Flock to Fedora 2026: Call for On-Site Volunteers

Hello everyone, 

Flock to Fedora 2026[1] is right around the corner—exciting! :) To help this community event run smoothly, we are asking if some in-person attendees would be willing to volunteer their time during it. The intake form[2] has more details about the kinds of volunteers we need. Our schedule for the event is live[3] and some tickets for the event[4] are still available. Attendance is capped, so if you plan to attend or are speaking and have not registered yet, secure your ticket soon!

This volunteer intake form will close on Tuesday, June 2, 2026. On behalf of the Flock organiser team, we really appreciate you giving your time to help make the event run successfully.

Kindest regards and many thanks,

Aoife, on behalf of the Flock organization team

[1] https://fedoraproject.org/flock/2026/

[2] https://forms.gle/TiV89PCphsUQfPsG6

[3] https://cfp.fedoraproject.org/flock-to-fedora-2026/schedule/

[4] https://rsvp.fedoraproject.org/community/flock-2026/

--

Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney

-- _______________________________________________ devel-announce mailing list -- devel-announce@lists.fedoraproject.org To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

confirm 3e3d3085b07b336fc9464e0d753e1d4385af7634

Your membership in the mailing list ubuntu-security-announce has been disabled due to excessive bounces The last bounce received from you was dated 25-May-2026. You will not get any more messages from this list until you re-enable your membership. You will receive 3 more reminders like this before your membership in the list is deleted. To re-enable your membership, you can simply respond to this message (leaving the Subject: line intact), or visit the confirmation page at https://lists.ubuntu.com/mailman/confirm/ubuntu-security-announce/3e3d3085b07b336fc9464e0d753e1d4385af7634 You can also visit your membership page at https://lists.ubuntu.com/mailman/options/ubuntu-security-announce/reallost1.fbsd2233449%40blogger.com On your membership page, you can change various delivery options such as your email address and whether you get digests or not. As a reminder, your membership password is quicker If you have any questions or problems, you can contact the list owner at ubuntu-security-announce-owner@lists.ubuntu.com

[USN-8301-1] SimpleEval vulnerability

========================================================================== Ubuntu Security Notice USN-8301-1 May 25, 2026 simpleeval vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: SimpleEval could be made to run programs if it received specially crafted input. Software Description: - simpleeval: Python library for evaluating expressions Details: Byambadalai Sumiya discovered that SimpleEval did not properly restrict attribute access and callback handling inside a sandbox. An attacker could possibly use this issue to execute arbitrary code. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS python3-simpleeval 1.0.3-1+deb13u1build0.26.04.1 Ubuntu 25.10 python3-simpleeval 1.0.3-1+deb13u1build0.25.10.1 Ubuntu 24.04 LTS python3-simpleeval 0.9.12-1+deb12u1build0.24.04.1 Ubuntu 22.04 LTS python3-simpleeval 0.9.11-1ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 20.04 LTS python3-simpleeval 0.9.10-1+deb11u1build0.20.04.1 Available with Ubuntu Pro Ubuntu 18.04 LTS python-simpleeval 0.9.5-1ubuntu0.1~esm1 Available with Ubuntu Pro python3-simpleeval 0.9.5-1ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 16.04 LTS python-simpleeval 0.8.7-1ubuntu0.1~esm1 Available with Ubuntu Pro python3-simpleeval 0.8.7-1ubuntu0.1~esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8301-1 CVE-2026-32640 Package Information: https://launchpad.net/ubuntu/+source/simpleeval/1.0.3-1+deb13u1build0.26.04.1 https://launchpad.net/ubuntu/+source/simpleeval/1.0.3-1+deb13u1build0.25.10.1 https://launchpad.net/ubuntu/+source/simpleeval/0.9.12-1+deb12u1build0.24.04.1

