[USN-8482-1] Roundcube Webmail vulnerability
[USN-8485-1] libyang vulnerability
[USN-8483-1] HPLIP vulnerabilities
[USN-8486-1] libssh2 vulnerabilities
[USN-8484-1] GD.pm vulnerability
[USN-8477-1] tar vulnerability
[USN-8478-1] Ruby vulnerabilities
[USN-8487-1] curl vulnerabilities
[USN-8482-1] Roundcube Webmail vulnerability
==========================================================================
Ubuntu Security Notice USN-8482-1
June 30, 2026
roundcube vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
Summary:
Roundcube Webmail could be made to run programs as your login if it opened
a malicious website.
Software Description:
- roundcube: skinnable AJAX based webmail solution for IMAP servers - metapack
Details:
It was discovered that Roundcube Webmail was prone to a Cross-Site-Scripting
(XSS) vulnerability via the animate tag in an SVG document. An attacker
could use this issue to execute arbitrary web script in the context of an
affected user's session.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
roundcube 1.6.11+dfsg-1ubuntu0.26.04.1~esm1
Available with Ubuntu Pro
roundcube-core 1.6.11+dfsg-1ubuntu0.26.04.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8482-1
CVE-2025-68461
[USN-8485-1] libyang vulnerability
==========================================================================
Ubuntu Security Notice USN-8485-1
June 30, 2026
libyang vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
Summary:
libyang could be made to crash or run programs if it received specially
crafted network traffic.
Software Description:
- libyang: parser toolkit for IETF YANG data modeling
Details:
It was discovered that libyang incorrectly handled certain metadata list
pointers. An attacker could use this issue to cause libyang to crash,
resulting in a denial of service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
libyang3 3.13.6-1ubuntu0.1
Ubuntu 25.10
libyang3 3.13.5-2ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8485-1
CVE-2026-41401
Package Information:
https://launchpad.net/ubuntu/+source/libyang/3.13.6-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libyang/3.13.5-2ubuntu0.1
[USN-8483-1] HPLIP vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8483-1
June 30, 2026
hplip vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in HPLIP.
Software Description:
- hplip: HP Linux Printing and Imaging System (HPLIP)
Details:
It was discovered that HPLIP incorrectly handled certain print data. An
attacker could possibly use this issue to cause HPLIP to execute arbitrary
code. (CVE-2026-8631)

It was discovered that HPLIP incorrectly handled certain inputs. A local
attacker could possibly use this issue to execute arbitrary code.
(CVE-2026-8632)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
hplip 3.24.4+dfsg0-0ubuntu8.1
Ubuntu 25.10
hplip 3.24.4+dfsg0-0ubuntu5.2
Ubuntu 24.04 LTS
hplip 3.23.12+dfsg0-0ubuntu5.1
Ubuntu 22.04 LTS
hplip 3.21.12+dfsg0-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8483-1
CVE-2026-8631, CVE-2026-8632
Package Information:
https://launchpad.net/ubuntu/+source/hplip/3.24.4+dfsg0-0ubuntu8.1
https://launchpad.net/ubuntu/+source/hplip/3.24.4+dfsg0-0ubuntu5.2
https://launchpad.net/ubuntu/+source/hplip/3.23.12+dfsg0-0ubuntu5.1
https://launchpad.net/ubuntu/+source/hplip/3.21.12+dfsg0-1ubuntu0.1
[USN-8486-1] libssh2 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8486-1
June 30, 2026
libssh2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
Summary:
Several security issues were fixed in libssh2.
Software Description:
- libssh2: Client-side C library implementing the SSH2 protocol
Details:
It was discovered that libssh2 incorrectly handled the sftp_symlink()
function. A malicious SSH server or machine-in-the-middle attacker could
possibly use this issue to obtain sensitive information or cause a denial
of service. (CVE-2025-15661)

It was discovered that libssh2 had a pre-authentication denial of service
vulnerability in the SSH_MSG_EXT_INFO handler. A malicious SSH server could
possibly use this issue to cause a client CPU exhaustion loop, resulting in
a denial of service. (CVE-2026-55199)

