UbuntuUpdates.org

Bugs addressed in recent updates

All Launchpad Ubuntu Debian CVE

Origin Bug number Title Packages
CVE CVE-2026-5090 Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The html_filter function did not escape single quo libtemplate-perl libtemplate-perl libtemplate-perl libtemplate-perl libtemplate-perl libtemplate-perl libtemplate-perl libtemplate-perl
CVE CVE-2026-8368 LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the re libwww-perl libwww-perl libwww-perl libwww-perl libwww-perl libwww-perl libwww-perl libwww-perl
CVE CVE-2026-42304 Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to twisted twisted twisted twisted twisted twisted twisted twisted
CVE CVE-2026-44432 urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portio python-urllib3 python-urllib3
CVE CVE-2026-44431 urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.conn python-urllib3 python-urllib3 python-urllib3 python-urllib3 python-urllib3 python-urllib3 python-urllib3 python-urllib3
CVE CVE-2026-37459 An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UP frr frr frr frr frr frr frr frr
CVE CVE-2026-37458 Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denia frr frr frr frr frr frr frr frr frr frr frr frr frr frr frr frr
CVE CVE-2026-37457 An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 al frr frr frr frr frr frr frr frr frr frr frr frr frr frr frr frr
CVE CVE-2026-28532 FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a frr frr frr frr frr frr frr frr frr frr frr frr frr frr frr frr
Launchpad 2154780 [SRU] Include libcrypt-dev in build-essential for resolute build-essential build-essential
Launchpad 2150297 nautilus have frequent crashes while navigating fast through directories on 26.04 release gtk4 gtk4
Launchpad 2154281 [SRU] [MRE] Update gtk4 to 4.22.4 gtk4 gtk4
CVE CVE-2025-48924 Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to libcommons-lang-java libcommons-lang3-java libcommons-lang-java libcommons-lang-java libcommons-lang3-java libcommons-lang-java
CVE CVE-2026-34293 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.0-8.0.45. Easily ex mysql-8.0 mysql-8.0 mysql-8.0 mysql-8.0 mysql-8.0 mysql-8.0 mysql-8.0 mysql-8.0
CVE CVE-2026-34278 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45. Eas mysql-8.0 mysql-8.0 mysql-8.0 mysql-8.0 mysql-8.0 mysql-8.0 mysql-8.0 mysql-8.0
CVE CVE-2026-34267 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45. Eas mysql-8.0 mysql-8.0 mysql-8.0 mysql-8.0 mysql-8.0 mysql-8.0 mysql-8.0 mysql-8.0
CVE CVE-2026-42006 An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot
CVE CVE-2026-40020 Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes fol dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot
CVE CVE-2026-40016 Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot
CVE CVE-2026-33603 Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot dovecot



About   -   Send Feedback to @ubuntu_updates