Thursday, May 7, 2026

[USN-8241-1] Coin3D vulnerabilities

==========================================================================
Ubuntu Security Notice USN-8241-1
May 07, 2026

coin3 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Coin3D.

Software Description:
- coin3: high-level 3D graphics kit implementing the Open Inventor API

Details:

It was discovered that Expat, vendored in Coin3D, incorrectly handled certain files. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
  libcoin80-runtime  3.1.4~abc9f50+dfsg3-2ubuntu0.1~esm1  Available with Ubuntu Pro
  libcoin80v5  3.1.4~abc9f50+dfsg3-2ubuntu0.1~esm1  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libcoin80-runtime  3.1.4~abc9f50+dfsg1-1ubuntu0.1~esm2  Available with Ubuntu Pro
  libcoin80v5  3.1.4~abc9f50+dfsg1-1ubuntu0.1~esm2  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  libcoin80  3.1.4~abc9f50-4ubuntu2+esm2  Available with Ubuntu Pro
  libcoin80-runtime  3.1.4~abc9f50-4ubuntu2+esm2  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8241-1
  CVE-2022-25235, CVE-2022-25236

[USN-8235-1] ITK vulnerabilities

==========================================================================
Ubuntu Security Notice USN-8235-1
May 07, 2026

insighttoolkit vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in ITK.

Software Description:
- insighttoolkit: Toolkit for N-dimensional scientific image processing, segmentation, and registration

Details:

It was discovered that Expat, vendored in ITK, incorrectly handled certain files. An attacker could possibly use this issue to cause a crash or execute arbitrary code. (CVE-2022-25235, CVE-2022-25236)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
  libinsighttoolkit3.20  3.20.1+git20120521-6ubuntu0.1~esm1  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8235-1
  CVE-2022-25235, CVE-2022-25236

[USN-8245-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-8245-1
May 07, 2026

linux-azure, linux-azure-6.17, linux-oem-6.17 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-azure-6.17: Linux kernel for Microsoft Azure cloud systems
- linux-oem-6.17: Linux kernel for OEM systems

Details:

Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo Rizzo discovered that some AMD Zen processors did not properly verify the signature of CPU microcode. This flaw is known as EntrySign. A privileged attacker could possibly use this issue to load malicious CPU microcode, causing loss of integrity and confidentiality. (CVE-2024-36347)

