UbuntuUpdates.org

Latest Changelogs for all releases

All releases Bionic Focal Jammy Noble Plucky Questing Resolute
Include all PPAs Exclude daily builds PPAs Exclude all PPAs
Include levels: securityupdatesbackportsproposedbase

Note: Only updates for "head" packages where the changelog is available are shown on this page (view all).

avahi May 12th 10:08
Release: resolute Repo: universe Level: security New version: 0.8-18ubuntu1.1
Packages in group:  avahi-autoipd avahi-discover avahi-dnsconfd avahi-ui-utils python3-avahi

  avahi (0.8-18ubuntu1.1) resolute-security; urgency=medium

  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2026-34933-1.patch: core: refuse to accept
      publish flags where both wide_area and multicast are set
    - debian/patches/CVE-2026-34933-2.patch: tests: make sure
      AVAHI_PUBLISH_USE_WIDE_AREA is refused
    - CVE-2026-34933

 -- Allen Huang <email address hidden> Tue, 05 May 2026 13:28:46 +0100
CVE-2026-34933 Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileg

dnsmasq May 12th 10:08
Release: resolute Repo: main Level: updates New version: 2.92-1ubuntu0.2
Packages in group:  dnsmasq-base dnsmasq-utils

  dnsmasq (2.92-1ubuntu0.2) resolute-security; urgency=medium

  * SECURITY UPDATE: Heap buffer overflow on malicious caches in DNS
    forwarding.
    - debian/patches/CVE-2026-2291.patch: Expand char name size in
      src/dnsmasq.h.
    - CVE-2026-2291
  * SECURITY UPDATE: NSEC bitmap parsing infinite loop
    - debian/patches/CVE-2026-4890.patch: Correct erroneous iteration index
      in src/dnssec.c
    - CVE-2026-4890
  * SECURITY UPDATE: Unbounded length field in RRSIG packets.
    - debian/patches/CVE-2026-4891.patch: Validate rdlen in src/dnssec.c
    - CVE-2026-4891
  * SECURITY UPDATE: Buffer overflow in create_helper
    - debian/patches/CVE-2026-4892.patch: Add upper bound to for loop in
      src/helper.c
    - CVE-2026-4892
  * SECURITY UPDATE: Erroneous client subnet validation
    - debian/patches/CVE-2026-4893.patch: Fixed length passed to check_source
      in src/forward.c
    - CVE-2026-4893
  * SECURITY UPDATE: Buffer overflow in extract_addresses.
    - debian/patches/CVE-2026-5172.patch: Check index after extracting name
      in src/rfc1035.c
    - CVE-2026-5172

 -- Kyle Kernick <email address hidden> Wed, 29 Apr 2026 12:33:48 -0600
CVE-2026-2291 dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could r
CVE-2026-4890 A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS pa
CVE-2026-4891 A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted
CVE-2026-4892 A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root pri
CVE-2026-4893 An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subn
More...

avahi May 12th 10:08
Release: resolute Repo: main Level: security New version: 0.8-18ubuntu1.1
Packages in group:  avahi-daemon avahi-utils gir1.2-avahi-0.6 libavahi-client3 libavahi-client-dev libavahi-common3 libavahi-common-data libavahi-common-dev libavahi-compat-libdnssd1 libavahi-compat-libdnssd-dev libavahi-core7 (... see all)

  avahi (0.8-18ubuntu1.1) resolute-security; urgency=medium

  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2026-34933-1.patch: core: refuse to accept
      publish flags where both wide_area and multicast are set
    - debian/patches/CVE-2026-34933-2.patch: tests: make sure
      AVAHI_PUBLISH_USE_WIDE_AREA is refused
    - CVE-2026-34933

