[USN-7954-1] Libtasn1 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7954-1
January 12, 2026
libtasn1-6 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.10
- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Libtasn1 could be made to crash if it received specially crafted input.
Software Description:
- libtasn1-6: Library to manage ASN.1 structures
Details:
It was discovered that Libtasn1 incorrectly handled decoding ASN.1 content.
An attacker could possibly use this issue to cause Libtasn1 to crash,
resulting in a denial of service. (CVE-2025-13151)

It was discovered that Libtasn1 incorrectly handled encoding ASN.1 content.
An attacker could possibly use this issue to cause Libtasn1 to crash,
resulting in a denial of service. This issue only affected Ubuntu 22.04
LTS. (CVE-2021-46848)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.10
  libtasn1-6 4.20.0-2ubuntu0.25.10.1
Ubuntu 25.04
  libtasn1-6 4.20.0-2ubuntu0.25.04.1
Ubuntu 24.04 LTS
  libtasn1-6 4.19.0-3ubuntu0.24.04.2
Ubuntu 22.04 LTS
  libtasn1-6 4.18.0-4ubuntu0.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7954-1
CVE-2021-46848, CVE-2025-13151
Package Information:
https://launchpad.net/ubuntu/+source/libtasn1-6/4.20.0-2ubuntu0.25.10.1
https://launchpad.net/ubuntu/+source/libtasn1-6/4.20.0-2ubuntu0.25.04.1
https://launchpad.net/ubuntu/+source/libtasn1-6/4.19.0-3ubuntu0.24.04.2
https://launchpad.net/ubuntu/+source/libtasn1-6/4.18.0-4ubuntu0.2
[USN-7951-1] Python vulnerability
==========================================================================
Ubuntu Security Notice USN-7951-1
January 12, 2026
python3.8, python3.9, python3.10, python3.11, python3.12, python3.13,
python3.14 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.10
- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Python could be made to crash if it received specially crafted network
traffic.
Software Description:
- python3.13: An interactive high-level object-oriented language
- python3.14: An interactive high-level object-oriented language
- python3.12: An interactive high-level object-oriented language
- python3.10: An interactive high-level object-oriented language
- python3.11: An interactive high-level object-oriented language
- python3.8: An interactive high-level object-oriented language
- python3.9: An interactive high-level object-oriented language
Details:
It was discovered that Python's http.client did not properly handle the
Content-Length header in HTTP responses. A malicious server could exploit
this to cause Python to allocate excessive memory, leading to a denial of
service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.10
  libpython3.13 3.13.7-1ubuntu0.2
  libpython3.14 3.14.0-1ubuntu0.1
  python3.13 3.13.7-1ubuntu0.2
  python3.14 3.14.0-1ubuntu0.1
Ubuntu 25.04
  libpython3.13 3.13.3-1ubuntu0.5
  python3.13 3.13.3-1ubuntu0.5
Ubuntu 24.04 LTS
  libpython3.12t64 3.12.3-1ubuntu0.10
  python3.12 3.12.3-1ubuntu0.10
Ubuntu 22.04 LTS
  libpython3.10 3.10.12-1~22.04.13
  libpython3.11 3.11.0~rc1-1~22.04.1~esm7
    Available with Ubuntu Pro
  python3.10 3.10.12-1~22.04.13
  python3.11 3.11.0~rc1-1~22.04.1~esm7
    Available with Ubuntu Pro
Ubuntu 20.04 LTS
  libpython3.8 3.8.10-0ubuntu1~20.04.18+esm4
    Available with Ubuntu Pro
  libpython3.9 3.9.5-3ubuntu0~20.04.1+esm8
    Available with Ubuntu Pro
  python3.8 3.8.10-0ubuntu1~20.04.18+esm4
    Available with Ubuntu Pro
  python3.9 3.9.5-3ubuntu0~20.04.1+esm8
    Available with Ubuntu Pro
Ubuntu 18.04 LTS
  libpython3.8 3.8.0-3ubuntu1~18.04.2+esm8
    Available with Ubuntu Pro
  python3.8 3.8.0-3ubuntu1~18.04.2+esm8
    Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7951-1
CVE-2025-13836
Package Information:
https://launchpad.net/ubuntu/+source/python3.13/3.13.7-1ubuntu0.2
https://launchpad.net/ubuntu/+source/python3.14/3.14.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/python3.13/3.13.3-1ubuntu0.5
https://launchpad.net/ubuntu/+source/python3.12/3.12.3-1ubuntu0.10
[USN-7953-1] PHP vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7953-1
January 12, 2026
php7.2, php7.4, php8.1, php8.3, php8.4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.10
- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in PHP.
Software Description:
- php8.4: HTML-embedded scripting language interpreter
- php8.3: HTML-embedded scripting language interpreter
- php8.1: HTML-embedded scripting language interpreter
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter
Details:
It was discovered that PHP incorrectly handled memory while reading images
in multi-chunk mode. An attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 24.04 LTS, Ubuntu
25.04 and Ubuntu 25.10. (CVE-2025-14177)

It was discovered that PHP incorrectly handled memory when an element count
exceeds the 32-bit limit. An attacker could possibly use this issue to cause
a denial of service. (CVE-2025-14178)

