Ubuntu 6927

Ubuntu has issued security notices for several vulnerabilities affecting packages across its supported releases. Radare2 contained memory leaks that could be exploited to cause a denial of service; python-apt could be made to crash by a specially crafted deb822 configuration file; and Netty mis-parsed HTTP messages (allowing request smuggling when used behind certain reverse proxies) and mismanaged memory while decoding compressed data. fontTools was found to be vulnerable to an XML External Entity (XXE) attack in its subsetting module and to a path traversal through crafted .designspace files that could lead to remote code execution. Users are advised to update to the package versions given in each notice.

[USN-7915-1] Radare2 vulnerabilities
[USN-7916-1] python-apt vulnerability
[USN-7918-1] Netty vulnerabilities
[USN-7917-1] fontTools vulnerabilities




[USN-7915-1] Radare2 vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7915-1
December 08, 2025

radare2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in radare2.

Software Description:
- radare2: free and advanced command line hexadecimal editor

Details:

It was discovered that Radare2 contained several memory leaks. An attacker
could possibly use these issues to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
radare2 5.9.8+dfsg-2ubuntu0.25.10.2

Ubuntu 25.04
radare2 5.9.8+dfsg-2ubuntu0.25.04.2

Ubuntu 24.04 LTS
radare2 5.5.0+dfsg-1.1ubuntu3+esm1
Available with Ubuntu Pro

Ubuntu 20.04 LTS
radare2 4.2.1+dfsg-2ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
radare2 2.3.0+dfsg-2ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7915-1
CVE-2025-60359, CVE-2025-60360, CVE-2025-60361

Package Information:
https://launchpad.net/ubuntu/+source/radare2/5.9.8+dfsg-2ubuntu0.25.10.2
https://launchpad.net/ubuntu/+source/radare2/5.9.8+dfsg-2ubuntu0.25.04.2



[USN-7916-1] python-apt vulnerability


==========================================================================
Ubuntu Security Notice USN-7916-1
December 09, 2025

python-apt vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

python-apt could be made to crash if it opened a specially crafted
file.

Software Description:
- python-apt: Python interface to libapt-pkg

Details:

Julian Andres Klode discovered that python-apt incorrectly handled
deb822 configuration files. An attacker could use this issue to cause
python-apt to crash, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
python-apt-dev 3.0.0ubuntu1.1
python3-apt 3.0.0ubuntu1.1

Ubuntu 25.04
python-apt-dev 3.0.0ubuntu0.25.04.1
python3-apt 3.0.0ubuntu0.25.04.1

Ubuntu 24.04 LTS
python-apt-dev 2.7.7ubuntu5.1
python3-apt 2.7.7ubuntu5.1

Ubuntu 22.04 LTS
python-apt-dev 2.4.0ubuntu4.1
python3-apt 2.4.0ubuntu4.1

Ubuntu 20.04 LTS
python-apt 2.0.1ubuntu0.20.04.1+esm1
Available with Ubuntu Pro
python-apt-dev 2.0.1ubuntu0.20.04.1+esm1
Available with Ubuntu Pro
python3-apt 2.0.1ubuntu0.20.04.1+esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
python-apt 1.6.6ubuntu0.1~esm1
Available with Ubuntu Pro
python-apt-dev 1.6.6ubuntu0.1~esm1
Available with Ubuntu Pro
python3-apt 1.6.6ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 16.04 LTS
python-apt 1.1.0~beta1ubuntu0.16.04.12+esm1
Available with Ubuntu Pro
python-apt-dev 1.1.0~beta1ubuntu0.16.04.12+esm1
Available with Ubuntu Pro
python3-apt 1.1.0~beta1ubuntu0.16.04.12+esm1
Available with Ubuntu Pro

Ubuntu 14.04 LTS
python-apt 0.9.3.5ubuntu3+esm5
Available with Ubuntu Pro
python-apt-dev 0.9.3.5ubuntu3+esm5
Available with Ubuntu Pro
python3-apt 0.9.3.5ubuntu3+esm5
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7916-1
CVE-2025-6966

Package Information:
https://launchpad.net/ubuntu/+source/python-apt/3.0.0ubuntu1.1
https://launchpad.net/ubuntu/+source/python-apt/3.0.0ubuntu0.25.04.1
https://launchpad.net/ubuntu/+source/python-apt/2.7.7ubuntu5.1
https://launchpad.net/ubuntu/+source/python-apt/2.4.0ubuntu4.1



[USN-7918-1] Netty vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7918-1
December 09, 2025

netty vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Netty.

Software Description:
- netty: event-driven asynchronous network application framework

Details:

Jeppe Bonde Weikop discovered that Netty incorrectly parsed HTTP
messages. When Netty is used with certain reverse proxies, a
remote attacker could possibly use this issue to perform HTTP request
smuggling attacks. (CVE-2025-58056)

Jonas Konrad discovered that Netty did not properly manage memory when
decoding compressed data. A remote attacker could possibly use this
issue to cause Netty to consume excessive memory, resulting in a denial
of service. This issue was only addressed in Ubuntu 18.04 LTS, Ubuntu
20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.04, and
Ubuntu 25.10. (CVE-2025-58057)
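The notice does not say which parsing discrepancy was involved, and the following is an added example rather than Netty's code. It shows the defensive principle behind request-smuggling fixes in general: a chunked-body decoder that refuses every framing two HTTP parsers could read differently (bare LF line endings, chunk extensions, non-hex sizes, stray bytes after the last chunk), so a proxy and a backend applying the same rules cannot disagree about where one request ends.

```python
import re

_HEX_SIZE = re.compile(rb"^[0-9A-Fa-f]+$")  # plain hex only: no sign, space or extension

class FramingError(ValueError):
    """Raised for any body framing a strict decoder refuses to guess about."""

def decode_chunked_strict(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body, refusing anything ambiguous: every line
    must end in CRLF (bare LF is rejected), sizes must be plain hex without chunk
    extensions, and the body must end with the zero chunk and an empty trailer."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end == -1:
            raise FramingError("chunk-size line not terminated by CRLF")
        line = body[pos:end]
        if b"\n" in line or b"\r" in line:
            raise FramingError("bare LF or CR inside chunk-size line")
        if b";" in line:
            raise FramingError("chunk extensions are not accepted")
        if not _HEX_SIZE.match(line):
            raise FramingError("invalid chunk size %r" % line)
        size = int(line, 16)
        pos = end + 2
        if size == 0:
            # Last chunk: only an empty trailer section may follow, nothing else.
            if body[pos:] != b"\r\n":
                raise FramingError("trailers or trailing bytes after the last chunk")
            return bytes(out)
        data = body[pos:pos + size]
        if len(data) != size:
            raise FramingError("chunk data truncated")
        out += data
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise FramingError("chunk data not followed by CRLF")
        pos += 2

def accepts(body: bytes) -> bool:
    """True if the strict decoder accepts `body`, False if it raises FramingError."""
    try:
        decode_chunked_strict(body)
        return True
    except FramingError:
        return False
```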

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
libnetty-java 1:4.1.48-10ubuntu0.25.10.2

Ubuntu 25.04
libnetty-java 1:4.1.48-10ubuntu0.25.04.2

Ubuntu 24.04 LTS
libnetty-java 1:4.1.48-9ubuntu0.1

Ubuntu 22.04 LTS
libnetty-java 1:4.1.48-4+deb11u2ubuntu0.1

Ubuntu 20.04 LTS
libnetty-java 1:4.1.45-1ubuntu0.1~esm4
Available with Ubuntu Pro

Ubuntu 18.04 LTS
libnetty-java 1:4.1.7-4ubuntu0.1+esm5
Available with Ubuntu Pro

Ubuntu 16.04 LTS
libnetty-java 1:4.0.34-1ubuntu0.1~esm3
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7918-1
CVE-2025-58056, CVE-2025-58057

Package Information:
https://launchpad.net/ubuntu/+source/netty/1:4.1.48-10ubuntu0.25.10.2
https://launchpad.net/ubuntu/+source/netty/1:4.1.48-10ubuntu0.25.04.2
https://launchpad.net/ubuntu/+source/netty/1:4.1.48-9ubuntu0.1
https://launchpad.net/ubuntu/+source/netty/1:4.1.48-4+deb11u2ubuntu0.1



[USN-7917-1] fontTools vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7917-1
December 09, 2025

fonttools vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in fontTools.

Software Description:
- fonttools: a library for manipulating fonts, written in Python

Details:

It was discovered that the subsetting module of fontTools was vulnerable to
an XML External Entity (XXE) attack. An unauthenticated remote attacker
could possibly use this issue to include arbitrary files from the file
system or make web requests from the host system. This issue only affected
Ubuntu 22.04 LTS. (CVE-2023-45139)
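How a parser refuses the attack described above, as an added example that is not fontTools' own code: it assumes the untrusted input is an XML document of the kind a font can embed (the SVG glyph documents below are constructed for the example) and rejects any DOCTYPE before an entity can be declared, so there is nothing for an external-entity resolver to fetch from disk or the network.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

class UnsafeXML(ValueError):
    """Raised when a document tries to declare entities (the XXE vector)."""

def _refuse(*_args):
    # Installed as the expat DOCTYPE/entity handler: any DTD content aborts the parse.
    raise UnsafeXML("DOCTYPE and ENTITY declarations are not accepted in font XML")

def parse_xml_without_entities(data: bytes) -> ET.Element:
    """Parse XML taken from an untrusted font, refusing any DOCTYPE or entity
    declaration. Without a DOCTYPE no external entity can be defined, so the
    document is safe to hand to an ordinary tree builder afterwards."""
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _refuse
    scanner.EntityDeclHandler = _refuse
    scanner.Parse(data, True)  # raises UnsafeXML, or ExpatError for malformed input
    return ET.fromstring(data)

def is_safe_xml(data: bytes) -> bool:
    """True if the document parses with no DTD content, False otherwise."""
    try:
        parse_xml_without_entities(data)
        return True
    except (UnsafeXML, ET.ParseError, expat.ExpatError):
        return False

# Constructed samples: a plain SVG glyph, and one declaring an external entity
# that points at a placeholder path (no real file is referenced).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><path d="M0 0h1v1z"/></svg>'
HOSTILE_SVG = (b'<?xml version="1.0"?>\n'
               b'<!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///placeholder/not-a-real-file">]>\n'
               b'<svg>&ext;</svg>')
```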

It was discovered that fontTools was vulnerable to path traversal attacks.
If a user or automated system were tricked into extracting a specially
crafted .designspace file, an attacker could possibly use this issue to
write arbitrary files outside the target directory, resulting in remote
code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.04
and Ubuntu 25.10. (CVE-2025-66034)
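The notice does not say which fontTools code path performed the write, so the following is an added example (not fontTools' own code) of the check that stops the class of bug it describes: every filename taken from an untrusted .designspace (assumed here to come from its `<source filename="...">` elements) is resolved against the target directory, and anything landing outside it is refused before a single byte is written. The designspace document is constructed for the example.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET
from pathlib import Path

class PathTraversal(ValueError):
    """Raised when an untrusted filename would escape the target directory."""

def resolve_inside(target_dir: str | Path, untrusted_name: str) -> Path:
    """Return the destination `untrusted_name` maps to under `target_dir`,
    or raise PathTraversal if it would land outside it."""
    base = Path(target_dir).resolve()
    if Path(untrusted_name).is_absolute():
        raise PathTraversal("absolute path rejected: %r" % untrusted_name)
    # resolve() collapses '..' and follows any symlinked components that already
    # exist, so a link planted inside target_dir cannot redirect the write either.
    candidate = (base / untrusted_name).resolve()
    if base not in candidate.parents:  # also rejects '.' (the directory itself)
        raise PathTraversal("%r resolves outside %s" % (untrusted_name, base))
    return candidate

def is_inside(target_dir: str | Path, untrusted_name: str) -> bool:
    try:
        resolve_inside(target_dir, untrusted_name)
        return True
    except PathTraversal:
        return False

def source_filenames(designspace_xml: bytes) -> list[str]:
    """Collect the filename attribute of every <source> element."""
    root = ET.fromstring(designspace_xml)
    return [s.get("filename") for s in root.iter("source") if s.get("filename")]

def rejected_sources(designspace_xml: bytes, target_dir: str | Path) -> list[str]:
    """Filenames that must not be written; run this before extracting anything."""
    return [n for n in source_filenames(designspace_xml) if not is_inside(target_dir, n)]

# Constructed sample: one honest source and one that tries to climb out.
SAMPLE_DESIGNSPACE = b"""<?xml version="1.0" encoding="UTF-8"?>
<designspace format="5.0">
  <sources>
    <source filename="Light.ufo" name="Light"/>
    <source filename="../../escape.ufo" name="Escape"/>
  </sources>
</designspace>"""
```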

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
fonttools 4.55.3-2ubuntu0.25.10.1
python3-fonttools 4.55.3-2ubuntu0.25.10.1

Ubuntu 25.04
fonttools 4.55.3-2ubuntu0.25.04.1
python3-fonttools 4.55.3-2ubuntu0.25.04.1

Ubuntu 24.04 LTS
fonttools 4.46.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
python3-fonttools 4.46.0-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 22.04 LTS
fonttools 4.29.1-2ubuntu0.1~esm1
Available with Ubuntu Pro
python3-fonttools 4.29.1-2ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7917-1
CVE-2023-45139, CVE-2025-66034

Package Information:
https://launchpad.net/ubuntu/+source/fonttools/4.55.3-2ubuntu0.25.10.1
https://launchpad.net/ubuntu/+source/fonttools/4.55.3-2ubuntu0.25.04.1