 -- Allen Huang <email address hidden> Tue, 05 May 2026 13:28:46 +0100
CVE-2026-34933 Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileg

dnsmasq May 12th 10:08
Release: questing Repo: universe Level: updates New version: 2.91-1ubuntu0.2
Packages in group:  dnsmasq-base-lua

  dnsmasq (2.91-1ubuntu0.2) questing-security; urgency=medium

  * SECURITY UPDATE: Heap buffer overflow on malicious caches in DNS
    forwarding.
    - debian/patches/CVE-2026-2291.patch: Expand char name size in
      src/dnsmasq.h.
    - CVE-2026-2291
  * SECURITY UPDATE: NSEC bitmap parsing infinite loop
    - debian/patches/CVE-2026-4890.patch: Correct erroneous iteration index
      in src/dnssec.c
    - CVE-2026-4890
  * SECURITY UPDATE: Unbounded length field in RRSIG packets.
    - debian/patches/CVE-2026-4891.patch: Validate rdlen in src/dnssec.c
    - CVE-2026-4891
  * SECURITY UPDATE: Buffer overflow in create_helper
    - debian/patches/CVE-2026-4892.patch: Add upper bound to for loop in
      src/helper.c
    - CVE-2026-4892
  * SECURITY UPDATE: Erroneous client subnet validation
    - debian/patches/CVE-2026-4893.patch: Fixed length passed to check_source
      in src/forward.c
    - CVE-2026-4893
  * SECURITY UPDATE: Buffer overflow in extract_addresses.
    - debian/patches/CVE-2026-5172.patch: Check index after extracting name
      in src/rfc1035.c
    - CVE-2026-5172

 -- Kyle Kernick <email address hidden> Wed, 29 Apr 2026 12:38:36 -0600
CVE-2026-2291 dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could r
CVE-2026-4890 A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS pa
CVE-2026-4891 A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted
CVE-2026-4892 A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root pri
CVE-2026-4893 An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subn
More...

avahi May 12th 10:08
Release: questing Repo: universe Level: security New version: 0.8-16ubuntu3.2
Packages in group:  avahi-autoipd avahi-discover avahi-dnsconfd avahi-ui-utils python3-avahi

  avahi (0.8-16ubuntu3.2) questing-security; urgency=medium

  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2026-24401.patch: core: fix uncontrolled
      recursion bug using a simple loop detection algorithm
    - CVE-2026-24401
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2026-34933-1.patch: core: refuse to accept
      publish flags where both wide_area and multicast are set
    - debian/patches/CVE-2026-34933-2.patch: tests: make sure
      AVAHI_PUBLISH_USE_WIDE_AREA is refused
    - CVE-2026-34933

 -- Allen Huang <email address hidden> Tue, 05 May 2026 13:14:47 +0100
CVE-2026-24401 Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daem
CVE-2026-34933 Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileg

dnsmasq May 12th 10:08
Release: questing Repo: main Level: updates New version: 2.91-1ubuntu0.2
Packages in group:  dnsmasq-base dnsmasq-utils

  dnsmasq (2.91-1ubuntu0.2) questing-security; urgency=medium

  * SECURITY UPDATE: Heap buffer overflow on malicious caches in DNS
    forwarding.
    - debian/patches/CVE-2026-2291.patch: Expand char name size in
      src/dnsmasq.h.
    - CVE-2026-2291
  * SECURITY UPDATE: NSEC bitmap parsing infinite loop
    - debian/patches/CVE-2026-4890.patch: Correct erroneous iteration index
      in src/dnssec.c
    - CVE-2026-4890
  * SECURITY UPDATE: Unbounded length field in RRSIG packets.
    - debian/patches/CVE-2026-4891.patch: Validate rdlen in src/dnssec.c
    - CVE-2026-4891
  * SECURITY UPDATE: Buffer overflow in create_helper
    - debian/patches/CVE-2026-4892.patch: Add upper bound to for loop in
      src/helper.c
    - CVE-2026-4892
  * SECURITY UPDATE: Erroneous client subnet validation
    - debian/patches/CVE-2026-4893.patch: Fixed length passed to check_source
      in src/forward.c
    - CVE-2026-4893
  * SECURITY UPDATE: Buffer overflow in extract_addresses.
    - debian/patches/CVE-2026-5172.patch: Check index after extracting name
      in src/rfc1035.c
    - CVE-2026-5172

 -- Kyle Kernick <email address hidden> Wed, 29 Apr 2026 12:38:36 -0600
CVE-2026-2291 dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could r
CVE-2026-4890 A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS pa
CVE-2026-4891 A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted
CVE-2026-4892 A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root pri
CVE-2026-4893 An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subn
More...

