[USN-7280-3] Python 2.7 regression
[USN-7015-7] Python 2.7 regression
[USN-7782-1] Ghostscript vulnerabilities
[USN-5495-2] curl regression
[USN-7785-1] Open VM Tools vulnerability
[USN-7784-1] Rack vulnerability
[USN-7783-1] LibTIFF vulnerabilities
[USN-7280-3] Python 2.7 regression
==========================================================================
Ubuntu Security Notice USN-7280-3
September 29, 2025
python2.7 regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
USN-7280-2 introduced a regression in Python 2.7
Software Description:
- python2.7: An interactive high-level object-oriented language
Details:
USN-7280-2 fixed vulnerabilities in Python. It was discovered that the
fixes for CVE-2025-0938 and CVE-2024-11168 were incorrectly applied on
Ubuntu 14.04 LTS, causing a regression. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that Python incorrectly handled parsing domain names that
included square brackets. A remote attacker could possibly use this issue
to perform a Server-Side Request Forgery (SSRF) attack.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS
libpython2.7 2.7.6-8ubuntu0.6+esm28
Available with Ubuntu Pro
python2.7 2.7.6-8ubuntu0.6+esm28
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7280-3
https://ubuntu.com/security/notices/USN-7280-2
https://ubuntu.com/security/notices/USN-7280-1
CVE-2024-11168, CVE-2025-0938, https://launchpad.net/bugs/2125702
[USN-7015-7] Python 2.7 regression
==========================================================================
Ubuntu Security Notice USN-7015-7
September 29, 2025
python2.7 regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
USN-7015-4 introduced a regression in Python 2.7
Software Description:
- python2.7: An interactive high-level object-oriented language
Details:
USN-7015-4 fixed vulnerabilities in Python. It was discovered that the fix
for CVE-2023-27043 for python2.7 was incorrectly applied on Ubuntu 16.04
LTS and Ubuntu 18.04 LTS. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that the Python email module incorrectly parsed email
addresses that contain special characters. A remote attacker could
possibly use this issue to bypass certain protection mechanisms.
(CVE-2023-27043)
It was discovered that Python allowed excessive backtracking while parsing
certain tarfile headers. A remote attacker could possibly use this issue
to cause Python to consume resources, leading to a denial of service.
(CVE-2024-6232)
It was discovered that the Python email module incorrectly quoted newlines
for email headers. A remote attacker could possibly use this issue to
perform header injection. (CVE-2024-6923)
It was discovered that the Python http.cookies module incorrectly handled
parsing cookies that contained backslashes for quoted characters. A remote
attacker could possibly use this issue to cause Python to consume
resources, leading to a denial of service. (CVE-2024-7592)
It was discovered that the Python zipfile module incorrectly handled
certain malformed zip files. A remote attacker could possibly use this
issue to cause Python to stop responding, resulting in a denial of
service. (CVE-2024-8088)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS
libpython2.7 2.7.17-1~18.04ubuntu1.13+esm13
Available with Ubuntu Pro
python2.7 2.7.17-1~18.04ubuntu1.13+esm13
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libpython2.7 2.7.12-1ubuntu0~16.04.18+esm18
Available with Ubuntu Pro
python2.7 2.7.12-1ubuntu0~16.04.18+esm18
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7015-7
https://ubuntu.com/security/notices/USN-7015-6
https://ubuntu.com/security/notices/USN-7015-5
https://ubuntu.com/security/notices/USN-7015-4
https://ubuntu.com/security/notices/USN-7015-3
https://ubuntu.com/security/notices/USN-7015-2
https://ubuntu.com/security/notices/USN-7015-1
CVE-2023-27043, https://launchpad.net/bugs/2125702
[USN-7782-1] Ghostscript vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7782-1
September 29, 2025
ghostscript vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in Ghostscript.
Software Description:
- ghostscript: PostScript and PDF interpreter
Details:
It was discovered that Ghostscript incorrectly handled opening a file to
write. An attacker could possibly use this issue to cause Ghostscript to
crash, resulting in a denial of service. (CVE-2025-7462)
It was discovered that Ghostscript incorrectly handled writing certain
files. An attacker could possibly use this issue to cause Ghostscript to
crash, resulting in a denial of service. (CVE-2025-59798, CVE-2025-59799)
It was discovered that Ghostscript incorrectly handled performing OCR on
certain files. An attacker could use this issue to cause Ghostscript to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2025-59800)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.04
ghostscript 10.05.0dfsg1-0ubuntu1.2
libgs10 10.05.0dfsg1-0ubuntu1.2
Ubuntu 24.04 LTS
ghostscript 10.02.1~dfsg1-0ubuntu7.8
libgs10 10.02.1~dfsg1-0ubuntu7.8
Ubuntu 22.04 LTS
ghostscript 9.55.0~dfsg1-0ubuntu5.13
libgs9 9.55.0~dfsg1-0ubuntu5.13
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7782-1
CVE-2025-59798, CVE-2025-59799, CVE-2025-59800, CVE-2025-7462
Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/10.05.0dfsg1-0ubuntu1.2
https://launchpad.net/ubuntu/+source/ghostscript/10.02.1~dfsg1-0ubuntu7.8
https://launchpad.net/ubuntu/+source/ghostscript/9.55.0~dfsg1-0ubuntu5.13
[USN-5495-2] curl regression
==========================================================================
Ubuntu Security Notice USN-5495-2
September 29, 2025
curl regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
USN-5495-1 introduced a regression in curl
Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries
Details:
USN-5495-1 fixed vulnerabilities in curl. The fix for CVE-2022-32205
miscalculated the maximum cookie size, causing a regression. This update
fixes the problem.
Original advisory details:
Harry Sintonen discovered that curl incorrectly handled certain cookies.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 21.10 and Ubuntu 22.04 LTS. (CVE-2022-32205)
Harry Sintonen discovered that curl incorrectly handled certain HTTP compressions.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2022-32206)
Harry Sintonen discovered that curl incorrectly handled certain file permissions.
An attacker could possibly use this issue to expose sensitive information.
This issue only affected Ubuntu 21.10 and Ubuntu 22.04 LTS. (CVE-2022-32207)
Harry Sintonen discovered that curl incorrectly handled certain FTP-KRB messages.
An attacker could possibly use this to perform a machine-in-the-middle attack.
(CVE-2022-32208)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
curl 7.81.0-1ubuntu1.21
libcurl3-gnutls 7.81.0-1ubuntu1.21
libcurl3-nss 7.81.0-1ubuntu1.21
libcurl4 7.81.0-1ubuntu1.21
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5495-2
https://ubuntu.com/security/notices/USN-5495-1
https://launchpad.net/bugs/2118865
Package Information:
https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.21
[USN-7785-1] Open VM Tools vulnerability
==========================================================================
Ubuntu Security Notice USN-7785-1
September 29, 2025
open-vm-tools vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Open VM Tools could be made to run programs as an administrator.
Software Description:
- open-vm-tools: Open VMware Tools for virtual machines hosted on VMware
Details:
It was discovered that Open VM Tools incorrectly handled permissions with
version checking. An attacker could possibly use this issue to escalate
privileges inside a virtual machine.
This update disables the SDMP get-versions.sh script, so version
information may no longer be made available.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.04
open-vm-tools 2:12.5.0-1ubuntu0.2
Ubuntu 24.04 LTS
open-vm-tools 2:12.5.0-1~ubuntu0.24.04.2
Ubuntu 22.04 LTS
open-vm-tools 2:12.3.5-3~ubuntu0.22.04.3
Ubuntu 20.04 LTS
open-vm-tools 2:11.3.0-2ubuntu0~ubuntu20.04.8+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7785-1
CVE-2025-41244
Package Information:
https://launchpad.net/ubuntu/+source/open-vm-tools/2:12.5.0-1ubuntu0.2
https://launchpad.net/ubuntu/+source/open-vm-tools/2:12.5.0-1~ubuntu0.24.04.2
https://launchpad.net/ubuntu/+source/open-vm-tools/2:12.3.5-3~ubuntu0.22.04.3
[USN-7784-1] Rack vulnerability
==========================================================================
Ubuntu Security Notice USN-7784-1
September 29, 2025
ruby-rack vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.04
- Ubuntu 24.04 LTS
Summary:
Rack could be made to crash if it received specially crafted network
traffic.
Software Description:
- ruby-rack: modular Ruby webserver interface
Details:
It was discovered that Rack incorrectly handled limiting the number of
parameters in a request. An attacker could possibly use this issue to
bypass the params_limit value, leading to a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.04
ruby-rack 2.2.7-1.1ubuntu0.25.04.3
Ubuntu 24.04 LTS
ruby-rack 2.2.7-1ubuntu0.4
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7784-1
CVE-2025-59830
Package Information:
https://launchpad.net/ubuntu/+source/ruby-rack/2.2.7-1.1ubuntu0.25.04.3
https://launchpad.net/ubuntu/+source/ruby-rack/2.2.7-1ubuntu0.4
[USN-7783-1] LibTIFF vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7783-1
September 29, 2025
tiff vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in LibTIFF.
Software Description:
- tiff: Tag Image File Format (TIFF) library
Details:
Xudong Cao and Yuqing Zhang discovered that LibTIFF incorrectly handled
memory when parsing malformed TIFF images. An attacker could possibly use
this issue to cause LibTIFF to crash, resulting in a denial of service.
(CVE-2025-8961)
Xudong Cao and Yuqing Zhang discovered that LibTIFF incorrectly handled
memory when parsing malformed TIFF image headers. An attacker could
possibly use this issue to cause LibTIFF to leak memory, resulting in a
denial of service. (CVE-2025-9165)
It was discovered that LibTIFF incorrectly handled memory when parsing
malformed TIFF image metadata. An attacker could possibly use this issue to
cause a denial of service, obtain sensitive information, or execute
arbitrary code. (CVE-2025-9900)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.04
libtiff6 4.5.1+git230720-4ubuntu4.2
Ubuntu 24.04 LTS
libtiff6 4.5.1+git230720-4ubuntu2.4
Ubuntu 22.04 LTS
libtiff5 4.3.0-6ubuntu0.12
Ubuntu 20.04 LTS
libtiff5 4.1.0+git191117-2ubuntu0.20.04.14+esm2
Available with Ubuntu Pro
Ubuntu 18.04 LTS
libtiff5 4.0.9-5ubuntu0.10+esm9
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libtiff5 4.0.6-1ubuntu0.8+esm19
Available with Ubuntu Pro
Ubuntu 14.04 LTS
libtiff5 4.0.3-7ubuntu0.11+esm16
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7783-1
CVE-2025-8961, CVE-2025-9165, CVE-2025-9900
Package Information:
https://launchpad.net/ubuntu/+source/tiff/4.5.1+git230720-4ubuntu4.2
https://launchpad.net/ubuntu/+source/tiff/4.5.1+git230720-4ubuntu2.4
https://launchpad.net/ubuntu/+source/tiff/4.3.0-6ubuntu0.12
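Every notice above ends with an "Update instructions" block listing, per release, the package versions that carry the fix. The added example below is not Ubuntu's own tooling: it parses such a block and checks a host's installed versions against it, implementing the Debian version ordering (epoch, then upstream, then revision, with "~" sorting before everything, as dpkg --compare-versions applies it) so the check works where apt_pkg is not importable. The notice excerpt is the USN-7015-7 block as printed above; the installed versions are constructed for a hypothetical 18.04 host, and on a real host would come from `dpkg-query -W -f='${Package} ${Version}\n'`.

```python
"""Check installed package versions against the fixed versions in a USN.

Added example, not Ubuntu's tooling.  Version ordering follows the dpkg
algorithm (deb-version(7)); inputs below are constructed.
"""
import re

_DIGITS = "0123456789"


def _order(c):
    """Weight of a non-digit character as dpkg sorts it ('~' sorts before end of string)."""
    if c == "" or c in _DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream or revision strings: negative, zero or positive."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs compare character by character.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit runs compare numerically: drop leading zeros, longer run wins, else first digit differing.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i] in _DIGITS:
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff != 0:
            return first_diff
    return 0


def parse_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        head, _, version = version.partition(":")
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as dpkg --compare-versions would order a against b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


_RELEASE_RE = re.compile(r"^Ubuntu \d\d\.\d\d( LTS)?$")


def parse_fixed_versions(notice_text):
    """Map (release, package) -> (fixed version, Ubuntu Pro only) from a USN's update block."""
    fixed, release, last_key, in_block = {}, None, None, False
    for raw in notice_text.splitlines():
        line = raw.strip()
        if line == "package versions:":
            in_block = True
            continue
        if not in_block or not line:
            continue
        if line.startswith("In general,"):
            break
        if _RELEASE_RE.match(line):
            release = line
        elif line == "Available with Ubuntu Pro" and last_key:
            fixed[last_key] = (fixed[last_key][0], True)
        else:
            pkg, ver = line.split()
            last_key = (release, pkg)
            fixed[last_key] = (ver, False)
    return fixed


def find_outdated(fixed, release, installed):
    """List (package, installed, fixed, pro_only) for packages still below the fixed version."""
    out = []
    for (rel, pkg), (ver, pro) in fixed.items():
        if rel == release and pkg in installed and compare_versions(installed[pkg], ver) < 0:
            out.append((pkg, installed[pkg], ver, pro))
    return sorted(out)


# Excerpt of the USN-7015-7 update block (18.04 part), as printed in the notice.
SAMPLE_NOTICE = """\
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS
libpython2.7 2.7.17-1~18.04ubuntu1.13+esm13
Available with Ubuntu Pro
python2.7 2.7.17-1~18.04ubuntu1.13+esm13
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
"""

# Constructed dpkg-query output for a hypothetical 18.04 host: libpython2.7 already patched.
SAMPLE_INSTALLED = {
    "libpython2.7": "2.7.17-1~18.04ubuntu1.13+esm13",
    "python2.7": "2.7.17-1~18.04ubuntu1.13+esm12",
}

if __name__ == "__main__":
    fixed = parse_fixed_versions(SAMPLE_NOTICE)
    for pkg, have, want, pro in find_outdated(fixed, "Ubuntu 18.04 LTS", SAMPLE_INSTALLED):
        print(f"{pkg}: installed {have} < fixed {want}{' (Ubuntu Pro)' if pro else ''}")
```

The comparison deliberately handles the cases these notices rely on: an epoch such as the "2:" on open-vm-tools outranks any un-epoched version, "~dfsg1" and "~16.04" sort below the bare upstream string, and "+esm12" is correctly ordered below "+esm13" by numeric rather than lexical comparison. The Ubuntu Pro flag is carried through because, for the ESM releases, a host without Pro attached will never see the fixed version in a standard update.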