[USN-8291-3] Linux kernel (Low Latency) vulnerabilities

========================================================================== Ubuntu Security Notice USN-8291-3 May 25, 2026 linux-lowlatency vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux-lowlatency: Linux low latency kernel Details: Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - SMB network file system; - Netfilter; - io_uring subsystem; (CVE-2024-35862, CVE-2024-50060, CVE-2026-23274, CVE-2026-23351) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS linux-image-5.15.0-178-lowlatency 5.15.0-178.188 linux-image-5.15.0-178-lowlatency-64k 5.15.0-178.188 linux-image-lowlatency 5.15.0.178.150 linux-image-lowlatency-5.15 5.15.0.178.150 linux-image-lowlatency-64k 5.15.0.178.150 linux-image-lowlatency-64k-5.15 5.15.0.178.150 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-8291-3 https://ubuntu.com/security/notices/USN-8291-2 https://ubuntu.com/security/notices/USN-8291-1 CVE-2024-35862, CVE-2024-50060, CVE-2026-23274, CVE-2026-23351 Package Information: https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-178.188

[USN-8300-1] ngtcp2 vulnerability

========================================================================== Ubuntu Security Notice USN-8300-1 May 25, 2026 ngtcp2 vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: ngtcp2 could be made to run programs as your login if it received specially crafted network traffic when qlog was enabled. Software Description: - ngtcp2: RFC9000 QUIC protocol implementation Details: Zou Dikai discovered that ngtcp2 serialized peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog was enabled, a remote attacker could possibly use this issue to execute arbitrary code. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS libngtcp2-16 1.16.0-1ubuntu0.1 libngtcp2-crypto-gnutls-dev 1.16.0-1ubuntu0.1 libngtcp2-crypto-gnutls8 1.16.0-1ubuntu0.1 libngtcp2-crypto-ossl-dev 1.16.0-1ubuntu0.1 libngtcp2-crypto-ossl0 1.16.0-1ubuntu0.1 libngtcp2-dev 1.16.0-1ubuntu0.1 Ubuntu 25.10 libngtcp2-16 1.11.0-1+deb13u1build0.25.10.1 libngtcp2-crypto-gnutls-dev 1.11.0-1+deb13u1build0.25.10.1 libngtcp2-crypto-gnutls8 1.11.0-1+deb13u1build0.25.10.1 libngtcp2-dev 1.11.0-1+deb13u1build0.25.10.1 ngtcp2-client 1.11.0-1+deb13u1build0.25.10.1 ngtcp2-server 1.11.0-1+deb13u1build0.25.10.1 Ubuntu 24.04 LTS libngtcp2-9 0.12.1+dfsg-1+deb12u1build0.24.04.1 libngtcp2-crypto-gnutls-dev 0.12.1+dfsg-1+deb12u1build0.24.04.1 libngtcp2-crypto-gnutls2 0.12.1+dfsg-1+deb12u1build0.24.04.1 libngtcp2-dev 0.12.1+dfsg-1+deb12u1build0.24.04.1 ngtcp2-client 0.12.1+dfsg-1+deb12u1build0.24.04.1 ngtcp2-server 0.12.1+dfsg-1+deb12u1build0.24.04.1 Ubuntu 22.04 LTS libngtcp2-0 0.1.0+dfsg-1ubuntu0.1~esm1 Available with Ubuntu Pro libngtcp2-crypto-gnutls-dev 0.1.0+dfsg-1ubuntu0.1~esm1 Available with Ubuntu Pro libngtcp2-crypto-gnutls0 0.1.0+dfsg-1ubuntu0.1~esm1 Available with Ubuntu Pro libngtcp2-dev 0.1.0+dfsg-1ubuntu0.1~esm1 Available with Ubuntu Pro ngtcp2-client 0.1.0+dfsg-1ubuntu0.1~esm1 Available with Ubuntu Pro ngtcp2-server 0.1.0+dfsg-1ubuntu0.1~esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8300-1 CVE-2026-40170 Package Information: https://launchpad.net/ubuntu/+source/ngtcp2/1.16.0-1ubuntu0.1 https://launchpad.net/ubuntu/+source/ngtcp2/1.11.0-1+deb13u1build0.25.10.1 https://launchpad.net/ubuntu/+source/ngtcp2/0.12.1+dfsg-1+deb12u1build0.24.04.1