avahi May 12th 10:08
Release: questing Repo: main Level: security New version: 0.8-16ubuntu3.2
Packages in group:  avahi-daemon avahi-utils gir1.2-avahi-0.6 libavahi-client3 libavahi-client-dev libavahi-common3 libavahi-common-data libavahi-common-dev libavahi-compat-libdnssd1 libavahi-compat-libdnssd-dev libavahi-core7 (... see all)

  avahi (0.8-16ubuntu3.2) questing-security; urgency=medium

  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2026-24401.patch: core: fix uncontrolled
      recursion bug using a simple loop detection algorithm
    - CVE-2026-24401
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2026-34933-1.patch: core: refuse to accept
      publish flags where both wide_area and multicast are set
    - debian/patches/CVE-2026-34933-2.patch: tests: make sure
      AVAHI_PUBLISH_USE_WIDE_AREA is refused
    - CVE-2026-34933

 -- Allen Huang <email address hidden> Tue, 05 May 2026 13:14:47 +0100
CVE-2026-24401 Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daem
CVE-2026-34933 Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileg

dnsmasq May 12th 10:08
Release: noble Repo: universe Level: updates New version: 2.90-2ubuntu0.3
Packages in group:  dnsmasq-base-lua

  dnsmasq (2.90-2ubuntu0.3) noble-security; urgency=medium

  * SECURITY UPDATE: Heap buffer overflow on malicious caches in DNS
    forwarding.
    - debian/patches/CVE-2026-2291.patch: Expand char name size in
      src/dnsmasq.h.
    - CVE-2026-2291
  * SECURITY UPDATE: NSEC bitmap parsing infinite loop
    - debian/patches/CVE-2026-4890.patch: Correct erroneous iteration index
      in src/dnssec.c
    - CVE-2026-4890
  * SECURITY UPDATE: Unbounded length field in RRSIG packets.
    - debian/patches/CVE-2026-4891.patch: Validate rdlen in src/dnssec.c
    - CVE-2026-4891
  * SECURITY UPDATE: Buffer overflow in create_helper
    - debian/patches/CVE-2026-4892.patch: Add upper bound to for loop in
      src/helper.c
    - CVE-2026-4892
  * SECURITY UPDATE: Erroneous client subnet validation
    - debian/patches/CVE-2026-4893.patch: Fixed length passed to check_source
      in src/forward.c
    - CVE-2026-4893
  * SECURITY UPDATE: Buffer overflow in extract_addresses.
    - debian/patches/CVE-2026-5172.patch: Check index after extracting name
      in src/rfc1035.c
    - CVE-2026-5172

 -- Kyle Kernick <email address hidden> Wed, 29 Apr 2026 12:39:03 -0600
CVE-2026-2291 dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could r
CVE-2026-4890 A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS pa
CVE-2026-4891 A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted
CVE-2026-4892 A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root pri
CVE-2026-4893 An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subn
More...

avahi May 12th 10:08
Release: noble Repo: universe Level: security New version: 0.8-13ubuntu6.2
Packages in group:  avahi-autoipd avahi-discover avahi-dnsconfd avahi-ui-utils libavahi-gobject-dev python3-avahi

  avahi (0.8-13ubuntu6.2) noble-security; urgency=medium

  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2026-24401.patch: core: fix uncontrolled
      recursion bug using a simple loop detection algorithm
    - CVE-2026-24401
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2026-34933-1.patch: core: refuse to accept
      publish flags where both wide_area and multicast are set
    - debian/patches/CVE-2026-34933-2.patch: tests: make sure
      AVAHI_PUBLISH_USE_WIDE_AREA is refused
    - CVE-2026-34933

