Jaraco.context and OpenSSL updates for Ubuntu

Ubuntu 6962 Published by

Two security notices have been released for Ubuntu: USN-7979-1 and USN-7980-2. USN-7979-1 addresses a vulnerability in jaraco.context, which could allow an attacker to overwrite files, affecting only Ubuntu 25.10. USN-7980-2 addresses multiple vulnerabilities in OpenSSL, including issues with memory handling, data truncation, and denial of service attacks, affecting various Ubuntu releases, including 20.04 LTS, 18.04 LTS, and others.

[USN-7979-1] jaraco.context vulnerability
[USN-7980-1] OpenSSL vulnerabilities
[USN-7980-2] OpenSSL vulnerabilities




[USN-7979-1] jaraco.context vulnerability


==========================================================================
Ubuntu Security Notice USN-7979-1
January 27, 2026

jaraco.context vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10

Summary:

jaraco.context could be made to overwrite files.

Software Description:
- jaraco.context: context managers extending functionality of Python's contextlib

Details:

It was discovered that jaraco.context incorrectly handled certain zip file
paths. An attacker could possibly use this issue to extract arbitrary files
outside of the intented extraction directory.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
python3-jaraco.context 6.0.1-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7979-1
CVE-2026-23949

Package Information:
https://launchpad.net/ubuntu/+source/jaraco.context/6.0.1-1ubuntu0.1



[USN-7980-1] OpenSSL vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7980-1
January 27, 2026

openssl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

Stanislav Fort, Petr Šimeček, and Hamza discovered that OpenSSL
incorrectly validated PBMAC1 parameters when doing PKCS#12 MAC
verification. An attacker could possibly use this issue to cause OpenSSL to
crash, resulting in a denial of service. This issue only affected Ubuntu
25.10. (CVE-2025-11187)

Stanislav Fort discovered that OpenSSL incorrectly parsed CMS
AuthEnvelopedData messages. An attacker could possibly use this issue to
cause OpenSSL to crash, resulting in a denial of service. (CVE-2025-15467)

Stanislav Fort discovered that OpenSSL incorrectly handled memory in the
SSL_CIPHER_find() function. An attacker could possibly use this issue to
cause OpenSSL to crash, resulting in a denial of service. This issue only
affected Ubuntu 25.10. (CVE-2025-15468)

Stanislav Fort discovered that the OpenSSL "openssl dgst" command line
tool incorrectly truncated data to 16MB. An attacker could posibly use this
issue to hide unauthenticated data beyond the 16MB limit. This issue only
affected Ubuntu 25.10. (CVE-2025-15469)

Tomas Dulka and Stanislav Fort discovered that OpenSSL incorrectly handled
memory with TLS 1.3 connections using certificate compression. An attacker
could possibly use this issue to consume resources, leading to a denial of
service. This issue only affected Ubuntu 25.10. (CVE-2025-66199)

Petr Simecek and Stanislav Fort discovered that OpenSSL incorrectly handled
memory when writing large data into a BIO chain. An attacker could possibly
use this issue to consume resources, leading to a denial of service.
(CVE-2025-68160)

Stanislav Fort discovered that the OpenSSL OCB API could incorrectly leave
final partial blocks unencrypted and unauthenticated. An attacker could
possibly use this issue to read or tamper with the affected final bytes.
(CVE-2025-69418)

Stanislav Fort discovered that OpenSSL incorrectly handled the
PKCS12_get_friendlyname() utf-8 conversion. An attacker could possibly use
this issue to cause OpenSSL to crash, resulting in a denial of service.
(CVE-2025-69419)

Luigino Camastra discovered that OpenSSL incorrectly handled ASN1_TYPE
validation in the TS_RESP_verify_response() function. An attacker could
possibly use this issue to cause OpenSSL to crash, resulting in a denial of
service. (CVE-2025-69420)

Luigino Camastra discovered that OpenSSL incorrectly handled memory in the
PKCS12_item_decrypt_d2i_ex function. An attacker could possibly use this
issue to cause OpenSSL to crash, resulting in a denial of service.
(CVE-2025-69421)

Luigino Camastra discovered that OpenSSL incorrectly handled ASN1_TYPE
validation in PKCS#12 parsing. An attacker could possibly use this issue to
cause OpenSSL to crash, resulting in a denial of service. (CVE-2026-22795)

Luigino Camastra discovered that OpenSSL incorrectly handled ASN1_TYPE
validation in the PKCS7_digest_from_attributes() function. An attacker
could possibly use this issue to cause OpenSSL to crash, resulting in a
denial of service. (CVE-2026-22796)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
libssl3t64 3.5.3-1ubuntu3
openssl 3.5.3-1ubuntu3

Ubuntu 24.04 LTS
libssl3t64 3.0.13-0ubuntu3.7
openssl 3.0.13-0ubuntu3.7

Ubuntu 22.04 LTS
libssl3 3.0.2-0ubuntu1.21
openssl 3.0.2-0ubuntu1.21

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7980-1
CVE-2025-11187, CVE-2025-15467, CVE-2025-15468, CVE-2025-15469,
CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419,
CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796

Package Information:
https://launchpad.net/ubuntu/+source/openssl/3.5.3-1ubuntu3
https://launchpad.net/ubuntu/+source/openssl/3.0.13-0ubuntu3.7
https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.21



[USN-7980-2] OpenSSL vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7980-2
January 27, 2026

openssl, openssl1.0 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
- openssl1.0: Secure Socket Layer (SSL) cryptographic library and tools

Details:

USN-7980-2 fixed vulnerabilities in OpenSSL. This update provides the
corresponding updates for CVE-2025-68160 for openssl and openssl1.0,
CVE-2025-69418 for openssl on Ubuntu 18.04 LTS and Ubuntu 20.04 LTS,
CVE-2025-69419 for openssl on Ubuntu 18.04 LTS and Ubuntu 20.04 LTS,
CVE-2025-69420 for openssl on Ubuntu 18.04 LTS and Ubuntu 20.04 LTS,
CVE-2025-69421 for openssl and openssl1.0, CVE-2026-22795 for openssl on
Ubuntu 18.04 LTS and Ubuntu 20.04 LTS, and CVE-2026-22796 for openssl and
openssl1.0.

