
Ubuntu issued a batch of security notices on May 28 and 29, 2026 to patch critical flaws across several widely used packages. The Apache HTTP Server update restores mod_http2 on Ubuntu 18.04 LTS, where the earlier USN-8338-1 update had prevented the module from loading. The pip fix for CVE-2025-66471 has been temporarily reverted because the initial patch triggered installation failures on Ubuntu 22.04 LTS, 24.04 LTS and 26.04 LTS. A separate LibTIFF vulnerability (CVE-2025-9900) affects the copies of the library vendored in QT WebEngine, GDAL and Texmaker: malformed TIFF metadata could crash these programs and potentially allow attackers to execute arbitrary code.

[USN-8338-2] Apache HTTP Server regression
[USN-8344-2] pip regression
[USN-8347-1] QT WebEngine vulnerability
[USN-8345-1] GDAL vulnerability
[USN-8346-1] Texmaker vulnerabilities




[USN-8338-2] Apache HTTP Server regression


==========================================================================
Ubuntu Security Notice USN-8338-2
May 29, 2026

apache2 regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

USN-8338-1 introduced a regression in Apache HTTP Server.

Software Description:
- apache2: Apache HTTP server

Details:

USN-8338-1 fixed vulnerabilities in Apache HTTP Server. The update
introduced a regression that prevented mod_http2 from loading on Ubuntu
18.04 LTS. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that Apache HTTP Server incorrectly handled certain
response headers. An attacker could possibly use this issue to perform
HTTP response splitting attacks. This issue only affected Ubuntu 14.04
LTS. (CVE-2023-38709)

Will Dormann and David Warren discovered that Apache HTTP Server's HTTP/2
implementation did not properly reclaim memory when streams were reset by
clients. A remote attacker could possibly use this issue to cause Apache
HTTP Server to consume resources, leading to a denial of service. This
issue only affected Ubuntu 18.04 LTS. (CVE-2023-45802)

Keran Mu and Jianjun Chen discovered that Apache HTTP Server incorrectly
handled certain response headers. An attacker could possibly use this issue
to perform HTTP response splitting attacks. This issue only affected Ubuntu
14.04 LTS. (CVE-2024-24795)

Orange Tsai discovered that Apache HTTP Server mod_proxy incorrectly
handled URL encoding. A remote attacker could possibly use this issue to
bypass authentication via crafted requests. This issue only affected
Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-38473)

Orange Tsai discovered that Apache HTTP Server could be caused to perform
server-side request forgery (SSRF) via malicious backend response headers.
A remote attacker could possibly use this issue to conduct SSRF attacks or
disclose sensitive information. This issue only affected Ubuntu 14.04 LTS.
(CVE-2024-38476)

Orange Tsai discovered that Apache HTTP Server mod_proxy did not properly
handle certain null pointer conditions. A remote attacker could possibly use this
issue to cause Apache HTTP Server to crash, resulting in a denial of
service. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-38477)

Orange Tsai discovered that Apache HTTP Server mod_rewrite could be made
to perform server-side request forgery (SSRF) via unsafe RewriteRules. A
remote attacker could possibly use this issue to conduct SSRF attacks. This
issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-39573)

It was discovered that Apache HTTP Server incorrectly handled certain
response headers. An attacker could possibly use this issue to perform
HTTP response splitting attacks. This issue only affected Ubuntu 14.04 LTS.
(CVE-2024-42516)

It was discovered that Apache HTTP Server could be caused to perform
server-side request forgery (SSRF) via mod_headers modifying Content-Type
headers. A remote attacker could possibly use this issue to conduct SSRF
attacks. This issue only affected Ubuntu 14.04 LTS. (CVE-2024-43204)

John Runyon discovered that Apache HTTP Server mod_ssl did not properly
escape user-supplied data before writing log entries. A remote attacker
could possibly use this issue to insert escape sequences into log files.
This issue only affected Ubuntu 14.04 LTS. (CVE-2024-47252)

Robert Merget discovered that Apache HTTP Server with SSLEngine optional was
vulnerable to HTTP desynchronisation attacks. An attacker in a privileged
network position could possibly use this issue to hijack HTTP sessions. This issue
only affected Ubuntu 14.04 LTS. (CVE-2025-49812)

It was discovered that Apache HTTP Server mod_md had an integer overflow in
the ACME certificate renewal backoff timer. An attacker could possibly use
this issue to cause excessive certificate renewal requests. This issue only
affected Ubuntu 20.04 LTS. (CVE-2025-55753)

Anthony Parfenov discovered that Apache HTTP Server with SSI enabled and
mod_cgid passed shell-escaped query strings to #exec cmd directives. A
remote attacker could possibly use this issue to perform command injection.
(CVE-2025-58098)

Mattias Åsander discovered that Apache HTTP Server incorrectly gave
precedence to environment variables from HTTP headers over server-calculated
CGI variables. A remote attacker could possibly use this issue to influence
the environment of CGI programs. (CVE-2025-65082)

Mattias Åsander discovered that Apache HTTP Server mod_userdir with suexec
could be caused to run CGI scripts under an unexpected user ID via
RequestHeader directives in .htaccess files. An attacker with .htaccess
write access could possibly use this issue to bypass suexec user restrictions.
(CVE-2025-66200)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
apache2 2.4.29-1ubuntu4.27+esm8
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8338-2
https://ubuntu.com/security/notices/USN-8338-1
https://bugs.launchpad.net/bugs/2154546



[USN-8344-2] pip regression


==========================================================================
Ubuntu Security Notice USN-8344-2
May 29, 2026

python-pip regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

USN-8344-1 introduced a regression in pip.