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- MIPS architecture;
- PowerPC architecture;
- User-Mode Linux (UML);
- x86 architecture;
- Block layer subsystem;
- Cryptographic API;
- ACPI drivers;
- Ublk userspace block driver;
- Bluetooth drivers;
- Character device driver;
- TPM device driver;
- Clock framework and drivers;
- GPU drivers;
- Hardware monitoring drivers;
- Intel Trace Hub HW tracing drivers;
- InfiniBand drivers;
- Input Device core drivers;
- Input Device (Mouse) drivers;
- IOMMU subsystem;
- Multiple devices driver;
- Media drivers;
- Network drivers;
- Mellanox network drivers;
- STMicroelectronics network drivers;
- Ethernet team driver;
- NVME drivers;
- PA-RISC drivers;
- Chrome hardware platform drivers;
- x86 platform drivers;
- SCSI subsystem;
- SPI subsystem;
- TCM subsystem;
- Freescale USB OTG Transceiver Driver;
- USB Type-C Connector System Software Interface driver;
- Watchdog drivers;
- BTRFS file system;
- exFAT file system;
- Ext4 file system;
- F2FS file system;
- FUSE (File system in Userspace);
- HFS+ file system;
- File systems infrastructure;
- Network file system (NFS) server daemon;
- File system notification infrastructure;
- NTFS3 file system;
- OCFS2 file system;
- SMB network file system;
- XFS file system;
- User-space API (UAPI);
- io_uring subsystem;
- Scheduler infrastructure;
- Shadow Call Stack mechanism;
- Tracing infrastructure;
- Memory management;
- BPF subsystem;
- CAIF protocol;
- Ceph Core library;
- Networking core;
- Ethtool driver;
- Handshake API;
- HSR network protocol;
- IPv4 networking;
- IPv6 networking;
- Multipath TCP;
- Netfilter;
- NET/ROM layer;
- NFC subsystem;
- Open vSwitch;
- Rose network layer;
- Network traffic control;
- Sun RPC protocol;
- Key management;
- Landlock security;
- STMicroelectronics SoC drivers;
- USB sound devices;
- KVM subsystem;
(CVE-2025-68351, CVE-2025-68353, CVE-2025-68365, CVE-2025-68368, CVE-2025-68725, CVE-2025-68736, CVE-2025-68745, CVE-2025-68767,
CVE-2025-68768, CVE-2025-68769, CVE-2025-68770, CVE-2025-68771, CVE-2025-68772, CVE-2025-68773, CVE-2025-68774, CVE-2025-68775, CVE-2025-68776, CVE-2025-68777, CVE-2025-68778, CVE-2025-68780, CVE-2025-68781, CVE-2025-68782, CVE-2025-68783, CVE-2025-68784, CVE-2025-68785, CVE-2025-68786, CVE-2025-68787, CVE-2025-68788, CVE-2025-68791, CVE-2025-68792, CVE-2025-68793, CVE-2025-68794, CVE-2025-68795, CVE-2025-68796, CVE-2025-68797, CVE-2025-68798, CVE-2025-68799, CVE-2025-68800, CVE-2025-68801, CVE-2025-68802, CVE-2025-68803, CVE-2025-68804, CVE-2025-68805, CVE-2025-68806, CVE-2025-68807, CVE-2025-68808, CVE-2025-68809, CVE-2025-68810, CVE-2025-68811, CVE-2025-68813, CVE-2025-68814, CVE-2025-68815, CVE-2025-68816, CVE-2025-68817, CVE-2025-68818, CVE-2025-68819, CVE-2025-68820, CVE-2025-68821, CVE-2025-68822, CVE-2025-68823, CVE-2025-71064, CVE-2025-71065, CVE-2025-71066, CVE-2025-71067, CVE-2025-71068, CVE-2025-71069, CVE-2025-71070, CVE-2025-71071, CVE-2025-71072, CVE-2025-71073, CVE-2025-71075, CVE-2025-71076, CVE-2025-71077, CVE-2025-71078, CVE-2025-71079, CVE-2025-71081, CVE-2025-71082, CVE-2025-71083, CVE-2025-71084, CVE-2025-71085, CVE-2025-71086, CVE-2025-71087, CVE-2025-71089, CVE-2025-71091, CVE-2025-71093, CVE-2025-71094, CVE-2025-71095, CVE-2025-71096, CVE-2025-71097, CVE-2025-71098, CVE-2025-71099, CVE-2025-71100, CVE-2025-71101, CVE-2025-71102, CVE-2025-71104, CVE-2025-71105, CVE-2025-71107, CVE-2025-71108, CVE-2025-71109, CVE-2025-71111, CVE-2025-71112, CVE-2025-71113, CVE-2025-71114, CVE-2025-71115, CVE-2025-71116, CVE-2025-71117, CVE-2025-71118, CVE-2025-71119, CVE-2025-71120, CVE-2025-71121, CVE-2025-71122, CVE-2025-71123, CVE-2025-71124, CVE-2025-71125, CVE-2025-71126, CVE-2025-71130, CVE-2025-71131, CVE-2025-71132, CVE-2025-71133, CVE-2025-71135, CVE-2025-71136, CVE-2025-71137, CVE-2025-71138, CVE-2025-71140, CVE-2025-71143, CVE-2025-71146, CVE-2025-71147, CVE-2025-71148, CVE-2025-71150, CVE-2025-71151, CVE-2025-71153, CVE-2025-71154, CVE-2025-71156, 
CVE-2025-71157, CVE-2026-23091, CVE-2026-23112, CVE-2026-23209, CVE-2026-23231)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 25.10
  linux-image-6.17.0-1013-azure  6.17.0-1013.13
  linux-image-azure  6.17.0-1013.13
  linux-image-azure-6.17  6.17.0-1013.13