[USN-8299-1] Rclone vulnerabilities

========================================================================== Ubuntu Security Notice USN-8299-1 May 25, 2026 rclone vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Rclone. Software Description: - rclone: rsync for commercial cloud storage Details: It was discovered that Rclone incorrectly handled authorization in the remote control API. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-41176) It was discovered that Rclone incorrectly handled backend instantiation via the remote control API. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-41179) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS rclone 1.60.1+dfsg-4ubuntu3.1 Ubuntu 25.10 rclone 1.60.1+dfsg-4ubuntu2.1 Ubuntu 24.04 LTS rclone 1.60.1+dfsg-3ubuntu0.24.04.5 Ubuntu 22.04 LTS rclone 1.53.3-4ubuntu1.22.04.4 Ubuntu 20.04 LTS rclone 1.50.2-2ubuntu0.2+esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8299-1 CVE-2026-41176, CVE-2026-41179 Package Information: https://launchpad.net/ubuntu/+source/rclone/1.60.1+dfsg-4ubuntu3.1 https://launchpad.net/ubuntu/+source/rclone/1.60.1+dfsg-4ubuntu2.1 https://launchpad.net/ubuntu/+source/rclone/1.60.1+dfsg-3ubuntu0.24.04.5 https://launchpad.net/ubuntu/+source/rclone/1.53.3-4ubuntu1.22.04.4

[arch-announce] Breaking changes for all users of `varnish`, which is renamed to `vinyl-cache`

The Varnish project has [renamed itself to Vinyl Cache][0]. We followed this rename with a [new `vinyl-cache` package][1]. This upgrade results in [breaking changes][2] and users are advised to study these changes and how it affects them before following the replacement. All references to "`varnish`" have been changed to "`vinyl`" in all binaries and directories. At minimum, users will have to: - rename `/etc/varnish` to `/etc/vinyl-cache` - rename `/var/lib/varnish` to `/var/lib/vinyl-cache` - fix up ownership of files inside `/var/lib/varnish` - user `varnish` becomes `vinyl` - group `varnish` becomes `vinyl` - user `varnishlog` becomes `vinyllog` - user `vcache` remains the same - disable the old `varnish.service` and `varnishncsa.service` systemd units - enable the new `vinyl-cache.service` and `vinylncsa.service` systemd units Meanwhile, the `varnish` package has been dropped from `[extra]`. We're not currently planning to maintain a new `varnish` package as it's a different upstream project. [0]: https://vinyl-cache.org/organization/on_vinyl_cache_and_varnish_cache.html#org-vinyl-varnish [1]: https://gitlab.archlinux.org/archlinux/packaging/packages/vinyl-cache [2]: https://vinyl-cache.org/docs/9.0/whats-new/upgrading-9.0.html URL: https://archlinux.org/news/breaking-changes-for-all-users-of-varnish-which-is-renamed-to-vinyl-cache/

