[USN-8233-1] nghttp2 vulnerability
[USN-8232-1] Django vulnerabilities
[USN-8234-1] Mako vulnerability
[USN-8230-1] Docker vulnerabilities
[USN-8233-1] nghttp2 vulnerability
==========================================================================
Ubuntu Security Notice USN-8233-1
May 05, 2026
nghttp2 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
nghttp2 could be made to crash if it received specially crafted
network traffic.
Software Description:
- nghttp2: HTTP/2 C Library and tools
Details:
Andrew MacPherson discovered that nghttp2 did not properly validate
internal state when the session termination API was called. A remote
attacker could possibly use this issue to cause nghttp2 to crash, resulting
in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.10
libnghttp2-14 1.64.0-1.1ubuntu1.1
nghttp2 1.64.0-1.1ubuntu1.1
Ubuntu 24.04 LTS
libnghttp2-14 1.59.0-1ubuntu0.3
nghttp2 1.59.0-1ubuntu0.3
Ubuntu 22.04 LTS
libnghttp2-14 1.43.0-1ubuntu0.3
nghttp2 1.43.0-1ubuntu0.3
Ubuntu 20.04 LTS
libnghttp2-14 1.40.0-1ubuntu0.3+esm1
Available with Ubuntu Pro
nghttp2 1.40.0-1ubuntu0.3+esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
libnghttp2-14 1.30.0-1ubuntu1+esm3
Available with Ubuntu Pro
nghttp2 1.30.0-1ubuntu1+esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libnghttp2-14 1.7.1-1ubuntu0.1~esm3
Available with Ubuntu Pro
nghttp2 1.7.1-1ubuntu0.1~esm3
Available with Ubuntu Pro
In general, a standard system update will make all the necessary
changes.
References:
https://ubuntu.com/security/notices/USN-8233-1
CVE-2026-27135
Package Information:
https://launchpad.net/ubuntu/+source/nghttp2/1.64.0-1.1ubuntu1.1
https://launchpad.net/ubuntu/+source/nghttp2/1.59.0-1ubuntu0.3
https://launchpad.net/ubuntu/+source/nghttp2/1.43.0-1ubuntu0.3
[USN-8232-1] Django vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8232-1
May 05, 2026
python-django vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in Django.
Software Description:
- python-django: High-level Python web development framework
Details:
It was discovered that Django did not vary cached response headers on
cookies when sessions were not modified while SESSION_SAVE_EVERY_REQUEST
was enabled. A remote attacker could possibly use this issue to steal a
user's session. (CVE-2026-35192)
Kyle Agronick and Jacob Walls discovered that Django incorrectly handled
ASGI requests with missing or understated Content-Length header values.
A remote attacker could possibly use this issue to cause Django to use
excessive resources, leading to a denial of service. (CVE-2026-5766)
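As an added illustration of the Content-Length issue described above (example code written for this digest, not Django's own fix), the reader below buffers an ASGI request body while treating the declared length only as an upper bound that can lower, never raise, a hard cap. An understated or missing Content-Length therefore cannot make the server buffer more than it allows. The scope layout follows the ASGI spec; `read_or_reject` and `fake_receive` are hypothetical helpers that replay constructed chunks.

```python
import asyncio

class BodyTooLarge(Exception):
    """Raised when a request body exceeds its declared or hard limit."""

async def read_body(scope, receive, max_bytes=1024 * 1024):
    """Buffer an ASGI request body without trusting Content-Length.

    The declared size only ever lowers the limit; the hard cap max_bytes
    still applies when the header is missing, so an understated or absent
    Content-Length cannot make the server buffer an unbounded body.
    """
    declared = None
    for name, value in scope.get("headers", []):
        if name.lower() == b"content-length":
            try:
                declared = int(value)
            except ValueError:
                raise BodyTooLarge("malformed Content-Length") from None
            if declared < 0:
                raise BodyTooLarge("negative Content-Length")
    limit = max_bytes if declared is None else min(declared, max_bytes)
    chunks, total = [], 0
    while True:
        message = await receive()
        chunk = message.get("body", b"")
        total += len(chunk)
        if total > limit:
            # Body is larger than the header claimed (or than we allow):
            # stop reading now instead of buffering the rest.
            raise BodyTooLarge(f"body exceeds {limit} bytes")
        chunks.append(chunk)
        if not message.get("more_body", False):
            return b"".join(chunks)

def fake_receive(chunks):
    """Constructed ASGI receive() that replays the given body chunks."""
    queue = list(chunks)
    async def receive():
        body = queue.pop(0)
        return {"type": "http.request", "body": body, "more_body": bool(queue)}
    return receive

def read_or_reject(headers, chunks, max_bytes=64):
    """Run read_body on constructed input; returns the body or 'rejected'."""
    scope = {"type": "http", "headers": headers}
    try:
        return asyncio.run(read_body(scope, fake_receive(chunks), max_bytes))
    except BodyTooLarge:
        return "rejected"
```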
Ahmad Sadeddin discovered that Django UpdateCacheMiddleware incorrectly
cached requests where the Vary header contained an asterisk. A remote
attacker could possibly use this issue to obtain sensitive information.
(CVE-2026-6907)
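The two caching issues above (CVE-2026-35192 and CVE-2026-6907) come down to two rules a page cache must apply before storing a response. The block below is an added, simplified illustration and not Django's UpdateCacheMiddleware: a response carrying `Vary: *` is never stored, a response that touched the session is only stored if it varies on Cookie, and every header named in Vary becomes part of the cache key. `session_accessed` is an assumed flag supplied by the caller.

```python
import hashlib

def parse_vary(vary_header):
    """Split a Vary header value into normalised, lower-cased header names."""
    if not vary_header:
        return []
    return [h.strip().lower() for h in vary_header.split(",") if h.strip()]

def is_cacheable(response_headers, session_accessed):
    """Return False when storing this response could serve one user's page to another."""
    vary = parse_vary(response_headers.get("Vary", ""))
    if "*" in vary:
        # RFC 9111: a stored response with Vary: * never matches a later
        # request, so storing it only risks an incorrect hit.
        return False
    if session_accessed and "cookie" not in vary:
        # The page depended on the session but would be keyed without the
        # cookie, so a second user would receive the first user's response.
        return False
    return True

def cache_key(path, response_headers, request_headers):
    """Derive a key from the path plus the request value of every Vary header."""
    req = {k.lower(): v for k, v in request_headers.items()}
    parts = [path]
    for name in parse_vary(response_headers.get("Vary", "")):
        parts.append(name + "=" + req.get(name, ""))
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()
```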
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
python3-django 3:5.2.9-0ubuntu4.1
Ubuntu 25.10
python3-django 3:5.2.4-1ubuntu2.5
Ubuntu 24.04 LTS
python3-django 3:4.2.11-1ubuntu1.16
Ubuntu 22.04 LTS
python3-django 2:3.2.12-2ubuntu1.27
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8232-1
CVE-2026-35192, CVE-2026-5766, CVE-2026-6907
Package Information:
https://launchpad.net/ubuntu/+source/python-django/3:5.2.9-0ubuntu4.1
https://launchpad.net/ubuntu/+source/python-django/3:5.2.4-1ubuntu2.5
https://launchpad.net/ubuntu/+source/python-django/3:4.2.11-1ubuntu1.16
https://launchpad.net/ubuntu/+source/python-django/2:3.2.12-2ubuntu1.27
[USN-8234-1] Mako vulnerability
==========================================================================
Ubuntu Security Notice USN-8234-1
May 05, 2026
python-mako vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Mako could be made to expose sensitive information over the network.
Software Description:
- mako: fast and lightweight templating for the Python platform
Details:
It was discovered that Mako incorrectly handled URIs with double-slash
prefixes in TemplateLookup. A remote attacker could possibly use this issue
to obtain sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
python3-mako 1.3.10-3ubuntu0.1
Ubuntu 25.10
python3-mako 1.3.9-1ubuntu0.1
Ubuntu 24.04 LTS
python3-mako 1.3.2-1ubuntu0.1
Ubuntu 22.04 LTS
python3-mako 1.1.3+ds1-2ubuntu0.2
Ubuntu 20.04 LTS
python-mako 1.1.0+ds1-1ubuntu2.1+esm1
Available with Ubuntu Pro
python3-mako 1.1.0+ds1-1ubuntu2.1+esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
python-mako 1.0.7+ds1-1ubuntu0.2+esm1
Available with Ubuntu Pro
python3-mako 1.0.7+ds1-1ubuntu0.2+esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
python-mako 1.0.3+ds1-1ubuntu1+esm2
Available with Ubuntu Pro
python3-mako 1.0.3+ds1-1ubuntu1+esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8234-1
CVE-2026-41205
Package Information:
https://launchpad.net/ubuntu/+source/mako/1.3.10-3ubuntu0.1
https://launchpad.net/ubuntu/+source/mako/1.3.9-1ubuntu0.1
https://launchpad.net/ubuntu/+source/mako/1.3.2-1ubuntu0.1
https://launchpad.net/ubuntu/+source/mako/1.1.3+ds1-2ubuntu0.2
[USN-8230-1] Docker vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8230-1
May 06, 2026
docker.io-app vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Docker.
Software Description:
- docker.io-app: Linux container runtime
Details:
It was discovered that BuildKit, contained within Docker, incorrectly
handled file path validation when processing frontend API messages. An
attacker could possibly use this issue to write files outside of the
intended state directory. (CVE-2026-33747)
It was discovered that BuildKit, contained within Docker, incorrectly
validated the subdir component of Git URL fragments. An attacker could
possibly use this issue to access files outside of the checked-out
repository root. (CVE-2026-33748)
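Both BuildKit issues above, and the Mako TemplateLookup issue in USN-8234-1 (a URI with a double-slash prefix), are path containment failures: a caller-supplied fragment must resolve to a location inside the intended root, never above or beside it. The check below is an added example written for this digest, not code from Mako, BuildKit or Docker; `resolve_within` and `escapes` are hypothetical names, and the root paths in the test are constructed.

```python
import posixpath

class PathEscapesRoot(ValueError):
    """Raised when a fragment would resolve outside its root directory."""

def resolve_within(root, fragment):
    """Return the absolute path of fragment under root, or raise.

    Every fragment is treated as relative: all leading slashes are stripped
    so that '//etc/passwd' or '/etc/passwd' cannot become an absolute path
    that os.path.join-style logic would let replace the root entirely.
    """
    root = posixpath.normpath("/" + root.strip("/"))
    rel = fragment.lstrip("/")
    if "\x00" in rel:
        raise PathEscapesRoot("NUL byte in path")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    # normpath collapses '..' segments, so the result is either the root
    # itself or something that still starts with 'root/'.
    prefix = root.rstrip("/") + "/"
    if candidate != root and not candidate.startswith(prefix):
        raise PathEscapesRoot(f"{fragment!r} escapes {root!r}")
    return candidate

def escapes(root, fragment):
    """True if the fragment would leave root (convenience for callers/tests)."""
    try:
        resolve_within(root, fragment)
    except PathEscapesRoot:
        return True
    return False
```

This check is purely lexical; on a real filesystem, symlinks inside the root can still point outside it, so apply it to the result of os.path.realpath as well.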
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
docker.io 29.1.3-0ubuntu4.1
Ubuntu 24.04 LTS
docker.io 29.1.3-0ubuntu3~24.04.2
Ubuntu 22.04 LTS
docker.io 29.1.3-0ubuntu3~22.04.2
Ubuntu 20.04 LTS
docker.io 26.1.3-0ubuntu1~20.04.1+esm2
Available with Ubuntu Pro
After a standard system update you need to restart Docker to make all
the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8230-1
CVE-2026-33747, CVE-2026-33748
Package Information:
https://launchpad.net/ubuntu/+source/docker.io-app/29.1.3-0ubuntu4.1
https://launchpad.net/ubuntu/+source/docker.io-app/29.1.3-0ubuntu3~24.04.2
https://launchpad.net/ubuntu/+source/docker.io-app/29.1.3-0ubuntu3~22.04.2