.
This race is hard to hit in practice without instrumentation, but it can be reproduced by artificially slowing down cgroup_procs_show(). For example, on an Android device a temporary /sys/kernel/cgroup/cgroup_test knob can be added to inject a delay into cgroup_procs_show(), and then:
  1) Spawn three long-running tasks (PIDs 101, 102, 103).
  2) Create a test cgroup and move the tasks into it.
  3) Enable a large delay via /sys/kernel/cgroup/cgroup_test.
  4) In one shell, read cgroup.procs from the test cgroup.
  5) Within the delay window, in another shell migrate PID 102 by writing it to a different cgroup.procs file.
Under this setup, cgroup.procs can intermittently show only PID 101 while skipping PID 103. Once the migration completes, reading the file again shows all tasks as expected.
Note that this change does not allow removing the existing css_set_skip_task_iters() call in css_set_move_task(). The new call in cgroup_migrate_add_task() only handles iterators that are racing with migration while the task is still on cset->tasks. Iterators may also start after the task has been moved to cset->mg_tasks. If we dropped css_set_skip_task_iters() from css_set_move_task(), such iterators could keep task_pos pointing to a migrating task, causing css_task_iter_advance() to malfunction on the destination css_set, up to and including crashes or infinite loops.
The race window between migration and iteration is very small, and css_task_iter is not on a hot path. In the worst case, when an iterator is positioned on the first thread of the migrating process, cgroup_migrate_add_task() may have to skip multiple tasks via css_set_skip_task_iters(). However, this only happens when migration and iteration actually race, so the performance impact is negligible compared to the correctness fix provided here.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43439
CVE-2026-43441 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If bonding ARP/NS validation is enabled, an IPv6 NS/NA packet received on a slave can reach bond_validate_na(), which calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can crash in __ipv6_chk_addr_and_flags().
  BUG: kernel NULL pointer dereference, address: 00000000000005d8
  Oops: Oops: 0000 [#1] SMP NOPTI
  RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170
  Call Trace:
   <IRQ>
   ipv6_chk_addr+0x1f/0x30
   bond_validate_na+0x12e/0x1d0 [bonding]
   ? __pfx_bond_handle_frame+0x10/0x10 [bonding]
   bond_rcv_validate+0x1a0/0x450 [bonding]
   bond_handle_frame+0x5e/0x290 [bonding]
   ? srso_alias_return_thunk+0x5/0xfbef5
   __netif_receive_skb_core.constprop.0+0x3e8/0xe50
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? update_cfs_rq_load_avg+0x1a/0x240
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? __enqueue_entity+0x5e/0x240
   __netif_receive_skb_one_core+0x39/0xa0
   process_backlog+0x9c/0x150
   __napi_poll+0x30/0x200
   ? srso_alias_return_thunk+0x5/0xfbef5
   net_rx_action+0x338/0x3b0
   handle_softirqs+0xc9/0x2a0
   do_softirq+0x42/0x60
   </IRQ>
   <TASK>
   __local_bh_enable_ip+0x62/0x70
   __dev_queue_xmit+0x2d3/0x1000
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? packet_parse_headers+0x10a/0x1a0
   packet_sendmsg+0x10da/0x1700
   ? kick_pool+0x5f/0x140
   ? srso_alias_return_thunk+0x5/0xfbef5
   ? __queue_work+0x12d/0x4f0
   __sys_sendto+0x1f3/0x220
   __x64_sys_sendto+0x24/0x30
   do_syscall_64+0x101/0xf80
   ? exc_page_fault+0x6e/0x170
   ? srso_alias_return_thunk+0x5/0xfbef5
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
   </TASK>
Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate() and avoid the path to ipv6_chk_addr().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43441
CVE-2026-43442 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops
When IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY, the boundary check for 128-byte SQE operations in io_init_req() validated the logical SQ head position rather than the physical SQE index.
The existing check:
  !(ctx->cached_sq_head & (ctx->sq_entries - 1))
ensures the logical position isn't at the end of the ring, which is correct for NO_SQARRAY rings where physical == logical. However, when sq_array is present, an unprivileged user can remap any logical position to an arbitrary physical index via sq_array. Setting sq_array[N] = sq_entries - 1 places a 128-byte operation at the last physical SQE slot, causing the 128-byte memcpy in io_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE array.
Replace the cached_sq_head alignment check with a direct validation of the physical SQE index, which correctly handles both sq_array and NO_SQARRAY cases.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43442
CVE-2026-43443 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ASoC: amd: acp-mach-common: Add missing error check for clock acquisition
The acp_card_rt5682_init() and acp_card_rt5682s_init() functions did not check the return values of clk_get(). This could lead to a kernel crash when the invalid pointers are later dereferenced by clock core functions.
Fix this by:
1. Changing clk_get() to the device-managed devm_clk_get().
2. Adding IS_ERR() checks immediately after each clock acquisition.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43443
CVE-2026-43444 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Unreserve bo if queue update failed
Error handling path should unreserve bo then return failed.
(cherry picked from commit c24afed7de9ecce341825d8ab55a43a254348b33)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43444
CVE-2026-43445 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
e1000/e1000e: Fix leak in DMA error cleanup
If an error is encountered while mapping TX buffers, the driver should unmap any buffers already mapped for that skb.
Because count is incremented after a successful mapping, it will always match the correct number of unmappings needed when dma_error is reached. Decrementing count before the while loop in dma_error causes an off-by-one error. If any mapping was successful before an unsuccessful mapping, exactly one DMA mapping would leak.
In these commits, a faulty while condition caused an infinite loop in dma_error:
Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e driver")
Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver")
Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()") fixed the infinite loop, but introduced the off-by-one error.
This issue may still exist in the igbvf driver, but I did not address it in this patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43445
CVE-2026-43446 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
accel/amdxdna: Fix runtime suspend deadlock when there is pending job
The runtime suspend callback drains the running job workqueue before suspending the device. If a job is still executing and calls pm_runtime_resume_and_get(), it can deadlock with the runtime suspend path.
Fix this by moving pm_runtime_resume_and_get() from the job execution routine to the job submission routine, ensuring the device is resumed before the job is queued and avoiding the deadlock during runtime suspend.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43446
CVE-2026-43447 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
iavf: fix PTP use-after-free during reset
Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a worker to cache PHC time, but failed to stop it during reset or disable.
This creates a race condition where `iavf_reset_task()` or `iavf_disable_vf()` free adapter resources (AQ) while the worker is still running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it accesses freed memory/locks, leading to a crash.
Fix this by calling `iavf_ptp_release()` before tearing down the adapter. This ensures `ptp_clock_unregister()` synchronously cancels the worker and cleans up the chardev before the backing resources are destroyed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43447
CVE-2026-43448 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
nvme-pci: Fix race bug in nvme_poll_irqdisable()
In the following scenario, pdev can be disabled between (1) and (3) by (2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will return MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2). This causes IRQ warning because it tries to enable INTx IRQ that has never been disabled before.
To fix this, save IRQ number into a local variable and ensure disable_irq() and enable_irq() operate on the same IRQ number. Even if pci_free_irq_vectors() frees the IRQ concurrently, disable_irq() and enable_irq() on a stale IRQ number is still valid and safe, and the depth accounting remains balanced.
task 1:
nvme_poll_irqdisable()
  disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(1)
  enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(3)
task 2:
nvme_reset_work()
  nvme_dev_disable()
    pdev->msix_enable = 0; ...(2)
crash log:
------------[ cut here ]------------
Unbalanced enable for IRQ 10
WARNING: kernel/irq/manage.c:753 at __enable_irq+0x102/0x190 kernel/irq/manage.c:753, CPU#1: kworker/1:0H/26
Modules linked in:
CPU: 1 UID: 0 PID: 26 Comm: kworker/1:0H Not tainted 6.19.0-dirty #9 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_timeout_work
RIP: 0010:__enable_irq+0x107/0x190 kernel/irq/manage.c:753
Code: ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 79 48 8d 3d 2e 7a 3f 05 41 8b 74 24 2c <67> 48 0f b9 3a e8 ef b9 21 00 5b 41 5c 5d e9 46 54 66 03 e8 e1 b9
RSP: 0018:ffffc900001bf550 EFLAGS: 00010046
RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffffffffb20c0e90
RDX: 0000000000000000 RSI: 000000000000000a RDI: ffffffffb74b88f0
RBP: ffffc900001bf560 R08: ffff88800197cf00 R09: 0000000000000001
R10: 0000000000000003 R11: 0000000000000003 R12: ffff8880012a6000
R13: 1ffff92000037eae R14: 000000000000000a R15: 0000000000000293
FS: 0000000000000000(0000) GS:ffff8880b49f7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555da4a25fa8 CR3: 00000000208e8000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 enable_irq+0x121/0x1e0 kernel/irq/manage.c:797
 nvme_poll_irqdisable+0x162/0x1c0 drivers/nvme/host/pci.c:1494
 nvme_timeout+0x965/0x14b0 drivers/nvme/host/pci.c:1744
 blk_mq_rq_timed_out block/blk-mq.c:1653 [inline]
 blk_mq_handle_expired+0x227/0x2d0 block/blk-mq.c:1721
 bt_iter+0x2fc/0x3a0 block/blk-mq-tag.c:292
 __sbitmap_for_each_set include/linux/sbitmap.h:269 [inline]
 sbitmap_for_each_set include/linux/sbitmap.h:290 [inline]
 bt_for_each block/blk-mq-tag.c:324 [inline]
 blk_mq_queue_tag_busy_iter+0x969/0x1e80 block/blk-mq-tag.c:536
 blk_mq_timeout_work+0x627/0x870 block/blk-mq.c:1763
 process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x65c/0xe60 kernel/workqueue.c:3421
 kthread+0x41a/0x930 kernel/kthread.c:463
 ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
irq event stamp: 74478
hardirqs last enabled at (74477): [<ffffffffb5720a9c>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]
hardirqs last enabled at (74477): [<ffffffffb5720a9c>] _raw_spin_unlock_irq+0x2c/0x60 kernel/locking/spinlock.c:202
hardirqs last disabled at (74478): [<ffffffffb57207b5>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (74478): [<ffffffffb57207b5>] _raw_spin_lock_irqsave+0x85/0xa0 kernel/locking/spinlock.c:162
softirqs last enabled at (74304): [<ffffffffb1e9466c>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (74304): [<ffffffffb1e9466c>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (74304): [<ffffffffb1e9466c>] __irq_exit_rcu+0xdc/0x120
---truncated---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43448
CVE-2026-43449 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
dev->online_queues is a count incremented in nvme_init_queue. Thus, valid indices are 0 through dev->online_queues − 1.
This patch fixes the loop condition to ensure the index stays within the valid range. Index 0 is excluded because it is the admin queue.
KASAN splat:
  BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline]
  BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404
  Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74
---truncated---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43449
CVE-2026-43450 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label inside the for loop body. When the "last" helper saved in cb->args[1] is deleted between dump rounds, every entry fails the (cur != last) check, so cb->args[1] is never cleared. The for loop finishes with cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back into the loop body bypassing the bounds check, causing an 8-byte out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize].
The 'goto restart' block was meant to re-traverse the current bucket when "last" is no longer found, but it was placed after the for loop instead of inside it. Move the block into the for loop body so that the restart only occurs while cb->args[0] is still within bounds.
  BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0
  Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43450
CVE-2026-43451 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue entry from the queue data structures, taking ownership of the entry. For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN present but NFQA_VLAN_TCI missing), the function returns immediately without freeing the dequeued entry or its sk_buff.
This leaks the nf_queue_entry, its associated sk_buff, and all held references (net_device refcounts, struct net refcount). Repeated triggering exhausts kernel memory.
Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict on the error path, consistent with other error handling in this file.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43451
CVE-2026-43452 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: x_tables: guard option walkers against 1-byte tail reads
When the last byte of options is a non-single-byte option kind, walkers that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end of the option area.
Add an explicit i == optlen - 1 check before dereferencing op[i + 1] in xt_tcpudp and xt_dccp option walkers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43452
CVE-2026-43453 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the to_offset argument on every iteration, including the last one where i == m->field_count - 1. This reads one element past the end of the stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] with NFT_PIPAPO_MAX_FIELDS == 16).
Although pipapo_unmap() returns early when is_last is true without using the to_offset value, the argument is evaluated at the call site before the function body executes, making this a genuine out-of-bounds stack read confirmed by KASAN:
  BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables]
  Read of size 4 at addr ffff8000810e71a4
  This frame has 1 object:
    [32, 160) 'rulemap'
  The buggy address is at offset 164 -- exactly 4 bytes past the end of the rulemap array.
Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid the out-of-bounds read.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43453
CVE-2026-43454 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: Fix for duplicate device in netdev hooks
When handling NETDEV_REGISTER notification, duplicate device registration must be avoided since the device may have been added by nft_netdev_hook_alloc() already when creating the hook.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43454
CVE-2026-43455 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mctp: route: hold key->lock in mctp_flow_prepare_output()
mctp_flow_prepare_output() checks key->dev and may call mctp_dev_set_key(), but it does not hold key->lock while doing so.
mctp_dev_set_key() and mctp_dev_release_key() are annotated with __must_hold(&key->lock), so key->dev access is intended to be serialized by key->lock. The mctp_sendmsg() transmit path reaches mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output() without holding key->lock, so the check-and-set sequence is racy.
Example interleaving:
  CPU0                                  CPU1
  ----                                  ----
  mctp_flow_prepare_output(key, devA)
    if (!key->dev) // sees NULL
                                        mctp_flow_prepare_output(key, devB)
                                          if (!key->dev) // still NULL
                                          mctp_dev_set_key(devB, key)
                                            mctp_dev_hold(devB)
                                            key->dev = devB
    mctp_dev_set_key(devA, key)
      mctp_dev_hold(devA)
      key->dev = devA // overwrites devB
Now both devA and devB references were acquired, but only the final key->dev value is tracked for release. One reference can be lost, causing a resource leak as mctp_dev_release_key() would only decrease the reference on one dev.
Fix by taking key->lock around the key->dev check and mctp_dev_set_key() call.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43455
CVE-2026-43456 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
bonding: fix type confusion in bond_setup_by_slave()
  kernel BUG at net/core/skbuff.c:2306!
  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
  RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306
When a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond, bond_setup_by_slave() directly copies the slave's header_ops to the bond device:
  bond_dev->header_ops = slave_dev->header_ops;
This causes a type confusion when dev_hard_header() is later called on the bond device. Functions like ipgre_header(), ip6gre_header(), all use netdev_priv(dev) to access their device-specific private data. When called with the bond device, netdev_priv() returns the bond's private data (struct bonding) instead of the expected type (e.g. struct ip_tunnel), leading to garbage values being read and kernel crashes.
Fix this by introducing bond_header_ops with wrapper functions that delegate to the active slave's header_ops using the slave's own device. This ensures netdev_priv() in the slave's header functions always receives the correct device.
The fix is placed in the bonding driver rather than individual device drivers, as the root cause is bond blindly inheriting header_ops from the slave without considering that these callbacks expect a specific netdev_priv() layout.
The type confusion can be observed by adding a printk in ipgre_header() and running the following commands:
  ip link add dummy0 type dummy
  ip addr add 10.0.0.1/24 dev dummy0
  ip link set dummy0 up
  ip link add gre1 type gre local 10.0.0.1
  ip link add bond1 type bond mode active-backup
  ip link set gre1 master bond1
  ip link set gre1 up
  ip link set bond1 up
  ip addr add fe80::1/64 dev bond1
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43456
CVE-2026-43457 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mctp: i2c: fix skb memory leak in receive path
When 'midev->allow_rx' is false, the newly allocated skb isn't consumed by netif_rx(), it needs to free the skb directly.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43457
CVE-2026-43458 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
serial: caif: hold tty->link reference in ldisc_open and ser_release
A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when caif_serial's TX path calls tty_write_room(). The faulting access is on tty->link->port.
Hold an extra kref on tty->link for the lifetime of the caif_serial line discipline: get it in ldisc_open() and drop it in ser_release(), and also drop it on the ldisc_open() error path.
With this change applied, the reproducer no longer triggers the UAF in my testing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43458
CVE-2026-43459 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ASoC: soc-core: flush delayed work before removing DAIs and widgets
When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler.
During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM close path can call snd_soc_dapm_stream_stop() which schedules new delayed work with a pmdown_time timer delay. Since this happens after the flush in snd_soc_unbind_card(), the new work is not caught. soc_remove_link_components() then frees DAPM widgets before this work fires, leading to the use-after-free.
The existing flush in soc_free_pcm_runtime() also cannot help as it runs after soc_remove_link_components() has already freed the widgets.
Add a flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() (after which no new PCM closes can schedule further delayed work) and before soc_remove_link_dais() and soc_remove_link_components() (which tear down the structures the delayed work accesses).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43459
CVE-2026-43460 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
spi: rockchip-sfc: Fix double-free in remove() callback
The driver uses devm_spi_register_controller() for registration, which automatically unregisters the controller via devm cleanup when the device is removed. The manual call to spi_unregister_controller() in the remove() callback can lead to a double-free.
And to make sure controller is unregistered before DMA buffer is unmapped, switch to use spi_register_controller() in probe().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43460
CVE-2026-43461 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
spi: amlogic: spifc-a4: Fix DMA mapping error handling
Fix three bugs in aml_sfc_dma_buffer_setup() error paths:
1. Unnecessary goto: When the first DMA mapping (sfc->daddr) fails, nothing needs cleanup. Use direct return instead of goto.
2. Double-unmap bug: When info DMA mapping failed, the code would unmap sfc->daddr inline, then fall through to out_map_data which would unmap it again, causing a double-unmap.
3. Wrong unmap size: The out_map_info label used datalen instead of infolen when unmapping sfc->iaddr, which could lead to incorrect DMA sync behavior.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43461
CVE-2026-43462 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: spacemit: Fix error handling in emac_tx_mem_map()
The DMA mappings were leaked on mapping error. Free them with the existing emac_free_tx_buf() function.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43462
CVE-2026-43463 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
rxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer()
rxrpc_kernel_lookup_peer() can also return error pointers in addition to NULL, so just checking for NULL is not sufficient.
Fix this by:
 (1) Changing rxrpc_kernel_lookup_peer() to return -ENOMEM rather than NULL on allocation failure.
 (2) Making the callers in afs use IS_ERR() and PTR_ERR() to pass on the error code returned.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43463
CVE-2026-43464 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ
XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn't change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the driver side to avoid page fragment reference counting issues.
Such issue can be observed with the test_xdp_native_adjst_tail_shrnk_data selftest when using a payload of 3600 and shrinking by 256 bytes (an upcoming selftest patch): the last fragment gets released by the XDP code but doesn't get tracked by the driver. This results in a negative pp_ref_count during page release and the following splat:
  WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137
This patch fixes the issue by doing page frag counting on all the original XDP buffer fragments for all relevant XDP actions (XDP_TX, XDP_REDIRECT and XDP_PASS). This is basically reverting to the original counting before the commit in the fixes tag.
As frag_page is still pointing to the original tail, the nr_frags parameter to xdp_update_skb_frags_info() needs to be calculated in a different way to reflect the new nr_frags.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43464
CVE-2026-43465 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ
XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn't change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the driver side to avoid page fragment reference counting issues.
The issue was discovered by the drivers/net/xdp.py selftest, more specifically the test_xdp_native_tx_mb:
- The mlx5 driver allocates a page_pool page and initializes it with a frag counter of 64 (pp_ref_count=64) and the internal frag counter to 0.
- The test sends one packet with no payload.
- On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP buffer with the packet data starting in the first fragment which is the page mentioned above.
- The XDP program runs and calls bpf_xdp_pull_data() which moves the header into the linear part of the XDP buffer. As the packet doesn't contain more data, the program drops the tail fragment since it no longer contains any payload (pp_ref_count=63).
- mlx5 device skips counting this fragment. Internal frag counter remains 0.
- mlx5 releases all 64 fragments of the page but page pp_ref_count is 63 => negative reference counting error.
Resulting splat during the test:
  WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]
The problem applies for XDP_PASS as well which is handled in a different code path in the driver.
This patch fixes the issue by doing page frag counting on all the original XDP buffer fragments for all relevant XDP actions (XDP_TX, XDP_REDIRECT and XDP_PASS). This is basically reverting to the original counting before the commit in the fixes tag.
As frag_page is still pointing to the original tail, the nr_frags parameter to xdp_update_skb_frags_info() needs to be calculated in a different way to reflect the new nr_frags.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43465
CVE-2026-43466 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
In case of a TX error CQE, a recovery flow is triggered, mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, desyncing the DMA FIFO producer and consumer.
After recovery, the producer pushes new DMA entries at the old dma_fifo_pc, while the consumer reads from position 0. This causes us to unmap stale DMA addresses from before the recovery.
The DMA FIFO is a purely software construct with no HW counterpart. At the point of reset, all WQEs have been flushed so dma_fifo_cc is already equal to dma_fifo_pc. There is no need to reset either counter, similar to how skb_fifo pc/cc are untouched.
Remove the 'dma_fifo_cc = 0' reset.
This fixes the following WARNING:
  WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43466
CVE-2026-43467 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix crash when moving to switchdev mode
When moving to switchdev mode when the device doesn't support IPsec, we try to clean up the IPsec resources anyway which causes the crash below, fix that by correctly checking for IPsec support before trying to clean up its resources.
  [27642.515799] WARNING: arch/x86/mm/fault.c:1276 at do_user_addr_fault+0x18a/0x680, CPU#4: devlink/6490
---truncated---
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43467
CVE-2026-43468 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix deadlock between devlink lock and esw->wq
esw->work_queue executes esw_functions_changed_event_handler -> esw_vfs_changed_event_handler and acquires the devlink lock.
.eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) -> mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked -> mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks when esw_vfs_changed_event_handler executes.
Fix that by no longer flushing the work to avoid the deadlock, and using a generation counter to keep track of work relevance. This avoids an old handler manipulating an esw that has undergone one or more mode changes:
- the counter is incremented in mlx5_eswitch_event_handler_unregister.
- the counter is read and passed to the ephemeral mlx5_host_work struct.
- the work handler takes the devlink lock and bails out if the current generation is different than the one it was scheduled to operate on.
- mlx5_eswitch_cleanup does the final draining before destroying the wq.
No longer flushing the workqueue has the side effect of maybe no longer cancelling pending vport_change_handler work items, but that's ok since those are disabled elsewhere:
- mlx5_eswitch_disable_locked disables the vport eq notifier.
- mlx5_esw_vport_disable disarms the HW EQ notification and marks vport->enabled under state_lock to false to prevent pending vport handler from doing anything.
- mlx5_eswitch_cleanup destroys the workqueue and makes sure all events are disabled/finished.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43468
CVE-2026-43469 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
xprtrdma: Decrement re_receiving on the early exit paths
In the event that rpcrdma_post_recvs() fails to create a work request (due to memory allocation failure, say) or otherwise exits early, we should decrement ep->re_receiving before returning. Otherwise we will hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and the completion will never be triggered.
On a system with high memory pressure, this can appear as the following hung task:
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:16:00 UTC
CVE-2026-43469
CVE-2026-43470 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
nfs: return EISDIR on nfs3_proc_create if d_alias is a dir
If we found an alias through nfs3_do_create/nfs_add_or_obtain/d_splice_alias which happens to be a dir dentry, we don't return any error, and simply forget about this alias, but the original dentry we were adding and passed as parameter remains negative.
This later causes an oops on nfs_atomic_open_v23/finish_open since we supply a negative dentry to do_dentry_open.
This has been observed running lustre-racer, where dirs and files are created/removed concurrently with the same name and O_EXCL is not used to open files (frequent file redirection).
While d_splice_alias typically returns a directory alias or NULL, we explicitly check d_is_dir() to ensure that we don't attempt to perform file operations (like finish_open) on a directory inode, which triggers the observed oops.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:17:00 UTC
CVE-2026-43470
CVE-2026-43471 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
The kernel log indicates a crash in ufshcd_add_command_trace, due to a NULL pointer dereference when accessing hwq->id. This can happen if ufshcd_mcq_req_to_hwq() returns NULL.
This patch adds a NULL check for hwq before accessing its id field to prevent a kernel crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:17:00 UTC
CVE-2026-43471
CVE-2026-43472 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
unshare: fix unshare_fs() handling
There's an unpleasant corner case in unshare(2), when we have a CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that case copy_mnt_ns() gets passed current->fs instead of a private copy, which causes interesting warts in proof of correctness]
> I guess if private means fs->users == 1, the condition could still be true.
Unfortunately, it's worse than just a convoluted proof of correctness. Consider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS (and current->fs->users == 1).
We pass current->fs to copy_mnt_ns(), all right. Suppose it succeeds and flips current->fs->{pwd,root} to corresponding locations in the new namespace.
Now we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM). We call put_mnt_ns() on the namespace created by copy_mnt_ns(), it's destroyed and its mount tree is dissolved, but... current->fs->root and current->fs->pwd are both left pointing to now detached mounts.
They are pinning those, so it's not a UAF, but it leaves the calling process with unshare(2) failing with -ENOMEM _and_ leaving it with pwd and root on detached isolated mounts. The last part is clearly a bug.
There is other fun related to that mess (races with pivot_root(), including the one between pivot_root() and fork(), of all things), but this one is easy to isolate and fix - treat CLONE_NEWNS as "allocate a new fs_struct even if it hadn't been shared in the first place". Sure, we could go for something like "if both CLONE_NEWNS *and* one of the things that might end up failing after copy_mnt_ns() call in create_new_namespaces() are set, force allocation of new fs_struct", but let's keep it simple - the cost of copy_fs_struct() is trivial.
Another benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets a freshly allocated fs_struct, yet to be attached to anything. That seriously simplifies the analysis...
FWIW, that bug had been there since the introduction of unshare(2) ;-/
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:17:00 UTC
CVE-2026-43472
CVE-2026-43473 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpi3mr: Add NULL checks when resetting request and reply queues
The driver encountered a crash during resource cleanup when the reply and request queues were NULL due to freed memory. This issue occurred when the creation of reply or request queues failed, and the driver freed the memory first, but attempted to memset the content of the freed memory, leading to a system crash.
Add NULL pointer checks for reply and request queues before accessing the reply/request memory during cleanup.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:17:00 UTC
CVE-2026-43473
CVE-2026-43474 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
fs: init flags_valid before calling vfs_fileattr_get
syzbot reported an uninit-value bug in [1].
Similar to the "*get" context where the kernel's internal file_kattr structure is initialized before calling vfs_fileattr_get(), we should use the same mechanism when using fa.
[1]
BUG: KMSAN: uninit-value in fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
 fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
 vfs_fileattr_get fs/file_attr.c:94 [inline]
 __do_sys_file_getattr fs/file_attr.c:416 [inline]
Local variable fa.i created at:
 __do_sys_file_getattr fs/file_attr.c:380 [inline]
 __se_sys_file_getattr+0x8c/0xbd0 fs/file_attr.c:372
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:17:00 UTC
CVE-2026-43474
CVE-2026-43475 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
This resolves the following splat and lock-up when running with PREEMPT_RT enabled on Hyper-V:
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 15:17:00 UTC
CVE-2026-43475
CVE-2026-43476 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead of the intended __be32 element size (4 bytes). Use sizeof(*meas) to correctly match the buffer element type.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-43476
CVE-2026-43477 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL
Apparently ICL may hang with an MCE if we write TRANS_VRR_VMAX/FLIPLINE before enabling TRANS_DDI_FUNC_CTL.
Personally I was only able to reproduce a hang (on a Dell XPS 7390 2-in-1) with an external display connected via a dock using a dodgy type-C cable that made the link training fail. After the failed link training the machine would hang. TGL seemed immune to the problem for whatever reason.
BSpec does tell us to configure VRR after enabling TRANS_DDI_FUNC_CTL as well. The DMC firmware also does the VRR restore in two stages:
- first stage seems to be unconditional and includes TRANS_VRR_CTL and a few other VRR registers, among other things
- second stage is conditional on the DDI being enabled, and includes TRANS_DDI_FUNC_CTL and TRANS_VRR_VMAX/VMIN/FLIPLINE, among other things
So let's reorder the steps to match to avoid the hang, and toss in an extra WARN to make sure we don't screw this up later.
BSpec: 22243
(cherry picked from commit 93f3a267c3dd4d811b224bb9e179a10d81456a74)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-43477
CVE-2026-43478 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: rt1011: Use component to get the dapm context in spk_mode_put
The correct helper to use in rt1011_recv_spk_mode_put() to retrieve the DAPM context is snd_soc_component_to_dapm(), from kcontrol we will receive NULL pointer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-43478
CVE-2026-43479 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect
Remove redundant netif_napi_del() call from disconnect path.
A WARN may be triggered in __netif_napi_del_locked() during USB device disconnect:
 WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350
This happens because netif_napi_del() is called in the disconnect path while NAPI is still enabled. However, it is not necessary to call netif_napi_del() explicitly, since unregister_netdev() will handle NAPI teardown automatically and safely. Removing the redundant call avoids triggering the warning.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-43479
CVE-2026-43480 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition
The acp3x_5682_init() function did not check the return value of clk_get(), which could lead to dereferencing error pointers in rt5682_clk_enable().
Fix this by:
1. Changing clk_get() to the device-managed devm_clk_get().
2. Adding proper IS_ERR() checks for both clock acquisitions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-43480
CVE-2026-43481 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net-shapers: don't free reply skb after genlmsg_reply()
genlmsg_reply() hands the reply skb to netlink, and netlink_unicast() consumes it on all return paths, whether the skb is queued successfully or freed on an error path.
net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit() currently jump to free_msg after genlmsg_reply() fails and call nlmsg_free(msg), which can hit the same skb twice.
Return the genlmsg_reply() error directly and keep free_msg only for pre-reply failures.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-43481
CVE-2026-43482 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Disable preemption between scx_claim_exit() and kicking helper work
scx_claim_exit() atomically sets exit_kind, which prevents scx_error() from triggering further error handling. After claiming exit, the caller must kick the helper kthread work which initiates bypass mode and teardown.
If the calling task gets preempted between claiming exit and kicking the helper work, and the BPF scheduler fails to schedule it back (since error handling is now disabled), the helper work is never queued, bypass mode never activates, tasks stop being dispatched, and the system wedges.
Disable preemption across scx_claim_exit() and the subsequent work kicking in all callers - scx_disable() and scx_vexit(). Add lockdep_assert_preemption_disabled() to scx_claim_exit() to enforce the requirement.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-43482
CVE-2026-43483 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
Explicitly set/clear CR8 write interception when AVIC is (de)activated to fix a bug where KVM leaves the interception enabled after AVIC is activated. E.g. if KVM emulates INIT=>WFS while AVIC is deactivated, CR8 will remain intercepted in perpetuity.
On its own, the dangling CR8 intercept is "just" a performance issue, but combined with the TPR sync bug fixed by commit d02e48830e3f ("KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active"), the dangling intercept is fatal to Windows guests as the TPR seen by hardware gets wildly out of sync with reality.
Note, VMX isn't affected by the bug as TPR_THRESHOLD is explicitly ignored when Virtual Interrupt Delivery is enabled, i.e. when APICv is active in KVM's world. I.e. there's no need to trigger update_cr8_intercept(), this is firmly an SVM implementation flaw/detail.
WARN if KVM gets a CR8 write #VMEXIT while AVIC is active, as KVM should never enter the guest with AVIC enabled and CR8 writes intercepted.
[Squash fix to avic_deactivate_vmcb. - Paolo]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-43483
CVE-2026-43484 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
mmc: core: Avoid bitfield RMW for claim/retune flags
Move claimed and retune control flags out of the bitfield word to avoid unrelated RMW side effects in asynchronous contexts.
The host->claimed bit shared a word with retune flags. Writes to claimed in __mmc_claim_host() or retune_now in mmc_mq_queue_rq() can overwrite other bits when concurrent updates happen in other contexts, triggering spurious WARN_ON(!host->claimed). Convert claimed, can_retune, retune_now and retune_paused to bool to remove shared-word coupling.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-43484
CVE-2026-43485 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
nouveau/gsp: drop WARN_ON in ACPI probes
These WARN_ONs seem to trigger a lot, and we don't seem to have a plan to fix them, so just drop them, as they are most likely harmless.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-43485
CVE-2026-43486 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults
contpte_ptep_set_access_flags() compared the gathered ptep_get() value against the requested entry to detect no-ops. ptep_get() ORs AF/dirty from all sub-PTEs in the CONT block, so a dirty sibling can make the target appear already-dirty. When the gathered value matches entry, the function returns 0 even though the target sub-PTE still has PTE_RDONLY set in hardware.
For a CPU with FEAT_HAFDBS this gathered view is fine, since hardware may set AF/dirty on any sub-PTE and CPU TLB behavior is effectively gathered across the CONT range. But page-table walkers that evaluate each descriptor individually (e.g. a CPU without DBM support, or an SMMU without HTTU, or with HA/HD disabled in CD.TCR) can keep faulting on the unchanged target sub-PTE, causing an infinite fault loop.
Gathering can therefore cause false no-ops when only a sibling has been updated:
- write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared)
- read faults: target still lacks PTE_AF
Fix by checking each sub-PTE against the requested AF/dirty/write state (the same bits consumed by __ptep_set_access_flags()), using raw per-PTE values rather than the gathered ptep_get() view, before returning no-op. Keep using the raw target PTE for the write-bit unfold decision.
Per Arm ARM (DDI 0487) D8.7.1 ("The Contiguous bit"), any sub-PTE in a CONT range may become the effective cached translation and software must maintain consistent attributes across the range.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-43486
CVE-2026-43487 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ata: libata-core: Disable LPM on ST1000DM010-2EP102
According to a user report, the ST1000DM010-2EP102 has problems with LPM, causing random system freezes. The drive belongs to the same BarraCuda family as the ST2000DM008-2FR102 which has the same issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-43487
CVE-2026-43488 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Prevent interrupt storm on host controller error (HCE)
The xHCI controller reports a Host Controller Error (HCE) in UAS Storage Device plug/unplug scenarios on Android devices. HCE is checked in xhci_irq() function and causes an interrupt storm (since the interrupt isn’t cleared), leading to severe system-level faults.
When the xHC controller reports HCE in the interrupt handler, the driver only logs a warning and assumes xHC activity will stop as stated in xHCI specification. An interrupt storm does however continue on some hosts even after HCE, and only ceases after manually disabling xHC interrupt and stopping the controller by calling xhci_halt().
Add xhci_halt() to xhci_irq() function where STS_HCE status is checked, mirroring the existing error handling pattern used for STS_FATAL errors.
This only fixes the interrupt storm. Proper HCE recovery requires resetting and re-initializing the xHC.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-43488
CVE-2026-43489 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
liveupdate: luo_file: remember retrieve() status
LUO keeps track of successful retrieve attempts on a LUO file. It does so to avoid multiple retrievals of the same file. Multiple retrievals cause problems because once the file is retrieved, the serialized data structures are likely freed and the file is likely in a very different state from what the code expects.
The retrieve boolean in struct luo_file keeps track of this, and is passed to the finish callback so it knows what work was already done and what it has left to do.
All this works well when retrieve succeeds. When it fails, luo_retrieve_file() returns the error immediately, without ever storing anywhere that a retrieve was attempted or what its error code was. This results in an errored LIVEUPDATE_SESSION_RETRIEVE_FD ioctl to userspace, but nothing prevents it from trying this again.
The retry is problematic for much of the same reasons listed above. The file is likely in a very different state than what the retrieve logic normally expects, and it might even have freed some serialization data structures. Attempting to access them or free them again is going to break things.
For example, if memfd managed to restore 8 of its 10 folios, but fails on the 9th, a subsequent retrieve attempt will try to call kho_restore_folio() on the first folio again, and that will fail with a warning since it is an invalid operation.
Apart from the retry, finish() also breaks. Since on failure the retrieved bool in luo_file is never touched, the finish() call on session close will tell the file handler that retrieve was never attempted, and it will try to access or free the data structures that might not exist, much in the same way as the retry attempt.
There is no sane way of attempting the retrieve again. Remember the error retrieve returned and directly return it on a retry. Also pass this status code to finish() so it can make the right decision on the work it needs to do.
This is done by changing the bool to an integer. A value of 0 means retrieve was never attempted, a positive value means it succeeded, and a negative value means it failed and the error code is the value.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
CVE-2026-43489
CVE-2026-43490 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: validate inherited ACE SID length
smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.
A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE.
smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.
Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-15 06:16:00 UTC
CVE-2026-43490
CVE-2026-43491 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
net: qrtr: ns: Limit the maximum server registration per node
Current code does no bound checking on the number of servers added per node. A malicious client can flood NEW_SERVER messages and exhaust memory.
Fix this issue by limiting the maximum number of server registrations to 256 per node. If the NEW_SERVER message is received for an old port, then don't restrict it as it will get replaced. While at it, also rate limit the error messages in the failure path of qrtr_ns_worker().
Note that the limit of 256 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 12:16:00 UTC
CVE-2026-43491
CVE-2026-43492 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved:
lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting "lzeros" from the unsigned "nbytes".
For this to happen, the scatterlist "sgl" needs to occupy more bytes than the "nbytes" parameter and the first "nbytes + 1" bytes of the scatterlist must be zero. Under these conditions, the while loop iterating over the scatterlist will count more zeroes than "nbytes", subtract the number of zeroes from "nbytes" and cause the underflow.
When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to "nbytes".
However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto interface without scatterlists"), the underflow can now actually be triggered. When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger "out_len" than "in_len" and filling the "in" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the "src" and "dst" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:
  sys_keyctl()
  keyctl_pkey_e_d_s()
  asymmetric_key_eds_op()
  software_key_eds_op()
  crypto_akcipher_sync_encrypt()
  crypto_akcipher_sync_prep()
  crypto_akcipher_encrypt()
  rsa_enc()
  mpi_read_raw_from_sgl()
To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.
Fix it.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 12:16:00 UTC
CVE-2026-43492
CVE-2026-43493 on Ubuntu 26.04 LTS (resolute) - medium
In the Linux kernel, the following vulnerability has been resolved: crypto: pcrypt - Fix handling of MAY_BACKLOG requests. MAY_BACKLOG requests can return EBUSY. Handle them by checking for that value and filtering out EINPROGRESS notifications.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 12:16:00 UTC
CVE-2026-43493
CVE-2026-43500 on Ubuntu 26.04 LTS (resolute) - high
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present. The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-05-11 08:16:00 UTC
CVE-2026-43500
CVE-2026-43504 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when mod_proxy65 is enabled. Because mod_proxy65 mishandles access control in a paused scenario, relaying of unauthenticated traffic can occur.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43504
CVE-2026-43505 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when mod_proxy65 is enabled. Because mod_proxy65 mishandles access control in the activation scenario, relaying of unauthenticated traffic can occur.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43505
CVE-2026-43506 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5. A Denial of Service can occur via memory exhaustion caused by memory leaks from unauthenticated connections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43506
CVE-2026-43507 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5. A Denial of Service can occur via memory exhaustion caused by XML parsing resource amplification from unauthenticated connections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 15:16:00 UTC
CVE-2026-43507
CVE-2026-43515 on Ubuntu 26.04 LTS (resolute) - medium
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 16:16:00 UTC
CVE-2026-43515
CVE-2026-4359 on Ubuntu 26.04 LTS (resolute) - medium
A compromised third party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the MongoDB C driver.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-17 20:16:00 UTC
CVE-2026-4359
CVE-2026-43617 on Ubuntu 26.04 LTS (resolute) - medium
Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN.
Update Instructions:
Run `sudo pro fix CVE-2026-43617` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
rsync - 3.4.1+ds1-7ubuntu0.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20 00:00:00 UTC
2026-05-20 00:00:00 UTC
[https://ubuntu.com/security/notices/USN-8283-1]
CVE-2026-43617
CVE-2026-43618 on Ubuntu 26.04 LTS (resolute) - high
Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation.
Update Instructions:
Run `sudo pro fix CVE-2026-43618` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
rsync - 3.4.1+ds1-7ubuntu0.2
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-05-20 00:00:00 UTC
2026-05-20 00:00:00 UTC
Omar Elsayed
[https://ubuntu.com/security/notices/USN-8283-1]
CVE-2026-43618
CVE-2026-43619 on Ubuntu 26.04 LTS (resolute) - medium
Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'.
Update Instructions:
Run `sudo pro fix CVE-2026-43619` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
rsync - 3.4.1+ds1-7ubuntu0.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20 00:00:00 UTC
2026-05-20 00:00:00 UTC
Andrew Tridgell
[https://ubuntu.com/security/notices/USN-8283-1]
CVE-2026-43619
CVE-2026-43620 on Ubuntu 26.04 LTS (resolute) - medium
Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.
Update Instructions:
Run `sudo pro fix CVE-2026-43620` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
rsync - 3.4.1+ds1-7ubuntu0.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20 00:00:00 UTC
2026-05-20 00:00:00 UTC
Pratham Gupta
[https://ubuntu.com/security/notices/USN-8283-1]
CVE-2026-43620
CVE-2026-4367 on Ubuntu 26.04 LTS (resolute) - medium
libXpm Out-of-bounds read in xpmNextWord()
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 13:00:00 UTC
Naoki Wakamatsu
CVE-2026-4367
CVE-2026-43859 on Ubuntu 26.04 LTS (resolute) - medium
mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 07:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135699
CVE-2026-43859
CVE-2026-43860 on Ubuntu 26.04 LTS (resolute) - medium
mutt before 2.3.2 sometimes truncates the hash_passwd by one byte for IMAP auth_cram MD5 digest.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 07:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135699
CVE-2026-43860
CVE-2026-43861 on Ubuntu 26.04 LTS (resolute) - medium
mutt before 2.3.2 does not check for '\0' in url_pct_decode.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 07:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135699
CVE-2026-43861
CVE-2026-43862 on Ubuntu 26.04 LTS (resolute) - medium
In mutt before 2.3.2, the imap_auth_gss security level is mishandled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 07:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135699
CVE-2026-43862
CVE-2026-43863 on Ubuntu 26.04 LTS (resolute) - medium
mutt before 2.3.2 has an infinite loop in data_object_to_stream in crypt-gpgme.c.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 07:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135699
CVE-2026-43863
CVE-2026-43864 on Ubuntu 26.04 LTS (resolute) - medium
mutt before 2.3.2 has a show_sig_summary NULL pointer dereference.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 07:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135699
CVE-2026-43864
CVE-2026-43868 on Ubuntu 26.04 LTS (resolute) - medium
Memory Allocation with Excessive Size Value vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 09:16:00 UTC
CVE-2026-43868
CVE-2026-43869 on Ubuntu 26.04 LTS (resolute) - medium
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 08:16:00 UTC
CVE-2026-43869
CVE-2026-43870 on Ubuntu 26.04 LTS (resolute) - medium
Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 09:16:00 UTC
CVE-2026-43870
CVE-2026-43894 on Ubuntu 26.04 LTS (resolute) - medium
jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the function to use a 30-byte stack buffer, and then writes ≈715 million 16-bit units (≈1.4 GiB) at an offset 1.43 GiB below the stack frame. The written content is fully attacker-controlled (the parsed decimal digits, packed 3-per-unit).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 18:16:00 UTC
CVE-2026-43894
CVE-2026-43895 on Ubuntu 26.04 LTS (resolute) - medium
jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 18:16:00 UTC
CVE-2026-43895
CVE-2026-43896 on Ubuntu 26.04 LTS (resolute) - medium
jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 18:16:00 UTC
CVE-2026-43896
CVE-2026-43901 on Ubuntu 26.04 LTS (resolute) - medium
Wireshark MCP is an MCP Server that turns tshark into a structured analysis interface, then layers in optional Wireshark suite utilities. In 1.1.5 and earlier, wireshark-mcp exposes a wireshark_export_objects MCP tool that accepts an attacker-controlled dest_dir parameter and passes it to tshark's --export-objects flag with no mandatory path restriction. The path sandbox (_allowed_dirs) is None by default and only activates when the environment variable WIRESHARK_MCP_ALLOWED_DIRS is explicitly set. In a default installation, any directory on the filesystem can be used as the export destination.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 23:20:00 UTC
CVE-2026-43901
CVE-2026-43903 on Ubuntu 26.04 LTS (resolute) - medium
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, sgiinput.cpp:265,274 use OIIO_DASSERT for bounds checking in the RLE decode loop. In release builds, OIIO_DASSERT compiles to ((void)sizeof(x)) (dassert.h:210), making all bounds checks no-ops. A crafted .sgi file with RLE count exceeding scanline width causes heap buffer overflow and crash. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 20:17:00 UTC
CVE-2026-43903
CVE-2026-43904 on Ubuntu 26.04 LTS (resolute) - medium
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, softimageinput.cpp:469 (mixed RLE) and :345 (pure RLE) do not clamp the run length to remaining scanline width before writing pixels. The raw packet path (line 403) correctly clamps with std::min, but RLE paths skip this check. A crafted .pic file causes heap overflow up to 65535 bytes. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 20:17:00 UTC
CVE-2026-43904
CVE-2026-43905 on Ubuntu 26.04 LTS (resolute) - medium
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, jpeg2000input.cpp:395 computes buffer size as const int bufsize = w * h * ch * buffer_bpp using signed 32-bit arithmetic. When the product exceeds INT_MAX, the result wraps to 0 or a small value. m_buf.resize() allocates an undersized buffer, and subsequent pixel write loops cause heap overflow. Conditional on USE_OPENJPH build flag. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 20:17:00 UTC
CVE-2026-43905
CVE-2026-43906 on Ubuntu 26.04 LTS (resolute) - medium
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a heap-based buffer overflow in the HEIF decoder of OpenImageIO allows out-of-bounds writes via crafted images due to a subimage metadata mismatch, leading to memory corruption and potential code execution. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 20:17:00 UTC
CVE-2026-43906
CVE-2026-43907 on Ubuntu 26.04 LTS (resolute) - medium
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed integer overflow in QueryRGBBufferSizeInternal() in DPXColorConverter.cpp leads to a heap-based out-of-bounds write when processing crafted DPX image files. The function computes buffer sizes using 32-bit signed integer arithmetic with negative multipliers (e.g., pixels * -3 * bytes for kCbYCr descriptors and pixels * -4 * bytes for kABGR descriptors), where a negative result is used as an in-band signal that no separate buffer is needed. When the pixel count is sufficiently large, the multiplication overflows INT_MIN and wraps to a small positive value. The caller in dpxinput.cpp interprets this positive value as a required buffer size, allocates an undersized heap buffer via m_decodebuf.resize(), and then writes the full image data into it via fread, resulting in a heap buffer overflow. An attacker can exploit this by crafting a DPX file that triggers the overflow, causing a denial of service (crash) or potentially arbitrary code execution through heap corruption in any application that reads pixel data using OpenImageIO. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 20:17:00 UTC
CVE-2026-43907
CVE-2026-43908 on Ubuntu 26.04 LTS (resolute) - medium
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in the pixel-loop index expression i * 3 inside ConvertCbYCrYToRGB() causes the function to compute a large negative pointer offset into the output buffer, producing an out-of-bounds write that crashes the process. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 20:17:00 UTC
CVE-2026-43908
CVE-2026-43909 on Ubuntu 26.04 LTS (resolute) - medium
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in the loop index expression i * 4 inside SwapRGBABytes() causes the function to compute a large negative pointer offset when processing kABGR DPX images with large dimensions. The immediate crash is an out-of-bounds read (the memcpy at line 45 reads from &input[i * 4] first), but the subsequent write operations at lines 46–49 target the same wrapped offset — making this a combined OOB read+write primitive. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 20:17:00 UTC
CVE-2026-43909
CVE-2026-4395 on Ubuntu 26.04 LTS (resolute) - medium
Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() in wolfSSL wolfcrypt allows a remote attacker to write attacker-controlled data past the bounds of the pubkey_raw buffer via a crafted oversized EC public key point. The WOLFSSL_KCAPI_ECC code path copies the input to key->pubkey_raw (132 bytes) using XMEMCPY without a bounds check, unlike the ATECC code path which includes a length validation. This can be triggered during TLS key exchange when a malicious peer sends a crafted ECPoint in ServerKeyExchange.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 21:17:00 UTC
CVE-2026-4395
CVE-2026-43961 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136828
CVE-2026-43961
CVE-2026-43964 on Ubuntu 26.04 LTS (resolute) - medium
Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.
Update Instructions:
Run `sudo pro fix CVE-2026-43964` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
postfix - 3.10.6-4ubuntu2.1
postfix-cdb - 3.10.6-4ubuntu2.1
postfix-ldap - 3.10.6-4ubuntu2.1
postfix-lmdb - 3.10.6-4ubuntu2.1
postfix-mongodb - 3.10.6-4ubuntu2.1
postfix-mysql - 3.10.6-4ubuntu2.1
postfix-pcre - 3.10.6-4ubuntu2.1
postfix-pgsql - 3.10.6-4ubuntu2.1
postfix-sqlite - 3.10.6-4ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05
2026-05-05
Kamil Frankowicz
[https://ubuntu.com/security/notices/USN-8253-1]
CVE-2026-43964
CVE-2026-43970 on Ubuntu 26.04 LTS (resolute) - medium
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2. This issue affects cowlib from 0.1.0 before 2.16.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 19:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136649
CVE-2026-43970
CVE-2026-43996 on Ubuntu 26.04 LTS (resolute) - medium
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, the bounds check in TGAInput::decode_pixel computes k + palbytespp as unsigned 32-bit arithmetic. When k = 0xFFFFFFFC and palbytespp = 4, the addition wraps to 0, which compares less than palette_alloc_size and passes the check. The subsequent palette access uses the unwrapped k (0xFFFFFFFC) as the index, reading ~4 GB past the start of the palette buffer — SEGV. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 20:17:00 UTC
CVE-2026-43996
CVE-2026-44028 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 01:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135777
CVE-2026-44028
CVE-2026-44029 on Ubuntu 26.04 LTS (resolute) - medium
An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" directory traversal. The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.7);
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 01:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135777
CVE-2026-44029
CVE-2026-44047 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137108
CVE-2026-44047
CVE-2026-44048 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137129
CVE-2026-44048
CVE-2026-44049 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137130
CVE-2026-44049
CVE-2026-44050 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137131
CVE-2026-44050
CVE-2026-44051 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137132
CVE-2026-44051
CVE-2026-44052 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-44052
CVE-2026-44053 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-44053
CVE-2026-44054 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137115
CVE-2026-44054
CVE-2026-44055 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137119
CVE-2026-44055
CVE-2026-44056 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-44056
CVE-2026-44057 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137116
CVE-2026-44057
CVE-2026-44058 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-44058
CVE-2026-44059 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-44059
CVE-2026-44060 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137117
CVE-2026-44060
CVE-2026-44061 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-44061
CVE-2026-44062 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137118
CVE-2026-44062
CVE-2026-44063 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-44063
CVE-2026-44064 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137133
CVE-2026-44064
CVE-2026-44065 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-44065
CVE-2026-44066 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137120
CVE-2026-44066
CVE-2026-44067 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-44067
CVE-2026-44068 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137121
CVE-2026-44068
CVE-2026-44069 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-44069
CVE-2026-4407 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds array write in Xpdf 4.06 and earlier, due to incorrect validation of the "N" field in ICCBased color spaces.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-18 22:16:00 UTC
CVE-2026-4407
CVE-2026-44070 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-44070
CVE-2026-44071 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-44071
CVE-2026-44072 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-44072
CVE-2026-44073 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-44073
CVE-2026-44074 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-44074
CVE-2026-44075 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-44075
CVE-2026-44076 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137122
CVE-2026-44076
CVE-2026-44167 on Ubuntu 26.04 LTS (resolute) - medium
phpseclib is a PHP secure communications library. Prior to 1.0.29, 2.0.54, and 3.0.52, anyone loading untrusted ASN1 files (eg. X509 certificates, RSA PKCS8 private or public keys, etc). This is a bypass of CVE-2024-27355. This vulnerability is fixed in 1.0.29, 2.0.54, and 3.0.52.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 18:17:00 UTC
CVE-2026-44167
CVE-2026-44227 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-44227
CVE-2026-44229 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-44229
CVE-2026-44230 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-44230
CVE-2026-44231 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-44231
CVE-2026-4424 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.
Update Instructions:
Run `sudo pro fix CVE-2026-4424` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libarchive-tools - 3.8.5-1ubuntu2.1
libarchive13t64 - 3.8.5-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 15:16:00 UTC
2026-03-19 15:16:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2449006
[https://ubuntu.com/security/notices/USN-8292-1]
CVE-2026-4424
CVE-2026-44243 on Ubuntu 26.04 LTS (resolute) - medium
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations. This issue has been patched in version 3.1.48.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 19:16:00 UTC
CVE-2026-44243
CVE-2026-44244 on Ubuntu 26.04 LTS (resolute) - medium
GitPython is a Python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header — so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 19:16:00 UTC
CVE-2026-44244
CVE-2026-44248 on Ubuntu 26.04 LTS (resolute) - medium
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 19:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136652
CVE-2026-44248
CVE-2026-4426 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.
Update Instructions:
Run `sudo pro fix CVE-2026-4426` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libarchive-tools - 3.8.5-1ubuntu2.1
libarchive13t64 - 3.8.5-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-19 15:16:00 UTC
2026-03-19 15:16:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2449010
[https://ubuntu.com/security/notices/USN-8292-1]
CVE-2026-4426
CVE-2026-44283 on Ubuntu 26.04 LTS (resolute) - medium
etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled. This vulnerability is fixed in 3.4.44, 3.5.30, and 3.6.11.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136829
CVE-2026-44283
CVE-2026-44296 on Ubuntu 26.04 LTS (resolute) - medium
Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service (DoS) vulnerability affects Deskflow servers running with TLS enabled (the default). When any TCP peer connects to the listening port and its first bytes do not parse as a valid TLS ClientHello, SecureSocket::secureAccept enters its fatal-error branch and calls Arch::sleep(1) (a blocking 1-second sleep) on the multiplexer worker thread. That thread services every socket on the server, including established TLS clients delivering mouse motion, keyboard events, and clipboard updates. A single failed handshake therefore stalls input delivery to all connected screens for ~1 second, and a sustained drip of malformed connections (≥ 1/s) makes the server effectively unusable while the attack persists. This vulnerability is fixed in 1.26.0.167.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 22:16:00 UTC
CVE-2026-44296
CVE-2026-4430 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds write vulnerability in The Document Foundation LibreOffice via crafted OOXML documents with mismatched encryption salt parameters. This issue affects LibreOffice: from 26.2 before 26.2.3, from 25.8 before 25.8.7.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 08:16:00 UTC
mdeslaur(main)
https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/2152251
CVE-2026-4430
CVE-2026-44301 on Ubuntu 26.04 LTS (resolute) - medium
Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project's working directory. Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected. This vulnerability is fixed in 0.161.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 22:16:00 UTC
CVE-2026-44301
CVE-2026-44307 on Ubuntu 26.04 LTS (resolute) - medium
Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads of files outside the configured template directory. This vulnerability is fixed in 1.3.12.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 22:16:00 UTC
CVE-2026-44307
CVE-2026-44309 on Ubuntu 26.04 LTS (resolute) - medium
Gitsign is a keyless Sigstore tool for signing Git commits with your GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying against the raw git object bytes. For malformed objects with duplicate tree headers, git-core and go-git parse different trees: git-core uses the first, go-git uses the second. A signature crafted over the go-git-normalized form (second tree) passes gitsign verify while git-core resolves the commit to a completely different tree. This breaks the invariant that a verified signature, the commit semantics git-core presents to users, and the object hash logged in Rekor all refer to the same content. This vulnerability is fixed in 0.16.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-15 17:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136789
CVE-2026-44309
CVE-2026-44310 on Ubuntu 26.04 LTS (resolute) - medium
Gitsign is a keyless Sigstore tool for signing Git commits with your GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify() in pkg/git/verifier.go unconditionally dereferences certs[0] after sd.GetCertificates() without checking the slice length. A CMS/PKCS7 signed message with an empty certificate set is a structurally valid DER payload; GetCertificates() returns an empty slice with no error, causing an immediate index-out-of-range panic. On the gitsign --verify code path (the GPG-compatible mode invoked by git verify-commit), the panic is silently recovered by internal/io/streams.go's Wrap() function, which returns nil instead of an error. main.go then exits with code 0, causing exit-code-only verification callers to interpret the failed verification as success. This vulnerability is fixed in 0.15.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-15 17:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136789
CVE-2026-44310
CVE-2026-44312 on Ubuntu 26.04 LTS (resolute) - medium
css_parser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with OpenSSL::SSL::VERIFY_NONE, meaning any HTTPS certificate—even entirely untrusted—will be accepted without validation. This vulnerability is fixed in 2.1.0 and 1.22.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 17:16:00 UTC
CVE-2026-44312
CVE-2026-44331 on Ubuntu 26.04 LTS (resolute) - medium
In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135840
CVE-2026-44331
CVE-2026-44348 on Ubuntu 26.04 LTS (resolute) - medium
PoDoFo is a C++17 PDF manipulation library. From 1.0.0 to before 1.0.4, a double-free vulnerability exists in compute_hash_to_sign() in src/podofo/private/OpenSSLInternal_Ripped.cpp. If EVP_DigestFinal fails after buf has already been freed, the Error label frees buf a second time, causing heap corruption. This vulnerability is fixed in 1.0.4.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 17:16:00 UTC
CVE-2026-44348
CVE-2026-44353 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07
CVE-2026-44353
CVE-2026-4437 on Ubuntu 26.04 LTS (resolute) - medium
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131435
CVE-2026-4437
CVE-2026-44378 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13
CVE-2026-44378
CVE-2026-4438 on Ubuntu 26.04 LTS (resolute) - medium
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131887
CVE-2026-4438
CVE-2026-44390 on Ubuntu 26.04 LTS (resolute) - medium
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses with very large RRsets with records that don't share a suffix above the root can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. An adversary can exploit the vulnerability by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. A compression limit was introduced in 1.21.1 for this but it didn't account for the case where records would not share any suffix above the root. That causes Unbound to go in a different code path because of the compression tree lookup failure and eventually not increment the compression counter for those operations. Unbound 1.25.1 contains a patch with a fix that increments the compression counter regardless of the compression tree lookup. This is a complement fix to CVE-2024-8508.
Update Instructions:
Run `sudo pro fix CVE-2026-44390` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libunbound8 - 1.24.2-1ubuntu2.1
python3-unbound - 1.24.2-1ubuntu2.1
unbound - 1.24.2-1ubuntu2.1
unbound-anchor - 1.24.2-1ubuntu2.1
unbound-host - 1.24.2-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
2026-05-20
Qifan Zhang
[https://ubuntu.com/security/notices/USN-8282-1]
CVE-2026-44390
CVE-2026-44405 on Ubuntu 26.04 LTS (resolute) - low
In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-05-06 00:16:00 UTC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135907
CVE-2026-44405
CVE-2026-44431 on Ubuntu 26.04 LTS (resolute) - medium
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136653
CVE-2026-44431
CVE-2026-44432 on Ubuntu 26.04 LTS (resolute) - medium
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136654
CVE-2026-44432
CVE-2026-44544 on Ubuntu 26.04 LTS (resolute) - medium
gittuf is a platform-agnostic Git security system. Prior to 0.14.0, an attacker with push access to gittuf's Reference State Log (RSL) can roll back the current policy to any previous policy trusted by the current set of root keys. gittuf determines the policy to load by inspecting the RSL. Except for the very first policy (which is automatically trusted given gittuf's TOFU model, or verified against manually specified keys), whenever an RSL entry that points to a new policy is encountered, gittuf validates that this policy is trusted. This is done by checking that the new policy’s root metadata is signed by the required threshold of the current policy's root keys. Because of this, an attacker with push access to the RSL may create a new entry that references an old policy (that is trusted by the most recent policy's set of root keys), thereby rolling back gittuf's policy to the attacker's chosen state. This vulnerability is fixed in 0.14.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136704
CVE-2026-44544
CVE-2026-44597 on Ubuntu 26.04 LTS (resolute) - medium
Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 01:16:00 UTC
CVE-2026-44597
CVE-2026-44599 on Ubuntu 26.04 LTS (resolute) - medium
Tor before 0.4.9.7 can attempt or accept BEGIN_DIR via conflux legs, aka TROVE-2026-008.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 03:16:00 UTC
CVE-2026-44599
CVE-2026-44600 on Ubuntu 26.04 LTS (resolute) - medium
Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue, aka TROVE-2026-010.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 03:16:00 UTC
CVE-2026-44600
CVE-2026-44601 on Ubuntu 26.04 LTS (resolute) - medium
Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circuit, aka TROVE-2026-009.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 04:16:00 UTC
CVE-2026-44601
CVE-2026-44602 on Ubuntu 26.04 LTS (resolute) - medium
Tor before 0.4.9.7 has a NULL pointer dereference when a CERT cell is received out of order, aka TROVE-2026-006.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 04:16:00 UTC
CVE-2026-44602
CVE-2026-44603 on Ubuntu 26.04 LTS (resolute) - medium
Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 04:16:00 UTC
CVE-2026-44603
CVE-2026-44608 on Ubuntu 26.04 LTS (resolute) - medium
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.
Update Instructions:
Run `sudo pro fix CVE-2026-44608` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libunbound8 - 1.24.2-1ubuntu2.1
python3-unbound - 1.24.2-1ubuntu2.1
unbound - 1.24.2-1ubuntu2.1
unbound-anchor - 1.24.2-1ubuntu2.1
unbound-host - 1.24.2-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
2026-05-20
Qifan Zhang
[https://ubuntu.com/security/notices/USN-8282-1]
CVE-2026-44608
CVE-2026-44636 on Ubuntu 26.04 LTS (resolute) - medium
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, signed integer overflow in sixel_encode_highcolor's allocation size calculation can lead to a heap buffer overflow. The public sixel_encode entry point validates only that width and height are greater than zero, with no upper bound. width and height are multiplied as plain int when computing the allocation size for paletted_pixels and normalized_pixels. Any caller that asks libsixel to encode a pixel buffer with width times height greater than INT_MAX (about 2.15 billion) will hit a wrapped allocation size; under the right wrap, the malloc succeeds with a buffer much smaller than the encoder expects, and the encoder writes past the end of the heap allocation. This vulnerability is fixed in 1.8.7-r2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 20:17:00 UTC
CVE-2026-44636
CVE-2026-44637 on Ubuntu 26.04 LTS (resolute) - medium
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a signed integer overflow in the SIXEL parser's image-buffer doubling loop can lead to an out-of-bounds heap write in sixel_decode_raw_impl. context->pos_x grows by repeat_count on every sixel character with no upper bound check. Once pos_x approaches INT_MAX, the expression "pos_x + repeat_count" used to size the image buffer overflows signed int. Depending on how the overflow wraps, the resize check that should reject oversized buffers can be bypassed, after which a subsequent write computes a large attacker-influenced offset into image->data and writes past the allocation. Reachable from any caller that decodes attacker-supplied SIXEL data, including img2sixel. This vulnerability is fixed in 1.8.7-r2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 20:17:00 UTC
CVE-2026-44637
CVE-2026-44638 on Ubuntu 26.04 LTS (resolute) - medium
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a wrong NULL check after an allocation call in sixel_decode_raw and sixel_decode causes a NULL pointer dereference whenever the allocation fails. The check tests the address of the output parameter (always non-NULL) instead of the value the malloc returned. On allocation failure, the function continues and writes through a NULL pointer, crashing the process. This is a denial of service against any caller of these public APIs that hits a low-memory condition. This vulnerability is fixed in 1.8.7-r2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 20:17:00 UTC
CVE-2026-44638
CVE-2026-44656 on Ubuntu 26.04 LTS (resolute) - medium
Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 23:16:00 UTC
kkernick
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136086
CVE-2026-44656
CVE-2026-44673 on Ubuntu 26.04 LTS (resolute) - medium
libyang is a YANG data modeling language library. Prior to SO 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer overflow that results in a heap buffer overflow when parsing a maliciously crafted LYB binary blob. An attacker who can supply LYB data to any libyang consumer (NETCONF server, sysrepo, etc.) can trigger a crash or potential heap corruption. This vulnerability is fixed in SO 5.2.15.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137026
CVE-2026-44673
CVE-2026-44699 on Ubuntu 26.04 LTS (resolute) - medium
LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an HS256/HS384/HS512 token. In the OpenSSL backend, this causes HMAC verification to run with a zero-length key, so an attacker can forge a valid JWT without knowing any secret or RSA private key. This is an algorithm-confusion authentication bypass. It affects applications that load RSA keys from JWKS where alg is omitted, which is valid JWK syntax and common in real deployments, and then choose the verification algorithm from the JWT header, for example in a kid lookup callback. This vulnerability is fixed in 3.3.3.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-15 17:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136810
CVE-2026-44699
CVE-2026-44742 on Ubuntu 26.04 LTS (resolute) - medium
Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 19:16:00 UTC
CVE-2026-44742
CVE-2026-44777 on Ubuntu 26.04 LTS (resolute) - medium
jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 18:16:00 UTC
CVE-2026-44777
CVE-2026-44916 on Ubuntu 26.04 LTS (resolute) - medium
In OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 07:16:00 UTC
https://bugs.launchpad.net/ironic/+bug/2148307
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136005
CVE-2026-44916
CVE-2026-44919 on Ubuntu 26.04 LTS (resolute) - medium
In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 02:17:00 UTC
https://bugs.launchpad.net/ironic/+bug/2150332
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136655
CVE-2026-44919
CVE-2026-44927 on Ubuntu 26.04 LTS (resolute) - medium
In uriparser before 1.0.2, there is pointer difference truncation to int in various places.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 08:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136088
CVE-2026-44927
CVE-2026-44928 on Ubuntu 26.04 LTS (resolute) - medium
In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 08:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136088
CVE-2026-44928
CVE-2026-44931 on Ubuntu 26.04 LTS (resolute) - medium
The newly introduced RecordUsage D-Bus method https://gitlab.freedesktop.org/pwithnall/malcontent/-/blob/0.14.0/libmalcontent-timer/child-timer-service.c in malcontent-timerd allows arbitrary users in the system to slowly fill up disk space in /var/lib/malcontent-timerd
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 13:01:00 UTC
https://gitlab.freedesktop.org/pwithnall/malcontent/-/work_items/137
CVE-2026-44931
CVE-2026-45031 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45031
CVE-2026-45063 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45063
CVE-2026-45064 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45064
CVE-2026-45065 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45065
CVE-2026-45066 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45066
CVE-2026-45067 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45067
CVE-2026-45068 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45068
CVE-2026-45069 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45069
CVE-2026-45070 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45070
CVE-2026-45071 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45071
CVE-2026-45072 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45072
CVE-2026-45073 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45073
CVE-2026-45074 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45074
CVE-2026-45075 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45075
CVE-2026-45077 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45077
CVE-2026-45130 on Ubuntu 26.04 LTS (resolute) - medium
Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 23:16:00 UTC
kkernick
Daniel Cervera
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136097
CVE-2026-45130
CVE-2026-45133 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45133
CVE-2026-45184 on Ubuntu 26.04 LTS (resolute) - medium
Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-09 23:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136172
CVE-2026-45184
CVE-2026-45185 on Ubuntu 26.04 LTS (resolute) - high
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
Update Instructions:
Run `sudo pro fix CVE-2026-45185` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
exim4 - 4.99.1-1ubuntu1.2
exim4-base - 4.99.1-1ubuntu1.2
exim4-config - 4.99.1-1ubuntu1.2
exim4-daemon-heavy - 4.99.1-1ubuntu1.2
exim4-daemon-light - 4.99.1-1ubuntu1.2
eximon4 - 4.99.1-1ubuntu1.2
No subscription required
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-05-12 20:16:00 UTC
[https://ubuntu.com/security/notices/USN-8270-1]
CVE-2026-45185
CVE-2026-45186 on Ubuntu 26.04 LTS (resolute) - medium
In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-10 07:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136164
CVE-2026-45186
CVE-2026-4519 on Ubuntu 26.04 LTS (resolute) - medium
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-20 15:16:00 UTC
CVE-2026-4519
CVE-2026-45205 on Ubuntu 26.04 LTS (resolute) - medium
Uncontrolled Recursion vulnerability in Apache Commons. When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles. This issue affects Apache Commons: from 2.2 before 2.15.0. Users are recommended to upgrade to version 2.15.0, which fixes the issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 12:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136705
CVE-2026-45205
CVE-2026-45232 on Ubuntu 26.04 LTS (resolute) - medium
Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows network attackers to corrupt stack memory by sending a malformed HTTP proxy response. Attackers can exploit this by positioning themselves between the client and proxy or controlling the proxy server to send a response line of 1023 or more bytes without a newline terminator, causing a null byte to be written to an out-of-bounds stack address when the RSYNC_PROXY environment variable is set.
Update Instructions:
Run `sudo pro fix CVE-2026-45232` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
rsync - 3.4.1+ds1-7ubuntu0.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20 00:00:00 UTC
2026-05-20 00:00:00 UTC
Michal Ruprich
[https://ubuntu.com/security/notices/USN-8283-1]
CVE-2026-45232
CVE-2026-45304 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45304
CVE-2026-45305 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45305
CVE-2026-45354 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137123
CVE-2026-45354
CVE-2026-45355 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137124
CVE-2026-45355
CVE-2026-45356 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137127
CVE-2026-45356
CVE-2026-45358 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45358
CVE-2026-45359 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45359
CVE-2026-4538 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through a pull request but has not reacted yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-22 05:16:00 UTC
CVE-2026-4538
CVE-2026-4539 on Ubuntu 26.04 LTS (resolute) - low
A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-03-22 06:16:00 UTC
CVE-2026-4539
CVE-2026-4541 on Ubuntu 26.04 LTS (resolute) - medium
A flaw has been found in janmojzis tinyssh up to 20250501. Impacted is an unknown function of the file tinyssh/crypto_sign_ed25519_tinyssh.c of the component Ed25519 Signature Handler. This manipulation causes improper verification of cryptographic signature. The attack is restricted to local execution. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. Upgrading to version 20260301 is recommended to address this issue. Patch name: 9c87269607e0d7d20174df742accc49c042cff17. Upgrading the affected component is recommended.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-22 09:15:00 UTC
CVE-2026-4541
CVE-2026-45624 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45624
CVE-2026-45664 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45664
CVE-2026-45698 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137126
CVE-2026-45698
CVE-2026-45699 on Ubuntu 26.04 LTS (resolute) - medium
security update
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137125
CVE-2026-45699
CVE-2026-45736 on Ubuntu 26.04 LTS (resolute) - medium
ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-15 15:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136804
CVE-2026-45736
CVE-2026-45753 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45753
CVE-2026-45754 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45754
CVE-2026-45755 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45755
CVE-2026-45756 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-45756
CVE-2026-45803 on Ubuntu 26.04 LTS (resolute) - medium
`gh` is GitHub’s official command line tool. From 1.6.0 to before 2.92.0, a security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view --log-failed. The vulnerability stems from the way GitHub CLI handles raw Actions log output. The gh run view --log and gh run view --log-failed commands stream workflow log lines to stdout or the configured pager without sanitizing terminal control sequences. An attacker who can influence GitHub Actions log content, for example via a PR triggered workflow, can embed escape sequences that are replayed in the user's terminal when they inspect the run. Depending on the victim's terminal emulator, injected sequences could change the window title, manipulate on screen content, or in some terminal emulators (such as screen) potentially execute arbitrary commands. This vulnerability is fixed in 2.92.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-15 16:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136953
CVE-2026-45803
CVE-2026-46300 on Ubuntu 26.04 LTS (resolute) - high
Fragnesia linux kernel local privilege escalation issue
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-05-13
CVE-2026-46300
CVE-2026-4631 on Ubuntu 26.04 LTS (resolute) - medium
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 17:16:00 UTC
CVE-2026-4631
CVE-2026-46333 on Ubuntu 26.04 LTS (resolute) - high
In the Linux kernel, the following vulnerability has been resolved:
ptrace: slightly saner 'get_dumpable()' logic
The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm.
And almost all users do in fact use it only for the case where the task has a mm pointer.
But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads).
It's not what this flag was designed for, but it is what it is.
The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all.
Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.
Ubuntu 26.04 LTS
High
Copyright (C) 2026 Canonical Ltd.
2026-05-15 14:16:00 UTC
CVE-2026-46333
CVE-2026-46433 on Ubuntu 26.04 LTS (resolute) - medium
[Heap OOB Read in VLAN Decapsulation memmove]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-46433
CVE-2026-46445 on Ubuntu 26.04 LTS (resolute) - medium
SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 04:17:00 UTC
CVE-2026-46445
CVE-2026-46446 on Ubuntu 26.04 LTS (resolute) - medium
SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored, allows SQL injection. This is related to c_password = '%@' in changePasswordForLogin.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 04:17:00 UTC
CVE-2026-46446
CVE-2026-4647 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-23 14:16:00 UTC
CVE-2026-4647
CVE-2026-46483 on Ubuntu 26.04 LTS (resolute) - medium
Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-15 15:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136803
CVE-2026-46483
CVE-2026-4649 on Ubuntu 26.04 LTS (resolute) - medium
Apache Artemis before version 2.52.0 is affected by an authentication bypass flaw which allows reading all messages exchanged via the broker and injection of new message ( CVE-2026-27446 https://www.cve.org/CVERecord ). Since KNIME Business Hub uses Apache Artemis it is also affected by the issue. However, since Apache Artemis is not exposed to the outside it requires at least normal user privileges and the ability to execute workflows in an executor. Such a user can install and register a federated mirror without authentication to the original Apache Artemis instance and thereby read all internal messages and inject new messages. The issue affects all versions of KNIME Business Hub. A fixed version of Apache Artemis is shipped with versions 1.18.0, 1.17.4, and 1.16.3. We recommend updating to a fixed version as soon as possible since no workaround is known.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 09:16:00 UTC
CVE-2026-4649
CVE-2026-46520 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46520
CVE-2026-46521 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46521
CVE-2026-46522 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46522
CVE-2026-46523 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46523
CVE-2026-46529 on Ubuntu 26.04 LTS (resolute) - medium
PDF /GoToR action argv injection enables single-click RCE via --gtk-module dlopen
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
mdeslaur(main)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958981
https://gitlab.gnome.org/GNOME/evince/-/work_items/2153
CVE-2026-46529
CVE-2026-46557 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46557
CVE-2026-46559 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46559
CVE-2026-46626 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46626
CVE-2026-46627 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46627
CVE-2026-46628 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46628
CVE-2026-46629 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46629
CVE-2026-46633 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46633
CVE-2026-46634 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46634
CVE-2026-46635 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46635
CVE-2026-46637 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46637
CVE-2026-46638 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46638
CVE-2026-46639 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46639
CVE-2026-46640 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46640
CVE-2026-46692 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46692
CVE-2026-46693 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-46693
CVE-2026-46728 on Ubuntu 26.04 LTS (resolute) - medium
Das U-Boot before 2026.04 allows FIT (Flat Image Tree) signature verification bypass because hashed-nodes is omitted from a hash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-16 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136954
CVE-2026-46728
CVE-2026-47165 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-47165
CVE-2026-47166 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-47166
CVE-2026-47212 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-47212
CVE-2026-47372 on Ubuntu 26.04 LTS (resolute) - medium
Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-47372
CVE-2026-47373 on Ubuntu 26.04 LTS (resolute) - medium
Crypt::SaltedHash versions through 0.09 for Perl are susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying hash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-47373
CVE-2026-4739 on Ubuntu 26.04 LTS (resolute) - medium
Integer Overflow or Wraparound vulnerability in InsightSoftwareConsortium ITK (Modules/ThirdParty/Expat/src/expat modules). This issue affects ITK: before 2.7.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 04:17:00 UTC
CVE-2026-4739
CVE-2026-4750 on Ubuntu 26.04 LTS (resolute) - medium
Out-of-bounds Read vulnerability in fabiangreffrath woof. This issue affects woof: before woof_15.3.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 06:16:00 UTC
CVE-2026-4750
CVE-2026-4751 on Ubuntu 26.04 LTS (resolute) - medium
NULL Pointer Dereference vulnerability in tmate-io tmate. This issue affects tmate: before 2.4.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 06:16:00 UTC
CVE-2026-4751
CVE-2026-47730 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-47730
CVE-2026-47732 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-47732
CVE-2026-4775 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations, potentially causing a denial of service (application crash) or arbitrary code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-24 15:16:00 UTC
CVE-2026-4775
CVE-2026-47783 on Ubuntu 26.04 LTS (resolute) - medium
In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20 07:16:00 UTC
CVE-2026-47783
CVE-2026-47784 on Ubuntu 26.04 LTS (resolute) - medium
In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20 07:16:00 UTC
CVE-2026-47784
CVE-2026-4786 on Ubuntu 26.04 LTS (resolute) - medium
Mitigation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types and the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 22:16:00 UTC
CVE-2026-4786
CVE-2026-4800 on Ubuntu 26.04 LTS (resolute) - medium
Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches: Users should upgrade to version 4.18.0.
Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132500
CVE-2026-4800
CVE-2026-4833 on Ubuntu 26.04 LTS (resolute) - low
A weakness has been identified in Orc discount up to 3.0.1.2. This issue affects the function compile of the file markdown.c of the component Markdown Handler. This manipulation causes uncontrolled recursion. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project maintainer confirms: "[I]f you feed it an infinitely deep blockquote input it will crash. (...) [T]his is a duplicate of an old bug that I've been working on."
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-03-26 02:16:00 UTC
https://github.com/Orc/discount/issues/305
CVE-2026-4833
CVE-2026-4873 on Ubuntu 26.04 LTS (resolute) - low
A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmits data unencrypted.
Update Instructions:
Run `sudo pro fix CVE-2026-4873` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
curl - 8.18.0-1ubuntu2.1
libcurl3t64-gnutls - 8.18.0-1ubuntu2.1
libcurl4t64 - 8.18.0-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-04-29 14:00:00 UTC
2026-04-29 14:00:00 UTC
Arkadi Vainbrand
[https://ubuntu.com/security/notices/USN-8227-1]
CVE-2026-4873
CVE-2026-4890 on Ubuntu 26.04 LTS (resolute) - medium
A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
Update Instructions:
Run `sudo pro fix CVE-2026-4890` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
dnsmasq - 2.92-1ubuntu0.2
dnsmasq-base - 2.92-1ubuntu0.2
dnsmasq-base-lua - 2.92-1ubuntu0.2
dnsmasq-utils - 2.92-1ubuntu0.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 12:00:00 UTC
2026-05-11 12:00:00 UTC
[https://ubuntu.com/security/notices/USN-8268-1]
CVE-2026-4890
CVE-2026-4891 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
Update Instructions:
Run `sudo pro fix CVE-2026-4891` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
dnsmasq - 2.92-1ubuntu0.2
dnsmasq-base - 2.92-1ubuntu0.2
dnsmasq-base-lua - 2.92-1ubuntu0.2
dnsmasq-utils - 2.92-1ubuntu0.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 12:00:00 UTC
2026-05-11 12:00:00 UTC
[https://ubuntu.com/security/notices/USN-8268-1]
CVE-2026-4891
CVE-2026-4892 on Ubuntu 26.04 LTS (resolute) - medium
A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet.
Update Instructions:
Run `sudo pro fix CVE-2026-4892` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
dnsmasq - 2.92-1ubuntu0.2
dnsmasq-base - 2.92-1ubuntu0.2
dnsmasq-base-lua - 2.92-1ubuntu0.2
dnsmasq-utils - 2.92-1ubuntu0.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 12:00:00 UTC
2026-05-11 12:00:00 UTC
[https://ubuntu.com/security/notices/USN-8268-1]
CVE-2026-4892
CVE-2026-4893 on Ubuntu 26.04 LTS (resolute) - medium
An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information.
Update Instructions:
Run `sudo pro fix CVE-2026-4893` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
dnsmasq - 2.92-1ubuntu0.2
dnsmasq-base - 2.92-1ubuntu0.2
dnsmasq-base-lua - 2.92-1ubuntu0.2
dnsmasq-utils - 2.92-1ubuntu0.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 12:00:00 UTC
2026-05-11 12:00:00 UTC
[https://ubuntu.com/security/notices/USN-8268-1]
CVE-2026-4893
CVE-2026-4948 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus) setters, setZoneSettings2 and setPolicySettings. This mis-authorization allows the user to modify the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 06:16:00 UTC
CVE-2026-4948
CVE-2026-4985 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was identified in dloebl CGIF up to 0.5.2. This vulnerability affects the function cgif_addframe of the file src/cgif.c of the component GIF Image Handler. The manipulation of the argument width/height leads to integer overflow. The attack may be initiated remotely. The identifier of the patch is b0ba830093f4317a5d1f345715d2fa3cd2dab474. It is suggested to install a patch to address this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-27 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132167
CVE-2026-4985
CVE-2026-5037 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was determined in mxml up to 4.0.4. This issue affects the function index_sort of the file mxml-index.c of the component mxmlIndexNew. Executing a manipulation of the argument tempr can lead to stack-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 6e27354466092a1ac65601e01ce6708710bb9fa5. A patch should be applied to remediate this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-29 09:15:00 UTC
CVE-2026-5037
CVE-2026-5080 on Ubuntu 26.04 LTS (resolute) - medium
Dancer::Session::Abstract versions through 1.3522 for Perl generate session ids insecurely. The session id is generated from summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand() function to return a number between 0 and 999-billion, and concatenating that result three times. The path name might be known or guessed by an attacker, especially for applications known to be written using Dancer with standard installation locations. The epoch time can be guessed by an attacker, and may be leaked in the HTTP header. The process id comes from a small set of numbers, and workers may have sequential process ids. The built-in rand() function is seeded with 32-bits and is considered unsuitable for security applications. Predictable session ids could allow an attacker to gain access to systems.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 12:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135322
CVE-2026-5080
CVE-2026-5081 on Ubuntu 26.04 LTS (resolute) - medium
Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure. Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable for the session id. The UNIQUE_ID variable is set by the Apache mod_unique_id plugin, which generates unique ids for the request. The id is based on the IPv4 address, the process id, the epoch time, a 16-bit counter and a thread index, with no obfuscation. The server IP is often available to the public, and if not available, can be guessed from previous session ids being issued. The process ids may also be guessed from previous session ids. The timestamp is easily guessed (and leaked in the HTTP Date response header). The purpose of mod_unique_id is to assign a unique id to requests so that events can be correlated in different logs. The id is not designed, nor is it suitable for security purposes.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 13:16:00 UTC
CVE-2026-5081
CVE-2026-5089 on Ubuntu 26.04 LTS (resolute) - medium
YAML::Syck versions before 1.38 for Perl have an out-of-bounds read. The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer:
    while ( colon >= ptr && *colon != ':' ) { colon--; }
    if ( *colon == ':' ) *colon = '\0'; // colon may be ptr-1 here
When no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 17:16:00 UTC
CVE-2026-5089
CVE-2026-5090 on Ubuntu 26.04 LTS (resolute) - medium
Template::Plugin::HTML versions through 3.102 for Perl allow HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could have code injected. For example, the variable "var" in <a id='ref' title='[% var | html %]'> would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example, var = " ' onclick='while (true) { alert(1) }'" Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137160
CVE-2026-5090
CVE-2026-5107 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in FRRouting FRR up to 10.5.1. This affects the function process_type2_route of the file bgpd/bgp_evpn.c of the component EVPN Type-2 Route Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The identifier of the patch is 7676cad65114aa23adde583d91d9d29e2debd045. To fix this issue, it is recommended to deploy a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 06:16:00 UTC
2026-03-30 06:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132329
[https://ubuntu.com/security/notices/USN-8175-1]
CVE-2026-5107
CVE-2026-5119 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 07:15:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132331
CVE-2026-5119
CVE-2026-5121 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.
Update Instructions:
Run `sudo pro fix CVE-2026-5121` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libarchive-tools - 3.8.5-1ubuntu2.1
libarchive13t64 - 3.8.5-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 08:16:00 UTC
2026-03-30 08:16:00 UTC
[https://ubuntu.com/security/notices/USN-8292-1]
CVE-2026-5121
CVE-2026-5122 on Ubuntu 26.04 LTS (resolute) - medium
A security flaw has been discovered in osrg GoBGP up to 4.3.0. This affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Performing a manipulation of the argument domainNameLen results in improper access controls. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The patch is named 2b09db390a3d455808363c53e409afe6b1b86d2d. It is suggested to install a patch to address this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 15:16:00 UTC
CVE-2026-5122
CVE-2026-5123 on Ubuntu 26.04 LTS (resolute) - medium
A weakness has been identified in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. This patch is called 67c059413470df64bc20801c46f64058e88f800f. A patch should be applied to remediate this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 16:16:00 UTC
CVE-2026-5123
CVE-2026-5124 on Ubuntu 26.04 LTS (resolute) - medium
A security vulnerability has been detected in osrg GoBGP up to 4.3.0. Affected is the function BGPHeader.DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP Header Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is told to be difficult. The identifier of the patch is f0f24a2a901cbf159260698211ab15c583ced131. To fix this issue, it is recommended to deploy a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-30 17:16:00 UTC
CVE-2026-5124
CVE-2026-5172 on Ubuntu 26.04 LTS (resolute) - medium
A buffer overflow in dnsmasq’s extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record’s end.
Update Instructions:
Run `sudo pro fix CVE-2026-5172` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
dnsmasq - 2.92-1ubuntu0.2
dnsmasq-base - 2.92-1ubuntu0.2
dnsmasq-base-lua - 2.92-1ubuntu0.2
dnsmasq-utils - 2.92-1ubuntu0.2
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 12:00:00 UTC
2026-05-11 12:00:00 UTC
[https://ubuntu.com/security/notices/USN-8268-1]
CVE-2026-5172
CVE-2026-5185 on Ubuntu 26.04 LTS (resolute) - medium
A security flaw has been discovered in Nothings stb_image up to 2.30. This affects the function stbi__gif_load_next of the file stb_image.h of the component Multi-frame GIF File Handler. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 07:16:00 UTC
CVE-2026-5185
CVE-2026-5186 on Ubuntu 26.04 LTS (resolute) - medium
A weakness has been identified in Nothings stb up to 2.30. This impacts the function stbi__load_gif_main of the file stb_image.h of the component Multi-frame GIF File Handler. This manipulation causes double free. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-03-31 08:15:00 UTC
CVE-2026-5186
CVE-2026-5187 on Ubuntu 26.04 LTS (resolute) - medium
Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only validates one available slot before writing two OID arc values (out[0] and out[1]), enabling a 2-byte out-of-bounds write when outSz equals 1. Second, multiple callers pass sizeof(decOid) (64 bytes on 64-bit platforms) instead of the element count MAX_OID_SZ (32), causing the function to accept crafted OIDs with 33 or more arcs that write past the end of the allocated buffer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 20:16:00 UTC
CVE-2026-5187
CVE-2026-5188 on Ubuntu 26.04 LTS (resolute) - medium
An integer underflow issue exists in wolfSSL when parsing the Subject Alternative Name (SAN) extension of X.509 certificates. A malformed certificate can specify an entry length larger than the enclosing sequence, causing the internal length counter to wrap during parsing. This results in incorrect handling of certificate data. The issue is limited to configurations using the original ASN.1 parsing implementation which is off by default.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 04:17:00 UTC
CVE-2026-5188
CVE-2026-5194 on Ubuntu 26.04 LTS (resolute) - medium
Missing hash/digest size and OID checks allow digests smaller than allowed when verifying ECDSA certificates, or smaller than is appropriate for the relevant key type, to be accepted by signature verification functions. This could lead to reduced security of ECDSA certificate-based authentication if the public CA key used is also known. This affects ECDSA/ECC verification when EdDSA or ML-DSA is also enabled.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 20:16:00 UTC
CVE-2026-5194
CVE-2026-5260 on Ubuntu 26.04 LTS (resolute) - medium
For a server using an RSA key backed by a PKCS#11 token, a client sending an extremely short premaster secret during an RSA key exchange could trigger a short heap overread.
Update Instructions:
Run `sudo pro fix CVE-2026-5260` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.12-2ubuntu1.1
libgnutls-dane0t64 - 3.8.12-2ubuntu1.1
libgnutls-openssl27t64 - 3.8.12-2ubuntu1.1
libgnutls30t64 - 3.8.12-2ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30
2026-04-30
Joshua Rogers
https://gitlab.com/gnutls/gnutls/-/issues/1814
[https://ubuntu.com/security/notices/USN-8284-1]
CVE-2026-5260
CVE-2026-5263 on Ubuntu 26.04 LTS (resolute) - medium
URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcrypt/src/asn.c. A compromised or malicious sub-CA could issue leaf certificates with URI SAN entries that violate the nameConstraints of the issuing CA, and wolfSSL would accept them as valid.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 22:16:00 UTC
CVE-2026-5263
CVE-2026-5264 on Ubuntu 26.04 LTS (resolute) - medium
Heap buffer overflow in DTLS 1.3 ACK message processing. A remote attacker can send a crafted DTLS 1.3 ACK message that triggers a heap buffer overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 22:16:00 UTC
CVE-2026-5264
CVE-2026-5265 on Ubuntu 26.04 LTS (resolute) - medium
When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length (ip_tot_len for IPv4, ip6_plen for IPv6) without validating it against the actual packet buffer size. A VM can send a short packet with an inflated IP length field that triggers an ICMP error (e.g., by hitting a reject ACL), causing ovn-controller to read heap memory beyond the valid packet data and include it in the ICMP response sent back to the VM.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-20
Seiji Sakurai
CVE-2026-5265
CVE-2026-5266 on Ubuntu 26.04 LTS (resolute) - medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Echo. This vulnerability is associated with program files includes/Api/ApiEchoNotifications.Php. This issue affects Echo: from * before 1.43.7, 1.44.4, 1.45.2.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 18:16:00 UTC
CVE-2026-5266
CVE-2026-5295 on Ubuntu 26.04 LTS (resolute) - medium
A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wc_PKCS7_DecryptOri() function in wolfcrypt/src/pkcs7.c. When processing a CMS EnvelopedData message containing an OtherRecipientInfo (ORI) recipient, the function copies an ASN.1-parsed OID into a fixed 32-byte stack buffer (oriOID[MAX_OID_SZ]) via XMEMCPY without first validating that the parsed OID length does not exceed MAX_OID_SZ. A crafted CMS EnvelopedData message with an ORI recipient containing an OID longer than 32 bytes triggers a stack buffer overflow. Exploitation requires the library to be built with --enable-pkcs7 (disabled by default) and the application to have registered an ORI decrypt callback via wc_PKCS7_SetOriDecryptCb().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 23:17:00 UTC
CVE-2026-5295
CVE-2026-5299 on Ubuntu 26.04 LTS (resolute) - medium
ICMPv6 PvD protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-5299
CVE-2026-5313 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in Nothings stb up to 2.30. This issue affects the function stbi__gif_load_next in the library stb_image.h of the component GIF Decoder. Such manipulation leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 22:16:00 UTC
CVE-2026-5313
CVE-2026-5314 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in Nothings stb up to 1.26. Impacted is the function stbtt_InitFont_internal in the library stb_truetype.h of the component TTF File Handler. Performing a manipulation results in out-of-bounds read. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-01 23:17:00 UTC
CVE-2026-5314
CVE-2026-5315 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was determined in Nothings stb up to 1.26. The affected element is the function stbtt__buf_get8 in the library stb_truetype.h of the component TTF File Handler. Executing a manipulation can lead to out-of-bounds read. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 00:16:00 UTC
CVE-2026-5315
CVE-2026-5316 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was identified in Nothings stb up to 1.22. The impacted element is the function setup_free of the file stb_vorbis.c. The manipulation leads to allocation of resources. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 00:16:00 UTC
CVE-2026-5316
CVE-2026-5317 on Ubuntu 26.04 LTS (resolute) - medium
A security flaw has been discovered in Nothings stb up to 1.22. This affects the function start_decoder of the file stb_vorbis.c. The manipulation results in out-of-bounds write. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 01:16:00 UTC
CVE-2026-5317
CVE-2026-5318 on Ubuntu 26.04 LTS (resolute) - medium
A weakness has been identified in LibRaw up to 0.22.0. This impacts the function HuffTable::initval of the file src/decompressors/losslessjpeg.cpp of the component JPEG DHT Parser. This manipulation of the argument bits[] causes out-of-bounds write. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 0.22.1 will fix this issue. Patch name: a6734e867b19d75367c05f872ac26322464e3995. It is advisable to upgrade the affected component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 03:16:00 UTC
CVE-2026-5318
CVE-2026-5342 on Ubuntu 26.04 LTS (resolute) - medium
A flaw has been found in LibRaw up to 0.22.0. This affects the function LibRaw::nikon_load_padded_packed_raw of the file src/decoders/decoders_libraw.cpp of the component TIFF/NEF. Executing a manipulation of the argument load_flags/raw_width can lead to out-of-bounds read. It is possible to launch the attack remotely. The exploit has been published and may be used. Upgrading to version 0.22.1 mitigates this issue. This patch is called b8397cd45657b84e88bd1202528d1764265f185c. It is advisable to upgrade the affected component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-02 15:16:00 UTC
CVE-2026-5342
CVE-2026-5367 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-20
Seiji Sakurai
CVE-2026-5367
CVE-2026-5392 on Ubuntu 26.04 LTS (resolute) - medium
Heap out-of-bounds read in PKCS7 parsing. A crafted PKCS7 message can trigger an OOB read on the heap. The missing bounds check is in the indefinite-length end-of-content verification loop in PKCS7_VerifySignedData().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 00:16:00 UTC
CVE-2026-5392
CVE-2026-5393 on Ubuntu 26.04 LTS (resolute) - medium
Dual-Algorithm CertificateVerify out-of-bounds read. When processing a dual-algorithm CertificateVerify message, an out-of-bounds read can occur on crafted input. This can only occur when --enable-experimental and --enable-dual-alg-certs is used when building wolfSSL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 00:16:00 UTC
CVE-2026-5393
CVE-2026-5401 on Ubuntu 26.04 LTS (resolute) - medium
AFP Spotlight protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-5401
CVE-2026-5402 on Ubuntu 26.04 LTS (resolute) - medium
TLS protocol dissector heap overflow in Wireshark 4.6.0 to 4.6.4 allows denial of service and possible code execution
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-5402
CVE-2026-5403 on Ubuntu 26.04 LTS (resolute) - medium
SBC codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 00:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135323
CVE-2026-5403
CVE-2026-5404 on Ubuntu 26.04 LTS (resolute) - medium
K12 RF5 file parser crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 00:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135323
CVE-2026-5404
CVE-2026-5405 on Ubuntu 26.04 LTS (resolute) - medium
RDP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 00:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135323
CVE-2026-5405
CVE-2026-5406 on Ubuntu 26.04 LTS (resolute) - medium
FC-SWILS protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-5406
CVE-2026-5407 on Ubuntu 26.04 LTS (resolute) - medium
SMB2 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-5407
CVE-2026-5408 on Ubuntu 26.04 LTS (resolute) - medium
BT-DHT protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-5408
CVE-2026-5409 on Ubuntu 26.04 LTS (resolute) - medium
Monero protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-5409
CVE-2026-5419 on Ubuntu 26.04 LTS (resolute) - medium
The PKCS#7 padding check performed during decryption was not constant-time, potentially leaking information about the padding bytes through timing differences.
Update Instructions:
Run `sudo pro fix CVE-2026-5419` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
gnutls-bin - 3.8.12-2ubuntu1.1
libgnutls-dane0t64 - 3.8.12-2ubuntu1.1
libgnutls-openssl27t64 - 3.8.12-2ubuntu1.1
libgnutls30t64 - 3.8.12-2ubuntu1.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30
2026-04-30
Doria Tang
https://gitlab.com/gnutls/gnutls/-/issues/1815
[https://ubuntu.com/security/notices/USN-8284-1]
CVE-2026-5419
CVE-2026-5435 on Ubuntu 26.04 LTS (resolute) - medium
The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28 13:19:00 UTC
CVE-2026-5435
CVE-2026-5437 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 15:16:00 UTC
CVE-2026-5437
CVE-2026-5438 on Ubuntu 26.04 LTS (resolute) - medium
A gzip decompression bomb vulnerability exists when Orthanc processes an HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 15:16:00 UTC
CVE-2026-5438
CVE-2026-5439 on Ubuntu 26.04 LTS (resolute) - medium
A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 15:16:00 UTC
CVE-2026-5439
CVE-2026-5440 on Ubuntu 26.04 LTS (resolute) - medium
A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker-supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 15:16:00 UTC
CVE-2026-5440
CVE-2026-5441 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of `DicomImageDecoder.cpp`. The `PMSCT_RLE1` decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafted sequence at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 15:16:00 UTC
CVE-2026-5441
CVE-2026-5442 on Ubuntu 26.04 LTS (resolute) - medium
A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 15:16:00 UTC
CVE-2026-5442
CVE-2026-5443 on Ubuntu 26.04 LTS (resolute) - medium
A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memory beyond allocated buffers.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 15:16:00 UTC
CVE-2026-5443
CVE-2026-5444 on Ubuntu 26.04 LTS (resolute) - medium
A heap buffer overflow vulnerability exists in the PAM image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned arithmetic. Specially chosen values can cause an integer overflow during buffer size calculation, resulting in the allocation of a small buffer followed by a much larger write operation during pixel processing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 15:16:00 UTC
CVE-2026-5444
CVE-2026-5445 on Ubuntu 26.04 LTS (resolute) - medium
An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 15:16:00 UTC
CVE-2026-5445
CVE-2026-5446 on Ubuntu 26.04 LTS (resolute) - medium
In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte GCM nonce for every application-data record, because wc_AriaEncrypt is stateless and passes the caller-supplied IV verbatim to the MagicCrypto SDK with no internal counter, and because the explicit IV is zero-initialized at session setup and never incremented in non-FIPS builds. This vulnerability affects wolfSSL builds configured with --enable-aria and the proprietary MagicCrypto SDK (a non-default, opt-in configuration required for Korean regulatory deployments). AES-GCM is not affected because wc_AesGcmEncrypt_ex maintains an internal invocation counter independently of the call-site guard.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 21:16:00 UTC
CVE-2026-5446
CVE-2026-5447 on Ubuntu 26.04 LTS (resolute) - medium
Heap buffer overflow in CertFromX509 via AuthorityKeyIdentifier size confusion. A heap buffer overflow occurs when converting an X.509 certificate internally due to incorrect size handling of the AuthorityKeyIdentifier extension.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 21:16:00 UTC
CVE-2026-5447
CVE-2026-5448 on Ubuntu 26.04 LTS (resolute) - medium
X.509 date buffer overflow in wolfSSL_X509_notAfter / wolfSSL_X509_notBefore. A buffer overflow may occur when parsing date fields from a crafted X.509 certificate via the compatibility layer API. This is only triggered when calling these two APIs directly from an application, and does not affect TLS or certificate verify operations in wolfSSL.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 00:16:00 UTC
CVE-2026-5448
CVE-2026-5450 on Ubuntu 26.04 LTS (resolute) - medium
Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-20 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134543
CVE-2026-5450
CVE-2026-5460 on Ubuntu 26.04 LTS (resolute) - medium
A heap use-after-free exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC) hybrid KeyShare processing. In the error handling path of TLSX_KeyShare_ProcessPqcHybridClient() in src/tls.c, the inner function TLSX_KeyShare_ProcessPqcClient_ex() frees a KyberKey object upon encountering an error. The caller then invokes TLSX_KeyShare_FreeAll(), which attempts to call ForceZero() on the already-freed KyberKey, resulting in writes of zero bytes over freed heap memory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 00:16:00 UTC
CVE-2026-5460
CVE-2026-5466 on Ubuntu 26.04 LTS (resolute) - medium
wolfSSL's ECCSI signature verifier `wc_VerifyEccsiHash` decodes the `r` and `s` scalars from the signature blob via `mp_read_unsigned_bin` with no check that they lie in `[1, q-1]`. A crafted forged signature could verify against any message for any identity, using only publicly-known constants.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 04:17:00 UTC
CVE-2026-5466
CVE-2026-5477 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow existed in the wolfCrypt CMAC implementation that could be exploited to forge CMAC tags. The function wc_CmacUpdate used the guard `if (cmac->totalSz != 0)` to skip XOR-chaining on the first block (where digest is all-zeros and the XOR is a no-op). However, totalSz is word32 and wraps to zero after 2^28 block flushes (4 GiB), causing the guard to erroneously discard the live CBC-MAC chain state. Any two messages sharing a common suffix beyond the 4 GiB mark then produce identical CMAC tags, enabling a zero-work prefix-substitution forgery. The fix removes the guard, making the XOR unconditional; the no-op property on the first block is preserved because digest is zero-initialized by wc_InitCmac_ex.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 06:16:00 UTC
CVE-2026-5477
CVE-2026-5479 on Ubuntu 26.04 LTS (resolute) - medium
In wolfSSL's EVP layer, the ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EVP_CipherFinal (and related EVP cipher finalization functions) fails to verify the authentication tag before returning plaintext to the caller. When an application uses the EVP API to perform ChaCha20-Poly1305 decryption, the implementation computes or accepts the tag but does not compare it against the expected value.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 04:17:00 UTC
CVE-2026-5479
CVE-2026-5500 on Ubuntu 26.04 LTS (resolute) - medium
wolfSSL's wc_PKCS7_DecodeAuthEnvelopedData() does not properly sanitize the AES-GCM authentication tag length received and has no lower bounds check. A man-in-the-middle can therefore truncate the mac field from 16 bytes to 1 byte, reducing the tag check from 2⁻¹²⁸ to 2⁻⁸.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 04:17:00 UTC
CVE-2026-5500
CVE-2026-5501 on Ubuntu 26.04 LTS (resolute) - medium
wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not checked, if the attacker supplies an untrusted intermediate with Basic Constraints `CA:FALSE` that is legitimately signed by a trusted root. An attacker who obtains any leaf certificate from a trusted CA (e.g. a free DV cert from Let's Encrypt) can forge a certificate for any subject name with any public key and arbitrary signature bytes, and the function returns `WOLFSSL_SUCCESS` / `X509_V_OK`. The native wolfSSL TLS handshake path (`ProcessPeerCerts`) is not susceptible and the issue is limited to applications using the OpenSSL compatibility API directly, which would include integrations of wolfSSL into nginx and haproxy.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 04:17:00 UTC
CVE-2026-5501
CVE-2026-5503 on Ubuntu 26.04 LTS (resolute) - medium
In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally even when TLSX_Find returned NULL. This caused TLSX_UseSNI to attach the attacker-controlled publicName to the shared WOLFSSL_CTX when no inner SNI was configured. TLSX_EchRestoreSNI then failed to clean it up because its removal was gated on serverNameX != NULL. The inner ClientHello was sized before the pollution but written after it, causing TLSX_SNI_Write to memcpy 255 bytes past the allocation boundary.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 23:17:00 UTC
CVE-2026-5503
CVE-2026-5504 on Ubuntu 26.04 LTS (resolute) - medium
A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an attacker to recover plaintext through repeated decryption queries with modified ciphertext. In previous versions of wolfSSL the interior padding bytes are not validated.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 23:17:00 UTC
CVE-2026-5504
CVE-2026-5507 on Ubuntu 26.04 LTS (resolute) - medium
When restoring a session from cache, a pointer from the serialized session data is used in a free operation without validation. An attacker who can poison the session cache could trigger an arbitrary free. Exploitation requires the ability to inject a crafted session into the cache and for the application to call specific session restore APIs.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 23:17:00 UTC
CVE-2026-5507
CVE-2026-5545 on Ubuntu 26.04 LTS (resolute) - medium
libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. An application that first uses Negotiate authentication to a server with `user1:password1` and then does another operation to the same server asking for any authentication method but for `user2:password2` (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1...
Update Instructions:
Run `sudo pro fix CVE-2026-5545` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
curl - 8.18.0-1ubuntu2.1
libcurl3t64-gnutls - 8.18.0-1ubuntu2.1
libcurl4t64 - 8.18.0-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-29 14:00:00 UTC
2026-04-29 14:00:00 UTC
Quac Tran and Ngoc Hieu
[https://ubuntu.com/security/notices/USN-8227-1]
CVE-2026-5545
CVE-2026-5588 on Ubuntu 26.04 LTS (resolute) - medium
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modules). This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java, JcaContentVerfierProviderBuilder.Java. This issue affects BC-JAVA: from 1.67 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11; BCPIX-LTS: from 2.73.7 before 2.73.11.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-15 10:16:00 UTC
CVE-2026-5588
CVE-2026-5598 on Ubuntu 26.04 LTS (resolute) - medium
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.84.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-15 10:16:00 UTC
CVE-2026-5598
CVE-2026-5653 on Ubuntu 26.04 LTS (resolute) - medium
DCP-ETSI protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-5653
CVE-2026-5654 on Ubuntu 26.04 LTS (resolute) - medium
AMR-NB codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-5654
CVE-2026-5655 on Ubuntu 26.04 LTS (resolute) - medium
SDP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-5655
CVE-2026-5656 on Ubuntu 26.04 LTS (resolute) - medium
Profile import path traversal in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 00:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135323
CVE-2026-5656
CVE-2026-5657 on Ubuntu 26.04 LTS (resolute) - medium
iLBC codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-5657
CVE-2026-5663 on Ubuntu 26.04 LTS (resolute) - medium
A security flaw has been discovered in OFFIS DCMTK up to 3.7.0. This impacts the function executeOnReception/executeOnEndOfStudy of the file dcmnet/apps/storescp.cc of the component storescp. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The patch is named edbb085e45788dccaf0e64d71534cfca925784b8. Applying a patch is the recommended action to fix this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-06 15:17:00 UTC
CVE-2026-5663
CVE-2026-5673 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libtheora. This heap-based out-of-bounds read vulnerability exists within the AVI (Audio Video Interleave) parser, specifically in the avi_parse_input_file() function. A local attacker could exploit this by tricking a user into opening a specially crafted AVI file containing a truncated header sub-chunk. This could lead to a denial-of-service (application crash) or potentially leak sensitive information from the heap.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-06 10:16:00 UTC
https://github.com/xiph/theora/issues/24
https://bugzilla.redhat.com/show_bug.cgi?id=2455340
CVE-2026-5673
CVE-2026-5704 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-06 16:16:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2455360
CVE-2026-5704
CVE-2026-5713 on Ubuntu 26.04 LTS (resolute) - medium
The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-14 16:16:00 UTC
CVE-2026-5713
CVE-2026-5720 on Ubuntu 26.04 LTS (resolute) - medium
miniupnpd contains an integer underflow vulnerability in SOAPAction header parsing that allows remote attackers to cause a denial of service or information disclosure by sending a malformed SOAPAction header with a single quote. Attackers can trigger an out-of-bounds memory read by exploiting improper length validation in ParseHttpHeaders(), where the parsed length underflows to a large unsigned value when passed to memchr(), causing the process to scan memory far beyond the allocated HTTP request buffer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134334
CVE-2026-5720
CVE-2026-5744 on Ubuntu 26.04 LTS (resolute) - medium
[hw/uefi: heap overflow]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23
CVE-2026-5744
CVE-2026-5745 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libarchive. A NULL pointer dereference vulnerability exists in the ACL parsing logic, specifically within the archive_acl_from_text_nl() function. When processing a malformed ACL string (such as a bare "d" or "default" tag without subsequent fields), the function fails to perform adequate validation before advancing the pointer. An attacker can exploit this by providing a maliciously crafted archive, causing an application utilizing the libarchive API (such as bsdtar) to crash, resulting in a Denial of Service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-07 16:16:00 UTC
mrmajumder
https://bugzilla.redhat.com/show_bug.cgi?id=2455921
https://github.com/libarchive/libarchive/issues/2904
CVE-2026-5745
CVE-2026-5761 on Ubuntu 26.04 LTS (resolute) - medium
[virtio-blk: zone report buffer out-of-memory]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23
CVE-2026-5761
CVE-2026-5763 on Ubuntu 26.04 LTS (resolute) - medium
[virtio-scsi request size mismatch]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23
CVE-2026-5763
CVE-2026-5766 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue.
Update Instructions:
Run `sudo pro fix CVE-2026-5766` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:5.2.9-0ubuntu4.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-05-05 14:00:00 UTC
2026-05-05 14:00:00 UTC
Kyle Agronick and Jacob Walls
[https://ubuntu.com/security/notices/USN-8232-1]
CVE-2026-5766
CVE-2026-5772 on Ubuntu 26.04 LTS (resolute) - medium
A 1-byte stack buffer over-read was identified in the MatchDomainName function (src/internal.c) during wildcard hostname validation when the LEFT_MOST_WILDCARD_ONLY flag is active. If a wildcard * exhausts the entire hostname string, the function reads one byte past the buffer without a bounds check, which could cause a crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 22:16:00 UTC
CVE-2026-5772
CVE-2026-5773 on Ubuntu 26.04 LTS (resolute) - low
libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should. This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same.
Update Instructions:
Run `sudo pro fix CVE-2026-5773` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
curl - 8.18.0-1ubuntu2.1
libcurl3t64-gnutls - 8.18.0-1ubuntu2.1
libcurl4t64 - 8.18.0-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-04-29 14:00:00 UTC
2026-04-29 14:00:00 UTC
Osama Hamad
[https://ubuntu.com/security/notices/USN-8227-1]
CVE-2026-5773
CVE-2026-5778 on Ubuntu 26.04 LTS (resolute) - medium
Integer underflow in wolfSSL packet sniffer <= 5.9.0 allows an attacker to cause a program crash in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing a large out-of-bounds read and crash. An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-09 22:16:00 UTC
CVE-2026-5778
CVE-2026-5789 on Ubuntu 26.04 LTS (resolute) - medium
Vulnerability related to an unquoted search path in CivetWeb v1.16. This vulnerability allows a local attacker to execute arbitrary code with elevated privileges by placing a malicious executable in a directory that is scanned before the intended application path (C:\Program Files\CivetWeb\CivetWeb.exe --), due to the absence of quotes in the service configuration.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-21 15:16:00 UTC
CVE-2026-5789
CVE-2026-5795 on Ubuntu 26.04 LTS (resolute) - medium
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-08 14:16:00 UTC
CVE-2026-5795
CVE-2026-5928 on Ubuntu 26.04 LTS (resolute) - medium
Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-20 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134544
CVE-2026-5928
CVE-2026-5946 on Ubuntu 26.04 LTS (resolute) - medium
Invalid handling of CLASS != IN
Update Instructions:
Run `sudo pro fix CVE-2026-5946` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.20.18-1ubuntu2.1
bind9-dnsutils - 1:9.20.18-1ubuntu2.1
bind9-host - 1:9.20.18-1ubuntu2.1
bind9-libs - 1:9.20.18-1ubuntu2.1
bind9-utils - 1:9.20.18-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
2026-05-20
mdeslaur(main)
Mcsky23
[https://ubuntu.com/security/notices/USN-8293-1]
CVE-2026-5946
CVE-2026-5947 on Ubuntu 26.04 LTS (resolute) - medium
SIG(0) validation during query flood may lead to undefined behavior
Update Instructions:
Run `sudo pro fix CVE-2026-5947` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.20.18-1ubuntu2.1
bind9-dnsutils - 1:9.20.18-1ubuntu2.1
bind9-host - 1:9.20.18-1ubuntu2.1
bind9-libs - 1:9.20.18-1ubuntu2.1
bind9-utils - 1:9.20.18-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
2026-05-20
mdeslaur(main)
Naoki Wakamatsu
[https://ubuntu.com/security/notices/USN-8293-1]
CVE-2026-5947
CVE-2026-5950 on Ubuntu 26.04 LTS (resolute) - medium
Unbounded resend loop in BIND 9 resolver
Update Instructions:
Run `sudo pro fix CVE-2026-5950` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
bind9 - 1:9.20.18-1ubuntu2.1
bind9-dnsutils - 1:9.20.18-1ubuntu2.1
bind9-host - 1:9.20.18-1ubuntu2.1
bind9-libs - 1:9.20.18-1ubuntu2.1
bind9-utils - 1:9.20.18-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
2026-05-20
mdeslaur(main)
Billy Baraja
[https://ubuntu.com/security/notices/USN-8293-1]
CVE-2026-5950
CVE-2026-5958 on Ubuntu 26.04 LTS (resolute) - medium
When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10.
Update Instructions:
Run `sudo pro fix CVE-2026-5958` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
sed - 4.9-2ubuntu1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-19
2026-04-19
Michał Majchrowicz and Marcin Wyczechowski
[https://ubuntu.com/security/notices/USN-8229-1]
CVE-2026-5958
CVE-2026-6019 on Ubuntu 26.04 LTS (resolute) - medium
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 20:16:00 UTC
CVE-2026-6019
CVE-2026-6042 on Ubuntu 26.04 LTS (resolute) - medium
A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix this issue, it is recommended to deploy a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 09:16:00 UTC
CVE-2026-6042
CVE-2026-6060 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability in the SQL Box in the admin interface of OTRS leads to an uncontrolled resource consumption leading to a DoS against the webserver. will be killed by the system This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.3.X
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-20 19:16:00 UTC
CVE-2026-6060
CVE-2026-6067 on Ubuntu 26.04 LTS (resolute) - medium
A heap buffer overflow vulnerability exists in the Netwide Assembler (NASM) due to a lack of bounds checking in the obj_directive() function. This vulnerability can be exploited by a user assembling a malicious .asm file, potentially leading to heap memory corruption, denial of service (crash), and arbitrary code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 14:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133375
CVE-2026-6067
CVE-2026-6068 on Ubuntu 26.04 LTS (resolute) - medium
NASM contains a heap use after free vulnerability in response file (-@) processing where a dangling pointer to freed memory is stored in the global depend_file and later dereferenced, as the response-file buffer is freed before the pointer is used, allowing for data corruption or unexpected behavior.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 14:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133376
CVE-2026-6068
CVE-2026-6069 on Ubuntu 26.04 LTS (resolute) - medium
NASM’s disasm() function contains a stack based buffer overflow when formatting disassembly output, allowing an attacker triggered out-of-bounds write when `slen` exceeds the buffer capacity.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-10 14:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133377
CVE-2026-6069
CVE-2026-6100 on Ubuntu 26.04 LTS (resolute) - medium
Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 18:16:00 UTC
CVE-2026-6100
CVE-2026-6192 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was identified in uclouvain openjpeg up to 2.5.4. This impacts the function opj_pi_initialise_encode in the library src/lib/openjp2/pi.c. The manipulation leads to integer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is 839936aa33eb8899bbbd80fda02796bb65068951. It is suggested to install a patch to address this issue.
Update Instructions:
Run `sudo pro fix CVE-2026-6192` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libopenjp2-7 - 2.5.4-1ubuntu0.1
libopenjp2-tools - 2.5.4-1ubuntu0.1
libopenjpip-dec-server - 2.5.4-1ubuntu0.1
libopenjpip-viewer - 2.5.4-1ubuntu0.1
libopenjpip7 - 2.5.4-1ubuntu0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-13 17:16:00 UTC
2026-04-13 17:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133832
https://github.com/uclouvain/openjpeg/issues/1619
[https://ubuntu.com/security/notices/USN-8252-1]
CVE-2026-6192
CVE-2026-6210 on Ubuntu 26.04 LTS (resolute) - medium
A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image. When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a <line> element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker, followed by an endless recursion that bypasses the marker recursion guard through incorrect virtual dispatch. The result is an application crash (denial of service). This issue affects Qt SVG: from 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 12:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136089
CVE-2026-6210
CVE-2026-6238 on Ubuntu 26.04 LTS (resolute) - medium
The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory. These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28 19:37:00 UTC
CVE-2026-6238
CVE-2026-6245 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_child_read_data() function within the PAM passkey responder fails to properly handle raw bytes received from a pipe. Because the data is treated as a NUL-terminated C string without explicit termination, it results in an out-of-bounds read when processed by functions like snprintf(). A local attacker could potentially trigger this vulnerability by initiating a crafted passkey authentication request, causing the SSSD PAM responder to crash, resulting in a local Denial of Service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-15 19:16:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2457954
CVE-2026-6245
CVE-2026-6253 on Ubuntu 26.04 LTS (resolute) - medium
curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy
Update Instructions:
Run `sudo pro fix CVE-2026-6253` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
curl - 8.18.0-1ubuntu2.1
libcurl3t64-gnutls - 8.18.0-1ubuntu2.1
libcurl4t64 - 8.18.0-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-29 14:00:00 UTC
2026-04-29 14:00:00 UTC
Dwij Mehta
[https://ubuntu.com/security/notices/USN-8227-1]
CVE-2026-6253
CVE-2026-6276 on Ubuntu 26.04 LTS (resolute) - low
Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.
Update Instructions:
Run `sudo pro fix CVE-2026-6276` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
curl - 8.18.0-1ubuntu2.1
libcurl3t64-gnutls - 8.18.0-1ubuntu2.1
libcurl4t64 - 8.18.0-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-04-29 14:00:00 UTC
2026-04-29 14:00:00 UTC
Muhamad Arga Reksapati
[https://ubuntu.com/security/notices/USN-8227-1]
CVE-2026-6276
CVE-2026-6298 on Ubuntu 26.04 LTS (resolute) - medium
Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Critical)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-15 20:16:00 UTC
CVE-2026-6298
CVE-2026-6321 on Ubuntu 26.04 LTS (resolute) - medium
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 20:16:00 UTC
CVE-2026-6321
CVE-2026-6322 on Ubuntu 26.04 LTS (resolute) - medium
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-05 11:16:00 UTC
CVE-2026-6322
CVE-2026-6357 on Ubuntu 26.04 LTS (resolute) - medium
pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-27 15:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135110
CVE-2026-6357
CVE-2026-6364 on Ubuntu 26.04 LTS (resolute) - medium
Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security severity: Medium)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-15 20:16:00 UTC
CVE-2026-6364
CVE-2026-6385 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-15 20:16:00 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=2458764
CVE-2026-6385
CVE-2026-6409 on Ubuntu 26.04 LTS (resolute) - medium
A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-16 15:17:00 UTC
https://github.com/protocolbuffers/protobuf/issues/24159
https://github.com/protocolbuffers/protobuf/issues/25067
CVE-2026-6409
CVE-2026-6429 on Ubuntu 26.04 LTS (resolute) - medium
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.
Update Instructions:
Run `sudo pro fix CVE-2026-6429` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
curl - 8.18.0-1ubuntu2.1
libcurl3t64-gnutls - 8.18.0-1ubuntu2.1
libcurl4t64 - 8.18.0-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-29 14:00:00 UTC
2026-04-29 14:00:00 UTC
Muhamad Arga Reksapati
[https://ubuntu.com/security/notices/USN-8227-1]
CVE-2026-6429
CVE-2026-6472 on Ubuntu 26.04 LTS (resolute) - medium
Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Update Instructions:
Run `sudo pro fix CVE-2026-6472` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libecpg-compat3 - 18.4-0ubuntu0.26.04.1
libecpg6 - 18.4-0ubuntu0.26.04.1
libpgtypes3 - 18.4-0ubuntu0.26.04.1
libpq-oauth - 18.4-0ubuntu0.26.04.1
libpq5 - 18.4-0ubuntu0.26.04.1
postgresql-18 - 18.4-0ubuntu0.26.04.1
postgresql-18-jit - 18.4-0ubuntu0.26.04.1
postgresql-client-18 - 18.4-0ubuntu0.26.04.1
postgresql-plperl-18 - 18.4-0ubuntu0.26.04.1
postgresql-plpython3-18 - 18.4-0ubuntu0.26.04.1
postgresql-pltcl-18 - 18.4-0ubuntu0.26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 14:16:00 UTC
2026-05-14 14:16:00 UTC
[https://ubuntu.com/security/notices/USN-8294-1]
CVE-2026-6472
CVE-2026-6473 on Ubuntu 26.04 LTS (resolute) - medium
Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Update Instructions:
Run `sudo pro fix CVE-2026-6473` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libecpg-compat3 - 18.4-0ubuntu0.26.04.1
libecpg6 - 18.4-0ubuntu0.26.04.1
libpgtypes3 - 18.4-0ubuntu0.26.04.1
libpq-oauth - 18.4-0ubuntu0.26.04.1
libpq5 - 18.4-0ubuntu0.26.04.1
postgresql-18 - 18.4-0ubuntu0.26.04.1
postgresql-18-jit - 18.4-0ubuntu0.26.04.1
postgresql-client-18 - 18.4-0ubuntu0.26.04.1
postgresql-plperl-18 - 18.4-0ubuntu0.26.04.1
postgresql-plpython3-18 - 18.4-0ubuntu0.26.04.1
postgresql-pltcl-18 - 18.4-0ubuntu0.26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 14:16:00 UTC
2026-05-14 14:16:00 UTC
[https://ubuntu.com/security/notices/USN-8294-1]
CVE-2026-6473
CVE-2026-6474 on Ubuntu 26.04 LTS (resolute) - medium
Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Update Instructions:
Run `sudo pro fix CVE-2026-6474` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libecpg-compat3 - 18.4-0ubuntu0.26.04.1
libecpg6 - 18.4-0ubuntu0.26.04.1
libpgtypes3 - 18.4-0ubuntu0.26.04.1
libpq-oauth - 18.4-0ubuntu0.26.04.1
libpq5 - 18.4-0ubuntu0.26.04.1
postgresql-18 - 18.4-0ubuntu0.26.04.1
postgresql-18-jit - 18.4-0ubuntu0.26.04.1
postgresql-client-18 - 18.4-0ubuntu0.26.04.1
postgresql-plperl-18 - 18.4-0ubuntu0.26.04.1
postgresql-plpython3-18 - 18.4-0ubuntu0.26.04.1
postgresql-pltcl-18 - 18.4-0ubuntu0.26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 14:16:00 UTC
2026-05-14 14:16:00 UTC
[https://ubuntu.com/security/notices/USN-8294-1]
CVE-2026-6474
CVE-2026-6475 on Ubuntu 26.04 LTS (resolute) - medium
Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Update Instructions:
Run `sudo pro fix CVE-2026-6475` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libecpg-compat3 - 18.4-0ubuntu0.26.04.1
libecpg6 - 18.4-0ubuntu0.26.04.1
libpgtypes3 - 18.4-0ubuntu0.26.04.1
libpq-oauth - 18.4-0ubuntu0.26.04.1
libpq5 - 18.4-0ubuntu0.26.04.1
postgresql-18 - 18.4-0ubuntu0.26.04.1
postgresql-18-jit - 18.4-0ubuntu0.26.04.1
postgresql-client-18 - 18.4-0ubuntu0.26.04.1
postgresql-plperl-18 - 18.4-0ubuntu0.26.04.1
postgresql-plpython3-18 - 18.4-0ubuntu0.26.04.1
postgresql-pltcl-18 - 18.4-0ubuntu0.26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 14:16:00 UTC
2026-05-14 14:16:00 UTC
[https://ubuntu.com/security/notices/USN-8294-1]
CVE-2026-6475
CVE-2026-6476 on Ubuntu 26.04 LTS (resolute) - medium
SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.
Update Instructions:
Run `sudo pro fix CVE-2026-6476` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libecpg-compat3 - 18.4-0ubuntu0.26.04.1
libecpg6 - 18.4-0ubuntu0.26.04.1
libpgtypes3 - 18.4-0ubuntu0.26.04.1
libpq-oauth - 18.4-0ubuntu0.26.04.1
libpq5 - 18.4-0ubuntu0.26.04.1
postgresql-18 - 18.4-0ubuntu0.26.04.1
postgresql-18-jit - 18.4-0ubuntu0.26.04.1
postgresql-client-18 - 18.4-0ubuntu0.26.04.1
postgresql-plperl-18 - 18.4-0ubuntu0.26.04.1
postgresql-plpython3-18 - 18.4-0ubuntu0.26.04.1
postgresql-pltcl-18 - 18.4-0ubuntu0.26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 14:16:00 UTC
2026-05-14 14:16:00 UTC
[https://ubuntu.com/security/notices/USN-8294-1]
CVE-2026-6476
CVE-2026-6477 on Ubuntu 26.04 LTS (resolute) - medium
Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Update Instructions:
Run `sudo pro fix CVE-2026-6477` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libecpg-compat3 - 18.4-0ubuntu0.26.04.1
libecpg6 - 18.4-0ubuntu0.26.04.1
libpgtypes3 - 18.4-0ubuntu0.26.04.1
libpq-oauth - 18.4-0ubuntu0.26.04.1
libpq5 - 18.4-0ubuntu0.26.04.1
postgresql-18 - 18.4-0ubuntu0.26.04.1
postgresql-18-jit - 18.4-0ubuntu0.26.04.1
postgresql-client-18 - 18.4-0ubuntu0.26.04.1
postgresql-plperl-18 - 18.4-0ubuntu0.26.04.1
postgresql-plpython3-18 - 18.4-0ubuntu0.26.04.1
postgresql-pltcl-18 - 18.4-0ubuntu0.26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 14:16:00 UTC
2026-05-14 14:16:00 UTC
[https://ubuntu.com/security/notices/USN-8294-1]
CVE-2026-6477
CVE-2026-6478 on Ubuntu 26.04 LTS (resolute) - medium
Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Update Instructions:
Run `sudo pro fix CVE-2026-6478` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libecpg-compat3 - 18.4-0ubuntu0.26.04.1
libecpg6 - 18.4-0ubuntu0.26.04.1
libpgtypes3 - 18.4-0ubuntu0.26.04.1
libpq-oauth - 18.4-0ubuntu0.26.04.1
libpq5 - 18.4-0ubuntu0.26.04.1
postgresql-18 - 18.4-0ubuntu0.26.04.1
postgresql-18-jit - 18.4-0ubuntu0.26.04.1
postgresql-client-18 - 18.4-0ubuntu0.26.04.1
postgresql-plperl-18 - 18.4-0ubuntu0.26.04.1
postgresql-plpython3-18 - 18.4-0ubuntu0.26.04.1
postgresql-pltcl-18 - 18.4-0ubuntu0.26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 14:16:00 UTC
2026-05-14 14:16:00 UTC
[https://ubuntu.com/security/notices/USN-8294-1]
CVE-2026-6478
CVE-2026-6479 on Ubuntu 26.04 LTS (resolute) - medium
Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Update Instructions:
Run `sudo pro fix CVE-2026-6479` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libecpg-compat3 - 18.4-0ubuntu0.26.04.1
libecpg6 - 18.4-0ubuntu0.26.04.1
libpgtypes3 - 18.4-0ubuntu0.26.04.1
libpq-oauth - 18.4-0ubuntu0.26.04.1
libpq5 - 18.4-0ubuntu0.26.04.1
postgresql-18 - 18.4-0ubuntu0.26.04.1
postgresql-18-jit - 18.4-0ubuntu0.26.04.1
postgresql-client-18 - 18.4-0ubuntu0.26.04.1
postgresql-plperl-18 - 18.4-0ubuntu0.26.04.1
postgresql-plpython3-18 - 18.4-0ubuntu0.26.04.1
postgresql-pltcl-18 - 18.4-0ubuntu0.26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 14:16:00 UTC
2026-05-14 14:16:00 UTC
[https://ubuntu.com/security/notices/USN-8294-1]
CVE-2026-6479
CVE-2026-6491 on Ubuntu 26.04 LTS (resolute) - medium
A security vulnerability has been detected in libvips up to 8.18.2. The affected element is the function im_minpos_vec of the file libvips/deprecated/vips7compat.c of the component nip2 Handler. Such manipulation of the argument n leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. The vendor confirms that they will "be removing the deprecated area in libvips 8.19".
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 14:16:00 UTC
CVE-2026-6491
CVE-2026-6502 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06
CVE-2026-6502
CVE-2026-6507 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in dnsmasq. A remote attacker could exploit an out-of-bounds write vulnerability by sending a specially crafted BOOTREPLY (Bootstrap Protocol Reply) packet to a dnsmasq server configured with the `--dhcp-split-relay` option. This can lead to memory corruption, causing the dnsmasq daemon to crash and resulting in a denial of service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-17 13:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134264
CVE-2026-6507
CVE-2026-6519 on Ubuntu 26.04 LTS (resolute) - medium
MBIM protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6519
CVE-2026-6520 on Ubuntu 26.04 LTS (resolute) - medium
OpenFlow v6 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6520
CVE-2026-6521 on Ubuntu 26.04 LTS (resolute) - medium
OpenFlow v5 protocol dissector infinite loops in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6521
CVE-2026-6522 on Ubuntu 26.04 LTS (resolute) - medium
RPKI-Router protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6522
CVE-2026-6523 on Ubuntu 26.04 LTS (resolute) - medium
GNW protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6523
CVE-2026-6524 on Ubuntu 26.04 LTS (resolute) - medium
MySQL protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6524
CVE-2026-6525 on Ubuntu 26.04 LTS (resolute) - medium
IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.4
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-02 12:16:00 UTC
CVE-2026-6525
CVE-2026-6526 on Ubuntu 26.04 LTS (resolute) - medium
RTSP protocol dissector crash in Wireshark 4.6.0 to 4.6.4
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6526
CVE-2026-6527 on Ubuntu 26.04 LTS (resolute) - medium
ASN.1 PER protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6527
CVE-2026-6528 on Ubuntu 26.04 LTS (resolute) - medium
TLS protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6528
CVE-2026-6529 on Ubuntu 26.04 LTS (resolute) - medium
iLBC audio codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6529
CVE-2026-6530 on Ubuntu 26.04 LTS (resolute) - medium
DCP-ETSI protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6530
CVE-2026-6531 on Ubuntu 26.04 LTS (resolute) - medium
SANE protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6531
CVE-2026-6532 on Ubuntu 26.04 LTS (resolute) - medium
Kismet protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6532
CVE-2026-6533 on Ubuntu 26.04 LTS (resolute) - medium
Dissection engine LZ77 decompression crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6533
CVE-2026-6534 on Ubuntu 26.04 LTS (resolute) - medium
USB HID protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6534
CVE-2026-6535 on Ubuntu 26.04 LTS (resolute) - medium
Dissection engine zlib decompression crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6535
CVE-2026-6536 on Ubuntu 26.04 LTS (resolute) - medium
DLMS/COSEM protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6536
CVE-2026-6537 on Ubuntu 26.04 LTS (resolute) - medium
ZigBee protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6537
CVE-2026-6538 on Ubuntu 26.04 LTS (resolute) - medium
BEEP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6538
CVE-2026-6575 on Ubuntu 26.04 LTS (resolute) - medium
Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.
Update Instructions:
Run `sudo pro fix CVE-2026-6575` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libecpg-compat3 - 18.4-0ubuntu0.26.04.1
libecpg6 - 18.4-0ubuntu0.26.04.1
libpgtypes3 - 18.4-0ubuntu0.26.04.1
libpq-oauth - 18.4-0ubuntu0.26.04.1
libpq5 - 18.4-0ubuntu0.26.04.1
postgresql-18 - 18.4-0ubuntu0.26.04.1
postgresql-18-jit - 18.4-0ubuntu0.26.04.1
postgresql-client-18 - 18.4-0ubuntu0.26.04.1
postgresql-plperl-18 - 18.4-0ubuntu0.26.04.1
postgresql-plpython3-18 - 18.4-0ubuntu0.26.04.1
postgresql-pltcl-18 - 18.4-0ubuntu0.26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 14:16:00 UTC
2026-05-14 14:16:00 UTC
[https://ubuntu.com/security/notices/USN-8294-1]
CVE-2026-6575
CVE-2026-6637 on Ubuntu 26.04 LTS (resolute) - medium
Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
Update Instructions:
Run `sudo pro fix CVE-2026-6637` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libecpg-compat3 - 18.4-0ubuntu0.26.04.1
libecpg6 - 18.4-0ubuntu0.26.04.1
libpgtypes3 - 18.4-0ubuntu0.26.04.1
libpq-oauth - 18.4-0ubuntu0.26.04.1
libpq5 - 18.4-0ubuntu0.26.04.1
postgresql-18 - 18.4-0ubuntu0.26.04.1
postgresql-18-jit - 18.4-0ubuntu0.26.04.1
postgresql-client-18 - 18.4-0ubuntu0.26.04.1
postgresql-plperl-18 - 18.4-0ubuntu0.26.04.1
postgresql-plpython3-18 - 18.4-0ubuntu0.26.04.1
postgresql-pltcl-18 - 18.4-0ubuntu0.26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 14:16:00 UTC
2026-05-14 14:16:00 UTC
[https://ubuntu.com/security/notices/USN-8294-1]
CVE-2026-6637
CVE-2026-6638 on Ubuntu 26.04 LTS (resolute) - medium
SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.
Update Instructions:
Run `sudo pro fix CVE-2026-6638` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
libecpg-compat3 - 18.4-0ubuntu0.26.04.1
libecpg6 - 18.4-0ubuntu0.26.04.1
libpgtypes3 - 18.4-0ubuntu0.26.04.1
libpq-oauth - 18.4-0ubuntu0.26.04.1
libpq5 - 18.4-0ubuntu0.26.04.1
postgresql-18 - 18.4-0ubuntu0.26.04.1
postgresql-18-jit - 18.4-0ubuntu0.26.04.1
postgresql-client-18 - 18.4-0ubuntu0.26.04.1
postgresql-plperl-18 - 18.4-0ubuntu0.26.04.1
postgresql-plpython3-18 - 18.4-0ubuntu0.26.04.1
postgresql-pltcl-18 - 18.4-0ubuntu0.26.04.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 14:16:00 UTC
2026-05-14 14:16:00 UTC
[https://ubuntu.com/security/notices/USN-8294-1]
CVE-2026-6638
CVE-2026-6659 on Ubuntu 26.04 LTS (resolute) - medium
Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts. The built-in rand function is predictable, and unsuitable for cryptography.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-08 18:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136091
CVE-2026-6659
CVE-2026-6664 on Ubuntu 26.04 LTS (resolute) - medium
An integer overflow in network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed SCRAM authentication packet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-09 01:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136075
CVE-2026-6664
CVE-2026-6665 on Ubuntu 26.04 LTS (resolute) - medium
The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-09 01:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136075
CVE-2026-6665
CVE-2026-6666 on Ubuntu 26.04 LTS (resolute) - medium
A possible null pointer reference in PgBouncer before 1.25.2 could lead to a crash, if a server sends an error response without SQLSTATE field.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-09 01:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136075
CVE-2026-6666
CVE-2026-6667 on Ubuntu 26.04 LTS (resolute) - medium
PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-09 01:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136075
CVE-2026-6667
CVE-2026-6732 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 23:16:00 UTC
CVE-2026-6732
CVE-2026-6811 on Ubuntu 26.04 LTS (resolute) - medium
Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the source of these BSON documents is not MongoDB Server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136802
CVE-2026-6811
CVE-2026-6841 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-6841
CVE-2026-6842 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in nano. In environments with permissive umask settings, a local attacker can exploit incorrect directory permissions (0777 instead of 0700) for the `~/.local` directory. This allows the attacker to inject a malicious `.desktop` launcher, which could lead to unintended actions or information disclosure if the launcher is subsequently processed.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 08:16:00 UTC
CVE-2026-6842
CVE-2026-6843 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in nano. A local user could exploit a format string vulnerability in the `statusline()` function. By creating a directory with a name containing `printf` specifiers, the application attempts to display this name, leading to a segmentation fault (SEGV). This results in a Denial of Service (DoS) for the `nano` application.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 09:16:00 UTC
CVE-2026-6843
CVE-2026-6844 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in the `readelf` utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. Both issues can result in the `readelf` utility becoming unresponsive or crashing, leading to a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 09:16:00 UTC
CVE-2026-6844
CVE-2026-6845 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in binutils, specifically within the `readelf` utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 09:16:00 UTC
CVE-2026-6845
CVE-2026-6846 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 09:16:00 UTC
CVE-2026-6846
CVE-2026-6861 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in GNU Emacs. This vulnerability, a memory corruption issue, occurs when Emacs processes specially crafted SVG (Scalable Vector Graphics) CSS (Cascading Style Sheets) data. A local user could exploit this by convincing a victim to open a malicious SVG file, which may lead to a denial of service (DoS) or potentially information disclosure.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 14:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134692
CVE-2026-6861
CVE-2026-6862 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-22 14:17:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134691
https://bugzilla.redhat.com/show_bug.cgi?id=2459982
CVE-2026-6862
CVE-2026-6867 on Ubuntu 26.04 LTS (resolute) - medium
SMB2 protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6867
CVE-2026-6868 on Ubuntu 26.04 LTS (resolute) - medium
HTTP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 06:16:00 UTC
CVE-2026-6868
CVE-2026-6869 on Ubuntu 26.04 LTS (resolute) - medium
WebSocket protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6869
CVE-2026-6870 on Ubuntu 26.04 LTS (resolute) - medium
GSM RP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 07:16:00 UTC
CVE-2026-6870
CVE-2026-6907 on Ubuntu 26.04 LTS (resolute) - low
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmad Sadeddin for reporting this issue.
Update Instructions:
Run `sudo pro fix CVE-2026-6907` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
python3-django - 3:5.2.9-0ubuntu4.1
No subscription required
Ubuntu 26.04 LTS
Low
Copyright (C) 2026 Canonical Ltd.
2026-05-05 14:00:00 UTC
2026-05-05 14:00:00 UTC
Ahmad Sadeddin
[https://ubuntu.com/security/notices/USN-8232-1]
CVE-2026-6907
CVE-2026-6940 on Ubuntu 26.04 LTS (resolute) - medium
radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 21:16:00 UTC
CVE-2026-6940
CVE-2026-6941 on Ubuntu 26.04 LTS (resolute) - medium
radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-23 21:16:00 UTC
CVE-2026-6941
CVE-2026-6970 on Ubuntu 26.04 LTS (resolute) - medium
authd prior to version 0.6.4 contains a logic error in primary group ID assignment that can lead to local privilege escalation. When a user's primary group ID (GID) differs from their UID, either because the account was created with authd prior to version 0.5.4 or because the primary group was manually changed via the `authctl group set-gid` command, and the user's identity provider record is updated, authd incorrectly resets the user's primary group ID to their UID upon next login. This causes newly created files and directories to be owned by the wrong group, causing denial of service issues, and potentially granting unintended access to other local users and allowing local privilege escalation.
Update Instructions:
Run `sudo pro fix CVE-2026-6970` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
authd - 0.6.1ubuntu0.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-27
2026-04-27
[https://ubuntu.com/security/notices/USN-8212-1]
CVE-2026-6970
CVE-2026-7010 on Ubuntu 26.04 LTS (resolute) - medium
HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values. An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 22:22:00 UTC
CVE-2026-7010
CVE-2026-7111 on Ubuntu 26.04 LTS (resolute) - medium
Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption. The Parse, print, getline, and getline_all methods invoke registered callbacks (for example after_parse, before_print, or on_error) and cache the Perl argument stack pointer across the call. If a callback extends the argument stack enough to trigger a reallocation, the return value is written through the stale pointer into the freed buffer, and the caller reads the original $self argument as the return value instead. Calling code that expects parsed data from getline_all receives the Text::CSV_XS object in its place, leading to logic errors or crashes. Text::CSV_XS objects used without any registered callbacks are not affected.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-29 15:16:00 UTC
CVE-2026-7111
CVE-2026-7168 on Ubuntu 26.04 LTS (resolute) - medium
Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:` header field meant for `proxyA`, to `proxyB`.
Update Instructions:
Run `sudo pro fix CVE-2026-7168` to fix the vulnerability. The problem can be corrected
by updating your system to the following package versions:
curl - 8.18.0-1ubuntu2.1
libcurl3t64-gnutls - 8.18.0-1ubuntu2.1
libcurl4t64 - 8.18.0-1ubuntu2.1
No subscription required
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-29
2026-04-29
Muhamad Arga Reksapati
[https://ubuntu.com/security/notices/USN-8227-1]
CVE-2026-7168
CVE-2026-7179 on Ubuntu 26.04 LTS (resolute) - medium
A security vulnerability has been detected in OSPG binwalk up to 2.4.3. This vulnerability affects the function read_null_terminated_string of the file src/binwalk/plugins/winceextract.py of the component WinCE Extraction Plugin. Such manipulation of the argument self.file_name leads to path traversal. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The project maintainer confirms this issue: "I accept the existence of the Path Traversal vulnerability. However, as stated in the Github link, it reached EOL and as a result no actions should be expected." The GitHub repository mentions, that "[u]sers and contributors should migrate to binwalk v3." This vulnerability only affects products that are no longer supported by the maintainer.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-27 23:16:00 UTC
CVE-2026-7179
CVE-2026-7210 on Ubuntu 26.04 LTS (resolute) - medium
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding. Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 18:16:00 UTC
CVE-2026-7210
CVE-2026-7233 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was determined in Artifex MuPDF up to 1.28.0. The impacted element is the function fz_subset_cff_for_gids of the file subset-cff.c of the component CFF Index Handler. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through a bug report but has not responded yet.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-28 07:16:00 UTC
CVE-2026-7233
CVE-2026-7375 on Ubuntu 26.04 LTS (resolute) - medium
UDS protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 06:16:00 UTC
CVE-2026-7375
CVE-2026-7376 on Ubuntu 26.04 LTS (resolute) - medium
Crash in sharkd 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 06:16:00 UTC
CVE-2026-7376
CVE-2026-7378 on Ubuntu 26.04 LTS (resolute) - medium
Crash in sharkd 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 06:16:00 UTC
CVE-2026-7378
CVE-2026-7379 on Ubuntu 26.04 LTS (resolute) - medium
Memory leak in sharkd 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-30 06:16:00 UTC
CVE-2026-7379
CVE-2026-7381 on Ubuntu 26.04 LTS (resolute) - medium
Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware constructor or the Plack environment. A malicious client can set the X-Sendfile-Type header to "X-Accel-Redirect" to services running behind nginx reverse proxies, and then set the X-Accel-Mapping to map the path to an arbitrary file on the server. Since 1.0053, Plack::Middleware::XSendfile is deprecated and will be removed from future releases of Plack. This is similar to CVE-2025-61780 for Rack::Sendfile, although Plack::Middleware::XSendfile has some mitigations that disallow regular expressions to be used in the mapping, and only apply the mapping for the "X-Accel-Redirect" type.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-04-29 23:16:00 UTC
CVE-2026-7381
CVE-2026-7580 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was detected in Exiftool up to 13.53. Impacted is the function Process_mrld of the file lib/Image/ExifTool/GM.pm of the component JPEG/QuickTime/MOV/MP4. The manipulation of the argument -ee results in code injection. Attacking locally is a requirement. Upgrading to version 13.54 is recommended to address this issue. The patch is identified as 5a8b6b6ead12b39e3f32f978a4efd0233facbb01. It is suggested to upgrade the affected component. The fix in the source code mentions: "[J]ust to be safe, probably never happen".
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 12:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135381
CVE-2026-7580
CVE-2026-7582 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was detected in AcademySoftwareFoundation OpenImageIO up to 3.2.0.1-dev. This vulnerability affects unknown code of the file src/dds.imageio/ddsinput.cpp of the component DDS Image Handler. The manipulation results in out-of-bounds write. The attack needs to be approached locally. The exploit is now public and may be used. The patch is identified as 94ec2deec3e3bf2f2e2ff84d008e27425d626fe2. Applying a patch is advised to resolve this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 14:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135382
CVE-2026-7582
CVE-2026-7598 on Ubuntu 26.04 LTS (resolute) - medium
A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-01 22:16:00 UTC
mdeslaur(main)
dapickle
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135647
CVE-2026-7598
CVE-2026-7734 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in osrg GoBGP up to 4.3.0. This impacts the function SRv6L3ServiceAttribute.DecodeFromBytes of the file pkg/packet/bgp/prefix_sid.go of the component SRv6 L3 Service. Such manipulation of the argument data leads to denial of service. The attack may be performed from remote. Upgrading to version 4.4.0 will fix this issue. The name of the patch is f9f7b55ec258e514be0264871fa645a2c3edad11. You should upgrade the affected component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 06:16:00 UTC
CVE-2026-7734
CVE-2026-7735 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in osrg GoBGP up to 4.3.0. Affected is the function PathAttributeAigp.DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component AIGP Attribute Parser. Performing a manipulation results in buffer overflow. It is possible to initiate the attack remotely. Upgrading to version 4.4.0 is able to address this issue. The patch is named 51ad1ada06cb41ce47b7066799981816f50b7ced. The affected component should be upgraded.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 06:16:00 UTC
CVE-2026-7735
CVE-2026-7736 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was determined in osrg GoBGP up to 4.3.0. Affected by this vulnerability is the function parseRibEntry of the file pkg/packet/mrt/mrt.go. Executing a manipulation can lead to integer underflow. It is possible to launch the attack remotely. Upgrading to version 4.4.0 addresses this issue. This patch is called 76d911046344a3923cbe573364197aa081944592. It is suggested to upgrade the affected component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 07:16:00 UTC
CVE-2026-7736
CVE-2026-7737 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was identified in osrg GoBGP up to 4.3.0. Affected by this issue is the function BMPPeerUpNotification.ParseBody/BMPStatisticsReport.ParseBody of the file pkg/packet/bmp/bmp.go of the component BMP Parser. The manipulation leads to out-of-bounds read. The attack can be initiated remotely. Upgrading to version 4.4.0 can resolve this issue. The identifier of the patch is bc77597d42335c78464bc8e15a471d887bbdf260. Upgrading the affected component is recommended.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-04 07:16:00 UTC
CVE-2026-7737
CVE-2026-7835 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-7835
CVE-2026-7836 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-7836
CVE-2026-7837 on Ubuntu 26.04 LTS (resolute) - medium
[Unknown description]
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20
CVE-2026-7837
CVE-2026-7920 on Ubuntu 26.04 LTS (resolute) - medium
Use after free in Skia in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 19:16:00 UTC
CVE-2026-7920
CVE-2026-7923 on Ubuntu 26.04 LTS (resolute) - medium
Out of bounds write in Skia in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 19:16:00 UTC
CVE-2026-7923
CVE-2026-7949 on Ubuntu 26.04 LTS (resolute) - medium
Out of bounds read in Skia in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-06 19:16:00 UTC
CVE-2026-7949
CVE-2026-8084 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. This vulnerability affects the function memmove of the file frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid File Handler. This manipulation causes out-of-bounds read. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.13.0RC1 is able to resolve this issue. Patch name: a791f70f8eaec540974ec989ca6fb00266b7646c. Upgrading the affected component is advised.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 19:16:00 UTC
CVE-2026-8084
CVE-2026-8086 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This issue affects the function SWnentries of the file frmts/hdf4/hdf-eos/SWapi.c. Such manipulation of the argument DimensionName leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. Upgrading to version 3.12.4RC1 is capable of addressing this issue. The name of the patch is 9491e794f1757f08063ea2f7a274ad2994afa636. It is advisable to upgrade the affected component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 19:16:00 UTC
CVE-2026-8086
CVE-2026-8087 on Ubuntu 26.04 LTS (resolute) - medium
A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.13.0RC1 is recommended to address this issue. The patch is named 184f77dbcc74118c062c05e464c88161d3c37b9b. You should upgrade the affected component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135997
CVE-2026-8087
CVE-2026-8088 on Ubuntu 26.04 LTS (resolute) - medium
A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo of the file frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.13.0RC1 is sufficient to fix this issue. This patch is called a791f70f8eaec540974ec989ca6fb00266b7646c. The affected component should be upgraded.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-07 20:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135997
CVE-2026-8088
CVE-2026-8212 on Ubuntu 26.04 LTS (resolute) - medium
A flaw has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this vulnerability is the function SWSDfldsrch of the file frmts/hdf4/hdf-eos/SWapi.c. Executing a manipulation can lead to heap-based buffer overflow. The attack requires local access. The exploit has been published and may be used. Upgrading to version 3.13.0RC1 addresses this issue. This patch is called 3e04c0385630e4d42517046d9a4967dfccfeb7fd. The affected component should be upgraded.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-09 23:16:00 UTC
CVE-2026-8212
CVE-2026-8213 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this issue is the function GDSDfldsrch of the file frmts/hdf4/hdf-eos/GDapi.c of the component Grid File Handler. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 3.13.0RC1 can resolve this issue. The identifier of the patch is 3e04c0385630e4d42517046d9a4967dfccfeb7fd. It is suggested to upgrade the affected component.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-09 23:16:00 UTC
CVE-2026-8213
CVE-2026-8257 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was detected in WebAssembly Binaryen up to 117. This issue affects the function IRBuilder::makeBrOn of the file src/wasm/wasm-ir-builder.cpp of the component BrOn Parser. Performing a manipulation results in reachable assertion. The attack needs to be approached locally. The exploit is now public and may be used. The patch is named 1251efbc1ea471c1311d2726b2bbe061ff2a291c. It is suggested to install a patch to address this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 02:16:00 UTC
CVE-2026-8257
CVE-2026-8275 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was detected in bettercap up to 2.41.5. Affected by this vulnerability is the function ippReadChunkedBody of the file modules/zerogod/zerogod_ipp_primitives.go of the component zerogod IPP Service. Performing a manipulation results in integer coercion error. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit is now public and may be used. The patch is named 3731d5576cffae9eefe3721cd46a40933304129f. To fix this issue, it is recommended to deploy a patch.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 06:16:00 UTC
CVE-2026-8275
CVE-2026-8276 on Ubuntu 26.04 LTS (resolute) - medium
A flaw has been found in bettercap up to 2.41.5. Affected by this issue is some unknown functionality of the file modules/mysql_server/mysql_server.go of the component MySQL Server. Executing a manipulation can lead to integer coercion error. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation is known to be difficult. The exploit has been published and may be used. This patch is called 0eaa375c5e5446bfba94a290eff92967a5deac9e. It is advisable to implement a patch to correct this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-11 06:16:00 UTC
CVE-2026-8276
CVE-2026-8328 on Ubuntu 26.04 LTS (resolute) - medium
The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 21:16:00 UTC
CVE-2026-8328
CVE-2026-8367 on Ubuntu 26.04 LTS (resolute) - medium
aria2c accepts a server certificate with incorrect Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 16:17:00 UTC
CVE-2026-8367
CVE-2026-8368 on Ubuntu 26.04 LTS (resolute) - medium
LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes. A redirect to an attacker controlled host therefore discloses the caller's credentials to that host.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 15:16:00 UTC
CVE-2026-8368
CVE-2026-8429 on Ubuntu 26.04 LTS (resolute) - medium
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 19:16:00 UTC
CVE-2026-8429
CVE-2026-8430 on Ubuntu 26.04 LTS (resolute) - medium
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability through specific nginx configuration scenarios to achieve code execution, and this issue is not mitigated by the SPIP security screen.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-12 19:16:00 UTC
CVE-2026-8430
CVE-2026-8463 on Ubuntu 26.04 LTS (resolute) - medium
Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input. The auto-detect form of argon2_verify passes encoded_len - 1 as the length argument to memchr without checking that encoded_len is non-zero. When the encoded string is empty, the size_t subtraction underflows to SIZE_MAX and memchr scans adjacent heap memory looking for a '$' separator byte. A caller that invokes argon2_verify against a stored hash that may legitimately be empty (for example a placeholder row or a NULL column materialised as an empty string) reads out-of-bounds heap memory, which can crash the process or leak the position of an adjacent '$' byte into subsequent parsing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 14:18:00 UTC
CVE-2026-8463
CVE-2026-8466 on Ubuntu 26.04 LTS (resolute) - medium
Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing. cowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) > Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \r\n\r\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory. This issue affects cowboy from 2.0.0 before 2.15.0.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 19:17:00 UTC
CVE-2026-8466
CVE-2026-8496 on Ubuntu 26.04 LTS (resolute) - medium
A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation file allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS file, with an onrepeat event handler, is insufficiently sanitized before being rendered in the webmail interface. A remote attacker can execute JavaScript in the victim's browser when the malicious calendar invite is viewed. Successful exploitation may allow mailbox access, email and contact theft, session hijacking, and other actions allowed by an authenticated user.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-13 19:17:00 UTC
CVE-2026-8496
CVE-2026-8503 on Ubuntu 26.04 LTS (resolute) - medium
Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids. Apache::Session::Generate::SHA256 generated session ids insecurely. The default session id generator returns a SHA-256 hash of the built-in rand() function, the epoch time, and the PID, that is hashed again. These are predictable, low-entropy sources. Predictable session ids could allow an attacker to gain access to systems. Note that version 1.3.19 has a fallback without warning to use insecure session generation method if the call to Crypt::URandom::urandom fails. However, this is unlikely as Crypt::URandom is a hardcoded requirement of the module. This issue is similar to CVE-2025-40931 for Apache::Session::Generate::MD5.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-15 12:17:00 UTC
CVE-2026-8503
CVE-2026-8507 on Ubuntu 26.04 LTS (resolute) - medium
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out-of-bounds (OOB) write flaws. When parsing a PKCS12 file, with a >= 1 GiB OCTET STRING (or BIT STRING) attribute on a SAFEBAG, via info() or info_as_hash(), a heap out-of-bounds write would be triggered with remote-code-execution potential (RCE) due to a signed integer overflow in the size calculation passed to Renew().
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-17 19:16:00 UTC
CVE-2026-8507
CVE-2026-8510 on Ubuntu 26.04 LTS (resolute) - medium
Integer overflow in Skia in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 20:17:00 UTC
CVE-2026-8510
CVE-2026-8579 on Ubuntu 26.04 LTS (resolute) - medium
Insufficient validation of untrusted input in Skia in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted print file. (Chromium security severity: Medium)
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-14 20:17:00 UTC
CVE-2026-8579
CVE-2026-8669 on Ubuntu 26.04 LTS (resolute) - medium
Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files. Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized for the GIF's global screen width 'SWidth' and reuses it across every image in the file. The page-match branch validates Image.Width + Image.Left > SWidth before each DGifGetLine write, but the parallel skip-image branch at imgif.c:790-805 calls DGifGetLine(GifFile, GifRow, Width) with no such check.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-15 15:16:00 UTC
CVE-2026-8669
CVE-2026-8695 on Ubuntu 26.04 LTS (resolute) - medium
radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_threads_list() function that allows remote attackers to trigger memory corruption by sending a valid qfThreadInfo response followed by a malformed qsThreadInfo response. Attackers can exploit this vulnerability through GDB remote debugging to cause a denial of service or potentially achieve code execution by manipulating thread list processing.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-15 17:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136831
CVE-2026-8695
CVE-2026-8696 on Ubuntu 26.04 LTS (resolute) - medium
radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_pids_list() function within the GDB client core that allows remote attackers to cause a denial of service or potentially execute arbitrary code by sending malformed thread information responses. Attackers can trigger the vulnerability by causing qsThreadInfo to fail after qfThreadInfo successfully allocates RDebugPid structures, resulting in double-free memory corruption when the error path attempts to clean up the list.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-15 21:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136830
CVE-2026-8696
CVE-2026-8700 on Ubuntu 26.04 LTS (resolute) - medium
Crypt::DSA versions before 1.20 for Perl generate seeds using rand. Seeds were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-15 22:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136808
CVE-2026-8700
CVE-2026-8704 on Ubuntu 26.04 LTS (resolute) - medium
Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-15 23:16:00 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136809
CVE-2026-8704
CVE-2026-8711 on Ubuntu 26.04 LTS (resolute) - medium
NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-19 15:16:00 UTC
CVE-2026-8711
CVE-2026-8721 on Ubuntu 26.04 LTS (resolute) - medium
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncate passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-17 19:16:00 UTC
CVE-2026-8721
CVE-2026-8723 on Ubuntu 26.04 LTS (resolute) - medium
### Summary

`qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).

### Details

In the comma + `encodeValuesOnly` branch, `lib/stringify.js:145` mapped the array through the raw encoder before joining:

```js
obj = utils.maybeMap(obj, encoder);
```

`utils.encode` (`lib/utils.js:195`) reads `str.length` with no null guard, so a `null` or `undefined` element throws `TypeError`. `skipNulls` and `strictNullHandling` are both checked in the per-element loop below this line and never get a chance to run.

Same class of bug as the filter-array path fixed in 0c180a4. The vulnerable shape of the comma + `encodeValuesOnly` branch was introduced in 4c4b23d ("encode comma values more consistently", PR #463, 2023-01-19), first released in v6.11.1.

#### PoC

```js
const qs = require('qs');
qs.stringify({ a: [null, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });
qs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });
qs.stringify({ a: [null] }, { arrayFormat: 'comma', encodeValuesOnly: true });
// TypeError: Cannot read properties of null (reading 'length')
//     at encode (lib/utils.js:195:13)
//     at Object.maybeMap (lib/utils.js:322:37)
//     at stringify (lib/stringify.js:145:25)
```

#### Fix

`lib/stringify.js:145`, applied in 21f80b3 on `main` and released as v6.15.2:

```diff
- obj = utils.maybeMap(obj, encoder);
+ obj = utils.maybeMap(obj, function (v) {
+ return v == null ? v : encoder(v);
+ });
```

`null` and `undefined` now pass through `maybeMap` unchanged and reach the `join(',')` step as-is. For `{ a: [null, 'b'] }` this produces `a=,b`, matching the non-`encodeValuesOnly` comma path (which already joins before encoding and produces `a=%2Cb` for the same input). Single-element `[null]` arrays still collapse via the existing `obj.join(',') || null` and remain subject to `skipNulls` / `strictNullHandling` in the main loop.

### Affected versions

`>=6.11.1 <6.15.2` — fixed in v6.15.2.

The vulnerable code shape was introduced in 4c4b23d and first shipped in v6.11.1. Earlier versions — including all of 6.7.x, 6.8.x, 6.9.x, 6.10.x, and 6.11.0 — implemented the comma + `encodeValuesOnly` path differently (joining before encoding) and are not affected. Empirically verified across released versions.

### Impact

Application code that calls `qs.stringify` with both `arrayFormat: 'comma'` and `encodeValuesOnly: true` (both non-default) on input that may contain a `null` or `undefined` array element will throw synchronously instead of producing a query string. In a typical Node.js HTTP framework (Express, Fastify, Koa, hapi) the sync throw is caught by the framework's error boundary and the affected request returns a 500; the worker process does not exit and subsequent requests are unaffected. The "kills the worker process" framing applies only to call sites outside a request-handler error boundary (background jobs, startup paths, stream pipelines) or to deployments with framework error handling explicitly disabled.

The vulnerable input is a `null` or `undefined` entry inside an array; this is reachable from JSON request bodies or from application code constructing arrays from user input, but not from standard HTML form submissions (which produce strings or omitted fields, not literal `null`).
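Review bot: the `v == null` test in the new `maybeMap` callback depends on loose equality to match both `null` and `undefined`, and nothing in the hunk says so; a short comment on that line would keep it from being tightened to `=== null` later, which would bring the `TypeError` back for `undefined` elements. The three PoC calls above would also serve as regression tests alongside this change, with `skipNulls` and `strictNullHandling` each set, since those options are only applied in the loop below `lib/stringify.js:145`.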
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-17 00:16:00 UTC
CVE-2026-8723
CVE-2026-8836 on Ubuntu 26.04 LTS (resolute) - medium
A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmp_parse_inbound_frame of the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. Performing a manipulation of the argument msgAuthenticationParameters results in stack-based buffer overflow. The attack may be initiated remotely. The patch is named 0c957ec03054eb6c8205e9c9d1d05d90ada3898c. It is suggested to install a patch to address this issue.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-18 19:16:00 UTC
CVE-2026-8836
CVE-2026-8851 on Ubuntu 26.04 LTS (resolute) - medium
SOGo versions 5.12.7 and prior contain a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inject malicious SQL code to write extracted data into the sogo_acl table and retrieve it through the /acls API, establishing an out-of-band data exfiltration channel.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-18 21:16:00 UTC
CVE-2026-8851
CVE-2026-9064 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-20 10:16:00 UTC
CVE-2026-9064
CVE-2026-9100 on Ubuntu 26.04 LTS (resolute) - medium
The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection may cause any application that reads those files via the legacy API to either crash (via a division-by-zero) or silently leak process memory contents (via an out-of-bounds read).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137217
CVE-2026-9100
CVE-2026-9149 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS).
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-9149
CVE-2026-9150 on Ubuntu 26.04 LTS (resolute) - medium
A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system.
Ubuntu 26.04 LTS
Medium
Copyright (C) 2026 Canonical Ltd.
2026-05-21
CVE-2026-9150
gpg-agent
gpg-wks-client
gpg-wks-server
gpgconf
gpgsm
gpgv
gpgv-static
scdaemon
tpm2daemon
libtinyexr1d
libwolfssl44
yarnpkg
virtualbox
virtualbox-dkms
virtualbox-guest-utils
virtualbox-guest-utils-hwe
virtualbox-guest-x11
virtualbox-guest-x11-hwe
virtualbox-qt
virtualbox-source
phpldapadmin
gimp
gimp-data
gir1.2-gimp-3.0
libgimp-3.0-0
libgimp-3.0-bin
jmeter
jmeter-apidoc
jmeter-ftp
jmeter-help
jmeter-http
jmeter-java
jmeter-jms
jmeter-junit
jmeter-ldap
jmeter-mail
jmeter-mongodb
jmeter-tcp
gcc-snapshot
fonts-wine
libwine
wine
wine-binfmt
wine-common
wine32
wine32-preloader
wine32-tools
wine64
wine64-preloader
wine64-tools
libcommons-compress-java
chromium-browser
chromium-browser-l10n
chromium-chromedriver
chromium-codecs-ffmpeg
chromium-codecs-ffmpeg-extra
ffmpeg
libavcodec-extra
libavcodec-extra61
libavcodec61
libavdevice61
libavfilter-extra
libavfilter-extra10
libavfilter10
libavformat-extra
libavformat-extra61
libavformat61
libavutil59
libpostproc58
libswresample5
libswscale8
htslib-test
libhts3t64
tabix
clementine
libjsf-api-java
gdm3
gir1.2-gdm-1.0
libgdm1
gigtools
libakai0t64
libgig13
mitmproxy
aubio-tools
libaubio5
python3-aubio
libgd-tools
libgd3
doxygen
doxygen-doxyparse
doxygen-gui
doxygen-latex
btrfsmaintenance
evolution
evolution-common
evolution-plugin-bogofilter
evolution-plugin-pstimport
evolution-plugin-spamassassin
evolution-plugins
evolution-plugins-experimental
libevolution
evolution-data-server
evolution-data-server-common
evolution-data-server-tests
gir1.2-camel-1.2
gir1.2-ebackend-1.2
gir1.2-ebook-1.2
gir1.2-ebookcontacts-1.2
gir1.2-ecal-2.0
gir1.2-edatabook-1.2
gir1.2-edatacal-2.0
gir1.2-edataserver-1.2
gir1.2-edataserverui-1.2
gir1.2-edataserverui4-1.0
libcamel-1.2-64t64
libebackend-1.2-11t64
libebook-1.2-21t64
libebook-contacts-1.2-4t64
libecal-2.0-3
libedata-book-1.2-27t64
libedata-cal-2.0-2t64
libedataserver-1.2-27t64
libedataserverui-1.2-4t64
libedataserverui4-1.0-0t64
awscli
modsecurity-crs
pdns-recursor
amphora-agent
octavia-api
octavia-common
octavia-driver-agent
octavia-health-manager
octavia-housekeeping
octavia-worker
python3-octavia
gitolite3
libsixel-bin
libsixel-examples
libsixel1
love
mame
mame-data
mame-tools
retroarch
zam-plugins
zynaddsubfx
zynaddsubfx-data
zynaddsubfx-dssi
zynaddsubfx-lv2
zynaddsubfx-vst
libsfml-audio3.0
libsfml-graphics3.0
libsfml-network3.0
libsfml-system3.0
libsfml-window3.0
goxel
catimg
hdf5-helpers
hdf5-tools
libhdf5-310
libhdf5-cpp-310
libhdf5-fortran-310
libhdf5-hl-310
libhdf5-hl-cpp-310
libhdf5-hl-fortran-310
libhdf5-java
libhdf5-jni
libhdf5-mpich-310
libhdf5-mpich-cpp-310
libhdf5-mpich-fortran-310
libhdf5-mpich-hl-310
libhdf5-mpich-hl-cpp-310
libhdf5-mpich-hl-fortran-310
libhdf5-openmpi-310
libhdf5-openmpi-cpp-310
libhdf5-openmpi-fortran-310
libhdf5-openmpi-hl-310
libhdf5-openmpi-hl-cpp-310
libhdf5-openmpi-hl-fortran-310
libzzip-0-13t64
zziplib-bin
python3-requests
icingacli
icingaweb2
icingaweb2-common
icingaweb2-module-monitoring
php-icinga
gir1.2-thunarx-3.0
libthunarx-3-0
thunar
thunar-data
kio-extras
kio-extras-data
sludge-compiler
sludge-engine
libjackson2-databind-java
arm-trusted-firmware
arm-trusted-firmware-tools
tryton-client
dcraw
libqt5hunspellinputmethod5
libqt5virtualkeyboard5
qml-module-qtquick-virtualkeyboard
qtvirtualkeyboard-plugin
qtvirtualkeyboard5-examples
qt5-image-formats-plugins
libmxml1
tcc
catdoc
libjs-bootstrap4
libvterm-bin
libvterm0
emscripten
texmaker
texmaker-data
gridengine-client
gridengine-common
gridengine-drmaa1.0
gridengine-exec
gridengine-master
gridengine-qmon
libdrmaa1.0-java
libdrmaa1.0-ruby
re2c
admesh
libadmesh1
smarty3
libjs-chosen
barcode
bochs
bochs-sdl
bochs-term
bochs-wx
bochs-x
bochsbios
bximage
sb16ctrl-bochs
sc
crashmail
pms
libnss-libvirt
libvirt-clients
libvirt-clients-qemu
libvirt-common
libvirt-daemon
libvirt-daemon-common
libvirt-daemon-config-network
libvirt-daemon-config-nwfilter
libvirt-daemon-driver-interface
libvirt-daemon-driver-lxc
libvirt-daemon-driver-network
libvirt-daemon-driver-nodedev
libvirt-daemon-driver-nwfilter
libvirt-daemon-driver-qemu
libvirt-daemon-driver-secret
libvirt-daemon-driver-storage
libvirt-daemon-driver-storage-disk
libvirt-daemon-driver-storage-gluster
libvirt-daemon-driver-storage-iscsi
libvirt-daemon-driver-storage-iscsi-direct
libvirt-daemon-driver-storage-logical
libvirt-daemon-driver-storage-mpath
libvirt-daemon-driver-storage-rbd
libvirt-daemon-driver-storage-scsi
libvirt-daemon-driver-storage-zfs
libvirt-daemon-driver-vbox
libvirt-daemon-driver-xen
libvirt-daemon-lock
libvirt-daemon-log
libvirt-daemon-plugin-lockd
libvirt-daemon-plugin-sanlock
libvirt-daemon-system
libvirt-daemon-system-systemd
libvirt-daemon-system-sysv
libvirt-l10n
libvirt-login-shell
libvirt-sanlock
libvirt-ssh-proxy
libvirt-wireshark
libvirt0
node-mixin-deep
node-hoek
xserver-xorg-video-nouveau
mkvtoolnix
mkvtoolnix-gui
libmpv2
mpv
puppet-module-puppetlabs-apt
puppet-module-puppetlabs-apache
puppet-module-puppetlabs-mysql
icinga2
icinga2-bin
icinga2-common
icinga2-ido-mysql
icinga2-ido-pgsql
vim-icinga2
libjs-dojo-core
libjs-dojo-dijit
libjs-dojo-dojox
shrinksafe
sfcb
sfcb-test
patch
libvncclient1
libvncserver1
mpg321
leptonica-progs
libleptonica6
libuima-adapter-vinci-java
libuima-core-java
libuima-cpe-java
libuima-tools-java
libuima-vinci-java
uima-examples
uima-utils
mono-libraries
mono-libraries-debug
mono-runtime
fdkaac
f2fs-tools
activemq
libactivemq-java
libmqtt-client-java
libaxis-java
python3-slixmpp
python3-libnmap
nfdump
nfdump-sflow
mgetty
mgetty-fax
mgetty-pvftools
mgetty-viewfax
mgetty-voice
libcrypt-jwt-perl
elpa-helm
elpa-helm-core
libintellij-core-java
libintellij-extensions-java
libintellij-jps-model-java
libintellij-platform-api-java
libintellij-platform-impl-java
libintellij-utils-java
freeradius
freeradius-common
freeradius-config
freeradius-dhcp
freeradius-iodbc
freeradius-krb5
freeradius-ldap
freeradius-memcached
freeradius-mysql
freeradius-postgresql
freeradius-python3
freeradius-redis
freeradius-rest
freeradius-utils
freeradius-yubikey
libfreeradius3
libreswan
golang-github-containers-image
libhibernate-validator-java
jetty9
libjetty9-extra-java
libjetty9-java
lrzip
claws-mail
claws-mail-acpi-notifier
claws-mail-address-keeper
claws-mail-archiver-plugin
claws-mail-attach-remover
claws-mail-attach-warner
claws-mail-bogofilter
claws-mail-bsfilter-plugin
claws-mail-clamd-plugin
claws-mail-dillo-viewer
claws-mail-extra-plugins
claws-mail-fancy-plugin
claws-mail-feeds-reader
claws-mail-fetchinfo-plugin
claws-mail-i18n
claws-mail-keyword-warner
claws-mail-libravatar
claws-mail-litehtml-viewer
claws-mail-mailmbox-plugin
claws-mail-managesieve
claws-mail-multi-notifier
claws-mail-newmail-plugin
claws-mail-pdf-viewer
claws-mail-perl-filter
claws-mail-pgpinline
claws-mail-pgpmime
claws-mail-plugins
claws-mail-python-plugin
claws-mail-smime-plugin
claws-mail-spam-report
claws-mail-spamassassin
claws-mail-tnef-parser
claws-mail-tools
claws-mail-vcalendar-plugin
libeclipse-jem-util-java
libeclipse-wst-common-core-java
libeclipse-wst-common-emf-java
libeclipse-wst-common-emfworkbench-integration-java
libeclipse-wst-common-frameworks-java
libeclipse-wst-common-frameworks-ui-java
libeclipse-wst-common-environment-java
libeclipse-wst-common-project-facet-core-java
libeclipse-wst-common-ui-java
libeclipse-wst-common-uriresolver-java
libeclipse-wst-sse-core-java
libeclipse-wst-sse-ui-java
libeclipse-wst-validation-java
libeclipse-wst-validation-ui-java
libeclipse-wst-xml-core-java
libeclipse-wst-xml-ui-java
libeclipse-wst-xsd-core-java
phppgadmin
jupyter-notebook
python3-notebook
teeworlds
teeworlds-data
teeworlds-server
intel-microcode
bwa
evince
evince-common
gir1.2-evince-3.0
libevdocument3-4t64
libevview3-3t64
libwhoopsie0
whoopsie
libduo3t64
libpam-duo
login-duo
libthrift-0.22.0
libthrift-c-glib0t64
libthrift-perl
php-thrift
python3-thrift
thrift-compiler
qemu-block-extra
qemu-block-supplemental
qemu-guest-agent
qemu-system
qemu-system-arm
qemu-system-common
qemu-system-data
qemu-system-gui
qemu-system-mips
qemu-system-misc
qemu-system-modules-opengl
qemu-system-modules-spice
qemu-system-ppc
qemu-system-riscv
qemu-system-s390x
qemu-system-sparc
qemu-system-x86
qemu-system-x86-xen
qemu-system-xen
qemu-user
qemu-user-binfmt
qemu-utils
ubuntu-virt
libfreeimage3
libfreeimageplus3
buildbot
buildbot-worker
libapache-poi-java
mediawiki
mediawiki-classes
squid
squid-common
squid-openssl
firejail
firejail-profiles
libopenjp2-7
libopenjp2-tools
libopenjpip-dec-server
libopenjpip-viewer
libopenjpip7
libapache2-mod-auth-mellon
zoneminder
imagemagick
imagemagick-7-common
imagemagick-7.q16
imagemagick-7.q16hdri
libimage-magick-perl
libimage-magick-q16-perl
libimage-magick-q16hdri-perl
libmagick++-7-headers
libmagick++-7.q16-5
libmagick++-7.q16hdri-5
libmagickcore-7-arch-config
libmagickcore-7-headers
libmagickcore-7.q16-10
libmagickcore-7.q16-10-extra
libmagickcore-7.q16hdri-10
libmagickcore-7.q16hdri-10-extra
libmagickwand-7-headers
libmagickwand-7.q16-10
libmagickwand-7.q16hdri-10
perlmagick
audiofile-tools
libaudiofile1
nsd
groonga
groonga-bin
groonga-examples
groonga-munin-plugins
groonga-plugin-suggest
groonga-server-common
groonga-server-gqtp
groonga-server-http
groonga-token-filter-stem
groonga-tokenizer-mecab
libgroonga0t64
libonig5
xymon
xymon-client
libmupdf25.1
mupdf
mupdf-tools
python3-mupdf
jackd2
jackd2-firewire
libjack-jackd2-0
libmodsecurity3t64
dpic
libquartz-java
python3-django
libmcpp0
mcpp
basilisk2
fs-uae
slirp
libvde0
vde-switch
vde-wirefilter
vde2
vde2-cryptcab
schism
sphinxsearch
brandy
gnupg1
gnupg1-l10n
gpgv1
gradle
libgradle-core-java
libgradle-plugins-java
roundcube
roundcube-core
roundcube-mysql
roundcube-pgsql
roundcube-plugins
roundcube-sqlite3
python3-django-js-reverse
vncsnapshot
x2vnc
ssvnc
krfb
libns3.46
ns3
libwbxml2-1
libwbxml2-utils
tdom
firefox
cflow
cflow-l10n
python3-lmdb
focuswriter
postfix-mta-sts-resolver
pterm
putty
putty-tools
ruby-netaddr
libpdl-io-matlab-perl
libnb-absolutelayout-java
proftpd-core
proftpd-mod-crypto
proftpd-mod-geoip
proftpd-mod-ldap
proftpd-mod-mysql
proftpd-mod-odbc
proftpd-mod-pgsql
proftpd-mod-snmp
proftpd-mod-sqlite
proftpd-mod-wrap
condor
condor-annex-ec2
condor-kbdd
condor-test
condor-vm-gahp
minicondor
libmailutils9t64
libmu-dbm9t64
mailutils
mailutils-common
mailutils-comsatd
mailutils-guile
mailutils-imap4d
mailutils-mda
mailutils-mh
mailutils-pop3d
python3-mailutils
libzypp-bin
libzypp-common
libzypp-config
libzypp1735
libunivalue0
gnome-font-viewer
gnome-sushi
dia
dia-common
smplayer
smplayer-l10n
yabasic
libapache2-mod-mapcache
libmapcache1t64
mapcache-cgi
mapcache-tools
scilab
scilab-cli
scilab-data
scilab-full-bin
scilab-include
scilab-minimal-bin
scilab-test
libmatio14
matio-tools
keepass2
maptool
navit
navit-data
navit-graphics-gtk-drawing-area
navit-gui-gtk
navit-gui-internal
libnetcdf-mpi-22
libnetcdf-pnetcdf-22
ganglia-webfrontend
python3-ruamel.yaml
libusrsctp-examples
libusrsctp2
libopendmarc2t64
opendmarc
libvo-amrwbenc0
python3-mysql.connector
libusbguard1
usbguard
openvswitch-common
openvswitch-ipsec
openvswitch-pki
openvswitch-source
openvswitch-switch
openvswitch-switch-dpdk
openvswitch-test
openvswitch-testcontroller
openvswitch-vtep
python3-openvswitch
rtcw
rtcw-common
rtcw-server
gsoap
libgsoap-2.8.139
finch
libpurple-bin
libpurple0t64
pidgin
pidgin-data
deluge
deluge-common
deluge-console
deluge-gtk
deluge-web
deluged
dnss
r-base
r-base-core
r-base-html
r-mathlib
r-recommended
filezilla
filezilla-common
osc
libnfsidmap-regex
libnfsidmap1
nfs-common
nfs-kernel-server
libopenwsman1
libwsman-client4t64
libwsman-clientpp1t64
libwsman-curl-client-transport1
libwsman-server1t64
libwsman1t64
openwsman
evolution-ews
evolution-ews-core
libsdl2-image-2.0-0
libsdl2-image-tests
eapoltest
hostapd
wpagui
wpasupplicant
eapoltest
hostapd
wpagui
wpasupplicant
libshadowsocks-libev2
shadowsocks-libev
faad
libfaad2
flex
libfl2
libopenjp2-7
libopenjp2-tools
libopenjpip-dec-server
libopenjpip-viewer
libopenjpip7
binaryen
tintin++
mpop
lemon
libsqlite3-0
libsqlite3-ext-csv
libsqlite3-ext-icu
libsqlite3-tcl
sqlite3
sqlite3-tools
db5.3-util
libdb5.3++t64
libdb5.3t64
libsqlcipher2
sqlcipher
libopencv-calib3d410
libopencv-contrib410
libopencv-core410
libopencv-dnn410
libopencv-features2d410
libopencv-flann410
libopencv-highgui410
libopencv-imgcodecs410
libopencv-imgproc410
libopencv-java
libopencv-ml410
libopencv-objdetect410
libopencv-photo410
libopencv-shape410
libopencv-stitching410
libopencv-superres410
libopencv-video410
libopencv-videoio410
libopencv-videostab410
libopencv-viz410
libopencv410-jni
opencv-data
python3-opencv
python3-twisted
libgrpc++1.51t64
libgrpc29t64
protobuf-compiler-grpc
python3-grpcio
ruby-grpc
ruby-grpc-tools
golang-google-grpc-dev
protoc-gen-go-grpc
gir1.2-poppler-0.18
libpoppler-cpp3
libpoppler-glib8t64
libpoppler-qt5-1t64
libpoppler-qt6-3t64
libpoppler156
poppler-utils
graphviz
graphviz-tools
libcdt6
libcgraph8
libgv-guile
libgv-lua
libgv-perl
libgv-ruby
libgv-tcl
libgvc7
libgvplugin-gd8
libgvplugin-gs8
libgvplugin-neato-layout8
libgvplugin-pango8
libgvplugin-poppler8
libgvplugin-rsvg8
libgvplugin-vt100
libgvplugin-vt8
libgvplugin-webp8
libgvplugin-xlib8
libgvpr2
libpathplan4
libxdot4
python3-gv
tcl-gv
telnet-ssl
telnetd-ssl
libresteasy-java
codeblocks
codeblocks-common
codeblocks-contrib
libcodeblocks0t64
libwxsmithlib0t64
libbatik-java
libxmlgraphics-commons-java
libsqlite3-mod-blobtoxy
libsqlite3-mod-csvtable
libsqlite3-mod-impexp
libsqlite3-mod-xpath
libsqlite3-mod-zipfile
libsqliteodbc
sabnzbdplus
amarok
amarok-common
amarok-utils
libnss-myhostname
libnss-mymachines
libnss-resolve
libnss-systemd
libpam-systemd
libsystemd-shared
libsystemd0
libudev1
systemd
systemd-boot
systemd-boot-efi
systemd-boot-tools
systemd-container
systemd-coredump
systemd-cryptsetup
systemd-homed
systemd-journal-remote
systemd-oomd
systemd-repart
systemd-resolved
systemd-standalone-shutdown
systemd-standalone-sysusers
systemd-standalone-tmpfiles
systemd-sysv
systemd-tests
systemd-timesyncd
systemd-ukify
systemd-userdbd
udev
rebar
gcc-opt
singularity-container
kramdown
ruby-kramdown
python3-rtslib-fb
bsdiff
ansible
chrony
openjdk-11-demo
openjdk-11-jdk
openjdk-11-jdk-headless
openjdk-11-jre
openjdk-11-jre-headless
openjdk-11-jre-zero
openjdk-11-source
freedroidrpg
freedroidrpg-data
tuxguitar
tuxguitar-alsa
tuxguitar-fluidsynth
tuxguitar-jack
tuxguitar-synth-lv2
ruby-faye-websocket
rails
ruby-actioncable
ruby-actionmailbox
ruby-actionmailer
ruby-actionpack
ruby-actiontext
ruby-actionview
ruby-activejob
ruby-activemodel
ruby-activerecord
ruby-activestorage
ruby-activesupport
ruby-rails
ruby-railties
python3-django-filters
hylafax-client
hylafax-server
nim
nim
kotlin
libetpan20t64
kdepim-runtime
accountwizard
libcpan-checksums-perl
python3-django-celery-results
groovy
cyclonedds-tools
libcycloneddsidl0t64
libddsc0t64
exiv2
libexiv2-28
libexiv2-data
libz3-4
libz3-java
libz3-jni
python3-z3
z3
gifsicle
libmpv2
mpv
libslirp0
oggvideotools
liblwip0t64
pdfcrack
phpmyadmin
python3-selenium
nomacs
nomacs-l10n
advancecomp
cloop-src
cloop-utils
asn1c
salmon
node-node-sass
libluajit-5.1-2
libluajit-5.1-common
luajit
selinux-policy-default
selinux-policy-mls
selinux-policy-src
shotcut
shotcut-data
kleopatra
checkinstall
libappimage1.0abi1t64
python3-djangorestframework
libresteasy3.0-java
python3-m2crypto
imagemagick
imagemagick-7-common
imagemagick-7.q16
imagemagick-7.q16hdri
libimage-magick-perl
libimage-magick-q16-perl
libimage-magick-q16hdri-perl
libmagick++-7-headers
libmagick++-7.q16-5
libmagick++-7.q16hdri-5
libmagickcore-7-arch-config
libmagickcore-7-headers
libmagickcore-7.q16-10
libmagickcore-7.q16-10-extra
libmagickcore-7.q16hdri-10
libmagickcore-7.q16hdri-10-extra
libmagickwand-7-headers
libmagickwand-7.q16-10
libmagickwand-7.q16hdri-10
perlmagick
etcd-discovery
kdeconnect
kdeconnect-libs
nautilus-kdeconnect
qml6-module-org-kde-kdeconnect
libwireshark-data
libwireshark19
libwiretap16
libwsutil17
tshark
wireshark
wireshark-common
stratoshark
motion
civetweb
libcivetweb1
libjs-prototype
pngcheck
openvswitch-common
openvswitch-ipsec
openvswitch-pki
openvswitch-source
openvswitch-switch
openvswitch-switch-dpdk
openvswitch-test
openvswitch-testcontroller
openvswitch-vtep
python3-openvswitch
lldpd
elpa-password-store
pass
vim-redact-pass
node-axios
libmaxminddb0
mmdb-bin
libjackson2-dataformat-cbor
libjs-three
node-elliptic
libjs-lodash
node-lodash
node-lodash-packages
libtinyobjloader2rc13
python3-tinyobjloader
prusa-slicer
openscad
openscad-testing
openscad-testing-data
sma
libvncclient1
libvncserver1
x11vnc
odoo-18
golang-golang-x-crypto-dev
nagios4
nagios4-cgi
nagios4-common
nagios4-core
pure-ftpd
pure-ftpd-common
pure-ftpd-ldap
pure-ftpd-mysql
pure-ftpd-postgresql
crmsh
asterisk
asterisk-config
asterisk-dahdi
asterisk-mobile
asterisk-modules
asterisk-mp3
asterisk-mysql
asterisk-ooh323
asterisk-tests
python3-autobahn
opensmtpd
libopendkim11
librbl1
libvbr2
miltertest
opendkim
opendkim-tools
node-socket.io-parser
jupyterhub
libsharpyuv0
libwebp7
libwebpdecoder3
libwebpdemux2
libwebpmux3
webp
libaxmlrpc-java
uptimed
libeddsa-java
ruby-ed25519
libio-compress-brotli-perl
monit
gnome-font-viewer
redir
gir1.2-babl-0.1
libbabl-0.1-0
exchange-bmc-os-info
ipmitool
python3-cmarkgfm
libghc-cmark-gfm-prof
r-cran-commonmark
uap-core
libspring-aop-java
libspring-beans-java
libspring-context-java
libspring-context-support-java
libspring-core-java
libspring-expression-java
libspring-instrument-java
libspring-jdbc-java
libspring-jms-java
libspring-messaging-java
libspring-orm-java
libspring-oxm-java
libspring-test-java
libspring-transaction-java
libspring-web-java
libspring-web-portlet-java
libspring-web-servlet-java
gds-tools
libcufile-rdma1
libcufile0
libaccinj64-12.4
libcudart12
libcuinj64-12.4
libcupti12
libnvfatbin12
libnvjitlink12
libnvrtc-builtins12.4
libnvrtc12
libnvtoolsext1
nvidia-cuda-gdb
nvidia-profiler
libarrow500
libparquet500
libcublas12
libcublaslt12
libnvblas12
libcufft11
libcufftw11
libcurand10
libcusolver11
libcusolvermg11
libcusparse12
libnppc12
libnppial12
libnppicc12
libnppidei12
libnppif12
libnppig12
libnppim12
libnppist12
libnppisu12
libnppitc12
libnpps12
libnvjpeg12
libnvvm4
nvidia-cuda-toolkit
nsight-compute
nsight-compute-target
nsight-systems
nsight-systems-target
nvidia-cuda-toolkit-gcc
nvidia-fs-dkms
glibc-source
libc-bin
libc6
libc6-amd64
libc6-i386
libc6-x32
locales
locales-all
nscd
freediameter
freediameter-extensions
freediameterd
libfdcore7
libfdproto7
libgoogle-oauth-client-java
python3-uvicorn
uvicorn
node-ua-parser-js
node-ini
puppet-terminus-puppetdb
puppetdb
obs-build
jison
ppp
opensmtpd
gce-compute-image-packages
google-compute-engine
node-jsdom
due
libf95getdata7
libfgetdata6
libgetdata++7
libgetdata-perl
libgetdata-tools
libgetdata8
python3-pygetdata
isync
libhogweed6t64
libnettle8t64
nettle-bin
libmongodb-java
cairosvg
python3-cairosvg
libnetty-java
syncthing
syncthing-discosrv
syncthing-relaysrv
python3-django-registration
openjdk-8-demo
openjdk-8-jdk
openjdk-8-jdk-headless
openjdk-8-jre
openjdk-8-jre-headless
openjdk-8-jre-zero
openjdk-8-source
libdxflib3
librecad
librecad-data
spring
spring-common
spring-javaai
ruby-kas-grpc
caja-nextcloud
dolphin-nextcloud
libnextcloudsync0t64
nautilus-nextcloud
nemo-nextcloud
nextcloud-desktop
nextcloud-desktop-cmd
nextcloud-desktop-common
nextcloud-desktop-l10n
cacti
libnss-sudo
sudo
node-prismjs
handlebars
libjs-handlebars
libjs-handlebars.runtime
node-jszip
bikeshed
libjs-mootools
node-object-path
python3-pil
python3-pil.imagetk
node-set-value
libjs-jquery-datatables
node-cached-path-relative
juce-modules-source
juce-modules-source-data
juce-tools
guake
node-postcss
mocha
libtwelvemonkeys-java
node-http-server
python3-django-hyperkitty
python3-markdown2
libopenexr-3-1-30
openexr
steghide
python3-pygments
eric
eric-api-files
libzint2.15
zint
zint-qt
libfontbox2-java
libpdfbox2-java
libfontbox-java
libjempbox-java
libpdfbox-java
exif
libqt6svg6
libqt6svgwidgets6
qt6-svg-plugins
squid
squid-cgi
squid-common
squid-openssl
squid-purge
squidclient
kde-config-updates
plasma-discover
plasma-discover-backend-flatpak
plasma-discover-backend-fwupd
plasma-discover-backend-snap
plasma-discover-common
plasma-discover-notifier
libjakarta-el-api-java
node-color-string
ircii
python3-pikepdf
libnetwork-ipv4addr-perl
siftool
dlt-daemon
dlt-tools
libdlt-examples
libdlt3
seafile-gui
dma
git-big-picture
python3-git-big-picture
libpodofo-utils
libpodofo0.9.8t64
gogoprotobuf
golang-gogoprotobuf-dev
libtcmu2
tcmu-runner
xscreensaver
xscreensaver-data
xscreensaver-data-extra
xscreensaver-gl
xscreensaver-gl-extra
xscreensaver-screensaver-bsod
xscreensaver-screensaver-webcollage
python3-impacket
leocad
wget
inn2
inn2-inews
php-mongodb
php8.5-mongodb
cgi-mapserver
libmapscript-java
libmapscript-perl
libmapserver2t64
mapserver-bin
php-mapscript-ng
python3-mapscript
welle.io
faust
faust-common
libfaust-static
libfaust2t64
hcxtools
schism
php-pear
dmg2img
php-league-flysystem
node-xmldom
node-tar
ruby-bindata
libjs-jquery-minicolors
bellesip-data
libbellesip3
nagvis
nagvis-demos
libapache-jena-java
libtidy58
tidy
yasm
gocr
gocr-tk
libpgm2asc0.52t64
node-got
gir1.2-gupnp-1.6
libgupnp-1.6-0
libgcrypt-bin
libgcrypt20
node-css-what
librnp0
rnp
node-trim-newlines
libpano13-3t64
libpano13-bin
libjdom1-java
libjdom2-java
python3-websockets
dino-im
dino-im-common
apacheds
libapacheds-i18n-java
libapacheds-java
libapacheds-kerberos-codec-java
libytnef0
ytnef-tools
libebml5
gitsome
mp3gain
ttyd
thefuck
slapi-nis
libqt5svg5
qtsvg5-examples
quassel
quassel-client
quassel-core
quassel-data
libhivex-bin
libhivex-ocaml
libhivex0
libwin-hivex-perl
python3-hivex
ruby-hivex
pdfresurrect
postgresql-18-pglogical
librpm10
librpmbuild10
librpmio10
librpmsign10
python3-rpm
rpm
rpm-common
rpm2cpio
postsrsd
tpm2-tools
buildah
otrs2
znuny
optee-os
dropbear
dropbear-bin
dropbear-initramfs
ant
ant-optional
fossil
node-uri-js
liballegro-acodec5.2t64
liballegro-audio5.2t64
liballegro-dialog5.2t64
liballegro-image5.2t64
liballegro-physfs5.2t64
liballegro-ttf5.2t64
liballegro-video5.2t64
liballegro5.2t64
libperl5.40
perl
perl-base
perl-debug
perl-modules-5.40
libencode-perl
nbdkit
nbdkit-plugin-guestfs
nbdkit-plugin-libvirt
nbdkit-plugin-lua
nbdkit-plugin-perl
nbdkit-plugin-python
nbdkit-plugin-tcl
nbdkit-plugin-vddk
atomicparsley
fcitx5
fcitx5-data
fcitx5-frontend-all
fcitx5-modules
libfcitx5config6
libfcitx5core7
libfcitx5utils2
suricata
ldap-account-manager
ldap-account-manager-lamdaemon
request-tracker4
rt4-apache2
rt4-clients
rt4-db-mysql
rt4-db-postgresql
rt4-db-sqlite
rt4-fcgi
rt4-standalone
libitext5-java
libopencryptoki0
opencryptoki
node-ansi-regex
courier-base
courier-faxmail
courier-ldap
courier-mlm
courier-mta
courier-pcp
courier-pop
courier-webadmin
courier-imap
sqwebmail
perm
cpp-11
g++-11
g++-11-multilib
gcc-11
gcc-11-base
gcc-11-hppa64-linux-gnu
gcc-11-locales
gcc-11-multilib
gcc-11-offload-amdgcn
gcc-11-offload-nvptx
gcc-11-source
gcc-11-test-results
gccgo-11
gccgo-11-multilib
gdc-11
gdc-11-multilib
gfortran-11
gfortran-11-multilib
gnat-11
gobjc++-11
gobjc++-11-multilib
gobjc-11
gobjc-11-multilib
lib32asan6
lib32go19
lib32gphobos2
lib64asan6
lib64go19
lib64gphobos2
libasan6
libgnat-11
libgo19
libgphobos2
libstdc++-11-pic
libtsan0
libx32asan6
libx32go19
libx32gphobos2
libzephyr4
libzephyr4-krb5
zephyr-clients
zephyr-server
zephyr-server-krb5
golang-golang-x-text-dev
request-tracker4
rt4-apache2
rt4-clients
rt4-db-mysql
rt4-db-postgresql
rt4-db-sqlite
rt4-fcgi
rt4-standalone
libqt5gui5-gles
gitit
libghc-gitit-data
libghc-gitit-prof
apport
apport-core-dump-handler
apport-gtk
apport-kde
apport-noui
apport-retrace
apport-valgrind
dh-apport
python3-apport
python3-problem-report
fonts-povray
povray
povray-examples
povray-includes
gir1.2-gda-5.0
libgda-5.0-4t64
libgda-5.0-bin
libgda-5.0-common
libgda-5.0-mysql
libgda-5.0-postgres
opensysusers
xfig
xfig-libs
gerbv
libcrypto++-utils
libcrypto++8t64
zangband
zangband-data
man2html
man2html-base
lemonldap-ng
lemonldap-ng-fastcgi-server
lemonldap-ng-handler
lemonldap-ng-uwsgi-app
liblemonldap-ng-common-perl
liblemonldap-ng-handler-perl
liblemonldap-ng-manager-perl
liblemonldap-ng-portal-perl
liblemonldap-ng-ssoaas-apache-client-perl
php-getid3
libpaho-mqtt1.3
paho.mqtt.c-examples
tcpslice
elvish
bluetooth
bluez
bluez-cups
bluez-hcidump
bluez-meshd
bluez-obexd
bluez-source
bluez-test-scripts
bluez-test-tools
libbluetooth3
libompl17
ompl-demos
ompl-plannerarena
libsquirrel3-0
squirrel3
openssh-client-ssh1
python3-httpx
charon-cmd
charon-systemd
libcharon-extauth-plugins
libcharon-extra-plugins
libstrongswan
libstrongswan-extra-plugins
libstrongswan-standard-plugins
strongswan
strongswan-charon
strongswan-libcharon
strongswan-nm
strongswan-pki
strongswan-starter
strongswan-swanctl
cufflinks
libgclib3t64
stringtie
libjss-java
webhook
micropython
halibut
python3-srp
adminer
astcenc
libastcenc5d
teeworlds
teeworlds-data
teeworlds-server
scorched3d
scorched3d-data
blobby
blobby-data
blobby-server
widelands
widelands-data
naev
naev-data
scite
vifm
golly
tup
bam
wcc
golang-golang-x-crypto-dev
libxstream-java
libwavpack1
wavpack
e2guardian
yotta
tmate-ssh-server
libnode127
nodejs
libolm3
python3-olm
google-guest-agent
python3-mistral-dashboard
heimdal-clients
heimdal-kcm
heimdal-kdc
heimdal-multidev
heimdal-servers
libasn1-8t64-heimdal
libgssapi3t64-heimdal
libhcrypto5t64-heimdal
libhdb9t64-heimdal
libheimbase1t64-heimdal
libheimntlm0t64-heimdal
libhx509-5t64-heimdal
libkadm5clnt7t64-heimdal
libkadm5srv8t64-heimdal
libkafs0t64-heimdal
libkdc2t64-heimdal
libkrb5-26t64-heimdal
libotp0t64-heimdal
libroken19t64-heimdal
libsl0t64-heimdal
libwind0t64-heimdal
liblog4j2-java
libtoxcore2
toxcore-utils
node-minimist
insighttoolkit5-examples
libinsighttoolkit5.4
libmdb3t64
libmdbsql3t64
mdbtools
odbc-mdbtools
python3-pandas
python3-pandas-lib
giftrans
zabbix-agent
zabbix-agent2
zabbix-frontend-php
zabbix-java-gateway
zabbix-proxy-mysql
zabbix-proxy-pgsql
zabbix-proxy-sqlite3
zabbix-sender
zabbix-server-mysql
zabbix-server-pgsql
zabbix-web-service
libpocoactiverecord112
libpococrypto112
libpocodata112
libpocodatamysql112
libpocodataodbc112
libpocodatapostgresql112
libpocodatasqlite112
libpocoencodings112
libpocofoundation112
libpocojson112
libpocojwt112
libpocomongodb112
libpoconet112
libpoconetssl112
libpocoprometheus112
libpocoredis112
libpocoutil112
libpocoxml112
libpocozip112
libvisp-ar3.7t64
libvisp-blob3.7t64
libvisp-core3.7t64
libvisp-detection3.7t64
libvisp-dnn-tracker3.7t64
libvisp-gui3.7t64
libvisp-imgproc3.7t64
libvisp-io3.7t64
libvisp-klt3.7t64
libvisp-mbt3.7t64
libvisp-me3.7t64
libvisp-robot3.7t64
libvisp-sensor3.7t64
libvisp-tt-mi3.7t64
libvisp-tt3.7t64
libvisp-vision3.7t64
libvisp-visual-features3.7t64
libvisp-vs3.7t64
visp-tools
astropy-utils
python3-astropy
emboss
emboss-data
emboss-lib
emboss-test
jemboss
coda
libcoda-java
libcoda-jni
libcoda16
python3-coda
mame
mame-data
mame-tools
harp
libharp13
python3-harp
libsmltk0t64
libsynthesis0t64
xsdcxx
spin
freefem++
libfreefem++
kissplice
libxdmf3t64
python3-xdmf
ams
wireguard
wireguard-tools
python3-jsonpickle
libjboss-xnio-java
libvirglrenderer1
virgl-server
prosody
python3-loguru
libmodbus5
httpie
libnbd-bin
libnbd-ocaml
libnbd0
python3-libnbd
pat
puppet-module-puppetlabs-firewall
ruby-kubeclient
gir1.2-packagekitglib-1.0
gstreamer1.0-packagekit
libpackagekit-glib2-18
packagekit
packagekit-command-not-found
packagekit-gtk3-module
pesign
mutt
bwm-ng
dpkg
dselect
libdpkg-perl
ignition
nanopb
nuitka
chafa
libchafa0t64
libhtsjdk-java
libopenjfx-java
libopenjfx-jni
openjfx
openjfx-source
openjdk-17-demo
openjdk-17-jdk
openjdk-17-jdk-headless
openjdk-17-jre
openjdk-17-jre-headless
openjdk-17-jre-zero
openjdk-17-source
r-cran-cluster
libjawn-java
pipenv
libjs-marked
node-marked
guestfs-tools
libapache2-mod-apreq2
libapache2-request-perl
libapreq2-3t64
python3-dnslib
libspring-aop-java
libspring-beans-java
libspring-context-java
libspring-context-support-java
libspring-core-java
libspring-expression-java
libspring-instrument-java
libspring-jdbc-java
libspring-jms-java
libspring-messaging-java
libspring-orm-java
libspring-oxm-java
libspring-test-java
libspring-transaction-java
libspring-web-java
libspring-web-portlet-java
libspring-web-servlet-java
xwayland
pcf2bdf
openrazer-daemon
openrazer-driver-dkms
openrazer-meta
python3-openrazer
u-boot-amlogic
u-boot-amlogic-binaries
u-boot-asahi
u-boot-exynos
u-boot-exynos-binaries
u-boot-imx
u-boot-microchip
u-boot-mvebu
u-boot-omap
u-boot-qcom
u-boot-qemu
u-boot-rockchip
u-boot-rpi
u-boot-sifive
u-boot-sitara-binaries
u-boot-starfive
u-boot-stm32
u-boot-sunxi
u-boot-tegra
u-boot-tools
python3-sentry-sdk
ruby-rails-html-sanitizer
python3-treq
xrdp
spip
thunderbird
kate
kate-data
kwrite
ktexteditor-data
ktexteditor-katepart
libkf5texteditor-bin
libkf5texteditor5
doris
python3-doris
libvarnishapi3
varnish
xterm
libmadlib
python3-paramiko
python3-git
libmetadata-extractor-java
libzip4j-java
argyll
argyll-ref
burp
lnav
r-cran-jsonlite
ruby-yajl
libogdf-tulip-6.0
libtulip-core-6.0
libtulip-gui-6.0
libtulip-ogl-6.0
libtulip-python-6.0
tulip
ruby-asciidoctor-include-ext
libnetty-buffer-java
libnetty-common-java
libnetty-java
lua-cjson
lua-cmsgpack
libnekohtml-java
rsyslog
rsyslog-clickhouse
rsyslog-czmq
rsyslog-elasticsearch
rsyslog-gnutls
rsyslog-gssapi
rsyslog-hiredis
rsyslog-kafka
rsyslog-kubernetes
rsyslog-mongodb
rsyslog-mysql
rsyslog-openssl
rsyslog-pgsql
rsyslog-relp
rsyslog-snmp
atheme-services
atheme-services-contrib
kde-config-cron
rtl-433
python3-fava
libqt6concurrent6
libqt6core6t64
libqt6dbus6
libqt6gui6
libqt6network6
libqt6opengl6
libqt6openglwidgets6
libqt6printsupport6
libqt6sql6
libqt6sql6-ibase
libqt6sql6-mysql
libqt6sql6-odbc
libqt6sql6-psql
libqt6sql6-sqlite
libqt6test6
libqt6waylandclient6
libqt6widgets6
libqt6wlshellintegration6
libqt6xml6
qmake6
qmake6-bin
qt6-base-examples
qt6-gtk-platformtheme
qt6-qpa-plugins
qt6-xdgdesktopportal-platformtheme
booth
booth-pacemaker
ruby-git
ansible-core
libjs-terser
node-terser
terser
libjs-angularjs
libonnx-testdata
libonnx1t64
python3-onnx
node-semver
node-fetch
libdnnl3.6
python3-poetry
python3-poetry-core
buffer
pandorafms-agent
nbd-client
nbd-server
v4l2loopback-dkms
v4l2loopback-source
v4l2loopback-utils
tryton-proteus
tryton-server
tryton-server-all-in-one
tryton-server-nginx
tryton-server-postgresql
tryton-server-uwsgi
liblouis-bin
liblouis-data
liblouis20
python3-louis
libsdl2-ttf-2.0-0
crun
ocrfeeder
libkiwix14
cpp-12
g++-12
g++-12-multilib
gcc-12
gcc-12-base
gcc-12-hppa64-linux-gnu
gcc-12-locales
gcc-12-multilib
gcc-12-offload-amdgcn
gcc-12-offload-nvptx
gcc-12-source
gcc-12-test-results
gccgo-12
gccgo-12-multilib
gdc-12
gdc-12-multilib
gfortran-12
gfortran-12-multilib
gm2-12
gnat-12
gobjc++-12
gobjc++-12-multilib
gobjc-12
gobjc-12-multilib
lib32go21
lib32gphobos3
lib64go21
lib64gphobos3
libgm2-17
libgnat-12
libgo21
libgphobos3
libstdc++-12-pic
libx32go21
libx32gphobos3
bind9
bind9-dnsutils
bind9-host
bind9-libs
bind9-utils
isc-dhcp-client
isc-dhcp-client-ddns
isc-dhcp-common
isc-dhcp-keama
isc-dhcp-relay
isc-dhcp-server
isc-dhcp-server-ldap
nats-server
jhead
snap-confine
snapd
snapd-xdg-open
ubuntu-core-launcher
ubuntu-core-snapd-units
ubuntu-snappy
ubuntu-snappy-cli
smarty3
gosa
gosa-desktop
gosa-help-de
gosa-help-en
gosa-help-fr
gosa-help-nl
gosa-schema
jupyter-server
python3-jupyter-server
php-guzzlehttp-guzzle
libtomcat10-embed-java
libtomcat10-java
tomcat10
tomcat10-admin
tomcat10-common
tomcat10-examples
tomcat10-user
python3-scciclient
exfat-fuse
libunbound8
python3-unbound
unbound
unbound-anchor
unbound-host
ruby-mechanize
ruby-octokit
icingaweb2-module-reactbundle
icinga-php-thirdparty
postfixadmin
gnucash
gnucash-common
python3-gnucash
node-undici
ruby-tzinfo
libpostgresql-jdbc-java
firejail
firejail-profiles
libjpeg-tools
exo-utils
libexo-2-0
libexo-common
toybox
ruby-jmespath
libshiro-java
knot-resolver6
knot-resolver6-module-dnstap
knot-resolver6-module-http
zpaq
gir1.2-harfbuzz-0.0
libharfbuzz-bin
libharfbuzz-cairo0
libharfbuzz-gobject0
libharfbuzz-icu0
libharfbuzz-subset0
libharfbuzz0b
libprotobuf-c1
protobuf-c-compiler
libpg-query1706.0
libsignal-protocol-c2.3.2
ocserv
ruby-diffy
libxalan2-java
libxsltc-java
asymptote
asymptote-x11
octave-psychtoolbox-3
psychtoolbox-3-common
psychtoolbox-3-lib
rbdoom3bfg
milkytracker
cherrytree
artemis
libbpf1
mat2
jpegqs
libjsoup-java
jose
libjose0
libopenimageio2.5
openimageio-tools
python3-openimageio
erlang
erlang-asn1
erlang-base
erlang-common-test
erlang-crypto
erlang-debugger
erlang-dialyzer
erlang-diameter
erlang-edoc
erlang-eldap
erlang-et
erlang-eunit
erlang-examples
erlang-ftp
erlang-inets
erlang-jinterface
erlang-megaco
erlang-mnesia
erlang-mode
erlang-nox
erlang-observer
erlang-odbc
erlang-os-mon
erlang-parsetools
erlang-public-key
erlang-reltool
erlang-runtime-tools
erlang-snmp
erlang-src
erlang-ssh
erlang-ssl
erlang-syntax-tools
erlang-tftp
erlang-tools
erlang-wx
erlang-x11
erlang-xmerl
frr
frr-pythontools
frr-rpki-rtrlib
frr-snmp
gir1.2-nautilus-4.1
libnautilus-extension4
nautilus
nautilus-data
gir1.2-nemo-3.0
libnemo-extension1
nemo
nemo-data
caja
caja-common
gir1.2-caja-2.0
libcaja-extension1
libchemistry-openbabel-perl
libopenbabel7
openbabel
openbabel-gui
python3-openbabel
node-loader-utils
node-js-beautify
enlightenment
enlightenment-data
w3m
w3m-img
assimp-testmodels
assimp-utils
libassimp6
python3-pyassimp
mencoder
mplayer
syslog-ng
syslog-ng-core
syslog-ng-mod-add-contextual-data
syslog-ng-mod-amqp
syslog-ng-mod-examples
syslog-ng-mod-extra
syslog-ng-mod-geoip2
syslog-ng-mod-graphite
syslog-ng-mod-http
syslog-ng-mod-mongodb
syslog-ng-mod-python
syslog-ng-mod-rdkafka
syslog-ng-mod-redis
syslog-ng-mod-riemann
syslog-ng-mod-slog
syslog-ng-mod-snmp
syslog-ng-mod-sql
syslog-ng-mod-stardate
syslog-ng-mod-stomp
syslog-ng-mod-xml-parser
syslog-ng-scl
jgraph
freeciv
freeciv-client-extras
freeciv-client-gtk3
freeciv-client-gtk4
freeciv-client-qt
freeciv-client-sdl
freeciv-data
freeciv-ruleset-tools
freeciv-server
python3-pywatchman
watchman
python3-matrix-nio
nheko
pspp
libjettison-java
0ad
libsingular4m4n1
singular
singular-data
singular-modules
singular-ui
singular-ui-emacs
singular-ui-xterm
libconfuse-common
libconfuse2
xdg-utils
ruby-dalli
testng
glance
glance-api
glance-common
python3-glance
libosip2-15t64
check
backport-iwlwifi-dkms
rxvt-unicode
hsqldb-utils
libhsqldb-java
binutils-avr
powerline-gitstatus
python3-powerline-gitstatus
python3-cleo
timg
python-rdflib-tools
python3-rdflib
liblodepng0.1
lodepng-utils
libmotif-common
libmrm4
libuil4
libxm4
mwm
uil
libtorch-test
libtorch2.9
python3-torch
xemacs21
xemacs21-bin
xemacs21-mule
xemacs21-mule-canna-wnn
xemacs21-nomule
xemacs21-support
xemacs21-supportel
prometheus
promtool
derby-tools
libderby-java
libderbyclient-java
sslh
mpd
7zip
7zip-standalone
graphite-web
kraken
python3-swift
swift
swift-account
swift-container
swift-object
swift-object-expirer
swift-proxy
glance
glance-api
glance-common
python3-glance
nova-ajax-console-proxy
nova-api
nova-api-metadata
nova-api-os-compute
nova-api-os-volume
nova-cells
nova-common
nova-compute
nova-compute-ironic
nova-compute-kvm
nova-compute-libvirt
nova-compute-lxc
nova-compute-qemu
nova-compute-vmware
nova-compute-xen
nova-conductor
nova-novncproxy
nova-scheduler
nova-serialproxy
nova-spiceproxy
nova-volume
python3-nova
busybox
busybox-initramfs
busybox-static
busybox-syslogd
udhcpc
udhcpd
libuev3t64
libnetplan1
netplan-generator
netplan.io
python3-netplan
xnest
xorg-server-source
xserver-common
xserver-xephyr
xserver-xorg-core
xserver-xorg-legacy
xvfb
xwayland
node-xml2js
sccache
puppetserver
amd64-microcode
amd64-microcode
node-nunjucks
libpgpool2
pgpool2
postgresql-18-pgpool2
cmark
libcmark0.30.2
libreact-ocaml
libeconf-utils
libeconf0
ruby-globalid
libreswan
libworkflow1
crasm
fastdds-tools
libfastdds3.3
golang-goprotobuf-dev
protoc-gen-go-1-3
protoc-gen-go-1-5
ippsample
ippsample-data
nethack-common
nethack-console
nethack-qt
nethack-x11
ipython3
python3-ipython
libcommons-fileupload-java
libcap2
libcap2-bin
libpam-cap
epiphany-browser
epiphany-browser-data
node-graphql
afl++
python3-markdown-it
pdns-recursor
node-webfont
wabt
php-phpseclib
php-phpseclib3
edb-debugger
edb-debugger-plugins
ofono
ofono-scripts
flatpak
flatpak-tests
gir1.2-flatpak-1.0
libflatpak0
webpack
curl
libcurl3t64-gnutls
libcurl4t64
doas
opendoas
stellarium
stellarium-data
liblambdaisland-uri-clojure
libtomcat9-java
libtomcat11-embed-java
libtomcat11-java
tomcat11
tomcat11-admin
tomcat11-common
tomcat11-examples
tomcat11-user
libtomcat9-java
python3-redis
golang-golang-x-image-dev
flintqs
libopendsp3t64
libopenvlbi3t64
openvlbi
openvlbi-bin
openvlbi-data
libcoap3-bin
libcoap3t64
cpu-x
qbittorrent
qbittorrent-nox
libnvidia-cfg1-535-server
libnvidia-common-535-server
libnvidia-compute-535-server
libnvidia-decode-535-server
libnvidia-encode-535-server
libnvidia-extra-535-server
libnvidia-fbc1-535-server
libnvidia-gl-535-server
nvidia-compute-utils-535-server
nvidia-dkms-535-server
nvidia-dkms-535-server-open
nvidia-driver-535-server
nvidia-driver-535-server-open
nvidia-headless-535-server
nvidia-headless-535-server-open
nvidia-headless-no-dkms-535-server
nvidia-headless-no-dkms-535-server-open
nvidia-kernel-common-535-server
nvidia-kernel-source-535-server
nvidia-kernel-source-535-server-open
nvidia-utils-535-server
xserver-xorg-video-nvidia-535-server
liblog4cxx15
teeworlds
teeworlds-data
teeworlds-server
libjose4j-java
libvirtodbc0
virtuoso-minimal
virtuoso-opensource
virtuoso-opensource-7
virtuoso-opensource-7-bin
virtuoso-opensource-7-common
virtuoso-server
virtuoso-vad-bpel
virtuoso-vad-conductor
virtuoso-vad-demo
virtuoso-vad-isparql
virtuoso-vad-rdfmappers
virtuoso-vad-sparqldemo
virtuoso-vad-syncml
virtuoso-vad-tutorial
virtuoso-vsp-startpage
redis
redis-sentinel
redis-server
redis-tools
in-toto
gtkwave
libpam-heimdal
libpam-krb5
libipa-hbac0t64
libnss-sss
libpam-sss
libsss-certmap0
libsss-idmap0
libsss-nss-idmap0
libsss-sudo
python3-libipa-hbac
python3-libsss-nss-idmap
python3-sss
sssd
sssd-ad
sssd-ad-common
sssd-common
sssd-dbus
sssd-idp
sssd-ipa
sssd-kcm
sssd-krb5
sssd-krb5-common
sssd-ldap
sssd-passkey
sssd-proxy
sssd-tools
liborthancframework1
orthanc
erofs-utils
erofsfuse
cpdb-libs-tools
libcpdb-frontend2t64
libcpdb-libs-tools
libcpdb2t64
xml-rs
libsnappy-java
libsnappy-jni
python3-mechanicalsoup
libshiro-java
libmjson-java
libjtidy-java
evolution
evolution-common
evolution-plugin-bogofilter
evolution-plugin-pstimport
evolution-plugin-spamassassin
evolution-plugins
evolution-plugins-experimental
libevolution
suricata
yt-dlp
pandoc
sngrep
flvmeta
hamster-time-tracker
libokio-java
neutron-api
neutron-common
neutron-dhcp-agent
neutron-l3-agent
neutron-macvtap-agent
neutron-metadata-agent
neutron-metering-agent
neutron-openvswitch-agent
neutron-ovn-agent
neutron-ovn-maintenance-worker
neutron-ovn-metadata-agent
neutron-periodic-workers
neutron-plugin-ml2
neutron-rpc-server
neutron-server
neutron-sriov-agent
python3-neutron
python3-pypdf
sqlfluff
monitoring-plugins
monitoring-plugins-basic
monitoring-plugins-common
monitoring-plugins-standard
python3-hnswlib
nsis
nsis-common
nsis-pluginapi
libplexus-archiver-java
libcjose0
libipa-hbac0t64
libnss-sss
libpam-sss
libsss-certmap0
libsss-idmap0
libsss-nss-idmap0
libsss-sudo
python3-libipa-hbac
python3-libsss-nss-idmap
python3-sss
sssd
sssd-ad
sssd-ad-common
sssd-common
sssd-dbus
sssd-idp
sssd-ipa
sssd-kcm
sssd-krb5
sssd-krb5-common
sssd-ldap
sssd-passkey
sssd-proxy
sssd-tools
libpixman-1-0
openbgpd
iperf3
libiperf0
openssh-client
openssh-client-gssapi
openssh-server
openssh-server-gssapi
openssh-sftp-server
openssh-tests
ssh
ssh-askpass-gnome
ruby-protocol-http1
libcamp0.8t64
cppcheck
cppcheck-gui
cacti
efibootguard
libebgenv0
puma
cpp-11
g++-11
g++-11-multilib
gcc-11
gcc-11-base
gcc-11-hppa64-linux-gnu
gcc-11-locales
gcc-11-multilib
gcc-11-offload-amdgcn
gcc-11-offload-nvptx
gcc-11-source
gcc-11-test-results
gccgo-11
gccgo-11-multilib
gdc-11
gdc-11-multilib
gfortran-11
gfortran-11-multilib
gnat-11
gobjc++-11
gobjc++-11-multilib
gobjc-11
gobjc-11-multilib
lib32asan6
lib32go19
lib32gphobos2
lib64asan6
lib64go19
lib64gphobos2
libasan6
libgnat-11
libgo19
libgphobos2
libstdc++-11-pic
libtsan0
libx32asan6
libx32go19
libx32gphobos2
cpp-12
g++-12
g++-12-multilib
gcc-12
gcc-12-base
gcc-12-hppa64-linux-gnu
gcc-12-locales
gcc-12-multilib
gcc-12-offload-amdgcn
gcc-12-offload-nvptx
gcc-12-source
gcc-12-test-results
gccgo-12
gccgo-12-multilib
gdc-12
gdc-12-multilib
gfortran-12
gfortran-12-multilib
gm2-12
gnat-12
gobjc++-12
gobjc++-12-multilib
gobjc-12
gobjc-12-multilib
lib32go21
lib32gphobos3
lib64go21
lib64gphobos3
libgm2-17
libgnat-12
libgo21
libgphobos3
libstdc++-12-pic
libx32go21
libx32gphobos3
cpp-13
cpp-13-aarch64-linux-gnu
cpp-13-arm-linux-gnueabihf
cpp-13-for-build
cpp-13-for-host
cpp-13-i686-linux-gnu
cpp-13-powerpc64le-linux-gnu
cpp-13-riscv64-linux-gnu
cpp-13-s390x-linux-gnu
cpp-13-x86-64-linux-gnu
g++-13
g++-13-aarch64-linux-gnu
g++-13-arm-linux-gnueabihf
g++-13-for-build
g++-13-for-host
g++-13-i686-linux-gnu
g++-13-multilib
g++-13-powerpc64le-linux-gnu
g++-13-riscv64-linux-gnu
g++-13-s390x-linux-gnu
g++-13-x86-64-linux-gnu
gcc-13
gcc-13-aarch64-linux-gnu
gcc-13-arm-linux-gnueabihf
gcc-13-base
gcc-13-for-build
gcc-13-for-host
gcc-13-hppa64-linux-gnu
gcc-13-i686-linux-gnu
gcc-13-locales
gcc-13-multilib
gcc-13-offload-amdgcn
gcc-13-offload-nvptx
gcc-13-powerpc64le-linux-gnu
gcc-13-riscv64-linux-gnu
gcc-13-s390x-linux-gnu
gcc-13-source
gcc-13-test-results
gcc-13-x86-64-linux-gnu
gccgo-13
gccgo-13-aarch64-linux-gnu
gccgo-13-arm-linux-gnueabihf
gccgo-13-for-build
gccgo-13-for-host
gccgo-13-i686-linux-gnu
gccgo-13-multilib
gccgo-13-powerpc64le-linux-gnu
gccgo-13-riscv64-linux-gnu
gccgo-13-s390x-linux-gnu
gccgo-13-x86-64-linux-gnu
gdc-13
gdc-13-aarch64-linux-gnu
gdc-13-arm-linux-gnueabihf
gdc-13-for-build
gdc-13-for-host
gdc-13-i686-linux-gnu
gdc-13-multilib
gdc-13-powerpc64le-linux-gnu
gdc-13-riscv64-linux-gnu
gdc-13-s390x-linux-gnu
gdc-13-x86-64-linux-gnu
gfortran-13
gfortran-13-aarch64-linux-gnu
gfortran-13-arm-linux-gnueabihf
gfortran-13-for-build
gfortran-13-for-host
gfortran-13-i686-linux-gnu
gfortran-13-multilib
gfortran-13-powerpc64le-linux-gnu
gfortran-13-riscv64-linux-gnu
gfortran-13-s390x-linux-gnu
gfortran-13-x86-64-linux-gnu
gm2-13
gm2-13-aarch64-linux-gnu
gm2-13-arm-linux-gnueabihf
gm2-13-for-build
gm2-13-for-host
gm2-13-i686-linux-gnu
gm2-13-powerpc64le-linux-gnu
gm2-13-riscv64-linux-gnu
gm2-13-s390x-linux-gnu
gm2-13-x86-64-linux-gnu
gnat-13
gnat-13-aarch64-linux-gnu
gnat-13-arm-linux-gnueabihf
gnat-13-for-build
gnat-13-for-host
gnat-13-i686-linux-gnu
gnat-13-powerpc64le-linux-gnu
gnat-13-riscv64-linux-gnu
gnat-13-s390x-linux-gnu
gnat-13-x86-64-linux-gnu
gobjc++-13
gobjc++-13-aarch64-linux-gnu
gobjc++-13-arm-linux-gnueabihf
gobjc++-13-for-build
gobjc++-13-for-host
gobjc++-13-i686-linux-gnu
gobjc++-13-multilib
gobjc++-13-powerpc64le-linux-gnu
gobjc++-13-riscv64-linux-gnu
gobjc++-13-s390x-linux-gnu
gobjc++-13-x86-64-linux-gnu
gobjc-13
gobjc-13-aarch64-linux-gnu
gobjc-13-arm-linux-gnueabihf
gobjc-13-for-build
gobjc-13-for-host
gobjc-13-i686-linux-gnu
gobjc-13-multilib
gobjc-13-powerpc64le-linux-gnu
gobjc-13-riscv64-linux-gnu
gobjc-13-s390x-linux-gnu
gobjc-13-x86-64-linux-gnu
lib32go22
lib32gphobos4
lib64go22
lib64gphobos4
libgm2-18
libgnat-13
libgo22
libgphobos4
libstdc++-13-pic
libx32go22
libx32gphobos4
cpp-11-aarch64-linux-gnu
cpp-11-arm-linux-gnueabi
cpp-11-arm-linux-gnueabihf
cpp-11-i686-linux-gnu
cpp-11-powerpc-linux-gnu
cpp-11-powerpc64le-linux-gnu
cpp-11-s390x-linux-gnu
cpp-11-x86-64-linux-gnu
g++-11-aarch64-linux-gnu
g++-11-arm-linux-gnueabi
g++-11-arm-linux-gnueabihf
g++-11-i686-linux-gnu
g++-11-multilib-i686-linux-gnu
g++-11-multilib-powerpc-linux-gnu
g++-11-multilib-x86-64-linux-gnu
g++-11-powerpc-linux-gnu
g++-11-powerpc64le-linux-gnu
g++-11-s390x-linux-gnu
g++-11-x86-64-linux-gnu
gcc-11-aarch64-linux-gnu
gcc-11-aarch64-linux-gnu-base
gcc-11-arm-linux-gnueabi
gcc-11-arm-linux-gnueabi-base
gcc-11-arm-linux-gnueabihf
gcc-11-arm-linux-gnueabihf-base
gcc-11-cross-base
gcc-11-i686-linux-gnu
gcc-11-i686-linux-gnu-base
gcc-11-multilib-i686-linux-gnu
gcc-11-multilib-powerpc-linux-gnu
gcc-11-multilib-x86-64-linux-gnu
gcc-11-powerpc-linux-gnu
gcc-11-powerpc-linux-gnu-base
gcc-11-powerpc64le-linux-gnu
gcc-11-powerpc64le-linux-gnu-base
gcc-11-s390x-linux-gnu
gcc-11-s390x-linux-gnu-base
gcc-11-x86-64-linux-gnu
gcc-11-x86-64-linux-gnu-base
gccgo-11-aarch64-linux-gnu
gccgo-11-arm-linux-gnueabi
gccgo-11-arm-linux-gnueabihf
gccgo-11-i686-linux-gnu
gccgo-11-multilib-i686-linux-gnu
gccgo-11-multilib-powerpc-linux-gnu
gccgo-11-multilib-x86-64-linux-gnu
gccgo-11-powerpc-linux-gnu
gccgo-11-powerpc64le-linux-gnu
gccgo-11-s390x-linux-gnu
gccgo-11-x86-64-linux-gnu
gdc-11-aarch64-linux-gnu
gdc-11-arm-linux-gnueabi
gdc-11-arm-linux-gnueabihf
gdc-11-i686-linux-gnu
gdc-11-multilib-i686-linux-gnu
gdc-11-multilib-powerpc-linux-gnu
gdc-11-multilib-x86-64-linux-gnu
gdc-11-powerpc-linux-gnu
gdc-11-powerpc64le-linux-gnu
gdc-11-s390x-linux-gnu
gdc-11-x86-64-linux-gnu
gfortran-11-aarch64-linux-gnu
gfortran-11-arm-linux-gnueabi
gfortran-11-arm-linux-gnueabihf
gfortran-11-i686-linux-gnu
gfortran-11-multilib-i686-linux-gnu
gfortran-11-multilib-powerpc-linux-gnu
gfortran-11-multilib-x86-64-linux-gnu
gfortran-11-powerpc-linux-gnu
gfortran-11-powerpc64le-linux-gnu
gfortran-11-s390x-linux-gnu
gfortran-11-x86-64-linux-gnu
gnat-11-aarch64-linux-gnu
gnat-11-arm-linux-gnueabi
gnat-11-arm-linux-gnueabihf
gnat-11-i686-linux-gnu
gnat-11-powerpc-linux-gnu
gnat-11-powerpc64le-linux-gnu
gnat-11-s390x-linux-gnu
gnat-11-x86-64-linux-gnu
gobjc++-11-aarch64-linux-gnu
gobjc++-11-arm-linux-gnueabi
gobjc++-11-arm-linux-gnueabihf
gobjc++-11-i686-linux-gnu
gobjc++-11-multilib-i686-linux-gnu
gobjc++-11-multilib-powerpc-linux-gnu
gobjc++-11-multilib-x86-64-linux-gnu
gobjc++-11-powerpc-linux-gnu
gobjc++-11-powerpc64le-linux-gnu
gobjc++-11-s390x-linux-gnu
gobjc++-11-x86-64-linux-gnu
gobjc-11-aarch64-linux-gnu
gobjc-11-arm-linux-gnueabi
gobjc-11-arm-linux-gnueabihf
gobjc-11-i686-linux-gnu
gobjc-11-multilib-i686-linux-gnu
gobjc-11-multilib-powerpc-linux-gnu
gobjc-11-multilib-x86-64-linux-gnu
gobjc-11-powerpc-linux-gnu
gobjc-11-powerpc64le-linux-gnu
gobjc-11-s390x-linux-gnu
gobjc-11-x86-64-linux-gnu
lib32asan6-amd64-cross
lib32go19-amd64-cross
lib32gphobos2-amd64-cross
lib64asan6-i386-cross
lib64asan6-powerpc-cross
lib64go19-i386-cross
lib64go19-powerpc-cross
lib64gphobos2-i386-cross
lib64gphobos2-powerpc-cross
libasan6-amd64-cross
libasan6-arm64-cross
libasan6-armel-cross
libasan6-armhf-cross
libasan6-i386-cross
libasan6-powerpc-cross
libasan6-ppc64el-cross
libasan6-s390x-cross
libgnat-11-amd64-cross
libgnat-11-arm64-cross
libgnat-11-armel-cross
libgnat-11-armhf-cross
libgnat-11-i386-cross
libgnat-11-powerpc-cross
libgnat-11-ppc64el-cross
libgnat-11-s390x-cross
libgo19-amd64-cross
libgo19-arm64-cross
libgo19-armel-cross
libgo19-armhf-cross
libgo19-i386-cross
libgo19-powerpc-cross
libgo19-ppc64el-cross
libgo19-s390x-cross
libgphobos2-amd64-cross
libgphobos2-arm64-cross
libgphobos2-armel-cross
libgphobos2-armhf-cross
libgphobos2-i386-cross
libgphobos2-powerpc-cross
libgphobos2-ppc64el-cross
libgphobos2-s390x-cross
libstdc++-11-pic-amd64-cross
libstdc++-11-pic-arm64-cross
libstdc++-11-pic-armel-cross
libstdc++-11-pic-armhf-cross
libstdc++-11-pic-i386-cross
libstdc++-11-pic-powerpc-cross
libstdc++-11-pic-ppc64el-cross
libstdc++-11-pic-s390x-cross
libtsan0-amd64-cross
libtsan0-arm64-cross
libtsan0-ppc64el-cross
libx32asan6-amd64-cross
libx32asan6-i386-cross
libx32go19-amd64-cross
libx32go19-i386-cross
libx32gphobos2-amd64-cross
libx32gphobos2-i386-cross
cpp-11-alpha-linux-gnu
cpp-11-arc-linux-gnu
cpp-11-hppa-linux-gnu
cpp-11-m68k-linux-gnu
cpp-11-powerpc64-linux-gnu
cpp-11-riscv64-linux-gnu
cpp-11-sh4-linux-gnu
cpp-11-sparc64-linux-gnu
cpp-11-x86-64-linux-gnux32
g++-11-alpha-linux-gnu
g++-11-arc-linux-gnu
g++-11-hppa-linux-gnu
g++-11-m68k-linux-gnu
g++-11-multilib-powerpc64-linux-gnu
g++-11-multilib-sparc64-linux-gnu
g++-11-multilib-x86-64-linux-gnux32
g++-11-powerpc64-linux-gnu
g++-11-riscv64-linux-gnu
g++-11-sh4-linux-gnu
g++-11-sparc64-linux-gnu
g++-11-x86-64-linux-gnux32
gcc-11-alpha-linux-gnu
gcc-11-alpha-linux-gnu-base
gcc-11-arc-linux-gnu
gcc-11-arc-linux-gnu-base
gcc-11-cross-base-ports
gcc-11-hppa-linux-gnu
gcc-11-hppa-linux-gnu-base
gcc-11-m68k-linux-gnu
gcc-11-m68k-linux-gnu-base
gcc-11-multilib-powerpc64-linux-gnu
gcc-11-multilib-sparc64-linux-gnu
gcc-11-multilib-x86-64-linux-gnux32
gcc-11-powerpc64-linux-gnu
gcc-11-powerpc64-linux-gnu-base
gcc-11-riscv64-linux-gnu
gcc-11-riscv64-linux-gnu-base
gcc-11-sh4-linux-gnu
gcc-11-sh4-linux-gnu-base
gcc-11-sparc64-linux-gnu
gcc-11-sparc64-linux-gnu-base
gcc-11-x86-64-linux-gnux32
gcc-11-x86-64-linux-gnux32-base
gccgo-11-alpha-linux-gnu
gccgo-11-multilib-powerpc64-linux-gnu
gccgo-11-multilib-sparc64-linux-gnu
gccgo-11-multilib-x86-64-linux-gnux32
gccgo-11-powerpc64-linux-gnu
gccgo-11-riscv64-linux-gnu
gccgo-11-sparc64-linux-gnu
gccgo-11-x86-64-linux-gnux32
gdc-11-alpha-linux-gnu
gdc-11-hppa-linux-gnu
gdc-11-m68k-linux-gnu
gdc-11-multilib-powerpc64-linux-gnu
gdc-11-multilib-sparc64-linux-gnu
gdc-11-multilib-x86-64-linux-gnux32
gdc-11-powerpc64-linux-gnu
gdc-11-riscv64-linux-gnu
gdc-11-sh4-linux-gnu
gdc-11-sparc64-linux-gnu
gdc-11-x86-64-linux-gnux32
gfortran-11-alpha-linux-gnu
gfortran-11-arc-linux-gnu
gfortran-11-hppa-linux-gnu
gfortran-11-m68k-linux-gnu
gfortran-11-multilib-powerpc64-linux-gnu
gfortran-11-multilib-sparc64-linux-gnu
gfortran-11-multilib-x86-64-linux-gnux32
gfortran-11-powerpc64-linux-gnu
gfortran-11-riscv64-linux-gnu
gfortran-11-sh4-linux-gnu
gfortran-11-sparc64-linux-gnu
gfortran-11-x86-64-linux-gnux32
gnat-11-alpha-linux-gnu
gnat-11-hppa-linux-gnu
gnat-11-powerpc64-linux-gnu
gnat-11-riscv64-linux-gnu
gnat-11-sh4-linux-gnu
gnat-11-sparc64-linux-gnu
gnat-11-x86-64-linux-gnux32
gobjc++-11-alpha-linux-gnu
gobjc++-11-arc-linux-gnu
gobjc++-11-hppa-linux-gnu
gobjc++-11-m68k-linux-gnu
gobjc++-11-multilib-powerpc64-linux-gnu
gobjc++-11-multilib-sparc64-linux-gnu
gobjc++-11-multilib-x86-64-linux-gnux32
gobjc++-11-powerpc64-linux-gnu
gobjc++-11-riscv64-linux-gnu
gobjc++-11-sh4-linux-gnu
gobjc++-11-sparc64-linux-gnu
gobjc++-11-x86-64-linux-gnux32
gobjc-11-alpha-linux-gnu
gobjc-11-arc-linux-gnu
gobjc-11-hppa-linux-gnu
gobjc-11-m68k-linux-gnu
gobjc-11-multilib-powerpc64-linux-gnu
gobjc-11-multilib-sparc64-linux-gnu
gobjc-11-multilib-x86-64-linux-gnux32
gobjc-11-powerpc64-linux-gnu
gobjc-11-riscv64-linux-gnu
gobjc-11-sh4-linux-gnu
gobjc-11-sparc64-linux-gnu
gobjc-11-x86-64-linux-gnux32
lib32asan6-ppc64-cross
lib32asan6-sparc64-cross
lib32asan6-x32-cross
lib32go19-ppc64-cross
lib32go19-sparc64-cross
lib32go19-x32-cross
lib32gphobos2-ppc64-cross
lib32gphobos2-sparc64-cross
lib32gphobos2-x32-cross
lib64asan6-x32-cross
lib64go19-x32-cross
lib64gphobos2-x32-cross
libasan6-ppc64-cross
libasan6-riscv64-cross
libasan6-sparc64-cross
libasan6-x32-cross
libgnat-11-alpha-cross
libgnat-11-hppa-cross
libgnat-11-ppc64-cross
libgnat-11-riscv64-cross
libgnat-11-sh4-cross
libgnat-11-sparc64-cross
libgnat-11-x32-cross
libgo19-alpha-cross
libgo19-ppc64-cross
libgo19-riscv64-cross
libgo19-sparc64-cross
libgo19-x32-cross
libgphobos2-hppa-cross
libgphobos2-ppc64-cross
libgphobos2-riscv64-cross
libgphobos2-sparc64-cross
libgphobos2-x32-cross
libstdc++-11-pic-alpha-cross
libstdc++-11-pic-arc-cross
libstdc++-11-pic-hppa-cross
libstdc++-11-pic-m68k-cross
libstdc++-11-pic-ppc64-cross
libstdc++-11-pic-riscv64-cross
libstdc++-11-pic-sh4-cross
libstdc++-11-pic-sparc64-cross
libstdc++-11-pic-x32-cross
libtsan0-ppc64-cross
cpp-12-aarch64-linux-gnu
cpp-12-arm-linux-gnueabi
cpp-12-arm-linux-gnueabihf
cpp-12-i686-linux-gnu
cpp-12-powerpc-linux-gnu
cpp-12-powerpc64le-linux-gnu
cpp-12-s390x-linux-gnu
cpp-12-x86-64-linux-gnu
g++-12-aarch64-linux-gnu
g++-12-arm-linux-gnueabi
g++-12-arm-linux-gnueabihf
g++-12-i686-linux-gnu
g++-12-multilib-i686-linux-gnu
g++-12-multilib-powerpc-linux-gnu
g++-12-multilib-x86-64-linux-gnu
g++-12-powerpc-linux-gnu
g++-12-powerpc64le-linux-gnu
g++-12-s390x-linux-gnu
g++-12-x86-64-linux-gnu
gcc-12-aarch64-linux-gnu
gcc-12-aarch64-linux-gnu-base
gcc-12-arm-linux-gnueabi
gcc-12-arm-linux-gnueabi-base
gcc-12-arm-linux-gnueabihf
gcc-12-arm-linux-gnueabihf-base
gcc-12-cross-base
gcc-12-i686-linux-gnu
gcc-12-i686-linux-gnu-base
gcc-12-multilib-i686-linux-gnu
gcc-12-multilib-powerpc-linux-gnu
gcc-12-multilib-x86-64-linux-gnu
gcc-12-powerpc-linux-gnu
gcc-12-powerpc-linux-gnu-base
gcc-12-powerpc64le-linux-gnu
gcc-12-powerpc64le-linux-gnu-base
gcc-12-s390x-linux-gnu
gcc-12-s390x-linux-gnu-base
gcc-12-x86-64-linux-gnu
gcc-12-x86-64-linux-gnu-base
gccgo-12-aarch64-linux-gnu
gccgo-12-arm-linux-gnueabi
gccgo-12-arm-linux-gnueabihf
gccgo-12-i686-linux-gnu
gccgo-12-multilib-i686-linux-gnu
gccgo-12-multilib-powerpc-linux-gnu
gccgo-12-multilib-x86-64-linux-gnu
gccgo-12-powerpc-linux-gnu
gccgo-12-powerpc64le-linux-gnu
gccgo-12-s390x-linux-gnu
gccgo-12-x86-64-linux-gnu
gdc-12-aarch64-linux-gnu
gdc-12-arm-linux-gnueabi
gdc-12-arm-linux-gnueabihf
gdc-12-i686-linux-gnu
gdc-12-multilib-i686-linux-gnu
gdc-12-multilib-powerpc-linux-gnu
gdc-12-multilib-x86-64-linux-gnu
gdc-12-powerpc-linux-gnu
gdc-12-powerpc64le-linux-gnu
gdc-12-s390x-linux-gnu
gdc-12-x86-64-linux-gnu
gfortran-12-aarch64-linux-gnu
gfortran-12-arm-linux-gnueabi
gfortran-12-arm-linux-gnueabihf
gfortran-12-i686-linux-gnu
gfortran-12-multilib-i686-linux-gnu
gfortran-12-multilib-powerpc-linux-gnu
gfortran-12-multilib-x86-64-linux-gnu
gfortran-12-powerpc-linux-gnu
gfortran-12-powerpc64le-linux-gnu
gfortran-12-s390x-linux-gnu
gfortran-12-x86-64-linux-gnu
gm2-12-aarch64-linux-gnu
gm2-12-arm-linux-gnueabi
gm2-12-arm-linux-gnueabihf
gm2-12-i686-linux-gnu
gm2-12-powerpc64le-linux-gnu
gm2-12-s390x-linux-gnu
gm2-12-x86-64-linux-gnu
gnat-12-aarch64-linux-gnu
gnat-12-arm-linux-gnueabi
gnat-12-arm-linux-gnueabihf
gnat-12-i686-linux-gnu
gnat-12-powerpc-linux-gnu
gnat-12-powerpc64le-linux-gnu
gnat-12-s390x-linux-gnu
gnat-12-x86-64-linux-gnu
gobjc++-12-aarch64-linux-gnu
gobjc++-12-arm-linux-gnueabi
gobjc++-12-arm-linux-gnueabihf
gobjc++-12-i686-linux-gnu
gobjc++-12-multilib-i686-linux-gnu
gobjc++-12-multilib-powerpc-linux-gnu
gobjc++-12-multilib-x86-64-linux-gnu
gobjc++-12-powerpc-linux-gnu
gobjc++-12-powerpc64le-linux-gnu
gobjc++-12-s390x-linux-gnu
gobjc++-12-x86-64-linux-gnu
gobjc-12-aarch64-linux-gnu
gobjc-12-arm-linux-gnueabi
gobjc-12-arm-linux-gnueabihf
gobjc-12-i686-linux-gnu
gobjc-12-multilib-i686-linux-gnu
gobjc-12-multilib-powerpc-linux-gnu
gobjc-12-multilib-x86-64-linux-gnu
gobjc-12-powerpc-linux-gnu
gobjc-12-powerpc64le-linux-gnu
gobjc-12-s390x-linux-gnu
gobjc-12-x86-64-linux-gnu
lib32go21-amd64-cross
lib32gphobos3-amd64-cross
lib64go21-i386-cross
lib64go21-powerpc-cross
lib64gphobos3-i386-cross
lib64gphobos3-powerpc-cross
libgm2-17-amd64-cross
libgm2-17-arm64-cross
libgm2-17-armel-cross
libgm2-17-armhf-cross
libgm2-17-i386-cross
libgm2-17-ppc64el-cross
libgm2-17-s390x-cross
libgnat-12-amd64-cross
libgnat-12-arm64-cross
libgnat-12-armel-cross
libgnat-12-armhf-cross
libgnat-12-i386-cross
libgnat-12-powerpc-cross
libgnat-12-ppc64el-cross
libgnat-12-s390x-cross
libgo21-amd64-cross
libgo21-arm64-cross
libgo21-armel-cross
libgo21-armhf-cross
libgo21-i386-cross
libgo21-powerpc-cross
libgo21-ppc64el-cross
libgo21-s390x-cross
libgphobos3-amd64-cross
libgphobos3-arm64-cross
libgphobos3-armel-cross
libgphobos3-armhf-cross
libgphobos3-i386-cross
libgphobos3-powerpc-cross
libgphobos3-ppc64el-cross
libgphobos3-s390x-cross
libstdc++-12-pic-amd64-cross
libstdc++-12-pic-arm64-cross
libstdc++-12-pic-armel-cross
libstdc++-12-pic-armhf-cross
libstdc++-12-pic-i386-cross
libstdc++-12-pic-powerpc-cross
libstdc++-12-pic-ppc64el-cross
libstdc++-12-pic-s390x-cross
libx32go21-amd64-cross
libx32go21-i386-cross
libx32gphobos3-amd64-cross
libx32gphobos3-i386-cross
cpp-12-alpha-linux-gnu
cpp-12-arc-linux-gnu
cpp-12-hppa-linux-gnu
cpp-12-m68k-linux-gnu
cpp-12-powerpc64-linux-gnu
cpp-12-riscv64-linux-gnu
cpp-12-sh4-linux-gnu
cpp-12-sparc64-linux-gnu
cpp-12-x86-64-linux-gnux32
g++-12-alpha-linux-gnu
g++-12-arc-linux-gnu
g++-12-hppa-linux-gnu
g++-12-m68k-linux-gnu
g++-12-multilib-powerpc64-linux-gnu
g++-12-multilib-sparc64-linux-gnu
g++-12-multilib-x86-64-linux-gnux32
g++-12-powerpc64-linux-gnu
g++-12-riscv64-linux-gnu
g++-12-sh4-linux-gnu
g++-12-sparc64-linux-gnu
g++-12-x86-64-linux-gnux32
gcc-12-alpha-linux-gnu
gcc-12-alpha-linux-gnu-base
gcc-12-arc-linux-gnu
gcc-12-arc-linux-gnu-base
gcc-12-cross-base-ports
gcc-12-hppa-linux-gnu
gcc-12-hppa-linux-gnu-base
gcc-12-m68k-linux-gnu
gcc-12-m68k-linux-gnu-base
gcc-12-multilib-powerpc64-linux-gnu
gcc-12-multilib-sparc64-linux-gnu
gcc-12-multilib-x86-64-linux-gnux32
gcc-12-powerpc64-linux-gnu
gcc-12-powerpc64-linux-gnu-base
gcc-12-riscv64-linux-gnu
gcc-12-riscv64-linux-gnu-base
gcc-12-sh4-linux-gnu
gcc-12-sh4-linux-gnu-base
gcc-12-sparc64-linux-gnu
gcc-12-sparc64-linux-gnu-base
gcc-12-x86-64-linux-gnux32
gcc-12-x86-64-linux-gnux32-base
gccgo-12-alpha-linux-gnu
gccgo-12-multilib-powerpc64-linux-gnu
gccgo-12-multilib-sparc64-linux-gnu
gccgo-12-multilib-x86-64-linux-gnux32
gccgo-12-powerpc64-linux-gnu
gccgo-12-riscv64-linux-gnu
gccgo-12-sparc64-linux-gnu
gccgo-12-x86-64-linux-gnux32
gdc-12-hppa-linux-gnu
gdc-12-multilib-powerpc64-linux-gnu
gdc-12-multilib-sparc64-linux-gnu
gdc-12-multilib-x86-64-linux-gnux32
gdc-12-powerpc64-linux-gnu
gdc-12-riscv64-linux-gnu
gdc-12-sparc64-linux-gnu
gdc-12-x86-64-linux-gnux32
gfortran-12-alpha-linux-gnu
gfortran-12-arc-linux-gnu
gfortran-12-hppa-linux-gnu
gfortran-12-m68k-linux-gnu
gfortran-12-multilib-powerpc64-linux-gnu
gfortran-12-multilib-sparc64-linux-gnu
gfortran-12-multilib-x86-64-linux-gnux32
gfortran-12-powerpc64-linux-gnu
gfortran-12-riscv64-linux-gnu
gfortran-12-sh4-linux-gnu
gfortran-12-sparc64-linux-gnu
gfortran-12-x86-64-linux-gnux32
gm2-12-alpha-linux-gnu
gm2-12-arc-linux-gnu
gm2-12-hppa-linux-gnu
gm2-12-m68k-linux-gnu
gm2-12-riscv64-linux-gnu
gm2-12-sparc64-linux-gnu
gm2-12-x86-64-linux-gnux32
gnat-12-alpha-linux-gnu
gnat-12-hppa-linux-gnu
gnat-12-m68k-linux-gnu
gnat-12-powerpc64-linux-gnu
gnat-12-riscv64-linux-gnu
gnat-12-sh4-linux-gnu
gnat-12-sparc64-linux-gnu
gnat-12-x86-64-linux-gnux32
gobjc++-12-alpha-linux-gnu
gobjc++-12-arc-linux-gnu
gobjc++-12-hppa-linux-gnu
gobjc++-12-m68k-linux-gnu
gobjc++-12-multilib-powerpc64-linux-gnu
gobjc++-12-multilib-sparc64-linux-gnu
gobjc++-12-multilib-x86-64-linux-gnux32
gobjc++-12-powerpc64-linux-gnu
gobjc++-12-riscv64-linux-gnu
gobjc++-12-sh4-linux-gnu
gobjc++-12-sparc64-linux-gnu
gobjc++-12-x86-64-linux-gnux32
gobjc-12-alpha-linux-gnu
gobjc-12-arc-linux-gnu
gobjc-12-hppa-linux-gnu
gobjc-12-m68k-linux-gnu
gobjc-12-multilib-powerpc64-linux-gnu
gobjc-12-multilib-sparc64-linux-gnu
gobjc-12-multilib-x86-64-linux-gnux32
gobjc-12-powerpc64-linux-gnu
gobjc-12-riscv64-linux-gnu
gobjc-12-sh4-linux-gnu
gobjc-12-sparc64-linux-gnu
gobjc-12-x86-64-linux-gnux32
lib32go21-ppc64-cross
lib32go21-sparc64-cross
lib32go21-x32-cross
lib32gphobos3-ppc64-cross
lib32gphobos3-sparc64-cross
lib32gphobos3-x32-cross
lib64go21-x32-cross
lib64gphobos3-x32-cross
libgm2-17-alpha-cross
libgm2-17-arc-cross
libgm2-17-hppa-cross
libgm2-17-m68k-cross
libgm2-17-riscv64-cross
libgm2-17-sparc64-cross
libgm2-17-x32-cross
libgnat-12-alpha-cross
libgnat-12-hppa-cross
libgnat-12-m68k-cross
libgnat-12-ppc64-cross
libgnat-12-riscv64-cross
libgnat-12-sh4-cross
libgnat-12-sparc64-cross
libgnat-12-x32-cross
libgo21-alpha-cross
libgo21-ppc64-cross
libgo21-riscv64-cross
libgo21-sparc64-cross
libgo21-x32-cross
libgphobos3-hppa-cross
libgphobos3-ppc64-cross
libgphobos3-riscv64-cross
libgphobos3-sparc64-cross
libgphobos3-x32-cross
libstdc++-12-pic-alpha-cross
libstdc++-12-pic-arc-cross
libstdc++-12-pic-hppa-cross
libstdc++-12-pic-m68k-cross
libstdc++-12-pic-ppc64-cross
libstdc++-12-pic-riscv64-cross
libstdc++-12-pic-sh4-cross
libstdc++-12-pic-sparc64-cross
libstdc++-12-pic-x32-cross
cpp-13-alpha-linux-gnu
cpp-13-arc-linux-gnu
cpp-13-arm-linux-gnueabi
cpp-13-hppa-linux-gnu
cpp-13-loongarch64-linux-gnu
cpp-13-m68k-linux-gnu
cpp-13-powerpc64-linux-gnu
cpp-13-sh4-linux-gnu
cpp-13-sparc64-linux-gnu
cpp-13-x86-64-linux-gnux32
g++-13-alpha-linux-gnu
g++-13-arc-linux-gnu
g++-13-arm-linux-gnueabi
g++-13-hppa-linux-gnu
g++-13-loongarch64-linux-gnu
g++-13-m68k-linux-gnu
g++-13-multilib-powerpc64-linux-gnu
g++-13-multilib-sparc64-linux-gnu
g++-13-multilib-x86-64-linux-gnux32
g++-13-powerpc64-linux-gnu
g++-13-sh4-linux-gnu
g++-13-sparc64-linux-gnu
g++-13-x86-64-linux-gnux32
gcc-13-alpha-linux-gnu
gcc-13-alpha-linux-gnu-base
gcc-13-arc-linux-gnu
gcc-13-arc-linux-gnu-base
gcc-13-arm-linux-gnueabi
gcc-13-arm-linux-gnueabi-base
gcc-13-cross-base-ports
gcc-13-hppa-linux-gnu
gcc-13-hppa-linux-gnu-base
gcc-13-loongarch64-linux-gnu
gcc-13-loongarch64-linux-gnu-base
gcc-13-m68k-linux-gnu
gcc-13-m68k-linux-gnu-base
gcc-13-multilib-powerpc64-linux-gnu
gcc-13-multilib-sparc64-linux-gnu
gcc-13-multilib-x86-64-linux-gnux32
gcc-13-powerpc64-linux-gnu
gcc-13-powerpc64-linux-gnu-base
gcc-13-sh4-linux-gnu
gcc-13-sh4-linux-gnu-base
gcc-13-sparc64-linux-gnu
gcc-13-sparc64-linux-gnu-base
gcc-13-x86-64-linux-gnux32
gcc-13-x86-64-linux-gnux32-base
gccgo-13-alpha-linux-gnu
gccgo-13-arm-linux-gnueabi
gccgo-13-multilib-powerpc64-linux-gnu
gccgo-13-multilib-sparc64-linux-gnu
gccgo-13-multilib-x86-64-linux-gnux32
gccgo-13-powerpc64-linux-gnu
gccgo-13-sparc64-linux-gnu
gccgo-13-x86-64-linux-gnux32
gdc-13-arm-linux-gnueabi
gdc-13-hppa-linux-gnu
gdc-13-multilib-powerpc64-linux-gnu
gdc-13-multilib-sparc64-linux-gnu
gdc-13-multilib-x86-64-linux-gnux32
gdc-13-powerpc64-linux-gnu
gdc-13-sparc64-linux-gnu
gdc-13-x86-64-linux-gnux32
gfortran-13-alpha-linux-gnu
gfortran-13-arc-linux-gnu
gfortran-13-arm-linux-gnueabi
gfortran-13-hppa-linux-gnu
gfortran-13-loongarch64-linux-gnu
gfortran-13-m68k-linux-gnu
gfortran-13-multilib-powerpc64-linux-gnu
gfortran-13-multilib-sparc64-linux-gnu
gfortran-13-multilib-x86-64-linux-gnux32
gfortran-13-powerpc64-linux-gnu
gfortran-13-sh4-linux-gnu
gfortran-13-sparc64-linux-gnu
gfortran-13-x86-64-linux-gnux32
gm2-13-alpha-linux-gnu
gm2-13-arc-linux-gnu
gm2-13-arm-linux-gnueabi
gm2-13-hppa-linux-gnu
gm2-13-m68k-linux-gnu
gm2-13-sparc64-linux-gnu
gm2-13-x86-64-linux-gnux32
gnat-13-alpha-linux-gnu
gnat-13-arm-linux-gnueabi
gnat-13-hppa-linux-gnu
gnat-13-m68k-linux-gnu
gnat-13-powerpc64-linux-gnu
gnat-13-sh4-linux-gnu
gnat-13-sparc64-linux-gnu
gnat-13-x86-64-linux-gnux32
gobjc++-13-alpha-linux-gnu
gobjc++-13-arc-linux-gnu
gobjc++-13-arm-linux-gnueabi
gobjc++-13-hppa-linux-gnu
gobjc++-13-loongarch64-linux-gnu
gobjc++-13-m68k-linux-gnu
gobjc++-13-multilib-powerpc64-linux-gnu
gobjc++-13-multilib-sparc64-linux-gnu
gobjc++-13-multilib-x86-64-linux-gnux32
gobjc++-13-powerpc64-linux-gnu
gobjc++-13-sh4-linux-gnu
gobjc++-13-sparc64-linux-gnu
gobjc++-13-x86-64-linux-gnux32
gobjc-13-alpha-linux-gnu
gobjc-13-arc-linux-gnu
gobjc-13-arm-linux-gnueabi
gobjc-13-hppa-linux-gnu
gobjc-13-loongarch64-linux-gnu
gobjc-13-m68k-linux-gnu
gobjc-13-multilib-powerpc64-linux-gnu
gobjc-13-multilib-sparc64-linux-gnu
gobjc-13-multilib-x86-64-linux-gnux32
gobjc-13-powerpc64-linux-gnu
gobjc-13-sh4-linux-gnu
gobjc-13-sparc64-linux-gnu
gobjc-13-x86-64-linux-gnux32
lib32go22-ppc64-cross
lib32go22-sparc64-cross
lib32go22-x32-cross
lib32gphobos4-ppc64-cross
lib32gphobos4-sparc64-cross
lib32gphobos4-x32-cross
lib64go22-x32-cross
lib64gphobos4-x32-cross
libgm2-18-alpha-cross
libgm2-18-arc-cross
libgm2-18-armel-cross
libgm2-18-hppa-cross
libgm2-18-m68k-cross
libgm2-18-sparc64-cross
libgm2-18-x32-cross
libgnat-13-alpha-cross
libgnat-13-armel-cross
libgnat-13-hppa-cross
libgnat-13-m68k-cross
libgnat-13-ppc64-cross
libgnat-13-sh4-cross
libgnat-13-sparc64-cross
libgnat-13-x32-cross
libgo22-alpha-cross
libgo22-armel-cross
libgo22-ppc64-cross
libgo22-sparc64-cross
libgo22-x32-cross
libgphobos4-armel-cross
libgphobos4-hppa-cross
libgphobos4-ppc64-cross
libgphobos4-sparc64-cross
libgphobos4-x32-cross
libstdc++-13-pic-alpha-cross
libstdc++-13-pic-arc-cross
libstdc++-13-pic-armel-cross
libstdc++-13-pic-hppa-cross
libstdc++-13-pic-loong64-cross
libstdc++-13-pic-m68k-cross
libstdc++-13-pic-ppc64-cross
libstdc++-13-pic-sh4-cross
libstdc++-13-pic-sparc64-cross
libstdc++-13-pic-x32-cross
libtinyxml2.6.2v5
rar
shim-signed
shim
python3-pyramid
libpf4j-java
gir1.2-zbar-1.0
libbarcode-zbar-perl
libzbar0t64
libzbargtk0t64
libzbarqt0t64
python3-zbar
zbar-tools
zbarcam-gtk
zbarcam-qt
firebird3.0-common
firebird3.0-examples
firebird3.0-server
firebird3.0-server-core
firebird3.0-utils
python3-relational
relational
relational-cli
exim4
exim4-base
exim4-config
exim4-daemon-heavy
exim4-daemon-light
eximon4
libmail-spf-xs-perl
libspf2-2t64
spfquery
node-ip
busybox
busybox-initramfs
busybox-static
busybox-syslogd
udhcpc
udhcpd
libqt5concurrent5t64
libqt5core5t64
libqt5dbus5t64
libqt5gui5t64
libqt5network5t64
libqt5opengl5t64
libqt5printsupport5t64
libqt5sql5-ibase
libqt5sql5-mysql
libqt5sql5-odbc
libqt5sql5-psql
libqt5sql5-sqlite
libqt5sql5-tds
libqt5sql5t64
libqt5test5t64
libqt5widgets5t64
libqt5xml5t64
qt5-gtk-platformtheme
qt5-qmake
qt5-qmake-bin
qt5-xdgdesktopportal-platformtheme
qtbase5-examples
libarm-compute43
bibledit
bibledit-data
bibledit-cloud
bibledit-cloud-data
tiny-dnn
utox
libcue2
node-get-func-name
libx11-6
libx11-data
libx11-xcb1
libxpm4
xpmutils
musescore
musescore-common
musescore3
musescore3-common
libxml-security-java
libvpx9
vpx-tools
mycli
cups
cups-bsd
cups-client
cups-common
cups-core-drivers
cups-daemon
cups-ipp-utils
cups-ppdc
cups-server-common
libcups2t64
libcupsimage2t64
libppd-tests
libppd-utils
libppd2
libppd2-common
ppdc
lua-http
cfengine3
libpromises3
python3-pdm
libslang2
libslang2-modules
libslang2-pic
slsh
rabbitmq-server
librabbitmq-client-java
pleaser
jbig2dec
libjbig2dec0
esptool
grub-efi-amd64
grub-efi-amd64-bin
grub-efi-amd64-unsigned
grub-efi-arm64
grub-efi-arm64-bin
grub-efi-arm64-unsigned
grub-efi-amd64-signed
grub-efi-arm64-signed
libjs-bootbox
raku
minidlna
jgit-cli
libjgit-ant-java
libjgit-java
efi-shell-aa64
efi-shell-arm
efi-shell-ia32
efi-shell-loongarch64
efi-shell-riscv64
efi-shell-x64
ovmf
ovmf-ia32
ovmf-inteltdx
qemu-efi-aarch64
qemu-efi-arm
qemu-efi-loongarch64
qemu-efi-riscv64
dropbear
dropbear-bin
dropbear-initramfs
python3-asyncssh
filezilla
filezilla-common
fish
fish-common
gemmi
python3-gemmi
falcosecurity-scap-dkms
libfalcosecurity0t64
libnvpair3linux
libpam-zfs
libuutil3linux
libzfs6linux
libzfsbootenv1linux
libzpool6linux
python3-pyzfs
zfs-dkms
zfs-dracut
zfs-initramfs
zfs-test
zfs-zed
zfsutils-linux
budgie-app-launcher-applet
budgie-applications-menu-applet
budgie-brightness-controller-applet
budgie-clockworks-applet
budgie-countdown-applet
budgie-dropby-applet
budgie-extras-common
budgie-extras-daemon
budgie-fuzzyclock-applet
budgie-hotcorners-applet
budgie-kangaroo-applet
budgie-keyboard-autoswitch-applet
budgie-network-manager-applet
budgie-previews
budgie-quickchar
budgie-quicknote-applet
budgie-recentlyused-applet
budgie-rotation-lock-applet
budgie-screencast-applet
budgie-showtime-applet
budgie-showtime-widget
budgie-takeabreak-applet
budgie-trash-applet
budgie-visualspace-applet
budgie-wallstreet
budgie-weathershow-applet
budgie-window-shuffler
budgie-workspace-stopwatch-applet
budgie-workspace-wallpaper-applet
budgie-workspace-wallpaper-widget
tinyproxy
tinyproxy-bin
libtiles-java
libpam-slurm
libpam-slurm-adopt
libpmi0t64
libpmi2-0t64
libslurm-perl
libslurm44t64
libslurmdb-perl
sackd
slurm-client
slurm-client-emulator
slurm-wlm
slurm-wlm-basic-plugins
slurm-wlm-elasticsearch-plugin
slurm-wlm-emulator
slurm-wlm-hdf5-plugin
slurm-wlm-influxdb-plugin
slurm-wlm-ipmi-plugins
slurm-wlm-jwt-plugin
slurm-wlm-kafka-plugin
slurm-wlm-mysql-plugin
slurm-wlm-plugins
slurm-wlm-rsmi-plugin
slurm-wlm-torque
slurmctld
slurmd
slurmdbd
slurmrestd
dnsmasq
dnsmasq-base
dnsmasq-base-lua
dnsmasq-utils
libjline3-java
exiftags
libjenkins-json-java
libjson-java
erlang-jose
libjsonpath-java
libmupdf27.0
mupdf
mupdf-tools
python3-mupdf
libnetpbm11t64
netpbm
opencpn
opencpn-data
exim4
exim4-base
exim4-config
exim4-daemon-heavy
exim4-daemon-light
eximon4
ruby-json-jwt
libtiff-opengl
libtiff-tools
libtiff6
libtiffxx6
libeclipse-osgi-compatibility-state-java
libeclipse-osgi-java
libeclipse-osgi-services-java
libequinox-app-java
libequinox-metatype-java
libequinox-servletbridge-java
libequinox-bidi-java
libequinox-cm-java
libequinox-coordinator-java
libequinox-common-java
libequinox-concurrent-java
libequinox-jsp-jasper-registry-java
libequinox-console-java
libequinox-event-java
libequinox-executable-jni
libequinox-http-jetty-java
libequinox-http-registry-java
libequinox-transforms-hook-java
libequinox-http-servlet-java
libequinox-http-servletbridge-java
libequinox-jsp-jasper-java
libequinox-launcher-java
libequinox-preferences-java
libequinox-region-java
libequinox-registry-java
libequinox-security-java
libequinox-security-ui-java
libequinox-transforms-xslt-java
libequinox-weaving-caching-java
libequinox-useradmin-java
libequinox-weaving-hook-java
xnest
xorg-server-source
xserver-common
xserver-xephyr
xserver-xorg-core
xserver-xorg-legacy
xvfb
gnome-control-center
gnome-control-center-data
gnome-control-center-faces
geotiff-bin
libgeotiff5
libtk-img
ffmpeg
libavcodec-extra
libavcodec-extra62
libavcodec62
libavdevice62
libavfilter-extra
libavfilter-extra11
libavfilter11
libavformat-extra
libavformat-extra62
libavformat62
libavutil60
libswresample6
libswscale9
python3-jwcrypto
libpcp-archive1
libpcp-gui2
libpcp-import-perl
libpcp-import1
libpcp-logsummary-perl
libpcp-mmv-perl
libpcp-mmv1
libpcp-pmda-perl
libpcp-pmda3
libpcp-trace2
libpcp-web1
libpcp3
libpcp4
pcp
pcp-conf
pcp-export-pcp2elasticsearch
pcp-export-pcp2graphite
pcp-export-pcp2influxdb
pcp-export-pcp2json
pcp-export-pcp2spark
pcp-export-pcp2xlsx
pcp-export-pcp2xml
pcp-export-pcp2zabbix
pcp-export-zabbix-agent
pcp-gui
pcp-import-benchmarks
pcp-import-collectl2pcp
pcp-import-ganglia2pcp
pcp-import-guidellm2pcp
pcp-import-iostat2pcp
pcp-import-mrtg2pcp
pcp-import-sar2pcp
pcp-import-sheet2pcp
pcp-pmda-infiniband
pcp-testsuite
pcp-zeroconf
python3-pcp
cpio
libnvidia-cfg1-550
libnvidia-common-550
libnvidia-compute-550
libnvidia-decode-550
libnvidia-encode-550
libnvidia-extra-550
libnvidia-fbc1-550
libnvidia-gl-550
nvidia-compute-utils-550
nvidia-dkms-550
nvidia-dkms-550-open
nvidia-driver-550
nvidia-driver-550-open
nvidia-headless-550
nvidia-headless-550-open
nvidia-headless-no-dkms-550
nvidia-headless-no-dkms-550-open
nvidia-kernel-common-550
nvidia-kernel-source-550
nvidia-kernel-source-550-open
nvidia-utils-550
xserver-xorg-video-nvidia-550
libnvidia-cfg1-560
libnvidia-common-560
libnvidia-compute-560
libnvidia-decode-560
libnvidia-encode-560
libnvidia-extra-560
libnvidia-fbc1-560
libnvidia-gl-560
nvidia-compute-utils-560
nvidia-dkms-560
nvidia-dkms-560-open
nvidia-driver-560
nvidia-driver-560-open
nvidia-headless-560
nvidia-headless-560-open
nvidia-headless-no-dkms-560
nvidia-headless-no-dkms-560-open
nvidia-kernel-common-560
nvidia-kernel-source-560
nvidia-kernel-source-560-open
nvidia-utils-560
xserver-xorg-video-nvidia-560
gnutls-bin
libgnutls-dane0t64
libgnutls-openssl27t64
libgnutls30t64
runsc
libmpg123-0t64
libout123-0t64
libsyn123-0t64
mpg123
podman
podman-remote
gunicorn
gunicorn-examples
python3-gunicorn
python3-glance-store
node-serialize-javascript
node-tar-fs
efi-shell-aa64
efi-shell-arm
efi-shell-ia32
efi-shell-loongarch64
efi-shell-riscv64
efi-shell-x64
ovmf
ovmf-ia32
ovmf-inteltdx
qemu-efi-aarch64
qemu-efi-arm
qemu-efi-loongarch64
qemu-efi-riscv64
libstring-compare-constanttime-perl
libbatterycontrol6
libkfontinst6
libkfontinstui6
libklipper6
libklookandfeel6
libkmpris6
libkworkspace6-6
libnotificationmanager1
libtaskmanager6
plasma-session-wayland
plasma-session-x11
plasma-workspace
plasma-workspace-data
black
node-markdown-to-jsx
apktool
libapache-mime4j-java
libgcrypt-bin
libgcrypt20
python3-djangorestframework-simplejwt
php-tcpdf
clojure
libclojure-java
dovecot-auth-lua
dovecot-core
dovecot-flatcurve
dovecot-gssapi
dovecot-imapd
dovecot-ldap
dovecot-lmtpd
dovecot-managesieved
dovecot-mysql
dovecot-pgsql
dovecot-pop3d
dovecot-sieve
dovecot-solr
dovecot-sqlite
dovecot-submissiond
rear
python3-aiohttp
python3-ecdsa
libglut3.12
libcrypt-openssl-rsa-perl
golang-google-protobuf-dev
protoc-gen-go
google-osconfig-agent
python3-uamqp
libjwt-gnutls2
libjwt2
hugin
hugin-data
hugin-tools
libimlib2t64
libdnsjava-java
python3-xhtml2pdf
python3-cbor2
krb5-admin-server
krb5-gss-samples
krb5-k5tls
krb5-kdc
krb5-kdc-ldap
krb5-kpropd
krb5-locales
krb5-multidev
krb5-otp
krb5-pkinit
krb5-user
libgssapi-krb5-2
libgssrpc4t64
libk5crypto3
libkadm5clnt-mit12
libkadm5srv-mit12
libkdb5-10t64
libkrad0
libkrb5-3
libkrb5support0
node-es5-ext
python3-aiosmtpd
dcm2niix
python3-rpyc
gir1.2-javascriptcoregtk-4.1
gir1.2-javascriptcoregtk-6.0
gir1.2-webkit-6.0
gir1.2-webkit2-4.1
libjavascriptcoregtk-4.0-bin
libjavascriptcoregtk-4.1-0
libjavascriptcoregtk-6.0-1
libjavascriptcoregtk-bin
libwebkit2gtk-4.1-0
libwebkitgtk-6.0-4
webkit2gtk-driver
webkitgtk-webdriver
amavisd-new
amavisd-new-postfix
bsdextrautils
eject
fdisk
lastlog2
libblkid1
libfdisk1
liblastlog2-2
libmount1
libpam-lastlog2
libsmartcols1
libuuid1
mount
rfkill
util-linux
util-linux-extra
util-linux-locales
uuid-runtime
bsdutils
login
fop
libfop-java
weasyprint
python3-cloudscraper
magnum-api
magnum-common
magnum-conductor
python3-magnum
openvpn-auth-ldap
intel-microcode
libtss2-esys-3.0.2-0t64
libtss2-fapi1t64
libtss2-mu-4.0.1-0t64
libtss2-policy0t64
libtss2-rc0t64
libtss2-sys1t64
libtss2-tcti-cmd0t64
libtss2-tcti-i2c-ftdi0
libtss2-tcti-i2c-helper0
libtss2-tcti-libtpms0t64
libtss2-tcti-mssim0t64
libtss2-tcti-pcap0t64
libtss2-tcti-spi-ftdi0
libtss2-tcti-spi-helper0t64
libtss2-tcti-spi-ltt2go0
libtss2-tcti-spidev0
libtss2-tcti-swtpm0t64
libtss2-tctildr0t64
node-ip
libmdc3t64
medcon
xmedcon
distrobox
influxdb
influxdb-client
synapse
lua-bitop
libxmlunit-java
libblosc2-7
freerdp3-proxy
freerdp3-proxy-modules
freerdp3-sdl
freerdp3-shadow-x11
freerdp3-wayland
freerdp3-x11
libfreerdp-client3-3
libfreerdp-server-proxy3-3
libfreerdp-server3-3
libfreerdp-shadow-subsystem3-3
libfreerdp-shadow3-3
libfreerdp3-3
libwinpr-tools3-3
libwinpr3-3
winpr3-utils
fceux
flatpak
flatpak-tests
gir1.2-flatpak-1.0
libflatpak0
hugo
ruby-kaminari
ruby-kaminari-actionview
ruby-kaminari-activerecord
ruby-kaminari-core
lua-nginx-memcached
lua-nginx-redis
lua-nginx-websocket
ghostscript
libgs-common
libgs10
libgs10-common
form
gir1.2-girepository-3.0
gir1.2-glib-2.0
girepository-tools
libgirepository-2.0-0
libglib2.0-0t64
libglib2.0-bin
libglib2.0-data
libglib2.0-tests
maxima
maxima-emacs
maxima-share
maxima-src
maxima-test
xmaxima
libxml-security-c30
xml-security-c-utils
python3-pip
python3-pip-whl
python3-sqlitedict
python3-pymysql
libbatterycontrol6
libcolorcorrect6
libkfontinst6
libkfontinstui6
libklipper6
libkmpris6
libkworkspace6-6
libnotificationmanager1
libtaskmanager6
libweather-ion7
plasma-session-wayland
plasma-session-x11
plasma-workspace
plasma-workspace-data
libqt5networkauth5
qtnetworkauth5-examples
nix-bin
nix-setup-systemd
gir1.2-gsf-1
libgsf-1-114
libgsf-1-common
libgsf-bin
dnscrypt-proxy
python3-authlib
cvc5
libcvc5-1
libcvc5parser1
python3-cvc5
node-ws
roundcube
roundcube-core
roundcube-mysql
roundcube-pgsql
roundcube-plugins
roundcube-sqlite3
wget
global
efi-shell-aa64
efi-shell-loongarch64
efi-shell-riscv64
efi-shell-x64
ovmf
ovmf-amdsev
ovmf-generic
ovmf-inteltdx
ovmf-legacy
qemu-efi-aarch64
qemu-efi-loongarch64
qemu-efi-riscv64
libde265-0
libde265-examples
libjs-requirejs
node-requirejs
mimetex
python3-fastapi
containerd
node-micromatch
android-platform-libcore-headers
libandroid-json-java
node-braces
docker.io
keepalived
libemail-mime-perl
sdop
libruby3.3
ruby3.3
u-boot-amlogic
u-boot-amlogic-binaries
u-boot-asahi
u-boot-exynos
u-boot-exynos-binaries
u-boot-imx
u-boot-microchip
u-boot-mvebu
u-boot-omap
u-boot-qcom
u-boot-qemu
u-boot-rockchip
u-boot-rpi
u-boot-sifive
u-boot-sitara-binaries
u-boot-starfive
u-boot-stm32
u-boot-sunxi
u-boot-tegra
u-boot-tools
python3-webob
smartdns
invesalius
invesalius-bin
invesalius-examples
php-geshi
xfpt
ruby-request-store
node-serve-static
jupyterlab
ironic-api
ironic-common
ironic-conductor
python3-ironic
ironic-python-agent
gir1.2-gst-rtsp-server-1.0
gstreamer1.0-rtsp
libgstrtspserver-1.0-0
node-express
cpanminus
golang-1.24
golang-1.24-go
golang-1.24-src
adsys
adsys-windows
golang-golang-x-net-dev
golang-1.23
golang-1.23-go
golang-1.23-src
tgt
tgt-glusterfs
tgt-rbd
logiops
grub-efi-amd64
grub-efi-amd64-bin
grub-efi-amd64-unsigned
grub-efi-arm64
grub-efi-arm64-bin
grub-efi-arm64-unsigned
grub-efi-amd64-signed
grub-efi-arm64-signed
node-dompurify
libapache2-mod-jk
redict
redict-sentinel
redict-server
redict-tools
rollup
python3-meshtastic
ruby-webrick
libqt63danimation6
libqt63dcore6
libqt63dextras6
libqt63dinput6
libqt63dlogic6
libqt63dquick6
libqt63dquickextras6
libqt63dquickscene2d6
libqt63dquickscene3d6
libqt63drender6
qml6-module-qt3d-animation
qml6-module-qt3d-core
qml6-module-qt3d-extras
qml6-module-qt3d-input
qml6-module-qt3d-logic
qml6-module-qt3d-render
qml6-module-qtquick-scene2d
qml6-module-qtquick-scene3d
qt6-3d-assimpsceneimport-plugin
qt6-3d-defaultgeometryloader-plugin
qt6-3d-examples
qt6-3d-gltfsceneio-plugin
qt6-3d-scene2d-plugin
libqt6quick3d6
libqt6quick3dassetimport6
libqt6quick3dassetutils6
libqt6quick3dglslparser6
libqt6quick3diblbaker6
libqt6quick3druntimerender6
libqt6quick3dutils6
libqt6quick3dxr6
qml6-module-qtquick3d
qml6-module-qtquick3d-assetutils
qml6-module-qtquick3d-effects
qml6-module-qtquick3d-helpers
qml6-module-qtquick3d-lightmapviewer
qml6-module-qtquick3d-materialeditor
qml6-module-qtquick3d-particleeffects
qml6-module-qtquick3d-particles3d
qml6-module-qtquick3d-xr
qt6-qmltooling-quick3dprofiler-plugin
qt6-quick3d-assetimporters-plugin
qt6-quick3d-examples
mutt
neomutt
python3-werkzeug
python3-quart
php-symfony
php-symfony-aha-send-mailer
php-symfony-all-my-sms-notifier
php-symfony-amazon-dynamo-db-lock
php-symfony-amazon-mailer
php-symfony-amazon-sns-notifier
php-symfony-amazon-sqs-messenger
php-symfony-amqp-messenger
php-symfony-asset
php-symfony-asset-mapper
php-symfony-azure-mailer
php-symfony-bandwidth-notifier
php-symfony-beanstalkd-messenger
php-symfony-bluesky-notifier
php-symfony-brevo-mailer
php-symfony-brevo-notifier
php-symfony-browser-kit
php-symfony-cache
php-symfony-chatwork-notifier
php-symfony-click-send-notifier
php-symfony-clickatell-notifier
php-symfony-clock
php-symfony-config
php-symfony-console
php-symfony-contact-everyone-notifier
php-symfony-crowdin-translation-provider
php-symfony-css-selector
php-symfony-debug-bundle
php-symfony-dependency-injection
php-symfony-discord-notifier
php-symfony-dom-crawler
php-symfony-dotenv
php-symfony-emoji
php-symfony-engagespot-notifier
php-symfony-error-handler
php-symfony-esendex-notifier
php-symfony-event-dispatcher
php-symfony-expo-notifier
php-symfony-expression-language
php-symfony-fake-chat-notifier
php-symfony-fake-sms-notifier
php-symfony-filesystem
php-symfony-finder
php-symfony-firebase-notifier
php-symfony-form
php-symfony-forty-six-elks-notifier
php-symfony-framework-bundle
php-symfony-free-mobile-notifier
php-symfony-gateway-api-notifier
php-symfony-go-ip-notifier
php-symfony-google-chat-notifier
php-symfony-google-mailer
php-symfony-html-sanitizer
php-symfony-http-client
php-symfony-http-foundation
php-symfony-http-kernel
php-symfony-infobip-mailer
php-symfony-infobip-notifier
php-symfony-intl
php-symfony-iqsms-notifier
php-symfony-isendpro-notifier
php-symfony-joli-notif-notifier
php-symfony-json-path
php-symfony-json-streamer
php-symfony-kaz-info-teh-notifier
php-symfony-ldap
php-symfony-light-sms-notifier
php-symfony-line-bot-notifier
php-symfony-line-notify-notifier
php-symfony-linked-in-notifier
php-symfony-lock
php-symfony-loco-translation-provider
php-symfony-lokalise-translation-provider
php-symfony-lox24-notifier
php-symfony-mail-pace-mailer
php-symfony-mailchimp-mailer
php-symfony-mailer
php-symfony-mailer-send-mailer
php-symfony-mailgun-mailer
php-symfony-mailjet-mailer
php-symfony-mailjet-notifier
php-symfony-mailomat-mailer
php-symfony-mailtrap-mailer
php-symfony-mastodon-notifier
php-symfony-matrix-notifier
php-symfony-mattermost-notifier
php-symfony-mercure-notifier
php-symfony-message-bird-notifier
php-symfony-message-media-notifier
php-symfony-messenger
php-symfony-microsoft-graph-mailer
php-symfony-microsoft-teams-notifier
php-symfony-mime
php-symfony-mobyt-notifier
php-symfony-monolog-bridge
php-symfony-notifier
php-symfony-novu-notifier
php-symfony-ntfy-notifier
php-symfony-object-mapper
php-symfony-octopush-notifier
php-symfony-one-signal-notifier
php-symfony-options-resolver
php-symfony-orange-sms-notifier
php-symfony-ovh-cloud-notifier
php-symfony-pager-duty-notifier
php-symfony-password-hasher
php-symfony-phpunit-bridge
php-symfony-phrase-translation-provider
php-symfony-plivo-notifier
php-symfony-postal-mailer
php-symfony-postmark-mailer
php-symfony-primotexto-notifier
php-symfony-process
php-symfony-property-access
php-symfony-property-info
php-symfony-psr-http-message-bridge
php-symfony-pushover-notifier
php-symfony-pushy-notifier
php-symfony-rate-limiter
php-symfony-redis-messenger
php-symfony-redlink-notifier
php-symfony-remote-event
php-symfony-resend-mailer
php-symfony-ring-central-notifier
php-symfony-rocket-chat-notifier
php-symfony-routing
php-symfony-runtime
php-symfony-scaleway-mailer
php-symfony-scheduler
php-symfony-security-bundle
php-symfony-security-core
php-symfony-security-csrf
php-symfony-security-http
php-symfony-semaphore
php-symfony-sendberry-notifier
php-symfony-sendgrid-mailer
php-symfony-serializer
php-symfony-sevenio-notifier
php-symfony-simple-textin-notifier
php-symfony-sinch-notifier
php-symfony-sipgate-notifier
php-symfony-slack-notifier
php-symfony-sms-biuras-notifier
php-symfony-sms-factor-notifier
php-symfony-sms-sluzba-notifier
php-symfony-sms77-notifier
php-symfony-smsapi-notifier
php-symfony-smsbox-notifier
php-symfony-smsc-notifier
php-symfony-smsense-notifier
php-symfony-smsmode-notifier
php-symfony-spot-hit-notifier
php-symfony-stopwatch
php-symfony-string
php-symfony-sweego-mailer
php-symfony-sweego-notifier
php-symfony-telegram-notifier
php-symfony-telnyx-notifier
php-symfony-termii-notifier
php-symfony-translation
php-symfony-turbo-sms-notifier
php-symfony-twig-bridge
php-symfony-twig-bundle
php-symfony-twilio-notifier
php-symfony-twitter-notifier
php-symfony-type-info
php-symfony-uid
php-symfony-unifonic-notifier
php-symfony-validator
php-symfony-var-dumper
php-symfony-var-exporter
php-symfony-vonage-notifier
php-symfony-web-link
php-symfony-web-profiler-bundle
php-symfony-webhook
php-symfony-workflow
php-symfony-yaml
php-symfony-yunpian-notifier
php-symfony-zendesk-notifier
php-symfony-zulip-notifier
oscar
gsl-bin
libgsl28
libgslcblas0
libsndfile1
sndfile-programs
libtinyxml2-11
pymol
pymol-data
python3-pymol
netsurf-common
netsurf-fb
netsurf-gtk
notation
redis-redisearch
jwt
git
git-all
git-cvs
git-email
git-gui
git-man
git-svn
gitk
gitweb
libmina2-java
python3-sklearn
python3-sklearn-lib
tuned
tuned-gtk
tuned-ppd
tuned-utils
tuned-utils-systemtap
rclone
gir1.2-soup-2.4
libsoup-2.4-1
libsoup-gnome-2.4-1
libsoup2.4-common
libsoup2.4-tests
python3-lxml-html-clean
simplesamlphp
python3-tornado
libngtcp2-16
libngtcp2-crypto-gnutls8
libngtcp2-crypto-ossl0
iptraf-ng
libpcl-apps1.15
libpcl-common1.15
libpcl-features1.15
libpcl-filters1.15
libpcl-io1.15
libpcl-kdtree1.15
libpcl-keypoints1.15
libpcl-ml1.15
libpcl-octree1.15
libpcl-outofcore1.15
libpcl-people1.15
libpcl-recognition1.15
libpcl-registration1.15
libpcl-sample-consensus1.15
libpcl-search1.15
libpcl-segmentation1.15
libpcl-stereo1.15
libpcl-surface1.15
libpcl-tracking1.15
libpcl-visualization1.15
pcl-tools
iperf
libasync-http-client-java
tcpreplay
socat
dante-client
dante-server
libdsocksd0t64
libsocksd0t64
terminus
libcolpack0t64
ratfor
libgraphics-colornames-perl
sympa
fastnetmon
fort-validator
age
libsubid5
login.defs
passwd
uidmap
gir1.2-harfbuzz-0.0
libharfbuzz-bin
libharfbuzz-cairo0
libharfbuzz-gobject0
libharfbuzz-icu0
libharfbuzz-subset0
libharfbuzz0b
ghostty
libjson-smart-java
libweb-api-perl
libnet-dropbox-api-perl
libmojolicious-perl
gir1.2-gtk-2.0
gtk2-engines-pixbuf
libgail-common
libgail18t64
libgtk2.0-0t64
libgtk2.0-bin
libgtk2.0-common
gir1.2-gtk-3.0
gtk-3-examples
libgail-3-0t64
libgtk-3-0t64
libgtk-3-bin
libgtk-3-common
heat-api
heat-api-cfn
heat-common
heat-engine
python3-heat
bolt-17
clang-17
clang-17-examples
clang-format-17
clang-tidy-17
clang-tools-17
clangd-17
flang-17
libc++1-17t64
libc++abi1-17t64
libclang-cpp17t64
libclang1-17t64
libclc-17
liblld-17
liblldb-17t64
libllvm17t64
libmlir-17t64
libomp5-17t64
libunwind-17t64
lld-17
lldb-17
llvm-17
llvm-17-examples
llvm-17-linker-tools
llvm-17-runtime
llvm-17-tools
mlir-17-tools
python3-clang-17
python3-lldb-17
cura
golang-github-containers-common
amd64-microcode
pgagent
docker-buildx
libabsl20240722
pypy3
pypy3-lib
pypy3-lib-testsuite
pypy3-tk
pypy3-venv
rsync
fio
fio-examples
libxslt1.1
xsltproc
libruby3.3
ruby3.3
libogre1.12.10t64
ogre-1.12-tools
python3-ogre-1.12
blender-ogrexml-1.9
libogre-1.9.0t64
ogre-1.9-tools
gir1.2-soup-3.0
libsoup-3.0-0
libsoup-3.0-common
libsoup-3.0-tests
gir1.2-soup-2.4
libsoup-2.4-1
libsoup-gnome-2.4-1
libsoup2.4-common
libsoup2.4-tests
jetty12
libjetty12-extra-java
libjetty12-java
apt-cacher-ng
node-static
libssl3t64
openssl
openssl-provider-legacy
libunbound8
python3-unbound
unbound
unbound-anchor
unbound-host
libluksmeta0
luksmeta
libyaml-syck-perl
libpcap0.8t64
jython
libbson2-2
libmongoc2-2
liblz4-java
liblz4-jni
kamailio
kamailio-autheph-modules
kamailio-cnxcc-modules
kamailio-cpl-modules
kamailio-erlang-modules
kamailio-extra-modules
kamailio-geoip2-modules
kamailio-ims-modules
kamailio-json-modules
kamailio-kafka-modules
kamailio-kazoo-modules
kamailio-ldap-modules
kamailio-lua-modules
kamailio-lwsc-modules
kamailio-memcached-modules
kamailio-microhttpd-modules
kamailio-mongodb-modules
kamailio-mqtt-modules
kamailio-mysql-modules
kamailio-nats-modules
kamailio-outbound-modules
kamailio-perl-modules
kamailio-phonenum-modules
kamailio-postgres-modules
kamailio-presence-modules
kamailio-python3-modules
kamailio-rabbitmq-modules
kamailio-radius-modules
kamailio-redis-modules
kamailio-ruby-modules
kamailio-sctp-modules
kamailio-secsipid-modules
kamailio-snmpstats-modules
kamailio-sqlite-modules
kamailio-systemd-modules
kamailio-tls-modules
kamailio-tls-wolfssl-modules
kamailio-unixodbc-modules
kamailio-utils-modules
kamailio-websocket-modules
kamailio-xml-modules
kamailio-xmpp-modules
libqt6labsplatform6
libqt6labssynchronizer6
libqt6qml6
libqt6qmlcompiler6
libqt6qmlmeta6
libqt6qmlmodels6
libqt6qmlnetwork6
libqt6qmlworkerscript6
libqt6quick6
libqt6quickcontrols2-6
libqt6quickshapes6
libqt6quickshapesdesignhelpers6
libqt6quicktemplates2-6
libqt6quicktest6
libqt6quickvectorimage6
libqt6quickvectorimagegenerator6
libqt6quickvectorimagehelpers6
libqt6quickwidgets6
qml-qt6
qml6-module-qml
qml6-module-qmltime
qml6-module-qt-labs-animation
qml6-module-qt-labs-assetdownloader
qml6-module-qt-labs-folderlistmodel
qml6-module-qt-labs-platform
qml6-module-qt-labs-qmlmodels
qml6-module-qt-labs-settings
qml6-module-qt-labs-sharedimage
qml6-module-qt-labs-synchronizer
qml6-module-qt-labs-wavefrontmesh
qml6-module-qtcore
qml6-module-qtnetwork
qml6-module-qtqml
qml6-module-qtqml-models
qml6-module-qtqml-workerscript
qml6-module-qtqml-xmllistmodel
qml6-module-qtquick
qml6-module-qtquick-controls
qml6-module-qtquick-dialogs
qml6-module-qtquick-effects
qml6-module-qtquick-layouts
qml6-module-qtquick-localstorage
qml6-module-qtquick-particles
qml6-module-qtquick-shapes
qml6-module-qtquick-shapes-designhelpers
qml6-module-qtquick-templates
qml6-module-qtquick-tooling
qml6-module-qtquick-vectorimage
qml6-module-qtquick-vectorimage-helpers
qml6-module-qtquick-window
qml6-module-qttest
qmlscene-qt6
qt6-declarative-examples
qt6-qmllint-plugins
qt6-qmlls-plugins
qt6-qmltooling-plugins
libqt5quick5-gles
libqt5quickparticles5-gles
lighttpd
lighttpd-mod-authn-gssapi
lighttpd-mod-authn-pam
lighttpd-mod-authn-sasl
lighttpd-mod-deflate
lighttpd-mod-gnutls
lighttpd-mod-maxminddb
lighttpd-mod-mbedtls
lighttpd-mod-nss
lighttpd-mod-openssl
lighttpd-mod-vhostdb-pgsql
lighttpd-mod-webdav
lighttpd-mod-wolfssl
lighttpd-modules-dbi
lighttpd-modules-ldap
lighttpd-modules-lua
lighttpd-modules-mysql
libquickjs
quickjs
libnss-libvirt
libvirt-clients
libvirt-clients-qemu
libvirt-common
libvirt-daemon
libvirt-daemon-common
libvirt-daemon-config-network
libvirt-daemon-config-nwfilter
libvirt-daemon-driver-interface
libvirt-daemon-driver-lxc
libvirt-daemon-driver-network
libvirt-daemon-driver-nodedev
libvirt-daemon-driver-nwfilter
libvirt-daemon-driver-qemu
libvirt-daemon-driver-secret
libvirt-daemon-driver-storage
libvirt-daemon-driver-storage-disk
libvirt-daemon-driver-storage-gluster
libvirt-daemon-driver-storage-iscsi
libvirt-daemon-driver-storage-iscsi-direct
libvirt-daemon-driver-storage-logical
libvirt-daemon-driver-storage-mpath
libvirt-daemon-driver-storage-rbd
libvirt-daemon-driver-storage-scsi
libvirt-daemon-driver-storage-zfs
libvirt-daemon-driver-vbox
libvirt-daemon-driver-xen
libvirt-daemon-lock
libvirt-daemon-log
libvirt-daemon-plugin-lockd
libvirt-daemon-plugin-sanlock
libvirt-daemon-system
libvirt-daemon-system-systemd
libvirt-daemon-system-sysv
libvirt-l10n
libvirt-login-shell
libvirt-sanlock
libvirt-ssh-proxy
libvirt-wireshark
libvirt0
idle-python3.14
libpython3.14
libpython3.14-minimal
libpython3.14-stdlib
libpython3.14-testsuite
python3.14
python3.14-examples
python3.14-full
python3.14-gdbm
python3.14-minimal
python3.14-nopie
python3.14-tk
python3.14-venv
libecpg-compat3
libecpg6
libpgtypes3
libpq-oauth
libpq5
postgresql-18
postgresql-18-jit
postgresql-client-18
postgresql-plperl-18
postgresql-plpython3-18
postgresql-pltcl-18
pgbouncer
gokey
python3-django
node-body-parser
python3-django
debuginfod
elfutils
libasm1t64
libdebuginfod-common
libdebuginfod1t64
libdw1t64
libelf1t64
duc
duc-nox
opensc
opensc-pkcs11
python3-nltk
robocode
libchdr0
gir1.2-girepository-3.0
gir1.2-glib-2.0
girepository-tools
libgirepository-2.0-0
libglib2.0-0t64
libglib2.0-bin
libglib2.0-data
libglib2.0-tests
gir1.2-soup-2.4
libsoup-2.4-1
libsoup-gnome-2.4-1
libsoup2.4-common
libsoup2.4-tests
libwhisper1
whisper.cpp
ruby-aws-sdk
libbcjmail-java
libbcmail-java
libbcpg-java
libbcpkix-java
libbcprov-java
libbctls-java
libbcutil-java
node-nodemailer
libnetcdf22
netcdf-bin
glibc-source
libc-bin
libc-gconv-modules-extra
libc6
libc6-amd64
libc6-i386
libc6-x32
locales
locales-all
nscd
node-qs
libopencolorio2.5
opencolorio-tools
python3-pyopencolorio
inkscape
inkscape-tutorials
libmapnik4.2
mapnik-utils
libdata-entropy-perl
libmysqlclient24
mysql-client
mysql-client-core
mysql-router
mysql-server
mysql-server-core
mysql-source
mysql-testsuite
openjdk-17-crac-demo
openjdk-17-crac-jdk
openjdk-17-crac-jdk-headless
openjdk-17-crac-jre
openjdk-17-crac-jre-headless
openjdk-17-crac-jre-zero
openjdk-17-crac-source
openjdk-21-crac-demo
openjdk-21-crac-jdk
openjdk-21-crac-jdk-headless
openjdk-21-crac-jre
openjdk-21-crac-jre-headless
openjdk-21-crac-jre-zero
openjdk-21-crac-source
openjdk-21-crac-testsupport
golang-golang-x-oauth2-dev
golang-golang-x-oauth2-google-dev
libfcgi-bin
libfcgi0t64
icingaweb2-module-director
fonts-katex
katex
libjs-katex
libnvidia-cfg1-550-server
libnvidia-common-550-server
libnvidia-compute-550-server
libnvidia-decode-550-server
libnvidia-encode-550-server
libnvidia-extra-550-server
libnvidia-fbc1-550-server
libnvidia-gl-550-server
nvidia-compute-utils-550-server
nvidia-dkms-550-server
nvidia-dkms-550-server-open
nvidia-driver-550-server
nvidia-driver-550-server-open
nvidia-headless-550-server
nvidia-headless-550-server-open
nvidia-headless-no-dkms-550-server
nvidia-headless-no-dkms-550-server-open
nvidia-kernel-common-550-server
nvidia-kernel-source-550-server
nvidia-kernel-source-550-server-open
nvidia-utils-550-server
xserver-xorg-video-nvidia-550-server
libnvidia-cfg1-570
libnvidia-common-570
libnvidia-compute-570
libnvidia-decode-570
libnvidia-encode-570
libnvidia-extra-570
libnvidia-fbc1-570
libnvidia-gl-570
nvidia-compute-utils-570
nvidia-dkms-570
nvidia-dkms-570-open
nvidia-driver-570
nvidia-driver-570-open
nvidia-headless-570
nvidia-headless-570-open
nvidia-headless-no-dkms-570
nvidia-headless-no-dkms-570-open
nvidia-kernel-common-570
nvidia-kernel-source-570
nvidia-kernel-source-570-open
nvidia-utils-570
xserver-xorg-video-nvidia-570
libnvidia-cfg1-570-server
libnvidia-common-570-server
libnvidia-compute-570-server
libnvidia-decode-570-server
libnvidia-encode-570-server
libnvidia-extra-570-server
libnvidia-fbc1-570-server
libnvidia-gl-570-server
nvidia-compute-utils-570-server
nvidia-dkms-570-server
nvidia-dkms-570-server-open
nvidia-driver-570-server
nvidia-driver-570-server-open
nvidia-headless-570-server
nvidia-headless-570-server-open
nvidia-headless-no-dkms-570-server
nvidia-headless-no-dkms-570-server-open
nvidia-kernel-common-570-server
nvidia-kernel-source-570-server
nvidia-kernel-source-570-server-open
nvidia-utils-570-server
xserver-xorg-video-nvidia-570-server
libnvidia-cfg1-535-server
libnvidia-common-535-server
libnvidia-compute-535-server
libnvidia-decode-535-server
libnvidia-encode-535-server
libnvidia-extra-535-server
libnvidia-fbc1-535-server
libnvidia-gl-535-server
nvidia-compute-utils-535-server
nvidia-dkms-535-server
nvidia-dkms-535-server-open
nvidia-driver-535-server
nvidia-driver-535-server-open
nvidia-headless-535-server
nvidia-headless-535-server-open
nvidia-headless-no-dkms-535-server
nvidia-headless-no-dkms-535-server-open
nvidia-kernel-common-535-server
nvidia-kernel-source-535-server
nvidia-kernel-source-535-server-open
nvidia-utils-535-server
xserver-xorg-video-nvidia-535-server
libnvidia-cfg1-550-server
libnvidia-common-550-server
libnvidia-compute-550-server
libnvidia-decode-550-server
libnvidia-encode-550-server
libnvidia-extra-550-server
libnvidia-fbc1-550-server
libnvidia-gl-550-server
nvidia-compute-utils-550-server
nvidia-dkms-550-server
nvidia-dkms-550-server-open
nvidia-driver-550-server
nvidia-driver-550-server-open
nvidia-headless-550-server
nvidia-headless-550-server-open
nvidia-headless-no-dkms-550-server
nvidia-headless-no-dkms-550-server-open
nvidia-kernel-common-550-server
nvidia-kernel-source-550-server
nvidia-kernel-source-550-server-open
nvidia-utils-550-server
xserver-xorg-video-nvidia-550-server
libnvidia-cfg1-570
libnvidia-common-570
libnvidia-compute-570
libnvidia-decode-570
libnvidia-encode-570
libnvidia-extra-570
libnvidia-fbc1-570
libnvidia-gl-570
nvidia-compute-utils-570
nvidia-dkms-570
nvidia-dkms-570-open
nvidia-driver-570
nvidia-driver-570-open
nvidia-headless-570
nvidia-headless-570-open
nvidia-headless-no-dkms-570
nvidia-headless-no-dkms-570-open
nvidia-kernel-common-570
nvidia-kernel-source-570
nvidia-kernel-source-570-open
nvidia-utils-570
xserver-xorg-video-nvidia-570
libnvidia-cfg1-570-server
libnvidia-common-570-server
libnvidia-compute-570-server
libnvidia-decode-570-server
libnvidia-encode-570-server
libnvidia-extra-570-server
libnvidia-fbc1-570-server
libnvidia-gl-570-server
nvidia-compute-utils-570-server
nvidia-dkms-570-server
nvidia-dkms-570-server-open
nvidia-driver-570-server
nvidia-driver-570-server-open
nvidia-headless-570-server
nvidia-headless-570-server-open
nvidia-headless-no-dkms-570-server
nvidia-headless-no-dkms-570-server-open
nvidia-kernel-common-570-server
nvidia-kernel-source-570-server
nvidia-kernel-source-570-server-open
nvidia-utils-570-server
xserver-xorg-video-nvidia-570-server
libnvidia-cfg1-575
libnvidia-common-575
libnvidia-compute-575
libnvidia-decode-575
libnvidia-encode-575
libnvidia-extra-575
libnvidia-fbc1-575
libnvidia-gl-575
nvidia-compute-utils-575
nvidia-dkms-575
nvidia-dkms-575-open
nvidia-driver-575
nvidia-driver-575-open
nvidia-headless-575
nvidia-headless-575-open
nvidia-headless-no-dkms-575
nvidia-headless-no-dkms-575-open
nvidia-kernel-common-575
nvidia-kernel-source-575
nvidia-kernel-source-575-open
nvidia-utils-575
xserver-xorg-video-nvidia-575
libnvidia-cfg1-580
libnvidia-common-580
libnvidia-compute-580
libnvidia-decode-580
libnvidia-encode-580
libnvidia-extra-580
libnvidia-fbc1-580
libnvidia-gl-580
nvidia-compute-utils-580
nvidia-dkms-580
nvidia-dkms-580-open
nvidia-driver-580
nvidia-driver-580-open
nvidia-firmware-580-580.95.05
nvidia-headless-580
nvidia-headless-580-open
nvidia-headless-no-dkms-580
nvidia-headless-no-dkms-580-open
nvidia-kernel-common-580
nvidia-kernel-source-580
nvidia-kernel-source-580-open
nvidia-utils-580
xserver-xorg-video-nvidia-580
libnvidia-cfg1-580-server
libnvidia-common-580-server
libnvidia-compute-580-server
libnvidia-decode-580-server
libnvidia-encode-580-server
libnvidia-extra-580-server
libnvidia-fbc1-580-server
libnvidia-gl-580-server
nvidia-compute-utils-580-server
nvidia-dkms-580-server
nvidia-dkms-580-server-open
nvidia-driver-580-server
nvidia-driver-580-server-open
nvidia-firmware-580-server-580.95.05
nvidia-headless-580-server
nvidia-headless-580-server-open
nvidia-headless-no-dkms-580-server
nvidia-headless-no-dkms-580-server-open
nvidia-kernel-common-580-server
nvidia-kernel-source-580-server
nvidia-kernel-source-580-server-open
nvidia-utils-580-server
xserver-xorg-video-nvidia-580-server
gerbera
cyrus-admin
cyrus-caldav
cyrus-clients
cyrus-common
cyrus-imapd
cyrus-murder
cyrus-nntpd
cyrus-pop3d
cyrus-replication
libcyrus-imap-perl
mercurial
mercurial-common
libpam-pkcs11
libruby3.3
ruby3.3
bundler
ruby-bundler
ruby-rubygems
r-cran-boot
zx
libndpi-bin
libndpi-wireshark
libndpi4.2t64
ruby-rack
libjs-vega
node-vega
libx264-165
x264
augeas-lenses
augeas-tools
libaugeas0
musl
musl-tools
wsl
libapache2-mod-passenger
passenger
monero
monero-tests
libopenh264-8
libopenh264-cisco8
jose-util
python3-spotipy
icingaweb2-module-reporting
ruby-graphql
libdbix-class-encodedcolumn-perl
libcommons-vfs-java
python3-pythonjsonlogger
node-babel7
node-babel7-debug
node-babel7-runtime
node-babel7-standalone
libhttpclient-java
libhttpmime-java
libcrypt-cbc-perl
spim
libmupen64plus2
mupen64plus-data
gir1.2-vips-8.0
libvips-tools
libvips42t64
finit
finit-plugins
finit-sysv
glslang-tools
jupyter
jupyter-core
python3-jupyter-core
mydumper
corosync
corosync-notifyd
corosync-vqsim
libcfg7
libcmap4
libcorosync-common4
libcpg4
libquorum5
libsam4
libvotequorum8
openjdk-11-demo
openjdk-11-jdk
openjdk-11-jdk-headless
openjdk-11-jre
openjdk-11-jre-headless
openjdk-11-jre-zero
openjdk-11-source
openjdk-17-crac-demo
openjdk-17-crac-jdk
openjdk-17-crac-jdk-headless
openjdk-17-crac-jre
openjdk-17-crac-jre-headless
openjdk-17-crac-jre-zero
openjdk-17-crac-source
openjdk-21-demo
openjdk-21-jdk
openjdk-21-jdk-headless
openjdk-21-jre
openjdk-21-jre-headless
openjdk-21-jre-zero
openjdk-21-source
openjdk-21-testsupport
openjdk-21-crac-demo
openjdk-21-crac-jdk
openjdk-21-crac-jdk-headless
openjdk-21-crac-jre
openjdk-21-crac-jre-headless
openjdk-21-crac-jre-zero
openjdk-21-crac-source
openjdk-21-crac-testsupport
atop
gnuplot
gnuplot-data
gnuplot-nox
gnuplot-qt
gnuplot-x11
miniflux
gir1.2-soup-3.0
libsoup-3.0-0
libsoup-3.0-common
libsoup-3.0-tests
connman
connman-tests
connman-vpn
libsail-c++0t64
libsail-common0t64
libsail-manip0t64
libsail0t64
sail-codecs
libnvidia-cfg1-580
libnvidia-common-580
libnvidia-compute-580
libnvidia-decode-580
libnvidia-encode-580
libnvidia-extra-580
libnvidia-fbc1-580
libnvidia-gl-580
nvidia-compute-utils-580
nvidia-dkms-580
nvidia-dkms-580-open
nvidia-driver-580
nvidia-driver-580-open
nvidia-firmware-580-580.82.07
nvidia-headless-580
nvidia-headless-580-open
nvidia-headless-no-dkms-580
nvidia-headless-no-dkms-580-open
nvidia-kernel-common-580
nvidia-kernel-source-580
nvidia-kernel-source-580-open
nvidia-utils-580
xserver-xorg-video-nvidia-580
libnvidia-cfg1-580-server
libnvidia-common-580-server
libnvidia-compute-580-server
libnvidia-decode-580-server
libnvidia-encode-580-server
libnvidia-extra-580-server
libnvidia-fbc1-580-server
libnvidia-gl-580-server
nvidia-compute-utils-580-server
nvidia-dkms-580-server
nvidia-dkms-580-server-open
nvidia-driver-580-server
nvidia-driver-580-server-open
nvidia-firmware-580-server-580.82.07
nvidia-headless-580-server
nvidia-headless-580-server-open
nvidia-headless-no-dkms-580-server
nvidia-headless-no-dkms-580-server-open
nvidia-kernel-common-580-server
nvidia-kernel-source-580-server
nvidia-kernel-source-580-server-open
nvidia-utils-580-server
xserver-xorg-video-nvidia-580-server
kissfft-tools
libkissfft-float131
scrcpy
libproxychains4
proxychains4
direwolf
libhibernate-validator4-java
kalkun
kalkun-plugin-blacklist-number
kalkun-plugin-external-script
kalkun-plugin-jsonrpc
kalkun-plugin-phonebook-ldap
kalkun-plugin-phonebook-lookup
kalkun-plugin-rest-api
kalkun-plugin-server-alert
kalkun-plugin-simple-autoreply
kalkun-plugin-sms-credit
kalkun-plugin-sms-member
kalkun-plugin-sms-to-email
kalkun-plugin-sms-to-twitter
kalkun-plugin-sms-to-wordpress
kalkun-plugin-sms-to-xmpp
kalkun-plugin-soap
kalkun-plugin-stop-manager
kalkun-plugin-welcome
kalkun-plugin-whitelist-number
kalkun-plugin-xmlrpc
python3-webpy
libapache2-mod-auth-openidc
openvpn3-client
bind9
bind9-dnsutils
bind9-host
bind9-libs
bind9-utils
libauthen-sasl-perl
libcatalyst-plugin-session-perl
libcgi-simple-perl
libjson-xs-perl
libcpanel-json-xs-perl
libapache-sessionx-perl
gir1.2-javascriptcoregtk-4.1
gir1.2-javascriptcoregtk-6.0
gir1.2-webkit-6.0
gir1.2-webkit2-4.1
libjavascriptcoregtk-4.0-bin
libjavascriptcoregtk-4.1-0
libjavascriptcoregtk-6.0-1
libjavascriptcoregtk-bin
libwebkit2gtk-4.1-0
libwebkitgtk-6.0-4
webkit2gtk-driver
webkitgtk-webdriver
gir1.2-poppler-0.18
libpoppler-cpp2
libpoppler-glib8t64
libpoppler-qt5-1t64
libpoppler-qt6-3t64
libpoppler147
poppler-utils
digikam
digikam-data
digikam-private-libs
showfoto
tor
tor-geoipdb
idle-python3.14
libpython3.14
libpython3.14-minimal
libpython3.14-stdlib
libpython3.14-testsuite
python3.14
python3.14-examples
python3.14-full
python3.14-gdbm
python3.14-minimal
python3.14-nopie
python3.14-tk
python3.14-venv
tar
tar-scripts
ruby-jwt
php-lcobucci-jwt
libphp-adodb
libcommons-configuration-java
biosig-tools
libbiosig3
octave-biosig
python3-biosig
opkssh
node-formidable
sudo-rs
libcpp-httplib0.26
net-tools
iputils-arping
iputils-clockdiff
iputils-ping
iputils-tracepath
golang-1.25
golang-1.25-go
golang-1.25-src
jq
libjq1
libchm-bin
libchm1
libavif-bin
libavif-gdk-pixbuf
libavif16
python3-django-select2
libgdcm-java
libgdcm-tools
libgdcm3.0t64
libvtkgdcm-9.1t64
libvtkgdcm-tools
python3-gdcm
python3-vtkgdcm
libcommons-beanutils-java
libcommons-lang-java
python3-pycares
python3-signxml
konsole
konsole-kpart
xwayland
aerc
pcsx2
mtr
mtr-tiny
liblua5.1-0
lua5.1
libllama0
llama.cpp
llama.cpp-examples
llama.cpp-tests
llama.cpp-tools
llama.cpp-tools-extra
python3-gguf
gnome-remote-desktop
eslint
igmpproxy
libicu78
libunrar-headers
libunrar5t64
unrar
gnu-coreutils
incus
incus-agent
incus-base
incus-client
incus-extra
libjackson2-core-java
jupyter-nbconvert
python3-nbconvert
libmysqlclient24
mysql-client
mysql-client-core
mysql-router
mysql-server
mysql-server-core
mysql-source
mysql-testsuite
openjdk-8-demo
openjdk-8-jdk
openjdk-8-jdk-headless
openjdk-8-jre
openjdk-8-jre-headless
openjdk-8-jre-zero
openjdk-8-source
openjdk-11-demo
openjdk-11-jdk
openjdk-11-jdk-headless
openjdk-11-jre
openjdk-11-jre-headless
openjdk-11-jre-zero
openjdk-11-source
openjdk-17-demo
openjdk-17-jdk
openjdk-17-jdk-headless
openjdk-17-jre
openjdk-17-jre-headless
openjdk-17-jre-zero
openjdk-17-source
openjdk-17-crac-demo
openjdk-17-crac-jdk
openjdk-17-crac-jdk-headless
openjdk-17-crac-jre
openjdk-17-crac-jre-headless
openjdk-17-crac-jre-zero
openjdk-17-crac-source
openjdk-21-demo
openjdk-21-jdk
openjdk-21-jdk-headless
openjdk-21-jre
openjdk-21-jre-headless
openjdk-21-jre-zero
openjdk-21-source
openjdk-21-testsupport
openjdk-21-crac-demo
openjdk-21-crac-jdk
openjdk-21-crac-jdk-headless
openjdk-21-crac-jre
openjdk-21-crac-jre-headless
openjdk-21-crac-jre-zero
openjdk-21-crac-source
openjdk-21-crac-testsupport
openjdk-25-demo
openjdk-25-jdk
openjdk-25-jdk-headless
openjdk-25-jre
openjdk-25-jre-headless
openjdk-25-jre-zero
openjdk-25-jvmci-jdk
openjdk-25-source
openjdk-25-testsupport
openjdk-25-crac-demo
openjdk-25-crac-jdk
openjdk-25-crac-jdk-headless
openjdk-25-crac-jre
openjdk-25-crac-jre-headless
openjdk-25-crac-jre-zero
openjdk-25-crac-source
openjdk-25-crac-testsupport
openjdk-25-demo
openjdk-25-jdk
openjdk-25-jdk-headless
openjdk-25-jre
openjdk-25-jre-headless
openjdk-25-jre-zero
openjdk-25-jvmci-jdk
openjdk-25-source
openjdk-25-testsupport
librlottie0-1
junit5
libognl-java
rtpengine
rtpengine-daemon
rtpengine-kernel-dkms
rtpengine-perftest
rtpengine-perftest-data
rtpengine-recording-daemon
rtpengine-utils
libhtp2
libjackrabbit-java
libnginx-mod-http-geoip
libnginx-mod-http-image-filter
libnginx-mod-http-perl
libnginx-mod-http-xslt-filter
libnginx-mod-mail
libnginx-mod-stream
libnginx-mod-stream-geoip
nginx
nginx-common
nginx-core
nginx-extras
nginx-full
nginx-light
libgoogle-gson-java
python3-starlette
ruby-thor
python3-knack
docker.io
node-tmp
lego
icingaweb2-module-pdfexport
libopenjp2-7
libopenjp2-tools
libopenjpip-dec-server
libopenjpip-viewer
libopenjpip7
r-cran-gh
stardict
stardict-common
stardict-gtk
stardict-plugin
stardict-plugin-cal
stardict-plugin-espeak
stardict-plugin-festival
stardict-plugin-fortune
stardict-plugin-info
stardict-plugin-network-dictionary
stardict-plugin-spell
stardict-tools
skanpage
aspnetcore-runtime-10.0
aspnetcore-targeting-pack-10.0
dotnet-apphost-pack-10.0
dotnet-host-10.0
dotnet-hostfxr-10.0
dotnet-runtime-10.0
dotnet-targeting-pack-10.0
dotnet-sdk-10.0
dotnet-sdk-10.0-source-built-artifacts
dotnet-sdk-aot-10.0
dotnet-templates-10.0
dotnet10
libtensorflow-lite2.14.1
apache2
apache2-bin
apache2-data
apache2-suexec-custom
apache2-suexec-pristine
apache2-utils
qt6-image-formats-plugins
libvtk9-java
libvtk9.5
libvtk9.5-qt
python3-vtk9
vtk9
vtk9-examples
libsmb2-6
python3-h2
ntpd-rs
ntpd-rs-metrics
python3-eventlet
google-guest-agent
libzookeeper-java
libzookeeper-mt2
libzookeeper-st2
python3-zookeeper
zookeeper
zookeeper-bin
zookeeperd
libowasp-esapi-java
python3-kdcproxy
avahi-autoipd
avahi-daemon
avahi-discover
avahi-dnsconfd
avahi-ui-utils
avahi-utils
gir1.2-avahi-0.6
libavahi-client3
libavahi-common-data
libavahi-common3
libavahi-compat-libdnssd1
libavahi-core7
libavahi-glib1
libavahi-gobject0
libavahi-ui-gtk3-0
python3-avahi
python3-django
libmicrohttpd12t64
nncp
libpam-modules
libpam-modules-bin
libpam-runtime
libpam0g
uxplay
geographiclib-tools
libgeographiclib26
frr
frr-pythontools
frr-rpki-rtrlib
frr-snmp
libtiff-opengl
libtiff-tools
libtiff6
libtiffxx6
libtiff-opengl
libtiff-tools
libtiff6
libtiffxx6
python3-socketio
python3-pyvista
python3-social-django
icingadb-web
request-tracker5
rt5-apache2
rt5-clients
rt5-db-mysql
rt5-db-postgresql
rt5-db-sqlite
rt5-fcgi
rt5-standalone
ruby-rack-protection
ruby-sinatra
ruby-sinatra-contrib
fetchmail
openssh-client
openssh-client-gssapi
openssh-server
openssh-server-gssapi
openssh-sftp-server
openssh-tests
ssh
ssh-askpass-gnome
gdk-pixbuf-tests
gir1.2-gdkpixbuf-2.0
libgdk-pixbuf-2.0-0
libgdk-pixbuf2.0-bin
libgdk-pixbuf2.0-common
imagemagick
imagemagick-7-common
imagemagick-7.q16
imagemagick-7.q16hdri
libimage-magick-perl
libimage-magick-q16-perl
libimage-magick-q16hdri-perl
libmagick++-7-headers
libmagick++-7.q16-5
libmagick++-7.q16hdri-5
libmagickcore-7-arch-config
libmagickcore-7-headers
libmagickcore-7.q16-10
libmagickcore-7.q16-10-extra
libmagickcore-7.q16hdri-10
libmagickcore-7.q16hdri-10-extra
libmagickwand-7-headers
libmagickwand-7.q16-10
libmagickwand-7.q16hdri-10
perlmagick
xnest
xorg-server-source
xserver-common
xserver-xephyr
xserver-xorg-core
xserver-xorg-legacy
xvfb
xwayland
charon-cmd
charon-systemd
libcharon-extauth-plugins
libcharon-extra-plugins
libstrongswan
libstrongswan-extra-plugins
libstrongswan-standard-plugins
strongswan
strongswan-charon
strongswan-libcharon
strongswan-nm
strongswan-pki
strongswan-starter
strongswan-swanctl
python3-aiomysql
devrplay3
librplay-perl
librplay3
rplay-client
rplay-contrib
rplay-server
awstats
tinyproxy
tinyproxy-bin
dosage
ruby-webrick
pdfminer-data
python3-pdfminer
node-js-yaml
libjs-codemirror
libtidy58
tidy
python3-joserfc
keystone
keystone-common
python3-keystone
python3-swift
swift
swift-account
swift-container
swift-object
swift-object-expirer
swift-proxy
firebird-utils
firebird4.0-common
firebird4.0-examples
firebird4.0-server
firebird4.0-server-core
firebird4.0-utils
libfbclient2
libib-util
apptainer
librec1
recutils
unrtf
python3-django-allauth
node-pbkdf2
sd
smb4k
usbmuxd
fonttools
python3-fonttools
gir1.2-javascriptcoregtk-4.1
gir1.2-javascriptcoregtk-6.0
gir1.2-webkit-6.0
gir1.2-webkit2-4.1
libjavascriptcoregtk-4.1-0
libjavascriptcoregtk-6.0-1
libjavascriptcoregtk-bin
libwebkit2gtk-4.1-0
libwebkitgtk-6.0-4
webkitgtk-webdriver
expat
libexpat1
python3-urllib3
librhino-java
rhino
libdocopt0
gpsd
gpsd-clients
gpsd-tools
libgps32
libqgpsmm32
python3-gps
containernetworking-plugins
foomuuri
foomuuri-firewalld
composer
liburiparser1
python3-pymdownx
python3-filelock
heif-gdk-pixbuf
heif-thumbnailer
heif-view
libheif-examples
libheif-plugin-aomdec
libheif-plugin-aomenc
libheif-plugin-dav1d
libheif-plugin-ffmpegdec
libheif-plugin-j2kdec
libheif-plugin-j2kenc
libheif-plugin-jpegdec
libheif-plugin-jpegenc
libheif-plugin-kvazaar
libheif-plugin-libde265
libheif-plugin-rav1e
libheif-plugin-svtenc
libheif-plugin-x265
libheif-plugins-all
libheif1
freedombox
python3-biopython
python3-biopython-sql
python3-marshmallow
fluidsynth
libfluidsynth3
ruby-httparty
ckermit
libwget3
wget2
arduino-core-avr
coturn
libwasmedge0
wasmedge
libkpim6messagecomposer6
libkpim6messagecore6
libkpim6messagelist6
libkpim6messageviewer6
libkpim6mimetreeparser6
libkpim6templateparser6
libkpim6webengineviewer6
messagelib-data
medusa
python3-diskcache
node-ajv
libjs-leaflet
node-leaflet
osslsigncode
libpf4j-update-java
python3-pytest
python3-pytest-subtests
mumble
mumble-server
node-on-headers
libxslt1.1
xsltproc
ghostscript
libgs-common
libgs10
libgs10-common
gobgpd
libjakarta-mail-java
netavark
devscripts
autogen
libopts25
libssl3t64
openssl
openssl-provider-legacy
cmake
cmake-curses-gui
cmake-data
cmake-qt-gui
python3-xmltodict
jq
libjq1
ruby-foreman
gir1.2-nm-1.0
libnm0
network-manager
network-manager-config-connectivity-debian
network-manager-config-connectivity-ubuntu
network-manager-l10n
node-turndown
libapache2-mod-shib
libshibsp-plugins
libshibsp12
shibboleth-sp-common
shibboleth-sp-utils
dnsdist
plantuml
libharfbuzz-shaper-perl
gir1.2-girepository-3.0
gir1.2-glib-2.0
girepository-tools
libgirepository-2.0-0
libglib2.0-0t64
libglib2.0-bin
libglib2.0-data
libglib2.0-tests
elpa-protobuf-mode
libprotobuf-java
libprotobuf-lite32t64
libprotobuf32t64
libprotoc32t64
php-google-protobuf
protobuf-compiler
python3-protobuf
ruby-google-protobuf
liblogback-java
idle-python3.14
libpython3.14
libpython3.14-minimal
libpython3.14-stdlib
libpython3.14-testsuite
python3.14
python3.14-examples
python3.14-full
python3.14-gdbm
python3.14-minimal
python3.14-nopie
python3.14-tk
python3.14-venv
libnginx-mod-http-geoip
libnginx-mod-http-image-filter
libnginx-mod-http-perl
libnginx-mod-http-xslt-filter
libnginx-mod-mail
libnginx-mod-stream
libnginx-mod-stream-geoip
nginx
nginx-common
nginx-core
nginx-extras
nginx-full
nginx-light
libxml2-16
libxml2-source
libxml2-utils
python3-libxml2
curl
libcurl3t64-gnutls
libcurl4t64
libuvc0
clamav
clamav-base
clamav-daemon
clamav-freshclam
clamav-milter
clamav-testfiles
clamdscan
libclamav12
libraw-bin
libraw23t64
libmsgpack-java
rebar3
erlang
erlang-asn1
erlang-base
erlang-common-test
erlang-crypto
erlang-debugger
erlang-dialyzer
erlang-diameter
erlang-edoc
erlang-eldap
erlang-et
erlang-eunit
erlang-examples
erlang-ftp
erlang-inets
erlang-jinterface
erlang-megaco
erlang-mnesia
erlang-mode
erlang-nox
erlang-observer
erlang-odbc
erlang-os-mon
erlang-parsetools
erlang-public-key
erlang-reltool
erlang-runtime-tools
erlang-snmp
erlang-src
erlang-ssh
erlang-ssl
erlang-syntax-tools
erlang-tftp
erlang-tools
erlang-wx
erlang-x11
erlang-xmerl
python3-parsl
openjdk-8-demo
openjdk-8-jdk
openjdk-8-jdk-headless
openjdk-8-jre
openjdk-8-jre-headless
openjdk-8-jre-zero
openjdk-8-source
openjdk-11-demo
openjdk-11-jdk
openjdk-11-jdk-headless
openjdk-11-jre
openjdk-11-jre-headless
openjdk-11-jre-zero
openjdk-11-source
openjdk-17-demo
openjdk-17-jdk
openjdk-17-jdk-headless
openjdk-17-jre
openjdk-17-jre-headless
openjdk-17-jre-zero
openjdk-17-source
openjdk-21-demo
openjdk-21-jdk
openjdk-21-jdk-headless
openjdk-21-jre
openjdk-21-jre-headless
openjdk-21-jre-zero
openjdk-21-source
openjdk-21-testsupport
openjdk-25-demo
openjdk-25-jdk
openjdk-25-jdk-headless
openjdk-25-jre
openjdk-25-jre-headless
openjdk-25-jre-zero
openjdk-25-jvmci-jdk
openjdk-25-source
openjdk-25-testsupport
libmysqlclient24
mysql-client
mysql-client-core
mysql-router
mysql-server
mysql-server-core
mysql-source
mysql-testsuite
dtrace
dtrace-tests
libdtrace2
openjdk-25-demo
openjdk-25-jdk
openjdk-25-jdk-headless
openjdk-25-jre
openjdk-25-jre-headless
openjdk-25-jre-zero
openjdk-25-jvmci-jdk
openjdk-25-source
openjdk-25-testsupport
node-preact
liblmdb0
lmdb-utils
wlc
libmediainfo0v5
python3-mediainfodll
python3-virtualenv
virtualenv
cosign
libpng-tools
libpng16-16t64
freerdp3-proxy
freerdp3-proxy-modules
freerdp3-sdl
freerdp3-shadow-x11
freerdp3-wayland
freerdp3-x11
libfreerdp-client3-3
libfreerdp-server-proxy3-3
libfreerdp-server3-3
libfreerdp-shadow-subsystem3-3
libfreerdp-shadow3-3
libfreerdp3-3
libwinpr-tools3-3
libwinpr3-3
winpr3-utils
ruby-rack
dnsmasq
dnsmasq-base
dnsmasq-base-lua
dnsmasq-utils
ruby-mongo
python3-distributed
rekor
giflib-tools
libgif7
apache2
apache2-bin
apache2-data
apache2-suexec-custom
apache2-suexec-pristine
apache2-utils
node-diff
libassertj-core-java
php-twig
php-twig-cache-extra
php-twig-cssinliner-extra
php-twig-extra-bundle
php-twig-html-extra
php-twig-inky-extra
php-twig-intl-extra
php-twig-markdown-extra
php-twig-string-extra
libvpx12
vpx-tools
libqgis-3d3.40.15
libqgis-analysis3.40.15
libqgis-app3.40.15
libqgis-core3.40.15
libqgis-customwidgets
libqgis-gui3.40.15
libqgis-native3.40.15
libqgis-server3.40.15
libqgisgrass8-3.40.15
libqgispython3.40.15
python3-qgis
python3-qgis-common
qgis
qgis-common
qgis-plugin-grass
qgis-plugin-grass-common
qgis-provider-grass
qgis-providers
qgis-providers-common
qgis-server
qgis-server-bin
qgis-server-common
qgis-server-landingpage
qgis-server-wcs
qgis-server-wfs
qgis-server-wfs3
qgis-server-wms
qgis-server-wmts
qgis-sip
python3-python-multipart
phpunit
python3-kanboard
tcpflow
tcpflow-nox
libasound2-data
libasound2-plugin-smixer
libasound2t64
libatopology2t64
node-brace-expansion
python3-requests
libpng-tools
libpng16-16t64
python3-django
golang-1.26
golang-1.26-go
golang-1.26-src
ruby-faraday
libunity-core-6.0-9
unity
unity-autopilot
unity-schemas
unity-services
unity-uwidgets
go-git
libcrypt-sysrandom-xs-perl
aspnetcore-runtime-10.0
aspnetcore-targeting-pack-10.0
dotnet-apphost-pack-10.0
dotnet-host-10.0
dotnet-hostfxr-10.0
dotnet-runtime-10.0
dotnet-targeting-pack-10.0
dotnet-sdk-10.0
dotnet-sdk-10.0-source-built-artifacts
dotnet-sdk-aot-10.0
dotnet-templates-10.0
dotnet10
aspnetcore-runtime-10.0
aspnetcore-targeting-pack-10.0
dotnet-apphost-pack-10.0
dotnet-host-10.0
dotnet-hostfxr-10.0
dotnet-runtime-10.0
dotnet-targeting-pack-10.0
dotnet-sdk-10.0
dotnet-sdk-10.0-source-built-artifacts
dotnet-sdk-aot-10.0
dotnet-templates-10.0
dotnet10
python3-ormar
librpm-sequoia-1
vim
vim-common
vim-gtk3
vim-gui-common
vim-motif
vim-nox
vim-runtime
vim-tiny
xxd
arduino
universal-ctags
minisat
libssl3t64
openssl
openssl-provider-legacy
node-minimatch
liquidprompt
libnghttp2-14
nghttp2
nghttp2-client
nghttp2-proxy
nghttp2-server
adsys
adsys-windows
lib32z1
lib64z1
libminizip1t64
libx32z1
minizip
zlib1g
php-zumba-json-serializer
node-bn.js
cups
cups-bsd
cups-client
cups-common
cups-core-drivers
cups-daemon
cups-ipp-utils
cups-ppdc
cups-server-common
libcups2t64
libcupsimage2t64
bsdextrautils
eject
fdisk
lastlog2
libblkid1
libfdisk1
liblastlog2-2
libmount1
libpam-lastlog2
libsmartcols1
libuuid1
mount
rfkill
util-linux
util-linux-extra
util-linux-locales
uuid-runtime
bsdutils
login
caddy
node-agent-base
node-args
node-basic-ftp
node-data-uri-to-buffer
node-degenerator
node-get-uri
node-http-proxy-agent
node-https-proxy-agent
node-pac-proxy-agent
node-pac-resolver
node-proxy
node-proxy-agent
node-socks-proxy-agent
python3-psd-tools
libnss3
libnss3-tools
libc3p0-java
node-dottie
dovecot-auth-lua
dovecot-core
dovecot-flatcurve
dovecot-gssapi
dovecot-imapd
dovecot-ldap
dovecot-lmtpd
dovecot-managesieved
dovecot-mysql
dovecot-pgsql
dovecot-pop3d
dovecot-sieve
dovecot-solr
dovecot-sqlite
dovecot-submissiond
python3-multipart
libstdlib-ocaml
ocaml
ocaml-base
ocaml-interp
ocaml-man
ocaml-source
python3-vitrage
vitrage-api
vitrage-collector
vitrage-common
vitrage-graph
vitrage-ml
vitrage-notifier
vitrage-persistor
vitrage-snmp-parsing
inetutils-ftp
inetutils-ftpd
inetutils-inetd
inetutils-ping
inetutils-syslogd
inetutils-talk
inetutils-talkd
inetutils-telnet
inetutils-telnetd
inetutils-tools
inetutils-traceroute
telnet
telnetd
libswupdate0.1
lua-swupdate
swupdate
swupdate-www
frr
frr-pythontools
frr-rpki-rtrlib
frr-snmp
python3-dotenv
dosbox-x
dosbox-x-data
libfaudio0
octave-ltfat
octave-ltfat-common
qtads
libroc0.4
roc-toolkit-tests
roc-toolkit-tools
node-immutable
liblexbor2
gstreamer1.0-plugins-ugly
rsync
bind9
bind9-dnsutils
bind9-host
bind9-libs
bind9-utils
php-league-commonmark
glances
pyro5-examples
python3-pyro5
python3-apscheduler
postgresql-18-pgvector
cockpit
cockpit-bridge
cockpit-networkmanager
cockpit-packagekit
cockpit-sosreport
cockpit-storaged
cockpit-system
cockpit-ws
python3-tornado
samtools
samtools-test
node-yauzl
magic-wormhole
libjs-flatted
node-flatted
capnproto
libcapnp-1.1.0
python3-simpleeval
python3-pydicom
python3-memray
libscitokens0t64
scitokens-cpp
heif-gdk-pixbuf
heif-thumbnailer
heif-view
libheif-examples
libheif-plugin-aomdec
libheif-plugin-aomenc
libheif-plugin-dav1d
libheif-plugin-ffmpegdec
libheif-plugin-j2kdec
libheif-plugin-j2kenc
libheif-plugin-jpegdec
libheif-plugin-jpegenc
libheif-plugin-kvazaar
libheif-plugin-libde265
libheif-plugin-rav1e
libheif-plugin-svtenc
libheif-plugin-x265
libheif-plugins-all
libheif1
libexif12
libunbound8
python3-unbound
unbound
unbound-anchor
unbound-host
python3-ujson
botan
libbotan-3-10
python3-botan
php-seclib
python3-django
python3-mistune
pagure
pagure-ci
pagure-ev-server
pagure-loadjson
pagure-logcom
pagure-milters
pagure-mirror
pagure-webhook
fuse
fuse3
libfuse3-4
python3-dynaconf
python3-deepdiff
ruby-json
pdns-backend-bind
pdns-backend-geoip
pdns-backend-ldap
pdns-backend-lmdb
pdns-backend-lua2
pdns-backend-mysql
pdns-backend-odbc
pdns-backend-pgsql
pdns-backend-pipe
pdns-backend-remote
pdns-backend-sqlite3
pdns-backend-tinydns
pdns-ixfrdist
pdns-server
pdns-tools
dasel
node-yaml
docker-registry
keystone
keystone-common
python3-keystone
freeipmi
freeipmi-bmc-watchdog
freeipmi-common
freeipmi-ipmidetect
freeipmi-ipmiseld
freeipmi-tools
libfreeipmi17
libipmiconsole2
libipmidetect0
libipmimonitoring6
haproxy
vim-haproxy
kitty
kitty-shell-integration
kitty-terminfo
node-anymatch
gnutls-bin
libgnutls-dane0t64
libgnutls-openssl27t64
libgnutls30t64
freerdp-proxy
freerdp-proxy-modules
freerdp-sdl
freerdp-shadow-x11
freerdp-wayland
freerdp-x11
freerdp3-proxy
freerdp3-proxy-modules
freerdp3-sdl
freerdp3-shadow-x11
freerdp3-wayland
freerdp3-x11
libfreerdp-client3-3
libfreerdp-server-proxy3-3
libfreerdp-server3-3
libfreerdp-shadow-subsystem3-3
libfreerdp-shadow3-3
libfreerdp3-3
libwinpr-tools3-3
libwinpr3-3
winpr-utils
winpr3-utils
jwt-tools
libjwt14
rauc
rauc-service
libmariadb3
libmariadbd19t64
mariadb-backup
mariadb-client
mariadb-client-compat
mariadb-client-core
mariadb-common
mariadb-plugin-connect
mariadb-plugin-connect-jdbc
mariadb-plugin-cracklib-password-check
mariadb-plugin-gssapi-client
mariadb-plugin-gssapi-server
mariadb-plugin-hashicorp-key-management
mariadb-plugin-mroonga
mariadb-plugin-oqgraph
mariadb-plugin-provider-bzip2
mariadb-plugin-provider-lz4
mariadb-plugin-provider-lzma
mariadb-plugin-provider-lzo
mariadb-plugin-provider-snappy
mariadb-plugin-rocksdb
mariadb-plugin-s3
mariadb-plugin-spider
mariadb-server
mariadb-server-compat
mariadb-server-core
mariadb-test
mariadb-test-data
tigervnc-common
tigervnc-scraping-server
tigervnc-standalone-server
tigervnc-tools
tigervnc-viewer
tigervnc-xorg-extension
python3-lupa
liblog4j1.2-java
python3-flask-httpauth
liblzma5
xz-utils
xzdec
golang-gopkg-square-go-jose.v2-dev
openvpn
libinput-bin
libinput-tools
libinput10
vim
vim-common
vim-gtk3
vim-gui-common
vim-motif
vim-nox
vim-runtime
vim-tiny
xxd
discount
libmarkdown2
charon-cmd
charon-systemd
libcharon-extauth-plugins
libcharon-extra-plugins
libstrongswan
libstrongswan-extra-plugins
libstrongswan-standard-plugins
strongswan
strongswan-charon
strongswan-libcharon
strongswan-nm
strongswan-pki
strongswan-starter
strongswan-swanctl
rust-coreutils
openssh-client
openssh-client-gssapi
openssh-server
openssh-server-gssapi
openssh-sftp-server
openssh-tests
ssh
ssh-askpass-gnome
aardvark-dns
libsdl2-image-2.0-0
libsdl2-image-tests
libsdl3-image-tests
libsdl3-image0
libsdl-image1.2
ruby-addressable
ettercap-common
ettercap-graphical
ettercap-text-only
libssh-4
dnf5
dnf5-server
libdnf5-2
libdnf5-cli3
libjs-spin.js
snapd
ntfy
ruby-rack-session
liblxc-common
liblxc1t64
libpam-cgfs
lxc
lxc-tests
mold
flatpak-builder
flatpak-builder-tests
liblog4net1.2-cil
python3-pil
python3-pil.imagetk
libnet-cidr-lite-perl
cyborg-agent
cyborg-api
cyborg-common
cyborg-conductor
python3-cyborg
libnss-myhostname
libnss-mymachines
libnss-resolve
libnss-systemd
libpam-systemd
libsystemd-shared
libsystemd0
libudev1
systemd
systemd-boot
systemd-boot-efi
systemd-boot-tools
systemd-container
systemd-coredump
systemd-cryptsetup
systemd-homed
systemd-journal-remote
systemd-oomd
systemd-repart
systemd-resolved
systemd-standalone-shutdown
systemd-standalone-sysusers
systemd-standalone-tmpfiles
systemd-sysv
systemd-tests
systemd-timesyncd
systemd-ukify
systemd-userdbd
udev
libgphoto2-6t64
libgphoto2-l10n
libgphoto2-port12t64
krb5-admin-server
krb5-gss-samples
krb5-k5tls
krb5-kdc
krb5-kdc-ldap
krb5-kpropd
krb5-locales
krb5-multidev
krb5-otp
krb5-pkinit
krb5-user
libgssapi-krb5-2
libgssrpc4t64
libk5crypto3
libkadm5clnt-mit12
libkadm5srv-mit12
libkdb5-10t64
libkrad0
libkrb5-3
libkrb5support0
glibc-source
libc-bin
libc-gconv-modules-extra
libc6
libc6-amd64
libc6-i386
libc6-x32
locales
locales-all
nscd
libnginx-mod-http-geoip
libnginx-mod-http-image-filter
libnginx-mod-http-perl
libnginx-mod-http-xslt-filter
libnginx-mod-mail
libnginx-mod-stream
libnginx-mod-stream-geoip
nginx
nginx-common
nginx-core
nginx-extras
nginx-full
nginx-light
editorconfig
libeditorconfig0
gdown
starman
starlet
libapache-opennlp-java
opennlp
exim4
exim4-base
exim4-config
exim4-daemon-heavy
exim4-daemon-light
eximon4
libntfs-3g89t64
ntfs-3g
node-follow-redirects
libpng-tools
libpng16-16t64
luanti
luanti-data
luanti-server
minetest
minetest-data
minetest-server
csync2
haveged
libhavege2
python3-lxml
openvpn-auth-oauth2
opam
opam-installer
bubblewrap
python3-mako
liblcms2-2
liblcms2-utils
deskflow
yard
dolphin
dolphin-data
libdolphinvcs6
libkf5coreaddons-data
libkf5coreaddons5
libkf6coreaddons-data
libkf6coreaddons6
qml6-module-org-kde-coreaddons
libcryptx-perl
keepassxc
keepassxc-full
keepassxc-minimal
libixml11t64
libupnp17t64
node-uuid
caca-utils
libcaca0
beets
arianna
cimg-examples
python3-twisted
node-ip-address
libocct-data-exchange-7.9
libocct-draw-7.9
libocct-foundation-7.9
libocct-ivtk-7.9
libocct-modeling-algorithms-7.9
libocct-modeling-data-7.9
libocct-ocaf-7.9
libocct-visualization-7.9
occt-draw
occt-misc
hashcat
hashcat-data
gopls
liblcms2-2
liblcms2-utils
openstack-dashboard
openstack-dashboard-common
openstack-dashboard-ubuntu-theme
python3-django-horizon
python3-django-openstack-auth
libxpm4
xpmutils
postfix
postfix-cdb
postfix-ldap
postfix-lmdb
postfix-mongodb
postfix-mysql
postfix-pcre
postfix-pgsql
postfix-sqlite
erlang-cowlib
a2boot
atalkd
libatalk
macipgw
netatalk
netatalk-tests
netatalk-tools
papd
timelord
libarchive-tools
libarchive13t64
fonts-opensymbol
gir1.2-lokdocview-0.1
libjuh-java
libjurt-java
liblibreoffice-java
liblibreofficekitgtk
libofficebean-java
libreoffice
libreoffice-base
libreoffice-base-core
libreoffice-base-drivers
libreoffice-base-nogui
libreoffice-calc
libreoffice-calc-nogui
libreoffice-common
libreoffice-core
libreoffice-core-nogui
libreoffice-draw
libreoffice-draw-nogui
libreoffice-evolution
libreoffice-gnome
libreoffice-gtk3
libreoffice-gtk4
libreoffice-help-ca
libreoffice-help-common
libreoffice-help-cs
libreoffice-help-da
libreoffice-help-de
libreoffice-help-dz
libreoffice-help-el
libreoffice-help-en-gb
libreoffice-help-en-us
libreoffice-help-es
libreoffice-help-et
libreoffice-help-eu
libreoffice-help-fi
libreoffice-help-fr
libreoffice-help-gl
libreoffice-help-hi
libreoffice-help-hu
libreoffice-help-id
libreoffice-help-it
libreoffice-help-ja
libreoffice-help-km
libreoffice-help-ko
libreoffice-help-nl
libreoffice-help-om
libreoffice-help-pl
libreoffice-help-pt
libreoffice-help-pt-br
libreoffice-help-ru
libreoffice-help-sk
libreoffice-help-sl
libreoffice-help-sv
libreoffice-help-tr
libreoffice-help-vi
libreoffice-help-zh-cn
libreoffice-help-zh-tw
libreoffice-impress
libreoffice-impress-nogui
libreoffice-java-common
libreoffice-kf6
libreoffice-l10n-af
libreoffice-l10n-am
libreoffice-l10n-ar
libreoffice-l10n-as
libreoffice-l10n-ast
libreoffice-l10n-be
libreoffice-l10n-bg
libreoffice-l10n-bn
libreoffice-l10n-br
libreoffice-l10n-bs
libreoffice-l10n-ca
libreoffice-l10n-cs
libreoffice-l10n-cy
libreoffice-l10n-da
libreoffice-l10n-de
libreoffice-l10n-dz
libreoffice-l10n-el
libreoffice-l10n-en-gb
libreoffice-l10n-en-za
libreoffice-l10n-eo
libreoffice-l10n-es
libreoffice-l10n-et
libreoffice-l10n-eu
libreoffice-l10n-fa
libreoffice-l10n-fi
libreoffice-l10n-fr
libreoffice-l10n-ga
libreoffice-l10n-gd
libreoffice-l10n-gl
libreoffice-l10n-gu
libreoffice-l10n-gug
libreoffice-l10n-he
libreoffice-l10n-hi
libreoffice-l10n-hr
libreoffice-l10n-hu
libreoffice-l10n-hy
libreoffice-l10n-id
libreoffice-l10n-in
libreoffice-l10n-is
libreoffice-l10n-it
libreoffice-l10n-ja
libreoffice-l10n-ka
libreoffice-l10n-kk
libreoffice-l10n-km
libreoffice-l10n-kmr
libreoffice-l10n-kn
libreoffice-l10n-ko
libreoffice-l10n-lt
libreoffice-l10n-lv
libreoffice-l10n-mk
libreoffice-l10n-ml
libreoffice-l10n-mn
libreoffice-l10n-mr
libreoffice-l10n-nb
libreoffice-l10n-ne
libreoffice-l10n-nl
libreoffice-l10n-nn
libreoffice-l10n-nr
libreoffice-l10n-nso
libreoffice-l10n-oc
libreoffice-l10n-om
libreoffice-l10n-or
libreoffice-l10n-pa-in
libreoffice-l10n-pl
libreoffice-l10n-pt
libreoffice-l10n-pt-br
libreoffice-l10n-ro
libreoffice-l10n-ru
libreoffice-l10n-rw
libreoffice-l10n-si
libreoffice-l10n-sk
libreoffice-l10n-sl
libreoffice-l10n-sr
libreoffice-l10n-ss
libreoffice-l10n-st
libreoffice-l10n-sv
libreoffice-l10n-szl
libreoffice-l10n-ta
libreoffice-l10n-te
libreoffice-l10n-tg
libreoffice-l10n-th
libreoffice-l10n-tl
libreoffice-l10n-tn
libreoffice-l10n-tr
libreoffice-l10n-ts
libreoffice-l10n-ug
libreoffice-l10n-uk
libreoffice-l10n-uz
libreoffice-l10n-ve
libreoffice-l10n-vi
libreoffice-l10n-xh
libreoffice-l10n-za
libreoffice-l10n-zh-cn
libreoffice-l10n-zh-tw
libreoffice-l10n-zu
libreoffice-librelogo
libreoffice-math
libreoffice-math-nogui
libreoffice-nogui
libreoffice-officebean
libreoffice-plasma
libreoffice-qt6
libreoffice-report-builder
libreoffice-report-builder-bin
libreoffice-report-builder-bin-nogui
libreoffice-rust-uno-example
libreoffice-script-provider-bsh
libreoffice-script-provider-js
libreoffice-script-provider-python
libreoffice-sdbc-firebird
libreoffice-sdbc-hsqldb
libreoffice-sdbc-mysql
libreoffice-sdbc-postgresql
libreoffice-smoketest-data
libreoffice-style-breeze
libreoffice-style-colibre
libreoffice-style-elementary
libreoffice-style-karasa-jaga
libreoffice-style-sifr
libreoffice-style-sukapura
libreoffice-style-tango
libreoffice-style-yaru
libreoffice-subsequentcheckbase
libreoffice-uiconfig-base
libreoffice-uiconfig-calc
libreoffice-uiconfig-common
libreoffice-uiconfig-draw
libreoffice-uiconfig-impress
libreoffice-uiconfig-math
libreoffice-uiconfig-report-builder
libreoffice-uiconfig-writer
libreoffice-writer
libreoffice-writer-nogui
libreofficekit-data
libridl-java
libuno-cppu3t64
libuno-cppuhelpergcc3-3t64
libuno-purpenvhelpergcc3-3t64
libuno-sal3t64
libuno-salhelpergcc3-3t64
libunoil-java
libunoloader-java
python3-access2base
python3-scriptforge
python3-uno
uno-libs-private
ure
ure-java
libreoffice-nlpsolver
libreoffice-wiki-publisher
gitsign
ruby-css-parser
python3-streamlink
streamlink
python3-paramiko
python3-urllib3
gittuf
libyang3
libyang3-tools
python3-django-postorius
gir1.2-malcontent-0
gir1.2-malcontentui-1
libmalcontent-0-0
libmalcontent-common
libmalcontent-ui-1-1
libnss-malcontent
libpam-malcontent
malcontent
malcontent-gui
kdenlive
kdenlive-data
libcommons-configuration2-java
python3-pygments
tinysshd
gh
atril
atril-common
gir1.2-atrildocument-1.5.0
gir1.2-atrilview-1.5.0
libatrildocument3t64
libatrilview3t64
evince
evince-common
gir1.2-evince-4.0
libevdocument-4.0-6
libevview-4.0-5
gir1.2-evince-3.0
libevdocument3-4t64
libevview3-3t64
gir1.2-papers-4.0
libppsdocument-4.0-6
libppsview-4.0-5
papers
papers-common
libcrypt-saltedhash-perl
woof-doom
tmate
memcached
curl
libcurl3t64-gnutls
libcurl4t64
firewall-applet
firewall-config
firewalld
firewalld-tests
python3-firewall
libcgif0
libdancer-perl
libtemplate-perl
ovn-central
ovn-common
ovn-controller-vtep
ovn-host
ovn-ic
ovn-ic-db
asc
asc-data
libogmrip1
ogmrip
ogmrip-plugins
miniupnpd
miniupnpd-iptables
miniupnpd-nftables
sed
libskia146
libecpg-compat3
libecpg6
libpgtypes3
libpq-oauth
libpq5
postgresql-18
postgresql-18-jit
postgresql-client-18
postgresql-plperl-18
postgresql-plpython3-18
postgresql-pltcl-18
libcrypt-passwdmd5-perl
nano
nano-tiny
emacs
emacs-bin-common
emacs-common
emacs-el
emacs-gtk
emacs-lucid
emacs-nox
emacs-pgtk
efivar
libefiboot1t64
libefisec1t64
libefivar1t64
authd
libhttp-tiny-perl
libtext-csv-xs-perl
binwalk
python3-binwalk
libplack-perl
libimage-exiftool-perl
libssh2-1t64
gdal-bin
gdal-data
gdal-plugins
libgdal38
python3-gdal
bettercap
aria2
libaria2-0
libwww-perl
libcrypt-argon2-perl
erlang-cowboy
erlang-cowboy-examples
libapache-session-browseable-perl
libcrypt-openssl-pkcs12-perl
libimager-perl
libcrypt-dsa-perl
libnginx-mod-http-js
libnginx-mod-stream-js
njs
libsolv-perl
libsolv-tools
libsolv1
libsolvext1
python3-solv