Ubuntu 24.04 LTS
  linux-image-6.17.0-1013-azure  6.17.0-1013.13~24.04.1
  linux-image-6.17.0-1020-oem  6.17.0-1020.20
  linux-image-azure  6.17.0-1013.13~24.04.1
  linux-image-azure-6.17  6.17.0-1013.13~24.04.1
  linux-image-oem-24.04  6.17.0-1020.20
  linux-image-oem-24.04a  6.17.0-1020.20
  linux-image-oem-24.04b  6.17.0-1020.20
  linux-image-oem-24.04c  6.17.0-1020.20
  linux-image-oem-24.04d  6.17.0-1020.20
  linux-image-oem-6.17  6.17.0-1020.20

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References: https://ubuntu.com/security/notices/USN-8245-1 CVE-2024-36347, CVE-2025-68351, CVE-2025-68353, CVE-2025-68365, CVE-2025-68368, CVE-2025-68725, CVE-2025-68736, CVE-2025-68745, CVE-2025-68767, CVE-2025-68768, CVE-2025-68769, CVE-2025-68770, CVE-2025-68771, CVE-2025-68772, CVE-2025-68773, CVE-2025-68774, CVE-2025-68775, CVE-2025-68776, CVE-2025-68777, CVE-2025-68778, CVE-2025-68780, CVE-2025-68781, CVE-2025-68782, CVE-2025-68783, CVE-2025-68784, CVE-2025-68785, CVE-2025-68786, CVE-2025-68787, CVE-2025-68788, CVE-2025-68791, CVE-2025-68792, CVE-2025-68793, CVE-2025-68794, CVE-2025-68795, CVE-2025-68796, CVE-2025-68797, CVE-2025-68798, CVE-2025-68799, CVE-2025-68800, CVE-2025-68801, CVE-2025-68802, CVE-2025-68803, CVE-2025-68804, CVE-2025-68805, CVE-2025-68806, CVE-2025-68807, CVE-2025-68808, CVE-2025-68809, CVE-2025-68810, CVE-2025-68811, CVE-2025-68813, CVE-2025-68814, CVE-2025-68815, CVE-2025-68816, CVE-2025-68817, CVE-2025-68818, CVE-2025-68819, CVE-2025-68820, CVE-2025-68821, CVE-2025-68822, CVE-2025-68823, CVE-2025-71064, CVE-2025-71065, CVE-2025-71066, CVE-2025-71067, CVE-2025-71068, CVE-2025-71069, CVE-2025-71070, CVE-2025-71071, CVE-2025-71072, CVE-2025-71073, CVE-2025-71075, CVE-2025-71076, CVE-2025-71077, CVE-2025-71078, CVE-2025-71079, CVE-2025-71081, CVE-2025-71082, CVE-2025-71083, CVE-2025-71084, CVE-2025-71085, CVE-2025-71086, CVE-2025-71087, CVE-2025-71089, CVE-2025-71091, CVE-2025-71093, CVE-2025-71094, CVE-2025-71095, CVE-2025-71096, CVE-2025-71097, CVE-2025-71098, CVE-2025-71099, CVE-2025-71100, CVE-2025-71101, CVE-2025-71102, CVE-2025-71104, CVE-2025-71105, CVE-2025-71107, CVE-2025-71108, CVE-2025-71109, CVE-2025-71111, CVE-2025-71112, CVE-2025-71113, CVE-2025-71114, CVE-2025-71115, CVE-2025-71116, CVE-2025-71117, CVE-2025-71118, CVE-2025-71119, CVE-2025-71120, CVE-2025-71121, CVE-2025-71122, CVE-2025-71123, CVE-2025-71124, CVE-2025-71125, CVE-2025-71126, CVE-2025-71130, CVE-2025-71131, CVE-2025-71132, CVE-2025-71133, CVE-2025-71135, 
CVE-2025-71136, CVE-2025-71137, CVE-2025-71138, CVE-2025-71140, CVE-2025-71143, CVE-2025-71146, CVE-2025-71147, CVE-2025-71148, CVE-2025-71149, CVE-2025-71150, CVE-2025-71151, CVE-2025-71153, CVE-2025-71154, CVE-2025-71156, CVE-2025-71157, CVE-2026-23091, CVE-2026-23112, CVE-2026-23209, CVE-2026-23231

Package Information:
  https://launchpad.net/ubuntu/+source/linux-azure/6.17.0-1013.13
  https://launchpad.net/ubuntu/+source/linux-azure-6.17/6.17.0-1013.13~24.04.1
  https://launchpad.net/ubuntu/+source/linux-oem-6.17/6.17.0-1020.20

[USN-8248-1] NASM vulnerabilities

==========================================================================
Ubuntu Security Notice USN-8248-1
May 07, 2026

nasm vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in NASM.

