
Multiple Ubuntu security notices have been issued to address vulnerabilities in various software packages, including OpenJDK 17 and 25, Python-keystonemiddleware, The Internet Archive Python Library, Pagure, GNU C Library, FreeRDP, Filelock, and Django. These vulnerabilities affect several versions of Ubuntu, including 25.10, 24.04 LTS, 22.04 LTS, 20.04 LTS, 18.04 LTS, and others. The issues include potential data breaches, privilege escalation, denial-of-service attacks, and SQL injection.

[USN-7997-1] CRaC JDK 17 vulnerabilities
[USN-7996-1] CRaC JDK 25 vulnerabilities
[USN-7998-1] OpenJDK 17 vulnerabilities
[USN-7995-1] OpenJDK 25 vulnerabilities
[USN-8008-1] Keystone Middleware vulnerability
[USN-7989-1] The Internet Archive Python Library vulnerability
[USN-7984-1] Pagure vulnerabilities
[USN-8005-1] GNU C Library vulnerabilities
[USN-8004-1] FreeRDP vulnerabilities
[USN-7999-1] Filelock vulnerabilities
[USN-8009-1] Django vulnerabilities




[USN-7997-1] CRaC JDK 17 vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7997-1
February 02, 2026

openjdk-17-crac vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10

Summary:

Several security issues were fixed in CRaC JDK 17.

Software Description:
- openjdk-17-crac: Open Source Java implementation with Coordinated Restore at Checkpoints

Details:

It was discovered that the RMI component of CRaC JDK 17 would establish
RMI TCP endpoint connections to a remote host without setting an
endpoint identification algorithm. An unauthenticated remote attacker
could possibly use this issue to steal sensitive information.
(CVE-2026-21925)

Mingijung discovered that the AWT and JavaFX components of CRaC JDK 17
could run programs if Desktop.browse() was supplied a filename as a
URI. An unauthenticated remote attacker could possibly use this issue
to execute arbitrary code. (CVE-2026-21932)

Zhihui Chen discovered that the Networking component of CRaC JDK 17
was susceptible to a CRLF injection vulnerability via the HttpServer
class. An unauthenticated remote attacker could possibly use this
issue to modify files or leak sensitive information. (CVE-2026-21933)

Ireneusz Pastusiak discovered that the Security component of CRaC JDK
17 failed to verify that provided URIs point to a legitimate source when
AIA is enabled. An unauthenticated remote attacker could possibly
use this issue to redirect users to malicious hosts.
(CVE-2026-21945)

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-01-20

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
openjdk-17-crac-jdk 17.0.18+8-0ubuntu1~25.10
openjdk-17-crac-jdk-headless 17.0.18+8-0ubuntu1~25.10
openjdk-17-crac-jre 17.0.18+8-0ubuntu1~25.10
openjdk-17-crac-jre-headless 17.0.18+8-0ubuntu1~25.10
openjdk-17-crac-jre-zero 17.0.18+8-0ubuntu1~25.10

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart Java
applications to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7997-1
CVE-2026-21925, CVE-2026-21932, CVE-2026-21933, CVE-2026-21945

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-17-crac/17.0.18+8-0ubuntu1~25.10



[USN-7996-1] CRaC JDK 25 vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7996-1
February 02, 2026

openjdk-25-crac vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10

Summary:

Several security issues were fixed in CRaC JDK 25.

Software Description:
- openjdk-25-crac: Open Source Java implementation with Coordinated Restore at Checkpoints

Details:

It was discovered that the RMI component of CRaC JDK 25 would establish
RMI TCP endpoint connections to a remote host without setting an
endpoint identification algorithm. An unauthenticated remote attacker
could possibly use this issue to steal sensitive information.
(CVE-2026-21925)

Mingijung discovered that the AWT and JavaFX components of CRaC JDK 25
could run programs if Desktop.browse() was supplied a filename as a
URI. An unauthenticated remote attacker could possibly use this issue
to execute arbitrary code. (CVE-2026-21932)

Zhihui Chen discovered that the Networking component of CRaC JDK 25
was susceptible to a CRLF injection vulnerability via the HttpServer
class. An unauthenticated remote attacker could possibly use this
issue to modify files or leak sensitive information. (CVE-2026-21933)

Ireneusz Pastusiak discovered that the Security component of CRaC JDK
25 failed to verify that provided URIs point to a legitimate source when
AIA is enabled. An unauthenticated remote attacker could possibly
use this issue to redirect users to malicious hosts.
(CVE-2026-21945)

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-01-20

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
openjdk-25-crac-jdk 25.0.2+10-0ubuntu1~25.10
openjdk-25-crac-jdk-headless 25.0.2+10-0ubuntu1~25.10
openjdk-25-crac-jre 25.0.2+10-0ubuntu1~25.10
openjdk-25-crac-jre-headless 25.0.2+10-0ubuntu1~25.10
openjdk-25-crac-jre-zero 25.0.2+10-0ubuntu1~25.10

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart Java
applications to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7996-1
CVE-2026-21925, CVE-2026-21932, CVE-2026-21933, CVE-2026-21945

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-25-crac/25.0.2+10-0ubuntu1~25.10



[USN-7998-1] OpenJDK 17 vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7998-1
February 03, 2026

openjdk-17 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in OpenJDK 17.

Software Description:
- openjdk-17: Open Source Java implementation

Details:

It was discovered that the RMI component of OpenJDK 17 would establish
RMI TCP endpoint connections to a remote host without setting an
endpoint identification algorithm. An unauthenticated remote attacker
could possibly use this issue to steal sensitive information.
(CVE-2026-21925)

Mingijung discovered that the AWT and JavaFX components of OpenJDK 17
could run programs if Desktop.browse() was supplied a filename as a
URI. An unauthenticated remote attacker could possibly use this issue
to execute arbitrary code. (CVE-2026-21932)

Zhihui Chen discovered that the Networking component of OpenJDK 17
was susceptible to a CRLF injection vulnerability via the HttpServer
class. An unauthenticated remote attacker could possibly use this
issue to modify files or leak sensitive information. (CVE-2026-21933)

Ireneusz Pastusiak discovered that the Security component of OpenJDK
17 failed to verify that provided URIs point to a legitimate source when
AIA is enabled. An unauthenticated remote attacker could possibly
use this issue to redirect users to malicious hosts.
(CVE-2026-21945)

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-01-20

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
openjdk-17-jdk 17.0.18+8-1~25.10.1
openjdk-17-jdk-headless 17.0.18+8-1~25.10.1
openjdk-17-jre 17.0.18+8-1~25.10.1
openjdk-17-jre-headless 17.0.18+8-1~25.10.1
openjdk-17-jre-zero 17.0.18+8-1~25.10.1

Ubuntu 24.04 LTS
openjdk-17-jdk 17.0.18+8-1~24.04.1
openjdk-17-jdk-headless 17.0.18+8-1~24.04.1
openjdk-17-jre 17.0.18+8-1~24.04.1
openjdk-17-jre-headless 17.0.18+8-1~24.04.1
openjdk-17-jre-zero 17.0.18+8-1~24.04.1

Ubuntu 22.04 LTS
openjdk-17-jdk 17.0.18+8-1~22.04.1
openjdk-17-jdk-headless 17.0.18+8-1~22.04.1
openjdk-17-jre 17.0.18+8-1~22.04.1
openjdk-17-jre-headless 17.0.18+8-1~22.04.1
openjdk-17-jre-zero 17.0.18+8-1~22.04.1

Ubuntu 20.04 LTS
openjdk-17-jdk 17.0.18+8-1~20.04
Available with Ubuntu Pro
openjdk-17-jdk-headless 17.0.18+8-1~20.04
Available with Ubuntu Pro
openjdk-17-jre 17.0.18+8-1~20.04
Available with Ubuntu Pro
openjdk-17-jre-headless 17.0.18+8-1~20.04
Available with Ubuntu Pro
openjdk-17-jre-zero 17.0.18+8-1~20.04
Available with Ubuntu Pro

Ubuntu 18.04 LTS
openjdk-17-jdk 17.0.18+8-1~18.04
Available with Ubuntu Pro
openjdk-17-jdk-headless 17.0.18+8-1~18.04
Available with Ubuntu Pro
openjdk-17-jre 17.0.18+8-1~18.04
Available with Ubuntu Pro
openjdk-17-jre-headless 17.0.18+8-1~18.04
Available with Ubuntu Pro
openjdk-17-jre-zero 17.0.18+8-1~18.04
Available with Ubuntu Pro

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart Java
applications to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7998-1
CVE-2026-21925, CVE-2026-21932, CVE-2026-21933, CVE-2026-21945

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.18+8-1~25.10.1
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.18+8-1~24.04.1
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.18+8-1~22.04.1



[USN-7995-1] OpenJDK 25 vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7995-1
February 02, 2026

openjdk-25 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in OpenJDK 25.

Software Description:
- openjdk-25: Open Source Java implementation

Details:

It was discovered that the RMI component of OpenJDK 25 would establish
RMI TCP endpoint connections to a remote host without setting an
endpoint identification algorithm. An unauthenticated remote attacker
could possibly use this issue to steal sensitive information.
(CVE-2026-21925)

Mingijung discovered that the AWT and JavaFX components of OpenJDK 25
could run programs if Desktop.browse() was supplied a filename as a
URI. An unauthenticated remote attacker could possibly use this issue
to execute arbitrary code. (CVE-2026-21932)

Zhihui Chen discovered that the Networking component of OpenJDK 25
was susceptible to a CRLF injection vulnerability via the HttpServer
class. An unauthenticated remote attacker could possibly use this
issue to modify files or leak sensitive information. (CVE-2026-21933)
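The CRLF issue just described (CVE-2026-21933, in all four JDK notices on this page) belongs to a general class: a response serializer that copies an externally influenced value into a header line lets a CR/LF pair terminate that header and start another. The following is an added example, not code from OpenJDK or from this notice; it is written in Python, the language used for the other examples on this page, to show the validation a defender wants in front of any header-writing code. The function names, the naive serializer and the tainted sample value are constructed for illustration.

```python
import re

# RFC 9110 "token" characters: the only characters legal in a header name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Any control character other than HTAB in a header value. CR (0x0d) and
# LF (0x0a) are in this set: they are exactly what CRLF injection needs.
_CTL_IN_VALUE_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could alter the response framing."""


def validate_header(name: str, value: str) -> tuple:
    """Return (name, value) unchanged if both are safe to emit, else raise."""
    if not _TOKEN_RE.match(name):
        raise HeaderInjectionError(f"illegal header name {name!r}")
    if _CTL_IN_VALUE_RE.search(value):
        raise HeaderInjectionError(f"control character in value of {name!r}")
    return name, value


def is_valid_header(name: str, value: str) -> bool:
    try:
        validate_header(name, value)
    except HeaderInjectionError:
        return False
    return True


def serialize_response_naive(status: str, headers: list) -> str:
    """Vulnerable pattern (constructed): every value is trusted, so a value
    containing CR LF ends the current header line and injects a new one."""
    lines = [f"HTTP/1.1 {status}"]
    for name, value in headers:
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


def serialize_response(status: str, headers: list) -> str:
    """Hardened form: the same serializer, but each header is validated first."""
    lines = [f"HTTP/1.1 {status}"]
    for name, value in headers:
        name, value = validate_header(name, value)
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


def count_header_lines(raw: str) -> int:
    """Number of header lines in a serialized response (status line excluded)."""
    head = raw.partition("\r\n\r\n")[0]
    return len(head.split("\r\n")) - 1


def demo() -> tuple:
    """Constructed tainted redirect target: one Location header is supplied,
    yet the naive serializer emits two header lines; the hardened one refuses."""
    tainted = [("Location", "/index.html\r\nX-Injected: 1")]
    naive_lines = count_header_lines(serialize_response_naive("302 Found", tainted))
    try:
        serialize_response("302 Found", tainted)
        rejected = False
    except HeaderInjectionError:
        rejected = True
    return naive_lines, rejected


if __name__ == "__main__":
    print(demo())  # (2, True)
```

The check belongs at the point where a value is written into the header section, not at the input boundary: by the time a value reaches the serializer it may have been assembled from several sources, and rejecting there catches every path. Tabs are allowed because RFC 9110 permits HTAB inside field values; everything else below 0x20, and DEL, is refused.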

Ireneusz Pastusiak discovered that the Security component of OpenJDK
25 failed to verify that provided URIs point to a legitimate source when
AIA is enabled. An unauthenticated remote attacker could possibly
use this issue to redirect users to malicious hosts.
(CVE-2026-21945)

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-01-20

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
openjdk-25-jdk 25.0.2+10-1~25.10
openjdk-25-jdk-headless 25.0.2+10-1~25.10
openjdk-25-jre 25.0.2+10-1~25.10
openjdk-25-jre-headless 25.0.2+10-1~25.10
openjdk-25-jre-zero 25.0.2+10-1~25.10
openjdk-25-jvmci-jdk 25.0.2+10-1~25.10

Ubuntu 24.04 LTS
openjdk-25-jdk 25.0.2+10-1~24.04
openjdk-25-jdk-headless 25.0.2+10-1~24.04
openjdk-25-jre 25.0.2+10-1~24.04
openjdk-25-jre-headless 25.0.2+10-1~24.04
openjdk-25-jre-zero 25.0.2+10-1~24.04
openjdk-25-jvmci-jdk 25.0.2+10-1~24.04

Ubuntu 22.04 LTS
openjdk-25-jdk 25.0.2+10-1~22.04
openjdk-25-jdk-headless 25.0.2+10-1~22.04
openjdk-25-jre 25.0.2+10-1~22.04
openjdk-25-jre-headless 25.0.2+10-1~22.04
openjdk-25-jre-zero 25.0.2+10-1~22.04
openjdk-25-jvmci-jdk 25.0.2+10-1~22.04

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart Java
applications to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7995-1
CVE-2026-21925, CVE-2026-21932, CVE-2026-21933, CVE-2026-21945

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-25/25.0.2+10-1~25.10
https://launchpad.net/ubuntu/+source/openjdk-25/25.0.2+10-1~24.04
https://launchpad.net/ubuntu/+source/openjdk-25/25.0.2+10-1~22.04



[USN-8008-1] Keystone Middleware vulnerability


==========================================================================
Ubuntu Security Notice USN-8008-1
February 03, 2026

python-keystonemiddleware vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS

Summary:

Keystone Middleware could allow unintended access to network services.

Software Description:
- python-keystonemiddleware: Middleware for OpenStack Identity (Keystone)

Details:

Grzegorz Grasza discovered that the Keystone Middleware incorrectly
sanitized authentication headers before processing OAuth 2.0 tokens. An
attacker could possibly use this issue to escalate privileges or
impersonate other users.
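The failure mode described above is the trust-boundary problem every identity middleware has: the application behind it reads headers such as X-User-Id and X-Roles as the validated identity, so any such header the client supplies must be removed before the middleware sets its own, regardless of how the token is later processed. The following is an added example and is not keystonemiddleware's code or its fix; the header set, the token store and the request dictionaries are constructed for illustration (WSGI presents the header X-User-Id as the environ key HTTP_X_USER_ID).

```python
# Environ keys (WSGI form of the X-* headers) that the application behind the
# middleware trusts as the validated identity. Constructed for this example; a
# real deployment must list every header its backend trusts.
TRUSTED_IDENTITY_KEYS = frozenset({
    "HTTP_X_IDENTITY_STATUS",
    "HTTP_X_USER_ID",
    "HTTP_X_USER_NAME",
    "HTTP_X_PROJECT_ID",
    "HTTP_X_ROLES",
})

# Stand-in for a call to the identity service; constructed sample data.
VALID_TOKENS = {
    "tok-alice": {"user_id": "u-alice", "project_id": "p-dev", "roles": ["member"]},
}


def validate_token(token: str):
    """Return the identity bound to the token, or None if it is unknown."""
    return VALID_TOKENS.get(token)


def strip_untrusted_identity_headers(environ: dict) -> list:
    """Delete every trusted identity header the client supplied and return the
    removed keys, so the caller can log them as a possible spoofing attempt."""
    removed = [key for key in environ if key in TRUSTED_IDENTITY_KEYS]
    for key in removed:
        del environ[key]
    return removed


def authenticate(environ: dict) -> tuple:
    """Hardened order: strip, then validate, then set headers only from the
    validation result. Returns (environ, removed_keys)."""
    removed = strip_untrusted_identity_headers(environ)
    token = environ.get("HTTP_X_AUTH_TOKEN")
    identity = validate_token(token) if token else None
    if identity is None:
        environ["HTTP_X_IDENTITY_STATUS"] = "Invalid"
    else:
        environ["HTTP_X_IDENTITY_STATUS"] = "Confirmed"
        environ["HTTP_X_USER_ID"] = identity["user_id"]
        environ["HTTP_X_PROJECT_ID"] = identity["project_id"]
        environ["HTTP_X_ROLES"] = ",".join(identity["roles"])
    return environ, removed


def authenticate_insecure(environ: dict) -> dict:
    """Vulnerable pattern (constructed, for contrast): identity headers are
    only written when a token validates, so a request without a valid token
    keeps whatever identity headers the client chose to send."""
    token = environ.get("HTTP_X_AUTH_TOKEN")
    identity = validate_token(token) if token else None
    if identity is not None:
        environ["HTTP_X_IDENTITY_STATUS"] = "Confirmed"
        environ["HTTP_X_USER_ID"] = identity["user_id"]
        environ["HTTP_X_PROJECT_ID"] = identity["project_id"]
        environ["HTTP_X_ROLES"] = ",".join(identity["roles"])
    return environ


def demo() -> dict:
    """Constructed request that carries no token but claims an admin identity."""
    spoof = {"HTTP_X_IDENTITY_STATUS": "Confirmed", "HTTP_X_USER_ID": "u-admin",
             "HTTP_X_ROLES": "admin", "PATH_INFO": "/v3/projects"}
    insecure = authenticate_insecure(dict(spoof))
    hardened, removed = authenticate(dict(spoof))
    return {
        "insecure_sees": insecure.get("HTTP_X_ROLES"),
        "hardened_sees": hardened.get("HTTP_X_ROLES"),
        "hardened_status": hardened["HTTP_X_IDENTITY_STATUS"],
        "removed": sorted(removed),
    }


if __name__ == "__main__":
    print(demo())
```

The list of removed keys is worth logging: a client that sends X-Identity-Status or X-Roles on its own is either misconfigured or probing, and either is something the operator wants to see. The same strip-then-set order applies whatever the credential type (Keystone token, OAuth 2.0 token or anything else), which is the point the notice makes.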

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
python3-keystonemiddleware 10.12.0-0ubuntu1.1

Ubuntu 24.04 LTS
python3-keystonemiddleware 10.6.0-0ubuntu1.1

After a standard system update you need to restart Keystone to make all the
necessary changes.

References:
https://ubuntu.com/security/notices/USN-8008-1
CVE-2026-22797

Package Information:
https://launchpad.net/ubuntu/+source/python-keystonemiddleware/10.12.0-0ubuntu1.1
https://launchpad.net/ubuntu/+source/python-keystonemiddleware/10.6.0-0ubuntu1.1



[USN-7989-1] The Internet Archive Python Library vulnerability


==========================================================================
Ubuntu Security Notice USN-7989-1
February 02, 2026

python-internetarchive vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

The Internet Archive Python Library would allow unintended access to files.

Software Description:
- python-internetarchive: A Python and Command-Line Interface to Archive.org

Details:

Pengo Wray discovered that The Internet Archive Python Library incorrectly
handled certain file paths when downloading files. An attacker could
possibly use this issue to write files to arbitrary locations on the file
system.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
internetarchive 5.4.0-1ubuntu0.1
python3-internetarchive 5.4.0-1ubuntu0.1

Ubuntu 24.04 LTS
internetarchive 3.5.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
python3-internetarchive 3.5.0-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 22.04 LTS
internetarchive 1.9.9-1ubuntu0.1
python3-internetarchive 1.9.9-1ubuntu0.1

Ubuntu 20.04 LTS
internetarchive 1.9.0-3ubuntu0.1~esm1
Available with Ubuntu Pro
python3-internetarchive 1.9.0-3ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7989-1
CVE-2025-58438

Package Information:
https://launchpad.net/ubuntu/+source/python-internetarchive/5.4.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/python-internetarchive/1.9.9-1ubuntu0.1



[USN-7984-1] Pagure vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7984-1
January 29, 2026

pagure vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Pagure.

Software Description:
- pagure: A git-centered forge using pygit2

Details:

Thomas Chauchefoin discovered that Pagure incorrectly handled symbolic
links in Git repositories. A remote attacker could possibly use this
issue to cause Pagure to expose files outside the intended repository
boundaries. (CVE-2024-4981)

Thomas Chauchefoin discovered that Pagure did not properly sanitize path
inputs. A remote attacker could possibly use this issue to read arbitrary
files. (CVE-2024-4982)

Thomas Chauchefoin discovered that Pagure incorrectly handled symbolic
links during repository archiving. A remote attacker could possibly use
this issue to disclose local files on the server. (CVE-2024-47515)

Thomas Chauchefoin discovered that Pagure incorrectly handled certain
inputs. A remote attacker could possibly use this issue to execute
arbitrary code on the server. (CVE-2024-47516)
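The Internet Archive library issue (CVE-2025-58438, a file path taken from a download written outside the target directory) and the first three Pagure issues above (symbolic links and path inputs resolving outside the repository) come down to a single check: a name that arrives from outside must resolve, after symlinks are followed, to a location inside the directory it is meant for. The example below is added here and is neither project's code; the directory layout and the names it exercises are constructed inside a temporary directory.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when an externally supplied name would escape its base directory."""


def safe_join(base_dir: str, name: str) -> str:
    """Resolve `name` inside `base_dir` and return the absolute path, or raise
    UnsafePathError if the name is absolute, contains a '..' component, or
    resolves (through a symlink on any component) to a place outside base_dir."""
    base = os.path.realpath(base_dir)
    if not name or os.path.isabs(name):
        raise UnsafePathError(f"absolute or empty name: {name!r}")
    # Reject '..' up front: even when it would land back inside base_dir, a
    # remote name has no business navigating upwards.
    if ".." in name.replace("\\", "/").split("/"):
        raise UnsafePathError(f"parent traversal in name: {name!r}")
    # realpath follows symlinks in every existing component, so a link inside
    # base_dir that points elsewhere is caught by the containment check below.
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"{name!r} resolves outside {base_dir!r}")
    return candidate


def classify(base_dir: str, names: list) -> dict:
    """Map each name to 'allowed' or 'rejected' according to safe_join."""
    verdicts = {}
    for name in names:
        try:
            safe_join(base_dir, name)
            verdicts[name] = "allowed"
        except UnsafePathError:
            verdicts[name] = "rejected"
    return verdicts


def demo() -> dict:
    """Exercise safe_join in a constructed layout: a download directory that
    contains a symlink ('escape') pointing to a sibling directory outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "downloads")
        outside = os.path.join(tmp, "outside")
        os.mkdir(base)
        os.mkdir(outside)
        os.symlink(outside, os.path.join(base, "escape"))
        names = [
            "item/file.txt",             # ordinary relative name: allowed
            "../outside/file.txt",       # parent traversal: rejected
            os.path.join(tmp, "x.txt"),  # absolute path: rejected
            "escape/file.txt",           # through the symlink, out of base: rejected
            "sub/../file.txt",           # '..' even though it stays inside: rejected
        ]
        return classify(base, names)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

One caveat the check cannot cover: it inspects the path at one instant, so a symlink created between the check and the write would still be followed. Where a local attacker can write into the target tree (the Pagure archiving case), the write itself should also refuse to follow links, for example by opening each component with O_NOFOLLOW, rather than relying on the path check alone.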

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
pagure 5.11.3+dfsg-2.1ubuntu0.2

Ubuntu 22.04 LTS
pagure 5.11.3+dfsg-1ubuntu0.1

Ubuntu 20.04 LTS
pagure 5.8.1+dfsg-3ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7984-1
CVE-2024-47515, CVE-2024-47516, CVE-2024-4981, CVE-2024-4982

Package Information:
https://launchpad.net/ubuntu/+source/pagure/5.11.3+dfsg-2.1ubuntu0.2
https://launchpad.net/ubuntu/+source/pagure/5.11.3+dfsg-1ubuntu0.1



[USN-8005-1] GNU C Library vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8005-1
February 03, 2026

glibc vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in GNU C Library.

Software Description:
- glibc: GNU C Library

Details:

Vitaly Simonovich discovered that the GNU C Library did not properly
initialize the input when WRDE_REUSE is used. An attacker could possibly
use this issue to cause applications to crash, leading to a denial of
service. (CVE-2025-15281)

Anastasia Belova discovered that the GNU C Library incorrectly handled
the regcomp function when memory allocation failures occurred. An attacker
could possibly use this issue to cause applications to crash, leading to
a denial of service, or possibly execute arbitrary code. This issue only
affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2025-8058)

Igor Morgenstern discovered that the GNU C Library incorrectly handled
the memalign function when doing memory allocation. An attacker could
possibly use this issue to cause applications to crash, leading to a
denial of service, or possibly execute arbitrary code. This issue only
affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu
25.10. (CVE-2026-0861)

Igor Morgenstern discovered that the GNU C Library incorrectly handled
queries for a zero-valued network in certain DNS backends. An attacker
could possibly use this issue to cause a denial of service or obtain
sensitive information. (CVE-2026-0915)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
libc6 2.42-0ubuntu3.1
nscd 2.42-0ubuntu3.1

Ubuntu 24.04 LTS
libc6 2.39-0ubuntu8.7
nscd 2.39-0ubuntu8.7

Ubuntu 22.04 LTS
libc6 2.35-0ubuntu3.13
nscd 2.35-0ubuntu3.13

Ubuntu 20.04 LTS
libc6 2.31-0ubuntu9.18+esm1
Available with Ubuntu Pro
nscd 2.31-0ubuntu9.18+esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
libc6 2.27-3ubuntu1.6+esm6
Available with Ubuntu Pro
nscd 2.27-3ubuntu1.6+esm6
Available with Ubuntu Pro

Ubuntu 16.04 LTS
libc6 2.23-0ubuntu11.3+esm9
Available with Ubuntu Pro
nscd 2.23-0ubuntu11.3+esm9
Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8005-1
CVE-2025-15281, CVE-2025-8058, CVE-2026-0861, CVE-2026-0915

Package Information:
https://launchpad.net/ubuntu/+source/glibc/2.42-0ubuntu3.1
https://launchpad.net/ubuntu/+source/glibc/2.39-0ubuntu8.7
https://launchpad.net/ubuntu/+source/glibc/2.35-0ubuntu3.13



[USN-8004-1] FreeRDP vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8004-1
February 03, 2026

freerdp2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in FreeRDP.

Software Description:
- freerdp2: RDP client for Windows Terminal Services

Details:

Kim Dong Han discovered that FreeRDP did not correctly validate the size of
certain variables, which could cause a buffer overflow. An attacker could
possibly use this issue to cause a denial of service or execute arbitrary
code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
libfreerdp2-2t64 2.11.5+dfsg1-1ubuntu0.1~esm3
Available with Ubuntu Pro

Ubuntu 22.04 LTS
libfreerdp2-2 2.6.1+dfsg1-3ubuntu2.8

Ubuntu 20.04 LTS
libfreerdp2-2 2.6.1+dfsg1-0ubuntu0.20.04.2+esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
libfreerdp2-2 2.2.0+dfsg1-0ubuntu0.18.04.4+esm3
Available with Ubuntu Pro

After a standard system update you need to restart your session to make all
the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8004-1
CVE-2026-23530, CVE-2026-23531, CVE-2026-23532, CVE-2026-23533,
CVE-2026-23534

Package Information:
https://launchpad.net/ubuntu/+source/freerdp2/2.6.1+dfsg1-3ubuntu2.8



[USN-7999-1] Filelock vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7999-1
February 02, 2026

python-filelock vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Filelock.

Software Description:
- python-filelock: A platform-independent file lock for Python

Details:

It was discovered that Filelock incorrectly handled symlinks in temp files.
A local attacker could possibly use this issue to cause lock operations to
fail or behave unexpectedly. (CVE-2026-22701)

It was discovered that the file locking implementation in the Filelock
package contained a race condition. A local attacker could possibly use
this to cause a denial of service or corrupt arbitrary user files.
(CVE-2025-68146)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
python3-filelock 3.13.1-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 22.04 LTS
python3-filelock 3.6.0-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 20.04 LTS
python3-filelock 3.0.12-2ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
python-filelock 3.0.4-1ubuntu0.1~esm1
Available with Ubuntu Pro
python3-filelock 3.0.4-1ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7999-1
CVE-2025-68146, CVE-2026-22701



[USN-8009-1] Django vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8009-1
February 03, 2026

python-django vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Django.

Software Description:
- python-django: High-level Python web development framework

Details:

It was discovered that Django exposed timing information when checking
passwords. An attacker could possibly use this issue to obtain sensitive
information. (CVE-2025-13473)

Jiyong Yang discovered that Django incorrectly handled malformed requests
with duplicate headers. An attacker could possibly use this issue to cause
a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, and Ubuntu 25.10. (CVE-2025-14550)

Tarek Nakkouch discovered that Django incorrectly parsed raster lookups. An
attacker could possibly use this issue to perform SQL injection attacks.
This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-1207)

Seokchan Yoon discovered that Django incorrectly handled malformed HTML
inputs containing a large amount of unmatched HTML end tags. An attacker
could possibly use this issue to cause a denial of service. This issue only
affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-1285)

Solomon Kebede discovered that Django incorrectly handled control
characters in the dictionary expansion of certain QuerySet methods. An
attacker could possibly use this issue to perform SQL injection attacks.
(CVE-2026-1287)

Solomon Kebede discovered that Django incorrectly handled column alias
parsing with dictionary expansion. An attacker could possibly use this
issue to perform SQL injection attacks. This issue only affected Ubuntu
24.04 LTS and Ubuntu 25.10. (CVE-2026-1312)
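The two QuerySet issues above (CVE-2026-1287 and CVE-2026-1312) share a shape: names taken from a request become keyword arguments expanded into methods such as annotate(), and each such name ends up as a column alias in SQL. The following is an added example, not Django's code and not its fix; it shows why a deny-list of "bad characters" is the wrong tool for validating such a name, and what the allow-list alternative looks like. The naive pattern and the sample aliases are constructed for illustration.

```python
import re

# Constructed deny-list of the kind that is easy to write and easy to get
# wrong: it catches whitespace, quotes and ';' but says nothing about the
# other control characters, so NUL or backspace in an alias slip through.
_NAIVE_DENY_RE = re.compile(r"""[\s'";`]""")

# Allow-list: an alias is an ASCII identifier, nothing else. Every control
# character, quote, space and non-ASCII letter is rejected without having
# to be enumerated.
_ALIAS_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def naive_alias_ok(alias: str) -> bool:
    return not _NAIVE_DENY_RE.search(alias)


def is_safe_alias(alias: str) -> bool:
    return bool(_ALIAS_RE.match(alias))


def split_annotations(user_supplied: dict) -> tuple:
    """Partition a caller-controlled mapping into the part that is safe to
    expand as queryset.annotate(**kwargs) and the aliases that were refused."""
    safe, refused = {}, []
    for alias, expression in user_supplied.items():
        if is_safe_alias(alias):
            safe[alias] = expression
        else:
            refused.append(alias)
    return safe, refused


def render_select_list(aliases: dict) -> str:
    """Illustrative rendering of aliases into a SELECT list. Quoting only
    makes the alias safe once it is known to be an identifier; that is what
    is_safe_alias guarantees for anything reaching this function."""
    return ", ".join(f'{expr} AS "{alias}"' for alias, expr in aliases.items())


def demo() -> dict:
    """Constructed request parameters, some carrying control characters."""
    requested = {
        "total": "SUM(amount)",
        "total\x00": "SUM(amount)",     # NUL: passes the deny-list
        "total\x08": "SUM(amount)",     # backspace: passes the deny-list
        "total amount": "SUM(amount)",  # whitespace: both checks catch it
        "1st": "COUNT(*)",              # starts with a digit: allow-list only
    }
    safe, refused = split_annotations(requested)
    return {
        "naive_accepts": [a for a in requested if naive_alias_ok(a)],
        "strict_accepts": sorted(safe),
        "refused": refused,
        "sql": render_select_list(safe),
    }


if __name__ == "__main__":
    print(demo())
```

The lesson generalises beyond Django: whenever a user-controlled string is about to become an identifier (a column alias, a table name, a JSON path), validate it against the grammar of an identifier rather than against a list of characters you have thought of so far.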

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
python3-django 3:5.2.4-1ubuntu2.3

Ubuntu 24.04 LTS
python3-django 3:4.2.11-1ubuntu1.14

Ubuntu 22.04 LTS
python3-django 2:3.2.12-2ubuntu1.25

Ubuntu 20.04 LTS
python3-django 2:2.2.12-1ubuntu0.29+esm7
Available with Ubuntu Pro

Ubuntu 18.04 LTS
python-django 1:1.11.11-1ubuntu1.21+esm14
Available with Ubuntu Pro
python3-django 1:1.11.11-1ubuntu1.21+esm14
Available with Ubuntu Pro

Ubuntu 16.04 LTS
python-django 1.8.7-1ubuntu5.15+esm11
Available with Ubuntu Pro
python3-django 1.8.7-1ubuntu5.15+esm11
Available with Ubuntu Pro

Ubuntu 14.04 LTS
python-django 1.6.11-0ubuntu1.3+esm10
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8009-1
CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285,
CVE-2026-1287, CVE-2026-1312

Package Information:
https://launchpad.net/ubuntu/+source/python-django/3:5.2.4-1ubuntu2.3
https://launchpad.net/ubuntu/+source/python-django/3:4.2.11-1ubuntu1.14
https://launchpad.net/ubuntu/+source/python-django/2:3.2.12-2ubuntu1.25