 -- Allen Huang <email address hidden> Tue, 05 May 2026 15:32:41 +0100
CVE-2026-24401 Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daem
CVE-2026-34933 Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileg

dnsmasq May 12th 10:08
Release: noble Repo: main Level: updates New version: 2.90-2ubuntu0.3
Packages in group:  dnsmasq-base dnsmasq-utils

  dnsmasq (2.90-2ubuntu0.3) noble-security; urgency=medium

  * SECURITY UPDATE: Heap buffer overflow on malicious caches in DNS
    forwarding.
    - debian/patches/CVE-2026-2291.patch: Expand char name size in
      src/dnsmasq.h.
    - CVE-2026-2291
  * SECURITY UPDATE: NSEC bitmap parsing infinite loop
    - debian/patches/CVE-2026-4890.patch: Correct erroneous iteration index
      in src/dnssec.c
    - CVE-2026-4890
  * SECURITY UPDATE: Unbounded length field in RRSIG packets.
    - debian/patches/CVE-2026-4891.patch: Validate rdlen in src/dnssec.c
    - CVE-2026-4891
  * SECURITY UPDATE: Buffer overflow in create_helper
    - debian/patches/CVE-2026-4892.patch: Add upper bound to for loop in
      src/helper.c
    - CVE-2026-4892
  * SECURITY UPDATE: Erroneous client subnet validation
    - debian/patches/CVE-2026-4893.patch: Fixed length passed to check_source
      in src/forward.c
    - CVE-2026-4893
  * SECURITY UPDATE: Buffer overflow in extract_addresses.
    - debian/patches/CVE-2026-5172.patch: Check index after extracting name
      in src/rfc1035.c
    - CVE-2026-5172

 -- Kyle Kernick <email address hidden> Wed, 29 Apr 2026 12:39:03 -0600
CVE-2026-2291 dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could r
CVE-2026-4890 A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS pa
CVE-2026-4891 A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted
CVE-2026-4892 A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root pri
CVE-2026-4893 An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subn
More...

avahi May 12th 10:08
Release: noble Repo: main Level: security New version: 0.8-13ubuntu6.2
Packages in group:  avahi-daemon avahi-utils gir1.2-avahi-0.6 libavahi-client3 libavahi-client-dev libavahi-common3 libavahi-common-data libavahi-common-dev libavahi-compat-libdnssd1 libavahi-compat-libdnssd-dev libavahi-core7 (... see all)

  avahi (0.8-13ubuntu6.2) noble-security; urgency=medium

  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2026-24401.patch: core: fix uncontrolled
      recursion bug using a simple loop detection algorithm
    - CVE-2026-24401
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2026-34933-1.patch: core: refuse to accept
      publish flags where both wide_area and multicast are set
    - debian/patches/CVE-2026-34933-2.patch: tests: make sure
      AVAHI_PUBLISH_USE_WIDE_AREA is refused
    - CVE-2026-34933

 -- Allen Huang <email address hidden> Tue, 05 May 2026 15:32:41 +0100
CVE-2026-24401 Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daem
CVE-2026-34933 Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileg

dnsmasq May 12th 10:08
Release: jammy Repo: universe Level: updates New version: 2.90-0ubuntu0.22.04.3
Packages in group:  dnsmasq-base-lua

  dnsmasq (2.90-0ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Heap buffer overflow on malicious caches in DNS
    forwarding.
    - debian/patches/CVE-2026-2291.patch: Expand char name size in
      src/dnsmasq.h.
    - CVE-2026-2291
  * SECURITY UPDATE: NSEC bitmap parsing infinite loop
    - debian/patches/CVE-2026-4890.patch: Correct erroneous iteration index
      in src/dnssec.c
    - CVE-2026-4890
  * SECURITY UPDATE: Unbounded length field in RRSIG packets.
    - debian/patches/CVE-2026-4891.patch: Validate rdlen in src/dnssec.c
    - CVE-2026-4891
  * SECURITY UPDATE: Buffer overflow in create_helper
    - debian/patches/CVE-2026-4892.patch: Add upper bound to for loop in
      src/helper.c
    - CVE-2026-4892
  * SECURITY UPDATE: Erroneous client subnet validation
    - debian/patches/CVE-2026-4893.patch: Fixed length passed to check_source
      in src/forward.c
    - CVE-2026-4893
  * SECURITY UPDATE: Buffer overflow in extract_addresses.
    - debian/patches/CVE-2026-5172.patch: Check index after extracting name
      in src/rfc1035.c
    - CVE-2026-5172
  * This update does not include the changes from 2.90-0ubuntu0.22.04.2.