Software Description:
- nasm: Netwide Assembler

Details:

Daisy Chen discovered that NASM was vulnerable to a heap buffer overflow when handling certain input. An attacker could possibly use this issue to cause NASM to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2023-31722)

It was discovered that NASM incorrectly handled memory allocation. An attacker could possibly use this issue to cause NASM to use excessive resources, leading to a denial of service. This issue only affected Ubuntu 24.04 LTS. (CVE-2021-33452, CVE-2021-33450)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  nasm  2.16.01-1ubuntu0.1~esm1  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  nasm  2.15.05-1ubuntu0.1~esm1  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8248-1
  CVE-2021-33450, CVE-2021-33452, CVE-2023-31722

[USN-8247-1] OWSLib vulnerability

==========================================================================
Ubuntu Security Notice USN-8247-1
May 07, 2026

owslib vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

OWSLib could be made to expose sensitive information.

Software Description:
- owslib: Client library for Open Geospatial (OGC) web services

Details:

It was discovered that OWSLib did not properly disable entity resolution within its XML parser. An attacker could possibly use this issue to read arbitrary files via a crafted XML payload.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS
  python3-owslib  0.25.0-1ubuntu0.1~esm1  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  python3-owslib  0.19.1-1ubuntu0.1~esm1  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  python-owslib  0.16.0-1ubuntu0.1~esm1  Available with Ubuntu Pro
  python3-owslib  0.16.0-1ubuntu0.1~esm1  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  python-owslib  0.10.3-1ubuntu0.1~esm1  Available with Ubuntu Pro
  python3-owslib  0.10.3-1ubuntu0.1~esm1  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8247-1
  CVE-2023-27476

[USN-8244-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-8244-1
May 07, 2026

linux, linux-aws, linux-aws-6.17, linux-gcp, linux-gcp-6.17, linux-hwe-6.17, linux-oracle, linux-realtime, linux-realtime-6.17 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-realtime: Linux kernel for Real-time systems
- linux-aws-6.17: Linux kernel for Amazon Web Services (AWS) systems
- linux-gcp-6.17: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe-6.17: Linux hardware enablement (HWE) kernel
- linux-realtime-6.17: Linux kernel for Real-time systems

Details:

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Network drivers;
- NVME drivers;
- Netfilter;
(CVE-2026-23112, CVE-2026-23231, CVE-2026-23273)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 25.10
  linux-image-6.17.0-1011-realtime  6.17.0-1011.12
  linux-image-6.17.0-1012-oracle  6.17.0-1012.12
  linux-image-6.17.0-1012-oracle-64k  6.17.0-1012.12
  linux-image-6.17.0-1013-aws  6.17.0-1013.13
  linux-image-6.17.0-1013-aws-64k  6.17.0-1013.13
  linux-image-6.17.0-1013-gcp  6.17.0-1013.13
  linux-image-6.17.0-1013-gcp-64k  6.17.0-1013.13
  linux-image-6.17.0-23-generic  6.17.0-23.23
  linux-image-6.17.0-23-generic-64k  6.17.0-23.23
  linux-image-aws  6.17.0-1013.13
  linux-image-aws-6.17  6.17.0-1013.13
  linux-image-aws-64k  6.17.0-1013.13
  linux-image-aws-64k-6.17  6.17.0-1013.13
  linux-image-gcp  6.17.0-1013.13
  linux-image-gcp-6.17  6.17.0-1013.13
  linux-image-gcp-64k  6.17.0-1013.13
  linux-image-gcp-64k-6.17  6.17.0-1013.13
  linux-image-generic  6.17.0-23.23
  linux-image-generic-6.17  6.17.0-23.23
  linux-image-generic-64k  6.17.0-23.23
  linux-image-generic-64k-6.17  6.17.0-23.23
  linux-image-oracle  6.17.0-1012.12
  linux-image-oracle-6.17  6.17.0-1012.12
  linux-image-oracle-64k  6.17.0-1012.12
  linux-image-oracle-64k-6.17  6.17.0-1012.12
  linux-image-realtime  6.17.0-1011.12
  linux-image-realtime-6.17  6.17.0-1011.12
  linux-image-virtual  6.17.0-23.23
  linux-image-virtual-6.17  6.17.0-23.23