It was discovered that PHP incorrectly handled memory when using the PDO
PostgreSQL driver. An attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, Ubuntu 25.04 and Ubuntu 25.10. (CVE-2025-14180)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.10
  php8.4 8.4.11-1ubuntu1.1
Ubuntu 25.04
  php8.4 8.4.5-1ubuntu1.2
Ubuntu 24.04 LTS
  php8.3 8.3.6-0ubuntu0.24.04.6
Ubuntu 22.04 LTS
  php8.1 8.1.2-1ubuntu2.23
Ubuntu 20.04 LTS
  php7.4 7.4.3-4ubuntu2.29+esm3
    Available with Ubuntu Pro
Ubuntu 18.04 LTS
  php7.2 7.2.24-0ubuntu0.18.04.17+esm12
    Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7953-1
CVE-2025-14177, CVE-2025-14178, CVE-2025-14180
Package Information:
https://launchpad.net/ubuntu/+source/php8.4/8.4.11-1ubuntu1.1
https://launchpad.net/ubuntu/+source/php8.4/8.4.5-1ubuntu1.2
https://launchpad.net/ubuntu/+source/php8.3/8.3.6-0ubuntu0.24.04.6
https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.23
[USN-7927-2] urllib3 regression
==========================================================================
Ubuntu Security Notice USN-7927-2
January 12, 2026
python-urllib3 regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.10
- Ubuntu 25.04
- Ubuntu 24.04 LTS
Summary:
USN-7927-1 introduced a regression in urllib3.
Software Description:
- python-urllib3: HTTP library with thread-safe connection pooling
Details:
USN-7927-1 fixed vulnerabilities in urllib3. The update for CVE-2025-66471
introduced a regression in the zstd decompression component inside urllib3.
This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Illia Volochii discovered that urllib3 did not limit the steps in a
decompression chain. An attacker could possibly use this issue to cause
urllib3 to use excessive resources, causing a denial of service.
(CVE-2025-66418)

Rui Xi discovered that urllib3 incorrectly handled highly compressed data.
An attacker could possibly use this issue to cause urllib3 to use
excessive resources, causing a denial of service. This issue only affected
Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10. (CVE-2025-66471)

For the brotli encoding, the fix for CVE-2025-66471 requires an additional
security update in the brotli package.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.10
  python3-urllib3 2.3.0-3ubuntu0.3
Ubuntu 25.04
  python3-urllib3 2.3.0-2ubuntu0.4
Ubuntu 24.04 LTS
  python3-urllib3 2.0.7-1ubuntu0.5
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7927-2
https://ubuntu.com/security/notices/USN-7927-1
CVE-2025-66471, https://launchpad.net/bugs/2136906
Package Information:
https://launchpad.net/ubuntu/+source/python-urllib3/2.3.0-3ubuntu0.3
https://launchpad.net/ubuntu/+source/python-urllib3/2.3.0-2ubuntu0.4
https://launchpad.net/ubuntu/+source/python-urllib3/2.0.7-1ubuntu0.5
[USN-7922-5] Linux kernel (IoT) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7922-5
January 12, 2026
linux-iot vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-iot: Linux kernel for IoT platforms
Details:
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Cryptographic API;
- ACPI drivers;
- InfiniBand drivers;
- Media drivers;
- Network drivers;
- Pin controllers subsystem;
- AFS file system;
- F2FS file system;
- Tracing infrastructure;
- Memory management;
- Appletalk network protocol;
- Netfilter;
(CVE-2022-49026, CVE-2022-49390, CVE-2024-47691, CVE-2024-49935,
CVE-2024-50067, CVE-2024-50095, CVE-2024-50196, CVE-2024-53090,
CVE-2024-53218, CVE-2025-21855, CVE-2025-37958, CVE-2025-38666,
CVE-2025-39964, CVE-2025-39993, CVE-2025-40018)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
  linux-image-5.4.0-1057-iot 5.4.0-1057.60
    Available with Ubuntu Pro
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-7922-5
https://ubuntu.com/security/notices/USN-7922-4
https://ubuntu.com/security/notices/USN-7922-3
https://ubuntu.com/security/notices/USN-7922-2
https://ubuntu.com/security/notices/USN-7922-1
CVE-2022-49026, CVE-2022-49390, CVE-2024-47691, CVE-2024-49935,
CVE-2024-50067, CVE-2024-50095, CVE-2024-50196, CVE-2024-53090,
CVE-2024-53218, CVE-2025-21855, CVE-2025-37958, CVE-2025-38666,
CVE-2025-39964, CVE-2025-39993, CVE-2025-40018
[USN-7955-1] urllib3 vulnerability
==========================================================================
Ubuntu Security Notice USN-7955-1
January 12, 2026
python-urllib3 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.10
- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
urllib3 could be made to use excessive resources if it received specially
crafted network traffic.
Software Description:
- python-urllib3: HTTP library with thread-safe connection pooling
Details:
It was discovered that urllib3 incorrectly handled decompression during
HTTP redirects. An attacker could possibly use this issue to cause urllib3
to use excessive resources, causing a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.10
  python3-urllib3 2.3.0-3ubuntu0.2
Ubuntu 25.04
  python3-urllib3 2.3.0-2ubuntu0.3
Ubuntu 24.04 LTS
  python3-urllib3 2.0.7-1ubuntu0.4
Ubuntu 22.04 LTS
  python3-urllib3 1.26.5-1~exp1ubuntu0.5
Ubuntu 20.04 LTS
  python3-urllib3 1.25.8-2ubuntu0.4+esm3
    Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7955-1
CVE-2026-21441
Package Information:
https://launchpad.net/ubuntu/+source/python-urllib3/2.3.0-3ubuntu0.2
https://launchpad.net/ubuntu/+source/python-urllib3/2.3.0-2ubuntu0.3
https://launchpad.net/ubuntu/+source/python-urllib3/2.0.7-1ubuntu0.4
https://launchpad.net/ubuntu/+source/python-urllib3/1.26.5-1~exp1ubuntu0.5