[USN-8280-2] Linux kernel (Azure)vulnerabilities

========================================================================== Ubuntu Security Notice USN-8280-2 May 22, 2026 linux-azure, linux-azure-5.4, linux-azure-fips vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-azure-fips: Linux kernel for Microsoft Azure Cloud systems with FIPS - linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems Details: It was discovered that the Linux kernel algif_aead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-31431) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Cryptographic API; - Packet sockets; - TLS protocol; (CVE-2026-31504, CVE-2026-31533, CVE-2026-43033, CVE-2026-43077, CVE-2026-43078) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS linux-image-5.4.0-1163-azure 5.4.0-1163.169 Available with Ubuntu Pro linux-image-5.4.0-1163-azure-fips 5.4.0-1163.169+fips1 Available with Ubuntu Pro linux-image-azure-5.4 5.4.0.1163.155 Available with Ubuntu Pro linux-image-azure-fips 5.4.0.1163.99 Available with Ubuntu Pro linux-image-azure-fips-5.4 5.4.0.1163.99 Available with Ubuntu Pro linux-image-azure-lts-20.04 5.4.0.1163.155 Available with Ubuntu Pro Ubuntu 18.04 LTS linux-image-5.4.0-1163-azure 5.4.0-1163.169~18.04.1 Available with Ubuntu Pro linux-image-azure 5.4.0.1163.169~18.04.1 Available with Ubuntu Pro linux-image-azure-5.4 5.4.0.1163.169~18.04.1 Available with Ubuntu Pro After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-8280-2 https://ubuntu.com/security/notices/USN-8280-1 CVE-2026-31431, CVE-2026-31504, CVE-2026-31533, CVE-2026-43033, CVE-2026-43077, CVE-2026-43078

[USN-8290-1] Path-to-Regexp vulnerability

========================================================================== Ubuntu Security Notice USN-8290-1 May 21, 2026 node-path-to-regexp vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Path-to-Regexp could be made to crash if it received specially crafted network traffic. Software Description: - node-path-to-regexp: Turn a path string such as /user/:name into a regular expression. Details: It was discovered that Path-to-Regexp incorrectly handled route patterns containing multiple named parameters separated by non-delimiter characters such as hyphens. An attacker could possibly use this issue to cause a denial of service via catastrophic backtracking in the generated regular expressions. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.04 LTS node-path-to-regexp 6.2.1-1ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 22.04 LTS node-path-to-regexp 6.2.0-2ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 20.04 LTS node-path-to-regexp 6.1.0-2ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 18.04 LTS node-path-to-regexp 1.0.1-1ubuntu0.18.04.1~esm1 Available with Ubuntu Pro Ubuntu 16.04 LTS node-path-to-regexp 1.0.1-1ubuntu0.16.04.1~esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8290-1 CVE-2024-45296

[USN-8291-2] Linux kernel (Low Latency) vulnerabilities

========================================================================== Ubuntu Security Notice USN-8291-2 May 22, 2026 linux-lowlatency-hwe-5.15 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux-lowlatency-hwe-5.15: Linux low latency kernel Details: Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - SMB network file system; - Netfilter; - io_uring subsystem; (CVE-2024-35862, CVE-2024-50060, CVE-2026-23274, CVE-2026-23351) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS linux-image-5.15.0-178-lowlatency 5.15.0-178.188~20.04.1 Available with Ubuntu Pro linux-image-5.15.0-178-lowlatency-64k 5.15.0-178.188~20.04.1 Available with Ubuntu Pro linux-image-lowlatency-5.15 5.15.0.178.188~20.04.1 Available with Ubuntu Pro linux-image-lowlatency-64k-5.15 5.15.0.178.188~20.04.1 Available with Ubuntu Pro linux-image-lowlatency-64k-hwe-20.04 5.15.0.178.188~20.04.1 Available with Ubuntu Pro linux-image-lowlatency-hwe-20.04 5.15.0.178.188~20.04.1 Available with Ubuntu Pro After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-8291-2 https://ubuntu.com/security/notices/USN-8291-1 CVE-2024-35862, CVE-2024-50060, CVE-2026-23274, CVE-2026-23351

