
Ubuntu has released urgent security patches for multiple LTS distributions to address critical flaws in the Apache HTTP Server and GStreamer Base Plugins. The Apache update resolves four distinct CVEs that could allow local or remote attackers to crash services, steal sensitive data, or execute malicious code through flaws in modules such as mod_rewrite and mod_proxy_ajp. Meanwhile, the GStreamer fix targets incorrect handling of AVI media files that could enable denial of service attacks or arbitrary code execution on affected systems running Ubuntu 16.04 LTS. Administrators should apply these package updates immediately and restart the web server to ensure all security changes take effect across their infrastructure.

[USN-8396-1] Apache HTTP Server vulnerabilities
[USN-8130-3] GStreamer Base Plugins vulnerability




[USN-8396-1] Apache HTTP Server vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8396-1
June 08, 2026

apache2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Apache HTTP Server.

Software Description:
- apache2: Apache HTTP server

Details:

It was discovered that the Apache HTTP Server mod_rewrite module
incorrectly handled certain privileges. A local attacker could possibly use
this issue to obtain sensitive information. (CVE-2026-24072)

Andrew Lacambra, Elhanan Haenel, Tianshuo Han, and Tristan Madani
discovered that the Apache HTTP Server mod_proxy_ajp module incorrectly
handled certain AJP server messages. An attacker in control of a
backend AJP server could use this issue to cause Apache HTTP Server to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2026-28780)

Pavel Kohout discovered that the Apache HTTP Server incorrectly handled
certain memory operations in mod_dav_lock. A remote attacker could possibly
use this issue to cause Apache HTTP Server to crash, resulting in a denial
of service. (CVE-2026-29169)

Elhanan Haenel discovered that Apache HTTP Server incorrectly handled
certain memory operations in mod_proxy_ajp. A remote attacker could use
this issue to cause Apache HTTP Server to crash, resulting in a denial of
service, or possibly obtain sensitive information. (CVE-2026-34059)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
apache2 2.4.41-4ubuntu3.23+esm4
Available with Ubuntu Pro
apache2-bin 2.4.41-4ubuntu3.23+esm4
Available with Ubuntu Pro
apache2-dev 2.4.41-4ubuntu3.23+esm4
Available with Ubuntu Pro
apache2-ssl-dev 2.4.41-4ubuntu3.23+esm4
Available with Ubuntu Pro
apache2-utils 2.4.41-4ubuntu3.23+esm4
Available with Ubuntu Pro
libapache2-mod-md 2.4.41-4ubuntu3.23+esm4
Available with Ubuntu Pro

Ubuntu 18.04 LTS
apache2 2.4.29-1ubuntu4.27+esm9
Available with Ubuntu Pro
apache2-bin 2.4.29-1ubuntu4.27+esm9
Available with Ubuntu Pro
apache2-dev 2.4.29-1ubuntu4.27+esm9
Available with Ubuntu Pro
apache2-ssl-dev 2.4.29-1ubuntu4.27+esm9
Available with Ubuntu Pro
apache2-utils 2.4.29-1ubuntu4.27+esm9
Available with Ubuntu Pro

Ubuntu 16.04 LTS
apache2 2.4.18-2ubuntu3.17+esm18
Available with Ubuntu Pro
apache2-bin 2.4.18-2ubuntu3.17+esm18
Available with Ubuntu Pro
apache2-data 2.4.18-2ubuntu3.17+esm18
Available with Ubuntu Pro
apache2-dev 2.4.18-2ubuntu3.17+esm18
Available with Ubuntu Pro
apache2-utils 2.4.18-2ubuntu3.17+esm18
Available with Ubuntu Pro

Ubuntu 14.04 LTS
apache2 2.4.7-1ubuntu4.22+esm13
Available with Ubuntu Pro
apache2-bin 2.4.7-1ubuntu4.22+esm13
Available with Ubuntu Pro
apache2-dev 2.4.7-1ubuntu4.22+esm13
Available with Ubuntu Pro
apache2-utils 2.4.7-1ubuntu4.22+esm13
Available with Ubuntu Pro
apache2.2-bin 2.4.7-1ubuntu4.22+esm13
Available with Ubuntu Pro

After a standard system update you need to restart apache2 to make
all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8396-1
CVE-2026-24072, CVE-2026-28780, CVE-2026-29169, CVE-2026-34059



[USN-8130-3] GStreamer Base Plugins vulnerability


==========================================================================
Ubuntu Security Notice USN-8130-3
June 10, 2026

gst-plugins-base1.0 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

GStreamer Base Plugins could be made to crash or run programs if it opened
a specially crafted file.

Software Description:
- gst-plugins-base1.0: GStreamer plugins

Details:

USN-8130-1 fixed a vulnerability in GStreamer Base Plugins. This update
provides the corresponding update for Ubuntu 16.04 LTS.

Original advisory details:

It was discovered that GStreamer Base Plugins incorrectly handled certain
AVI media files. A remote attacker could use this issue to cause GStreamer
Base Plugins to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
gstreamer1.0-plugins-base 1.8.3-1ubuntu0.3+esm4
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8130-3
https://ubuntu.com/security/notices/USN-8130-2
https://ubuntu.com/security/notices/USN-8130-1
CVE-2026-2921