Original advisory details:

Stanislav Fort, Petr Šimeček, and Hamza discovered that OpenSSL
incorrectly validated PBMAC1 parameters when doing PKCS#12 MAC
verification. An attacker could possibly use this issue to cause OpenSSL
to crash, resulting in a denial of service. This issue only affected
Ubuntu 25.10. (CVE-2025-11187)

Stanislav Fort discovered that OpenSSL incorrectly parsed CMS
AuthEnvelopedData messages. An attacker could possibly use this issue to
cause OpenSSL to crash, resulting in a denial of service. (CVE-2025-15467)

Stanislav Fort discovered that OpenSSL incorrectly handled memory in the
SSL_CIPHER_find() function. An attacker could possibly use this issue to
cause OpenSSL to crash, resulting in a denial of service. This issue only
affected Ubuntu 25.10. (CVE-2025-15468)

Stanislav Fort discovered that the OpenSSL "openssl dgst" command line
tool incorrectly truncated data to 16MB. An attacker could posibly use
this issue to hide unauthenticated data beyond the 16MB limit. This issue
only affected Ubuntu 25.10. (CVE-2025-15469)

Tomas Dulka and Stanislav Fort discovered that OpenSSL incorrectly handled
memory with TLS 1.3 connections using certificate compression. An attacker
could possibly use this issue to consume resources, leading to a denial of
service. This issue only affected Ubuntu 25.10. (CVE-2025-66199)

Petr Simecek and Stanislav Fort discovered that OpenSSL incorrectly
handled memory when writing large data into a BIO chain. An attacker could
possibly use this issue to consume resources, leading to a denial of
service. (CVE-2025-68160)

Stanislav Fort discovered that the OpenSSL OCB API could incorrectly leave
final partial blocks unencrypted and unauthenticated. An attacker could
possibly use this issue to read or tamper with the affected final bytes.
(CVE-2025-69418)

Stanislav Fort discovered that OpenSSL incorrectly handled the
PKCS12_get_friendlyname() utf-8 conversion. An attacker could possibly use
this issue to cause OpenSSL to crash, resulting in a denial of service.
(CVE-2025-69419)

Luigino Camastra discovered that OpenSSL incorrectly handled ASN1_TYPE
validation in the TS_RESP_verify_response() function. An attacker could
possibly use this issue to cause OpenSSL to crash, resulting in a denial
of service. (CVE-2025-69420)

Luigino Camastra discovered that OpenSSL incorrectly handled memory in the
PKCS12_item_decrypt_d2i_ex function. An attacker could possibly use this
issue to cause OpenSSL to crash, resulting in a denial of service.
(CVE-2025-69421)

Luigino Camastra discovered that OpenSSL incorrectly handled ASN1_TYPE
validation in PKCS#12 parsing. An attacker could possibly use this issue
to cause OpenSSL to crash, resulting in a denial of service.
(CVE-2026-22795)

Luigino Camastra discovered that OpenSSL incorrectly handled ASN1_TYPE
validation in the PKCS7_digest_from_attributes() function. An attacker
could possibly use this issue to cause OpenSSL to crash, resulting in a
denial of service. (CVE-2026-22796)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
libssl1.1 1.1.1f-1ubuntu2.24+esm2
Available with Ubuntu Pro
openssl 1.1.1f-1ubuntu2.24+esm2
Available with Ubuntu Pro

Ubuntu 18.04 LTS
libssl1.0.0 1.0.2n-1ubuntu5.13+esm3
Available with Ubuntu Pro
libssl1.1 1.1.1-1ubuntu2.1~18.04.23+esm7
Available with Ubuntu Pro
openssl 1.1.1-1ubuntu2.1~18.04.23+esm7
Available with Ubuntu Pro
openssl1.0 1.0.2n-1ubuntu5.13+esm3
Available with Ubuntu Pro

Ubuntu 16.04 LTS
libssl1.0.0 1.0.2g-1ubuntu4.20+esm14
Available with Ubuntu Pro
openssl 1.0.2g-1ubuntu4.20+esm14
Available with Ubuntu Pro

Ubuntu 14.04 LTS
libssl1.0.0 1.0.1f-1ubuntu2.27+esm12
Available with Ubuntu Pro
openssl 1.0.1f-1ubuntu2.27+esm12
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7980-2
https://ubuntu.com/security/notices/USN-7980-1
CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420,
CVE-2025-69421, CVE-2026-22795, CVE-2026-22796


Thunderbird update for Slackware

OpenSSL security update for Debian 12 and 13

Windows

Linux

macOS

Community

  • SeveG
    need some help here... situationPC= Packard BellOS= win1 ...
  • dhamu
    Hello Phil, I have a Linux Tutorial website that curre ...
  • StephanX
    Hi friends, i am new in the Linux universe but i try to ...