[USN-8295-1] Evince vulnerability

========================================================================== Ubuntu Security Notice USN-8295-1 May 22, 2026 evince vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Evince could be made to run programs as your login if it opened a specially crafted file. Software Description: - evince: Document viewer Details: It was discovered that Evince did not properly sanitize command-line arguments in PDF /GoToR actions. If a user opened a specially crafted PDF file, an attacker could possibly use this issue to execute arbitrary code. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS evince 49~alpha-2ubuntu2.1 evince-common 49~alpha-2ubuntu2.1 Ubuntu 25.10 evince 48.1-3ubuntu2.1 evince-common 48.1-3ubuntu2.1 Ubuntu 24.04 LTS evince 46.3.1-0ubuntu1.1 evince-common 46.3.1-0ubuntu1.1 Ubuntu 22.04 LTS evince 42.3-0ubuntu3.2 evince-common 42.3-0ubuntu3.2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8295-1 CVE-2026-46529 Package Information: https://launchpad.net/ubuntu/+source/evince/49~alpha-2ubuntu2.1 https://launchpad.net/ubuntu/+source/evince/48.1-3ubuntu2.1 https://launchpad.net/ubuntu/+source/evince/46.3.1-0ubuntu1.1 https://launchpad.net/ubuntu/+source/evince/42.3-0ubuntu3.2

[USN-8294-1] PostgreSQL vulnerabilities

========================================================================== Ubuntu Security Notice USN-8294-1 May 21, 2026 postgresql-14, postgresql-16, postgresql-17, postgresql-18 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in PostgreSQL. Software Description: - postgresql-18: Object-relational SQL database - postgresql-17: Object-relational SQL database - postgresql-16: Object-relational SQL database - postgresql-14: Object-relational SQL database Details: It was discovered that PostgreSQL did not correctly enforce authorization for CREATE TYPE. An attacker could possibly use this issue to execute arbitrary SQL functions. (CVE-2026-6472) It was discovered that PostgreSQL incorrectly handled large user input in multiple server features. An attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-6473) It was discovered that PostgreSQL incorrectly handled format strings in the timeofday() function. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-6474) It was discovered that PostgreSQL incorrectly followed symbolic links in pg_basebackup and pg_rewind. An attacker could possibly use this issue to overwrite local files and execute arbitrary code. (CVE-2026-6475) It was discovered that PostgreSQL had an SQL injection vulnerability in pg_createsubscriber. An attacker could possibly use this issue to execute arbitrary SQL as a superuser. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-6476) It was discovered that PostgreSQL used an unsafe libpq function in large object operations. An attacker could possibly use this issue to overwrite client memory and execute arbitrary code. (CVE-2026-6477) It was discovered that PostgreSQL did not compare MD5-hashed passwords in constant time. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-6478) It was discovered that PostgreSQL had uncontrolled recursion during SSL and GSS negotiation. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-6479) It was discovered that PostgreSQL incorrectly handled array length mismatches in pg_restore_attribute_stats(). An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-6575) It was discovered that PostgreSQL had a stack buffer overflow in the refint module. An attacker could use this issue to cause PostgreSQL to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-6637) It was discovered that PostgreSQL had an SQL injection vulnerability in logical replication REFRESH PUBLICATION. An attacker could possibly use this issue to execute arbitrary SQL. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-6638) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS postgresql-18 18.4-0ubuntu0.26.04.1 Ubuntu 25.10 postgresql-17 17.10-0ubuntu0.25.10.1 Ubuntu 24.04 LTS postgresql-16 16.14-0ubuntu0.24.04.1 Ubuntu 22.04 LTS postgresql-14 14.23-0ubuntu0.22.04.1 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart PostgreSQL to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8294-1 CVE-2026-6472, CVE-2026-6473, CVE-2026-6474, CVE-2026-6475, CVE-2026-6476, CVE-2026-6477, CVE-2026-6478, CVE-2026-6479, CVE-2026-6575, CVE-2026-6637, CVE-2026-6638 Package Information: https://launchpad.net/ubuntu/+source/postgresql-18/18.4-0ubuntu0.26.04.1 https://launchpad.net/ubuntu/+source/postgresql-17/17.10-0ubuntu0.25.10.1 https://launchpad.net/ubuntu/+source/postgresql-16/16.14-0ubuntu0.24.04.1 https://launchpad.net/ubuntu/+source/postgresql-14/14.23-0ubuntu0.22.04.1