Multiple security issues have been discovered affecting various Ubuntu releases. These include vulnerabilities in NSS, Zutty, less, Qt, and Bleach, which could allow attackers to cause denial of service or execute arbitrary code. Updates are available for each affected release, including Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS, through standard system updates.

[USN-8071-2] NSS vulnerability
[USN-8078-1] Zutty vulnerability
[USN-8079-1] less vulnerability
[USN-8076-1] Qt vulnerabilities
[USN-8077-1] Bleach vulnerabilities




[USN-8071-2] NSS vulnerability


==========================================================================
Ubuntu Security Notice USN-8071-2
March 05, 2026

nss vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

NSS could be made to crash or run programs if it received specially crafted
network traffic.

Software Description:
- nss: Network Security Service library

Details:

USN-8071-1 fixed a vulnerability in nss. This update provides the
corresponding fix for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS,
and Ubuntu 20.04 LTS.

Original advisory details:

It was discovered that NSS incorrectly handled memory when performing
certain GHASH operations. A remote attacker could use this issue to cause
NSS to crash, resulting in a denial of service, or possibly execute
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
libnss3 2:3.98-0ubuntu0.20.04.2+esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
libnss3 2:3.35-2ubuntu2.16+esm1
Available with Ubuntu Pro

Ubuntu 16.04 LTS
libnss3 2:3.28.4-0ubuntu0.16.04.14+esm5
Available with Ubuntu Pro

Ubuntu 14.04 LTS
libnss3 2:3.28.4-0ubuntu0.14.04.5+esm13
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8071-2
https://ubuntu.com/security/notices/USN-8071-1
CVE-2026-2781



[USN-8078-1] Zutty vulnerability


==========================================================================
Ubuntu Security Notice USN-8078-1
March 05, 2026

zutty vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Zutty could be made to execute arbitrary commands.

Software Description:
- zutty: X terminal emulator

Details:

Carter Sande discovered that Zutty did not correctly echo invalid input to
the console on DECRQSS. An attacker could possibly use this issue to
execute arbitrary commands.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
zutty 0.11.2.20220109.192032+dfsg1-1ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8078-1
CVE-2022-41138



[USN-8079-1] less vulnerability


==========================================================================
Ubuntu Security Notice USN-8079-1
March 05, 2026

less vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

less could be made to crash or run arbitrary commands if it received
crafted input.

Software Description:
- less: pager program similar to more

Details:

It was discovered that less incorrectly handled certain file names. An
attacker could possibly use this issue to cause a denial of service or
execute arbitrary commands.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS
less 458-2ubuntu0.1~esm2
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8079-1
CVE-2022-48624



[USN-8076-1] Qt vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8076-1
March 05, 2026

qtbase-opensource-src vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Qt.

Software Description:
- qtbase-opensource-src: Qt 5 libraries

Details:

It was discovered that Qt did not correctly handle OpenSSL's error queue.
An attacker could possibly use this issue to cause a denial of service.
This issue was only addressed in Ubuntu 20.04 LTS. (CVE-2020-13962)

It was discovered that Qt incorrectly handled certain XBM image files. If a
user or automated system were tricked into opening a specially crafted PPM
file, a remote attacker could cause Qt to crash, resulting in a denial of
service. This issue was only addressed in Ubuntu 16.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-17507)

It was discovered that Qt did not correctly handle executing specific
binaries. If a user or automated system were tricked into executing a
binary at a specific file path, an attacker could cause a denial of
service or execute arbitrary code. This issue was only addressed in
Ubuntu 20.04 LTS. (CVE-2022-25255)

It was discovered that Qt did not correctly handle certain integer
arithmetic. An attacker could possibly use this issue to cause a denial
of service. This issue was only addressed in Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-51714)