Ubuntu 24.04 LTS
  linux-image-6.17.0-1011-realtime  6.17.0-1011.12~24.04.1  Available with Ubuntu Pro
  linux-image-6.17.0-1013-aws  6.17.0-1013.13~24.04.1
  linux-image-6.17.0-1013-aws-64k  6.17.0-1013.13~24.04.1
  linux-image-6.17.0-1013-gcp  6.17.0-1013.13~24.04.1
  linux-image-6.17.0-1013-gcp-64k  6.17.0-1013.13~24.04.1
  linux-image-6.17.0-23-generic  6.17.0-23.23~24.04.1
  linux-image-6.17.0-23-generic-64k  6.17.0-23.23~24.04.1
  linux-image-aws  6.17.0-1013.13~24.04.1
  linux-image-aws-6.17  6.17.0-1013.13~24.04.1
  linux-image-aws-64k  6.17.0-1013.13~24.04.1
  linux-image-aws-64k-6.17  6.17.0-1013.13~24.04.1
  linux-image-gcp  6.17.0-1013.13~24.04.1
  linux-image-gcp-6.17  6.17.0-1013.13~24.04.1
  linux-image-gcp-64k  6.17.0-1013.13~24.04.1
  linux-image-gcp-64k-6.17  6.17.0-1013.13~24.04.1
  linux-image-generic-6.17  6.17.0-23.23~24.04.1
  linux-image-generic-64k-6.17  6.17.0-23.23~24.04.1
  linux-image-generic-64k-hwe-24.04  6.17.0-23.23~24.04.1
  linux-image-generic-hwe-24.04  6.17.0-23.23~24.04.1
  linux-image-realtime-6.17  6.17.0-1011.12~24.04.1  Available with Ubuntu Pro
  linux-image-realtime-hwe-24.04  6.17.0-1011.12~24.04.1  Available with Ubuntu Pro
  linux-image-virtual-6.17  6.17.0-23.23~24.04.1
  linux-image-virtual-hwe-24.04  6.17.0-23.23~24.04.1

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References:
  https://ubuntu.com/security/notices/USN-8244-1
  CVE-2026-23112, CVE-2026-23231, CVE-2026-23273

Package Information:
  https://launchpad.net/ubuntu/+source/linux/6.17.0-23.23
  https://launchpad.net/ubuntu/+source/linux-aws/6.17.0-1013.13
  https://launchpad.net/ubuntu/+source/linux-gcp/6.17.0-1013.13
  https://launchpad.net/ubuntu/+source/linux-oracle/6.17.0-1012.12
  https://launchpad.net/ubuntu/+source/linux-realtime/6.17.0-1011.12
  https://launchpad.net/ubuntu/+source/linux-aws-6.17/6.17.0-1013.13~24.04.1
  https://launchpad.net/ubuntu/+source/linux-gcp-6.17/6.17.0-1013.13~24.04.1
  https://launchpad.net/ubuntu/+source/linux-hwe-6.17/6.17.0-23.23~24.04.1
  https://launchpad.net/ubuntu/+source/linux-realtime-6.17/6.17.0-1011.12~24.04.1

[USN-8251-1] libpng vulnerabilities

==========================================================================
Ubuntu Security Notice USN-8251-1
May 07, 2026

libpng1.6 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in libpng.

Software Description:
- libpng1.6: PNG (Portable Network Graphics) file library

Details:

It was discovered that libpng incorrectly handled memory when processing certain PNG files. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-33416)

It was discovered that libpng incorrectly handled expanding 8-bit paletted rows to RGB or RGBA on ARM processors. If a user or automated system were tricked into opening a specially crafted PNG file, an attacker could use this issue to cause libpng to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-33636)

It was discovered that libpng incorrectly handled certain setter APIs. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-34757)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 25.10
  libpng16-16t64  1.6.50-1ubuntu0.5