It was discovered that libssh2 incorrectly handled packet length fields. A
remote attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS.
(CVE-2026-55200)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
libssh2-1t64 1.11.1-1ubuntu0.26.04.2
Ubuntu 25.10
libssh2-1t64 1.11.1-1ubuntu0.25.10.2
Ubuntu 24.04 LTS
libssh2-1t64 1.11.0-4.1ubuntu0.24.04.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8486-1
CVE-2025-15661, CVE-2026-55199, CVE-2026-55200
Package Information:
https://launchpad.net/ubuntu/+source/libssh2/1.11.1-1ubuntu0.26.04.2
https://launchpad.net/ubuntu/+source/libssh2/1.11.1-1ubuntu0.25.10.2
https://launchpad.net/ubuntu/+source/libssh2/1.11.0-4.1ubuntu0.24.04.2
[USN-8484-1] GD.pm vulnerability
==========================================================================
Ubuntu Security Notice USN-8484-1
June 30, 2026
libgd-perl vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
GD.pm could be made to run programs or overwrite files if it opened a
specially crafted file.
Software Description:
- libgd-perl: Perl module wrapper for libgd
Details:
It was discovered that GD.pm incorrectly handled filename arguments. An
attacker could possibly use this issue to execute arbitrary commands or
overwrite files.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
libgd-perl 2.84-2ubuntu0.1
Ubuntu 25.10
libgd-perl 2.78-1ubuntu0.25.10.1
Ubuntu 24.04 LTS
libgd-perl 2.78-1ubuntu0.24.04.1
Ubuntu 22.04 LTS
libgd-perl 2.76-2ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8484-1
CVE-2026-11526
Package Information:
https://launchpad.net/ubuntu/+source/libgd-perl/2.84-2ubuntu0.1
https://launchpad.net/ubuntu/+source/libgd-perl/2.78-1ubuntu0.25.10.1
https://launchpad.net/ubuntu/+source/libgd-perl/2.78-1ubuntu0.24.04.1
https://launchpad.net/ubuntu/+source/libgd-perl/2.76-2ubuntu0.1
[USN-8477-1] tar vulnerability
==========================================================================
Ubuntu Security Notice USN-8477-1
June 25, 2026
tar vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
tar could be made to overwrite files if it opened a specially crafted
archive.
Software Description:
- tar: GNU tar archive utility
Details:
It was discovered that tar incorrectly handled certain crafted archive files.
An attacker could possibly use this to inject hidden files with
attacker-controlled content, bypassing pre-extraction inspection mechanisms.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
tar 1.35+dfsg-4ubuntu0.1
Ubuntu 24.04 LTS
tar 1.35+dfsg-3ubuntu0.1
Ubuntu 22.04 LTS
tar 1.34+dfsg-1ubuntu0.1.22.04.3
Ubuntu 20.04 LTS
tar 1.30+dfsg-7ubuntu0.20.04.4+esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
tar 1.29b-2ubuntu0.4+esm2
Available with Ubuntu Pro
Ubuntu 16.04 LTS
tar 1.28-2.1ubuntu0.2+esm4
Available with Ubuntu Pro
Ubuntu 14.04 LTS
tar 1.27.1-1ubuntu0.1+esm5
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8477-1
CVE-2026-5704
Package Information:
https://launchpad.net/ubuntu/+source/tar/1.35+dfsg-4ubuntu0.1
https://launchpad.net/ubuntu/+source/tar/1.35+dfsg-3ubuntu0.1
https://launchpad.net/ubuntu/+source/tar/1.34+dfsg-1ubuntu0.1.22.04.3
[USN-8478-1] Ruby vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8478-1
June 29, 2025
ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Ruby could allow unintended access to network services.
Software Description:
- ruby3.3: Object-oriented scripting language
- ruby3.2: Object-oriented scripting language
- ruby3.0: Object-oriented scripting language
- ruby2.7: Object-oriented scripting language
Details:
It was discovered that Ruby's Net::IMAP library did not properly verify
that TLS encryption was started after issuing a STARTTLS command. A remote
attacker could use this to perform a machine-in-the-middle attack and silently
bypass TLS encryption. (CVE-2026-42246)

It was discovered that Ruby's Net::IMAP library did not validate
string arguments passed to certain commands. A remote attacker could use
this to inject arbitrary IMAP commands. (CVE-2026-42257)