It was discovered that Qt did not correctly handle certain encrypted
connections. An attacker could possibly use this issue to leak sensitive
information. This issue was only addressed in Ubuntu 24.04 LTS.
(CVE-2024-39936)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
libqt5core5t64 5.15.13+dfsg-1ubuntu1+esm1
Available with Ubuntu Pro
libqt5gui5t64 5.15.13+dfsg-1ubuntu1+esm1
Available with Ubuntu Pro

Ubuntu 22.04 LTS
libqt5core5a 5.15.3+dfsg-2ubuntu0.2+esm3
Available with Ubuntu Pro
libqt5gui5 5.15.3+dfsg-2ubuntu0.2+esm3
Available with Ubuntu Pro

Ubuntu 20.04 LTS
libqt5core5a 5.12.8+dfsg-0ubuntu2.1+esm3
Available with Ubuntu Pro
libqt5gui5 5.12.8+dfsg-0ubuntu2.1+esm3
Available with Ubuntu Pro

Ubuntu 18.04 LTS
libqt5core5a 5.9.5+dfsg-0ubuntu2.6+esm2
Available with Ubuntu Pro
libqt5gui5 5.9.5+dfsg-0ubuntu2.6+esm2
Available with Ubuntu Pro

Ubuntu 16.04 LTS
libqt5core5a 5.5.1+dfsg-16ubuntu7.7+esm2
Available with Ubuntu Pro
libqt5gui5 5.5.1+dfsg-16ubuntu7.7+esm2
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8076-1
CVE-2020-13962, CVE-2020-17507, CVE-2022-25255, CVE-2023-51714,
CVE-2024-39936



[USN-8077-1] Bleach vulnerabilities


==========================================================================
Ubuntu Security Notice USN-8077-1
March 05, 2026

python-bleach vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Bleach.

Software Description:
- python-bleach: An allowed-list-based HTML sanitizing library that escapes or strips markup and attributes

Details:

It was discovered that Bleach did not properly sanitize URI attributes
containing character entities. An attacker could possibly use this issue
to construct a URI with a disallowed scheme that would bypass
sanitization, leading to cross-site scripting. This issue only affected
Ubuntu 18.04 LTS. (CVE-2018-7753)

Yaniv Nizry discovered that Bleach was vulnerable to a mutation
cross-site scripting issue when sanitizing HTML with the noscript tag
and a raw tag in the allowed tags list. An attacker could possibly
use this issue to inject malicious content, leading to cross-site
scripting. This issue only affected Ubuntu 18.04 LTS. (CVE-2020-6802)

Yaniv Nizry discovered that Bleach was vulnerable to a mutation
cross-site scripting issue when sanitizing HTML with RCDATA together
with svg or math tags in the allowed tags list. An attacker could
possibly use this issue to inject malicious content, leading to
cross-site scripting. (CVE-2020-6816)

It was discovered that Bleach incorrectly handled parsing of style
attributes when sanitizing HTML. An attacker could possibly use this
issue to perform a regular expression denial of service, leading to
excessive resource consumption. (CVE-2020-6817)

Yaniv Nizry and Michał Bentkowski discovered that Bleach was vulnerable
to a mutation cross-site scripting issue when sanitizing HTML with
certain combinations of allowed tags. An attacker could possibly use
this issue to inject malicious content, leading to cross-site scripting.
(CVE-2021-23980)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
python-bleach-doc 3.1.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
python3-bleach 3.1.1-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
python-bleach 2.1.2-1ubuntu0.1~esm1
Available with Ubuntu Pro
python-bleach-doc 2.1.2-1ubuntu0.1~esm1
Available with Ubuntu Pro
python3-bleach 2.1.2-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 16.04 LTS
python-bleach 1.4.2-1ubuntu0.1~esm1
Available with Ubuntu Pro
python-bleach-doc 1.4.2-1ubuntu0.1~esm1
Available with Ubuntu Pro
python3-bleach 1.4.2-1ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8077-1
CVE-2018-7753, CVE-2020-6802, CVE-2020-6816, CVE-2020-6817,
CVE-2021-23980