
Ubuntu released critical security updates addressing serious vulnerabilities in curl, exim4, and sed across its supported releases. The curl patches close connection-reuse flaws that, in specific configurations, let a remote attacker obtain credentials or cookies. Exim4 is fixed for parsing flaws in malformed message headers and authenticator input that could allow remote code execution or information disclosure. A final fix in sed stops local attackers from overwriting arbitrary files by correcting how the stream editor handles symbolic links during in-place edits.

[USN-8227-1] curl vulnerabilities
[USN-8228-1] Exim vulnerabilities
[USN-8229-1] sed vulnerability




[USN-8227-1] curl vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8227-1
May 04, 2026

curl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

curl could be made to expose sensitive information over the network.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

It was discovered that curl incorrectly reused non-TLS connections when
TLS was required in some STARTTLS configurations. A remote attacker could
possibly use this issue to obtain sensitive information. (CVE-2026-4873)

It was discovered that curl incorrectly reused certain HTTP Negotiate
connections. A remote attacker could possibly use this issue to obtain
sensitive information. (CVE-2026-5545)

It was discovered that curl incorrectly reused certain SMB connections. A
remote attacker could possibly use this issue to obtain sensitive
information. (CVE-2026-5773)

It was discovered that curl could leak proxy credentials when handling
redirects in some configurations. A remote attacker could possibly use
this issue to obtain sensitive information. (CVE-2026-6253)

It was discovered that curl could leak cookies because of stale custom
cookie host handling in some requests. A remote attacker could possibly
use this issue to obtain sensitive information. (CVE-2026-6276)

It was discovered that curl could leak .netrc credentials when reusing
proxy connections in some situations. A remote attacker could possibly use
this issue to obtain sensitive information. (CVE-2026-6429)

It was discovered that curl could leak Digest authentication state when
switching proxies in some situations. A remote attacker could possibly use
this issue to obtain sensitive information. (CVE-2026-7168)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
curl 8.18.0-1ubuntu2.1
libcurl3t64-gnutls 8.18.0-1ubuntu2.1
libcurl4t64 8.18.0-1ubuntu2.1

Ubuntu 25.10
curl 8.14.1-2ubuntu1.3
libcurl3t64-gnutls 8.14.1-2ubuntu1.3
libcurl4t64 8.14.1-2ubuntu1.3

Ubuntu 24.04 LTS
curl 8.5.0-2ubuntu10.9
libcurl3t64-gnutls 8.5.0-2ubuntu10.9
libcurl4t64 8.5.0-2ubuntu10.9

Ubuntu 22.04 LTS
curl 7.81.0-1ubuntu1.24
libcurl3-gnutls 7.81.0-1ubuntu1.24
libcurl3-nss 7.81.0-1ubuntu1.24
libcurl4 7.81.0-1ubuntu1.24

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8227-1
CVE-2026-4873, CVE-2026-5545, CVE-2026-5773, CVE-2026-6253,
CVE-2026-6276, CVE-2026-6429, CVE-2026-7168

Package Information:
https://launchpad.net/ubuntu/+source/curl/8.18.0-1ubuntu2.1
https://launchpad.net/ubuntu/+source/curl/8.14.1-2ubuntu1.3
https://launchpad.net/ubuntu/+source/curl/8.5.0-2ubuntu10.9
https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.24



[USN-8228-1] Exim vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8228-1
May 04, 2026

exim4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Exim.

Software Description:
- exim4: Exim is a mail transport agent

Details:

It was discovered that Exim incorrectly handled parsing malformed JSON
in message headers. A remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2026-40685)

It was discovered that Exim incorrectly handled processing of UTF-8
trailing characters. A remote attacker could possibly use this issue to
obtain sensitive information. (CVE-2026-40686)

It was discovered that Exim incorrectly handled SPA authenticator input.
An authenticated user could possibly use this issue to execute arbitrary
code. (CVE-2026-40687)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
exim4 4.99.1-1ubuntu1.1
exim4-base 4.99.1-1ubuntu1.1
eximon4 4.99.1-1ubuntu1.1

Ubuntu 25.10
exim4 4.98.2-1ubuntu2.1
exim4-base 4.98.2-1ubuntu2.1
eximon4 4.98.2-1ubuntu2.1

Ubuntu 24.04 LTS
exim4 4.97-4ubuntu4.4
exim4-base 4.97-4ubuntu4.4
eximon4 4.97-4ubuntu4.4

Ubuntu 22.04 LTS
exim4 4.95-4ubuntu2.7
exim4-base 4.95-4ubuntu2.7
eximon4 4.95-4ubuntu2.7

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8228-1
CVE-2026-40685, CVE-2026-40686, CVE-2026-40687

Package Information:
https://launchpad.net/ubuntu/+source/exim4/4.99.1-1ubuntu1.1
https://launchpad.net/ubuntu/+source/exim4/4.98.2-1ubuntu2.1
https://launchpad.net/ubuntu/+source/exim4/4.97-4ubuntu4.4
https://launchpad.net/ubuntu/+source/exim4/4.95-4ubuntu2.7



[USN-8229-1] sed vulnerability


==========================================================================
Ubuntu Security Notice USN-8229-1
May 04, 2026

sed vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

sed could be made to overwrite files.

Software Description:
- sed: GNU stream editor for filtering/transforming text

Details:

Michał Majchrowicz and Marcin Wyczechowski discovered that sed incorrectly
handled symbolic links when performing in-place edits. A local attacker
could possibly use this issue to overwrite arbitrary files.
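The defensive pattern an in-place editor needs for the symbolic-link case described above, shown as an added Python illustration (this is neither sed's code nor the fix shipped in USN-8229-1): inspect the path with lstat, refuse symbolic links, confirm the opened descriptor is the same inode that was checked, and install the rewritten content with rename, which never dereferences a symlink sitting at the destination path. The helper names `safe_inplace_edit` and `demo` and the temporary files they use are invented for this example.

```python
"""Hardened in-place edit that refuses to follow symbolic links.

Added illustration only; not sed's implementation and not the USN-8229-1
patch. Helper names (safe_inplace_edit, demo) are invented here.
"""
import os
import stat
import tempfile


class UnsafeTargetError(Exception):
    """Raised when the target is not a plain regular file."""


def safe_inplace_edit(path, transform):
    """Replace the contents of `path` with transform(contents).

    lstat() looks at the path entry itself (it does not follow links),
    O_NOFOLLOW stops open() from following one that appears later, the
    inode check ties the two together, and os.replace() swaps the result
    in with rename(), which replaces the entry at `path` and never writes
    through a symlink to some other file.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeTargetError(f"{path}: is a symbolic link, refusing")
    if not stat.S_ISREG(st.st_mode):
        raise UnsafeTargetError(f"{path}: not a regular file")

    # O_NOFOLLOW is POSIX but missing on some platforms; fall back to 0 there.
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        fst = os.fstat(fd)
        if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
            raise UnsafeTargetError(f"{path}: changed between check and open")
        with os.fdopen(fd, "r") as src:
            fd = -1                      # fdopen now owns the descriptor
            data = src.read()
    finally:
        if fd != -1:
            os.close(fd)

    # Write the new content to a temporary file in the same directory so the
    # final rename is atomic and stays on one filesystem.
    directory = os.path.dirname(os.path.abspath(path))
    tmp = tempfile.NamedTemporaryFile("w", dir=directory, delete=False)
    try:
        tmp.write(transform(data))
        tmp.flush()
        os.fsync(tmp.fileno())
        tmp.close()
        os.chmod(tmp.name, stat.S_IMODE(st.st_mode))  # keep original mode bits
        os.replace(tmp.name, path)  # replaces the entry at `path`, not a link target
    except BaseException:
        tmp.close()
        if os.path.exists(tmp.name):
            os.unlink(tmp.name)
        raise


def demo():
    """Constructed scenario: a regular file plus a symlink pointing at it.
    Editing through the link must be refused and leave the target intact;
    editing the regular file directly must succeed."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "secret.conf")
        with open(target, "w") as f:
            f.write("password=old\n")
        link = os.path.join(d, "link.conf")
        os.symlink(target, link)

        results = {}
        try:
            safe_inplace_edit(link, lambda s: s.replace("old", "new"))
            results["symlink_refused"] = False
        except UnsafeTargetError:
            results["symlink_refused"] = True
        with open(target) as f:
            results["target_untouched"] = f.read() == "password=old\n"

        safe_inplace_edit(target, lambda s: s.replace("old", "new"))
        with open(target) as f:
            results["regular_edited"] = f.read() == "password=new\n"
        return results


if __name__ == "__main__":
    print(demo())
```

The rename-based swap has the same side effect as any such editor: the edited path gets a new inode, so hard links and the original ownership are not preserved. That trade-off is the price of never writing through a link, and a tool that must keep the inode needs a different (and harder to get right) strategy.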

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
sed 4.9-2ubuntu1

Ubuntu 25.10
sed 4.9-2ubuntu0.25.10.1

Ubuntu 24.04 LTS
sed 4.9-2ubuntu0.24.04.1

Ubuntu 22.04 LTS
sed 4.8-1ubuntu2.1

In general, a standard system update will make all the necessary changes.
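Each of the three notices above (USN-8227-1, USN-8228-1, USN-8229-1) lists the package versions that carry the fix, and the practical question on a fleet is which hosts are still below them. The following added Python check is not an Ubuntu tool: it re-implements dpkg's documented version-comparison algorithm (epoch, then alternating non-digit and digit runs, with `~` sorting before everything) and compares `dpkg-query` output against the Ubuntu 24.04 LTS fixed versions copied from the notices. The `dpkg-query` output embedded below is constructed for the demo; on a Debian-based host the script queries the real package database instead.

```python
"""Compare installed package versions with the fixed versions from
USN-8227-1, USN-8228-1 and USN-8229-1 (Ubuntu 24.04 LTS column).

Added illustration, not an Ubuntu tool. The comparison follows the
algorithm documented in deb-version(5); the sample output is constructed.
"""
import re
import subprocess

# Fixed versions for Ubuntu 24.04 LTS, copied from the three notices.
FIXED_24_04 = {
    "curl": "8.5.0-2ubuntu10.9",
    "libcurl3t64-gnutls": "8.5.0-2ubuntu10.9",
    "libcurl4t64": "8.5.0-2ubuntu10.9",
    "exim4": "4.97-4ubuntu4.4",
    "exim4-base": "4.97-4ubuntu4.4",
    "eximon4": "4.97-4ubuntu4.4",
    "sed": "4.9-2ubuntu0.24.04.1",
}

# Constructed sample of `dpkg-query -W --showformat='${Package} ${Version}\n'`
# output: two packages still below the fixed version, two already patched.
SAMPLE_DPKG_OUTPUT = """\
curl 8.5.0-2ubuntu10.8
libcurl4t64 8.5.0-2ubuntu10.9
exim4-base 4.97-4ubuntu4.3
sed 4.9-2ubuntu0.24.04.1
"""


def _order(c):
    """dpkg's weight for characters in non-digit runs: '~' sorts before
    everything (even end of string), letters before other characters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        wa = _order(a[i]) if i < len(a) else 0  # 0 = end of string
        wb = _order(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision string by alternating
    non-digit runs (lexical via _order) and digit runs (numeric)."""
    while a or b:
        sa, sb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        r = _cmp_nondigit(sa, sb)
        if r:
            return r
        na, nb = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        ia, ib = int(na or "0"), int(nb or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def parse_version(v):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        head, v = v.split(":", 1)
        epoch = int(head)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions` ordering."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def find_outdated(dpkg_output, fixed):
    """Return (package, installed, fixed) for each installed package in
    `fixed` whose version is still below the patched one."""
    outdated = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        pkg, installed = parts
        if pkg in fixed and compare_versions(installed, fixed[pkg]) < 0:
            outdated.append((pkg, installed, fixed[pkg]))
    return outdated


def query_installed(packages):
    """Ask dpkg-query for the listed packages; uninstalled ones are absent."""
    proc = subprocess.run(
        ["dpkg-query", "-W", "--showformat=${Package} ${Version}\\n", *packages],
        capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    try:
        output = query_installed(sorted(FIXED_24_04))
    except FileNotFoundError:  # not a Debian-based host: fall back to the sample
        output = SAMPLE_DPKG_OUTPUT
    for pkg, have, want in find_outdated(output, FIXED_24_04):
        print(f"{pkg}: installed {have} < fixed {want}")
```

Swap in the column for another release (for example the 22.04 LTS versions, where the libcurl packages are named `libcurl3-gnutls`, `libcurl3-nss` and `libcurl4`) to audit that release; the comparison logic is the same. A plain string comparison would get `10.8` versus `10.9` right by luck but fail on `10.9` versus `10.10`, which is why the digit runs are compared numerically.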

References:
https://ubuntu.com/security/notices/USN-8229-1
CVE-2026-5958

Package Information:
https://launchpad.net/ubuntu/+source/sed/4.9-2ubuntu1
https://launchpad.net/ubuntu/+source/sed/4.9-2ubuntu0.25.10.1
https://launchpad.net/ubuntu/+source/sed/4.9-2ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/sed/4.8-1ubuntu2.1