It was discovered that Ruby's Net::IMAP library was vulnerable to a
denial of service attack when authenticating with SCRAM-SHA1 or
SCRAM-SHA256. A hostile server could send a very large iteration count
value to cause excessive computation in the client. This issue only
affected ruby3.3. (CVE-2026-42256)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
libruby3.3 3.3.8-2ubuntu3.1
ruby3.3 3.3.8-2ubuntu3.1
Ubuntu 24.04 LTS
libruby3.2 3.2.3-1ubuntu0.24.04.8
ruby3.2 3.2.3-1ubuntu0.24.04.8
Ubuntu 22.04 LTS
libruby3.0 3.0.2-7ubuntu2.13
ruby3.0 3.0.2-7ubuntu2.13
Ubuntu 20.04 LTS
libruby2.7 2.7.0-5ubuntu1.18+esm5
Available with Ubuntu Pro
ruby2.7 2.7.0-5ubuntu1.18+esm5
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8478-1
CVE-2026-42246, CVE-2026-42256, CVE-2026-42257
Package Information:
https://launchpad.net/ubuntu/+source/ruby3.3/3.3.8-2ubuntu3.1
https://launchpad.net/ubuntu/+source/ruby3.2/3.2.3-1ubuntu0.24.04.8
https://launchpad.net/ubuntu/+source/ruby3.0/3.0.2-7ubuntu2.13
[USN-8487-1] curl vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8487-1
June 30, 2026
curl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in curl.
Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries
Details:
Andrew Nesbitt discovered that curl could reuse an existing live
connection during STARTTLS-based connection upgrades even when the TLS
configuration did not match. A remote attacker could possibly use this
issue to cause curl to use an unintended TLS configuration.
(CVE-2026-8286)

Muhamad Arga Reksapati discovered that curl incorrectly reused
connections for Negotiate-authenticated requests when different services
were involved. A remote attacker could possibly use this issue to access
resources authenticated for another service. This issue only affected
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS,
Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-8458)

It was discovered that curl incorrectly handled cookie parsing in
certain circumstances. A remote attacker could possibly use this issue
to set cookies that would be transmitted to unrelated third-party
domains. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10, and
Ubuntu 26.04 LTS. (CVE-2026-8924)

Joshua Rogers discovered that curl could double-free a GSASL context
when handling SASL authentication. A remote attacker could possibly use
this issue to cause a denial of service, or execute arbitrary code. This
issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10, and
Ubuntu 26.04 LTS. (CVE-2026-8925)

Joshua Rogers discovered that curl could select the wrong password from
a .netrc file when a username was specified in the URL without a
password. A remote attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 25.10 and Ubuntu
26.04 LTS. (CVE-2026-8926)

Ady Elouej discovered that curl did not clear proxy authentication
state between requests when reusing a handle with environment-variable
proxy configuration. A remote attacker could possibly use this issue to
obtain sensitive credentials. (CVE-2026-8927)

Guannan Wang, Zhanpeng Liu, Jiashuo Liang, and Guancheng Li discovered
that curl did not properly clear proxy authentication credentials when
instructed to do so. A remote attacker could possibly use this issue to
obtain sensitive credentials. This issue only affected Ubuntu 25.10 and
Ubuntu 26.04 LTS. (CVE-2026-9079)

Joshua Rogers discovered that curl contained a use-after-free when
curl_easy_pause() was called within the event-based socket callback. A
remote attacker could possibly use this issue to cause a denial of service
or possibly execute arbitrary code. This issue only affected Ubuntu 25.10
and Ubuntu 26.04 LTS. (CVE-2026-9080)

Eunsoo Kim discovered that curl could send early data on a resumed TLS
session before enforcing certificate verification failure. A
machine-in-the-middle attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 25.10 and Ubuntu
26.04 LTS. (CVE-2026-9545)