Ubuntu 24.04 LTS
  libpng16-16t64  1.6.43-5ubuntu0.6

Ubuntu 22.04 LTS
  libpng16-16  1.6.37-3ubuntu0.5

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8251-1
  CVE-2026-33416, CVE-2026-33636, CVE-2026-34757

Package Information:
  https://launchpad.net/ubuntu/+source/libpng1.6/1.6.50-1ubuntu0.5
  https://launchpad.net/ubuntu/+source/libpng1.6/1.6.43-5ubuntu0.6
  https://launchpad.net/ubuntu/+source/libpng1.6/1.6.37-3ubuntu0.5

[USN-8249-1] dpkg vulnerability

==========================================================================
Ubuntu Security Notice USN-8249-1
May 07, 2026

dpkg vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS

Summary:

dpkg could be made to stop responding if it opened a specially crafted file.

Software Description:
- dpkg: Debian package management system

Details:

Yashashree Gund discovered that the dpkg dpkg-deb tool incorrectly handled certain zstd-compressed .deb archives. If a user or automated system were tricked into manipulating a specially crafted .deb archive, a remote attacker could possibly use this issue to cause dpkg-deb to stop responding, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 25.10
  dpkg  1.22.21ubuntu3.2

Ubuntu 24.04 LTS
  dpkg  1.22.6ubuntu6.6

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8249-1
  CVE-2026-2219

Package Information:
  https://launchpad.net/ubuntu/+source/dpkg/1.22.21ubuntu3.2
  https://launchpad.net/ubuntu/+source/dpkg/1.22.6ubuntu6.6

[USN-8250-1] Little CMS vulnerability

==========================================================================
Ubuntu Security Notice USN-8250-1
May 07, 2026

lcms2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10

Summary:

Little CMS could be made to crash if it opened a specially crafted ICC profile.

Software Description:
- lcms2: Little CMS color management library

Details:

It was discovered that Little CMS incorrectly handled certain malformed ICC profiles. An attacker could possibly use this issue to cause Little CMS to crash, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 26.04 LTS
  liblcms2-2  2.17-1ubuntu0.2

Ubuntu 25.10
  liblcms2-2  2.16-2ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8250-1
  CVE-2026-42798

Package Information:
  https://launchpad.net/ubuntu/+source/lcms2/2.17-1ubuntu0.2
  https://launchpad.net/ubuntu/+source/lcms2/2.16-2ubuntu0.2

[USN-8236-1] Slurm vulnerabilities

==========================================================================
Ubuntu Security Notice USN-8236-1
May 06, 2026

slurm-wlm vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Slurm.

Software Description:
- slurm-wlm: Simple Linux Utility for Resource Management

Details:

It was discovered that Slurm did not correctly handle certain file system operations. An attacker could possibly use this issue to modify files or leak sensitive information. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-41914)

Ryan Hall discovered that Slurm did not correctly enforce certain message integrity checks. An attacker could possibly use this issue to bypass integrity checks. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-49933)

Ryan Hall discovered that Slurm did not correctly handle certain memory operations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-49937)

Ryan Hall discovered that Slurm did not correctly handle certain access control mechanisms. An attacker could possibly use this issue to modify files or leak sensitive information. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-49938)

It was discovered that Slurm did not correctly handle user promotion. An attacker could possibly use this issue to promote themselves to an administrator. (CVE-2025-43904)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  libpam-slurm  23.11.4-1.2ubuntu5+esm1  Available with Ubuntu Pro
  libpam-slurm-dev  23.11.4-1.2ubuntu5+esm1  Available with Ubuntu Pro
  libslurm-dev  23.11.4-1.2ubuntu5+esm1  Available with Ubuntu Pro
  slurm-wlm  23.11.4-1.2ubuntu5+esm1  Available with Ubuntu Pro
  slurmctld  23.11.4-1.2ubuntu5+esm1  Available with Ubuntu Pro
  slurmd  23.11.4-1.2ubuntu5+esm1  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  libpam-slurm  21.08.5-2ubuntu1+esm2  Available with Ubuntu Pro
  libslurm-dev  21.08.5-2ubuntu1+esm2  Available with Ubuntu Pro
  slurm-wlm  21.08.5-2ubuntu1+esm2  Available with Ubuntu Pro
  slurmctld  21.08.5-2ubuntu1+esm2  Available with Ubuntu Pro
  slurmd  21.08.5-2ubuntu1+esm2  Available with Ubuntu Pro