Software Description:
- python-pip: Python package installer

Details:

USN-8344-1 fixed vulnerabilities in pip. On Ubuntu 22.04 LTS, Ubuntu 24.04 LTS,
and Ubuntu 26.04 LTS the patches for CVE-2025-66471 caused a regression when
using pip. The patches for CVE-2025-66471 have been temporarily reverted
pending investigation.

We apologize for the inconvenience.

Original advisory details:

It was discovered that pip incorrectly handled TLS certificate
verification in session connections. If a session was first used with
certificate verification disabled, subsequent requests to the same host
would also skip verification regardless of the session's current settings.
A remote attacker could possibly use this issue to perform a machine-in-the-middle
attack and expose sensitive information. (CVE-2024-35195)

It was discovered that pip's bundled urllib3 library did not limit the
number of decompression steps when processing HTTP responses. A remote
attacker could possibly use this issue to cause pip to consume excessive resources,
leading to a denial of service. (CVE-2025-66418)

It was discovered that pip's bundled urllib3 library improperly
handled streaming decompression of highly compressed data. A remote
attacker could possibly use this issue to cause pip to consume excessive resources,
leading to a denial of service. (CVE-2025-66471)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
python3-pip 25.1.1+dfsg-1ubuntu2+esm2
Available with Ubuntu Pro
python3-pip-whl 25.1.1+dfsg-1ubuntu2+esm2
Available with Ubuntu Pro

Ubuntu 24.04 LTS
python3-pip 24.0+dfsg-1ubuntu1.3+esm2
Available with Ubuntu Pro
python3-pip-whl 24.0+dfsg-1ubuntu1.3+esm2
Available with Ubuntu Pro

Ubuntu 22.04 LTS
python3-pip 22.0.2+dfsg-1ubuntu0.7+esm2
Available with Ubuntu Pro
python3-pip-whl 22.0.2+dfsg-1ubuntu0.7+esm2
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8344-2
https://ubuntu.com/security/notices/USN-8344-1
https://launchpad.net/bugs/2154576



[USN-8347-1] QT WebEngine vulnerability


==========================================================================
Ubuntu Security Notice USN-8347-1
May 28, 2026

qtwebengine-opensource-src vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

QT WebEngine could be made to crash or run programs if it received specially
crafted input.

Software Description:
- qtwebengine-opensource-src: QT application web browser engine

Details:

It was discovered that the vendored LibTIFF in QT WebEngine incorrectly
handled memory when parsing malformed TIFF image metadata. An attacker
could possibly use this issue to cause a denial of service, obtain
sensitive information, or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
libqt5webengine-data 5.15.19+dfsg2-4ubuntu0.1~esm1
Available with Ubuntu Pro
libqt5webengine5 5.15.19+dfsg2-4ubuntu0.1~esm1
Available with Ubuntu Pro
libqt5webenginecore5 5.15.19+dfsg2-4ubuntu0.1~esm1
Available with Ubuntu Pro
libqt5webenginewidgets5 5.15.19+dfsg2-4ubuntu0.1~esm1
Available with Ubuntu Pro
qml-module-qtwebengine 5.15.19+dfsg2-4ubuntu0.1~esm1
Available with Ubuntu Pro
qtwebengine5-dev 5.15.19+dfsg2-4ubuntu0.1~esm1
Available with Ubuntu Pro
qtwebengine5-dev-tools 5.15.19+dfsg2-4ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 24.04 LTS
libqt5pdf5 5.15.16+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
libqt5pdfwidgets5 5.15.16+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
libqt5webengine-data 5.15.16+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
libqt5webengine5 5.15.16+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
libqt5webenginecore5 5.15.16+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
libqt5webenginewidgets5 5.15.16+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
qml-module-qtquick-pdf 5.15.16+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
qml-module-qtwebengine 5.15.16+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
qt5-image-formats-plugin-pdf 5.15.16+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
qtpdf5-dev 5.15.16+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
qtwebengine5-dev 5.15.16+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
qtwebengine5-dev-tools 5.15.16+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
qtwebengine5-private-dev 5.15.16+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 22.04 LTS
libqt5pdf5 5.15.9+dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro
libqt5pdfwidgets5 5.15.9+dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro
libqt5webengine-data 5.15.9+dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro
libqt5webengine5 5.15.9+dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro
libqt5webenginecore5 5.15.9+dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro
libqt5webenginewidgets5 5.15.9+dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro
qml-module-qtquick-pdf 5.15.9+dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro
qml-module-qtwebengine 5.15.9+dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro
qt5-image-formats-plugin-pdf 5.15.9+dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro
qtpdf5-dev 5.15.9+dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro
qtwebengine5-dev 5.15.9+dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro
qtwebengine5-dev-tools 5.15.9+dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 20.04 LTS
libqt5webengine-data 5.12.8+dfsg-0ubuntu1.1+esm1
Available with Ubuntu Pro
libqt5webengine5 5.12.8+dfsg-0ubuntu1.1+esm1
Available with Ubuntu Pro
libqt5webenginecore5 5.12.8+dfsg-0ubuntu1.1+esm1
Available with Ubuntu Pro
libqt5webenginewidgets5 5.12.8+dfsg-0ubuntu1.1+esm1
Available with Ubuntu Pro
qml-module-qtwebengine 5.12.8+dfsg-0ubuntu1.1+esm1
Available with Ubuntu Pro
qtwebengine5-dev 5.12.8+dfsg-0ubuntu1.1+esm1
Available with Ubuntu Pro
qtwebengine5-dev-tools 5.12.8+dfsg-0ubuntu1.1+esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
libqt5webengine-data 5.9.5+dfsg-0ubuntu2+esm1
Available with Ubuntu Pro
libqt5webengine5 5.9.5+dfsg-0ubuntu2+esm1
Available with Ubuntu Pro
libqt5webenginecore5 5.9.5+dfsg-0ubuntu2+esm1
Available with Ubuntu Pro
libqt5webenginewidgets5 5.9.5+dfsg-0ubuntu2+esm1
Available with Ubuntu Pro
qml-module-qtwebengine 5.9.5+dfsg-0ubuntu2+esm1
Available with Ubuntu Pro
qtwebengine5-dev 5.9.5+dfsg-0ubuntu2+esm1
Available with Ubuntu Pro
qtwebengine5-dev-tools 5.9.5+dfsg-0ubuntu2+esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8347-1
CVE-2025-9900



[USN-8345-1] GDAL vulnerability


==========================================================================
Ubuntu Security Notice USN-8345-1
May 28, 2026

gdal vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

GDAL could be made to crash or run programs if it received specially
crafted input.

Software Description:
- gdal: Geospatial Data Abstraction Library

Details:

It was discovered that the vendored LibTIFF in GDAL incorrectly handled
memory when parsing malformed TIFF image metadata. An attacker could
possibly use this issue to cause a denial of service, obtain sensitive
information, or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS
gdal-bin 1.11.3+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
libgdal-dev 1.11.3+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
libgdal-java 1.11.3+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
libgdal-perl 1.11.3+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
libgdal1i 1.11.3+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
python-gdal 1.11.3+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro
python3-gdal 1.11.3+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 14.04 LTS
gdal-bin 1.10.1+dfsg-5ubuntu1+esm2
Available with Ubuntu Pro
libgdal-dev 1.10.1+dfsg-5ubuntu1+esm2
Available with Ubuntu Pro
libgdal-java 1.10.1+dfsg-5ubuntu1+esm2
Available with Ubuntu Pro
libgdal-perl 1.10.1+dfsg-5ubuntu1+esm2
Available with Ubuntu Pro
libgdal1h 1.10.1+dfsg-5ubuntu1+esm2
Available with Ubuntu Pro
python-gdal 1.10.1+dfsg-5ubuntu1+esm2
Available with Ubuntu Pro
python3-gdal 1.10.1+dfsg-5ubuntu1+esm2
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8345-1
CVE-2025-9900



[USN-8346-1] Texmaker vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8346-1
May 28, 2026

texmaker vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Texmaker could be made to crash or run programs if it received specially
crafted input.

Software Description:
- texmaker: Free cross-platform LaTeX editor

Details:

It was discovered that the vendored LibTIFF in Texmaker incorrectly
handled memory when parsing malformed TIFF image metadata. An attacker
could possibly use this issue to cause a denial of service, obtain
sensitive information, or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
texmaker 5.1.3+dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro
texmaker-data 5.1.3+dfsg-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 22.04 LTS
texmaker 5.0.3-1ubuntu0.22.04.1~esm1
Available with Ubuntu Pro
texmaker-data 5.0.3-1ubuntu0.22.04.1~esm1
Available with Ubuntu Pro

Ubuntu 20.04 LTS
texmaker 5.0.3-1ubuntu0.20.04.1~esm1
Available with Ubuntu Pro
texmaker-data 5.0.3-1ubuntu0.20.04.1~esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
texmaker 5.0.2-1ubuntu0.1~esm1
Available with Ubuntu Pro
texmaker-data 5.0.2-1ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8346-1
CVE-2025-9900