Joshua Rogers discovered that curl did not properly reject host key
type mismatches when using the SSH key callback for SCP and SFTP
transfers. A machine-in-the-middle attacker could possibly use this
issue to impersonate a trusted server. This issue only affected Ubuntu
22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS.
(CVE-2026-9547)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
curl 8.18.0-1ubuntu2.2
libcurl3t64-gnutls 8.18.0-1ubuntu2.2
libcurl4-gnutls-dev 8.18.0-1ubuntu2.2
libcurl4-openssl-dev 8.18.0-1ubuntu2.2
libcurl4t64 8.18.0-1ubuntu2.2
Ubuntu 25.10
curl 8.14.1-2ubuntu1.4
libcurl3t64-gnutls 8.14.1-2ubuntu1.4
libcurl4-gnutls-dev 8.14.1-2ubuntu1.4
libcurl4-openssl-dev 8.14.1-2ubuntu1.4
libcurl4t64 8.14.1-2ubuntu1.4
Ubuntu 24.04 LTS
curl 8.5.0-2ubuntu10.10
libcurl3t64-gnutls 8.5.0-2ubuntu10.10
libcurl4-gnutls-dev 8.5.0-2ubuntu10.10
libcurl4-openssl-dev 8.5.0-2ubuntu10.10
libcurl4t64 8.5.0-2ubuntu10.10
Ubuntu 22.04 LTS
curl 7.81.0-1ubuntu1.25
libcurl3-gnutls 7.81.0-1ubuntu1.25
libcurl3-nss 7.81.0-1ubuntu1.25
libcurl4 7.81.0-1ubuntu1.25
libcurl4-gnutls-dev 7.81.0-1ubuntu1.25
libcurl4-nss-dev 7.81.0-1ubuntu1.25
libcurl4-openssl-dev 7.81.0-1ubuntu1.25
Ubuntu 20.04 LTS
curl 7.68.0-1ubuntu2.25+esm4
Available with Ubuntu Pro
libcurl3-gnutls 7.68.0-1ubuntu2.25+esm4
Available with Ubuntu Pro
libcurl3-nss 7.68.0-1ubuntu2.25+esm4
Available with Ubuntu Pro
libcurl4 7.68.0-1ubuntu2.25+esm4
Available with Ubuntu Pro
libcurl4-gnutls-dev 7.68.0-1ubuntu2.25+esm4
Available with Ubuntu Pro
libcurl4-nss-dev 7.68.0-1ubuntu2.25+esm4
Available with Ubuntu Pro
libcurl4-openssl-dev 7.68.0-1ubuntu2.25+esm4
Available with Ubuntu Pro
Ubuntu 18.04 LTS
curl 7.58.0-2ubuntu3.24+esm9
Available with Ubuntu Pro
libcurl3-gnutls 7.58.0-2ubuntu3.24+esm9
Available with Ubuntu Pro
libcurl3-nss 7.58.0-2ubuntu3.24+esm9
Available with Ubuntu Pro
libcurl4 7.58.0-2ubuntu3.24+esm9
Available with Ubuntu Pro
libcurl4-gnutls-dev 7.58.0-2ubuntu3.24+esm9
Available with Ubuntu Pro
libcurl4-nss-dev 7.58.0-2ubuntu3.24+esm9
Available with Ubuntu Pro
libcurl4-openssl-dev 7.58.0-2ubuntu3.24+esm9
Available with Ubuntu Pro
Ubuntu 16.04 LTS
curl 7.47.0-1ubuntu2.19+esm16
Available with Ubuntu Pro
libcurl3 7.47.0-1ubuntu2.19+esm16
Available with Ubuntu Pro
libcurl3-gnutls 7.47.0-1ubuntu2.19+esm16
Available with Ubuntu Pro
libcurl3-nss 7.47.0-1ubuntu2.19+esm16
Available with Ubuntu Pro
libcurl4-gnutls-dev 7.47.0-1ubuntu2.19+esm16
Available with Ubuntu Pro
libcurl4-nss-dev 7.47.0-1ubuntu2.19+esm16
Available with Ubuntu Pro
libcurl4-openssl-dev 7.47.0-1ubuntu2.19+esm16
Available with Ubuntu Pro
Ubuntu 14.04 LTS
curl 7.35.0-1ubuntu2.20+esm20
Available with Ubuntu Pro
libcurl3 7.35.0-1ubuntu2.20+esm20
Available with Ubuntu Pro
libcurl3-gnutls 7.35.0-1ubuntu2.20+esm20
Available with Ubuntu Pro
libcurl3-nss 7.35.0-1ubuntu2.20+esm20
Available with Ubuntu Pro
libcurl4-gnutls-dev 7.35.0-1ubuntu2.20+esm20
Available with Ubuntu Pro
libcurl4-nss-dev 7.35.0-1ubuntu2.20+esm20
Available with Ubuntu Pro
libcurl4-openssl-dev 7.35.0-1ubuntu2.20+esm20
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8487-1
CVE-2026-8286, CVE-2026-8458, CVE-2026-8924, CVE-2026-8925,
CVE-2026-8926, CVE-2026-8927, CVE-2026-9079, CVE-2026-9080,
CVE-2026-9545, CVE-2026-9547
Package Information:
https://launchpad.net/ubuntu/+source/curl/8.18.0-1ubuntu2.2
https://launchpad.net/ubuntu/+source/curl/8.14.1-2ubuntu1.4
https://launchpad.net/ubuntu/+source/curl/8.5.0-2ubuntu10.10
https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.25