After a standard system update you need to restart Slurm to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8236-1
  CVE-2023-41914, CVE-2023-49933, CVE-2023-49937, CVE-2023-49938, CVE-2025-43904

Wednesday, May 6, 2026

s390x builder outage

Just to notify a wider audience, our s390x builders have been offline today due to a failure of a storage array. Folks have been working today to bring it back up, but the fix will require parts that need to be overnight shipped. Hopefully the machines will be back online tomorrow after the replacement is installed. Arched Builds submitted now will wait for s390x builders to be back to complete. You can watch https://www.fedorastatus.org/ and/or https://forge.fedoraproject.org/infra/tickets/issues/13326 for further status. Sorry for the outage.

kevin

[USN-8239-1] Apache HTTP Server vulnerabilities

==========================================================================
Ubuntu Security Notice USN-8239-1
May 06, 2026

apache2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Apache HTTP Server.

Software Description:
- apache2: Apache HTTP server

Details:

Bartlomiej Dmitruk and Stanislaw Strzalkowski discovered that Apache HTTP Server incorrectly handled certain memory operations when using the HTTP/2 protocol. A remote attacker could use this issue to cause Apache HTTP Server to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-23918)

It was discovered that the Apache HTTP Server mod_rewrite module incorrectly handled certain privileges. A local attacker could possibly use this issue to obtain sensitive information. (CVE-2026-24072)

Andrew Lacambra, Elhanan Haenel, Tianshuo Han, and Tristan Madani discovered that the Apache HTTP Server mod_proxy_ajp module incorrectly handled certain AJP server messages. An attacker in control of a backend AJP server could use this issue to cause Apache HTTP Server to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-28780)

Pavel Kohout discovered that Apache HTTP Server did not properly limit resource allocation in mod_md when processing OCSP response data. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2026-29168)

Pavel Kohout discovered that the Apache HTTP Server incorrectly handled certain memory operations in mod_dav_lock. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-29169)

Nitescu Lucian discovered that Apache HTTP Server had a timing attack vulnerability in mod_auth_digest. A remote attacker could possibly use this issue to bypass Digest authentication. (CVE-2026-33006)

Pavel Kohout and Arkadi Vainbrand discovered that Apache HTTP Server incorrectly handled certain memory operations in mod_authn_socache. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-33007)

Haruki Oyama, Merih Mengisteab, and Dawit Jeong discovered that Apache HTTP Server had an HTTP response splitting vulnerability in multiple modules when used with untrusted or compromised backend servers. An attacker could possibly use this issue to inject arbitrary HTTP headers. (CVE-2026-33523)

Elhanan Haenel discovered that Apache HTTP Server incorrectly handled certain memory operations in mod_proxy_ajp. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-33857)

Tianshuo Han and Jérôme Djouder discovered that Apache HTTP Server incorrectly handled certain string operations in mod_proxy_ajp. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-34032)

Elhanan Haenel discovered that Apache HTTP Server incorrectly handled certain memory operations in mod_proxy_ajp. A remote attacker could use this issue to cause Apache HTTP Server to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2026-34059)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 26.04 LTS
  apache2  2.4.66-2ubuntu2.1

Ubuntu 25.10
  apache2  2.4.64-1ubuntu3.4

Ubuntu 24.04 LTS
  apache2  2.4.58-1ubuntu8.12

Ubuntu 22.04 LTS
  apache2  2.4.52-1ubuntu4.20

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8239-1
  CVE-2026-23918, CVE-2026-24072, CVE-2026-28780, CVE-2026-29168, CVE-2026-29169, CVE-2026-33006, CVE-2026-33007, CVE-2026-33523, CVE-2026-33857, CVE-2026-34032, CVE-2026-34059

Package Information:
  https://launchpad.net/ubuntu/+source/apache2/2.4.66-2ubuntu2.1
  https://launchpad.net/ubuntu/+source/apache2/2.4.64-1ubuntu3.4
  https://launchpad.net/ubuntu/+source/apache2/2.4.58-1ubuntu8.12
  https://launchpad.net/ubuntu/+source/apache2/2.4.52-1ubuntu4.20