 -- Kyle Kernick <email address hidden> Wed, 29 Apr 2026 13:56:04 -0600
CVE-2026-2291 dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could r
CVE-2026-4890 A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS pa
CVE-2026-4891 A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted
CVE-2026-4892 A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root pri
CVE-2026-4893 An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subn
More...

avahi May 12th 10:08
Release: jammy Repo: universe Level: security New version: 0.8-5ubuntu5.5
Packages in group:  avahi-discover avahi-dnsconfd avahi-ui-utils python3-avahi

  avahi (0.8-5ubuntu5.5) jammy-security; urgency=medium

  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2026-24401.patch: core: fix uncontrolled
      recursion bug using a simple loop detection algorithm
    - CVE-2026-24401
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2026-34933-1.patch: core: refuse to accept
      publish flags where both wide_area and multicast are set
    - debian/patches/CVE-2026-34933-2.patch: tests: make sure
      AVAHI_PUBLISH_USE_WIDE_AREA is refused
    - CVE-2026-34933

 -- Allen Huang <email address hidden> Tue, 05 May 2026 15:36:46 +0100
CVE-2026-24401 Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daem
CVE-2026-34933 Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileg

dnsmasq May 12th 10:08
Release: jammy Repo: main Level: updates New version: 2.90-0ubuntu0.22.04.3
Packages in group:  dnsmasq-base dnsmasq-utils

  dnsmasq (2.90-0ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: Heap buffer overflow on malicious caches in DNS
    forwarding.
    - debian/patches/CVE-2026-2291.patch: Expand char name size in
      src/dnsmasq.h.
    - CVE-2026-2291
  * SECURITY UPDATE: NSEC bitmap parsing infinite loop
    - debian/patches/CVE-2026-4890.patch: Correct erroneous iteration index
      in src/dnssec.c
    - CVE-2026-4890
  * SECURITY UPDATE: Unbounded length field in RRSIG packets.
    - debian/patches/CVE-2026-4891.patch: Validate rdlen in src/dnssec.c
    - CVE-2026-4891
  * SECURITY UPDATE: Buffer overflow in create_helper
    - debian/patches/CVE-2026-4892.patch: Add upper bound to for loop in
      src/helper.c
    - CVE-2026-4892
  * SECURITY UPDATE: Erroneous client subnet validation
    - debian/patches/CVE-2026-4893.patch: Fixed length passed to check_source
      in src/forward.c
    - CVE-2026-4893
  * SECURITY UPDATE: Buffer overflow in extract_addresses.
    - debian/patches/CVE-2026-5172.patch: Check index after extracting name
      in src/rfc1035.c
    - CVE-2026-5172
  * This update does not include the changes from 2.90-0ubuntu0.22.04.2.

 -- Kyle Kernick <email address hidden> Wed, 29 Apr 2026 13:56:04 -0600
CVE-2026-2291 dnsmasqs extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could r
CVE-2026-4890 A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS pa
CVE-2026-4891 A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted
CVE-2026-4892 A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root pri
CVE-2026-4893 An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subn
More...

avahi May 12th 10:07
Release: jammy Repo: main Level: security New version: 0.8-5ubuntu5.5
Packages in group:  avahi-autoipd avahi-daemon avahi-utils gir1.2-avahi-0.6 libavahi-client3 libavahi-client-dev libavahi-common3 libavahi-common-data libavahi-common-dev libavahi-compat-libdnssd1 libavahi-compat-libdnssd-dev (... see all)

  avahi (0.8-5ubuntu5.5) jammy-security; urgency=medium

  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2026-24401.patch: core: fix uncontrolled
      recursion bug using a simple loop detection algorithm
    - CVE-2026-24401
  * SECURITY UPDATE: Denial of Service
    - debian/patches/CVE-2026-34933-1.patch: core: refuse to accept
      publish flags where both wide_area and multicast are set
    - debian/patches/CVE-2026-34933-2.patch: tests: make sure
      AVAHI_PUBLISH_USE_WIDE_AREA is refused
    - CVE-2026-34933

 -- Allen Huang <email address hidden> Tue, 05 May 2026 15:36:46 +0100
CVE-2026-24401 Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daem
CVE-2026-34933 Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileg


About   -   Send Feedback to @ubuntu_updates