
Ubuntu has released security notices to address vulnerabilities in RubyGems and PHP, affecting Ubuntu 25.04 and various LTS versions. A Django vulnerability was also addressed, affecting multiple Ubuntu versions from 20.04 LTS down to 16.04 LTS. Additionally, an FFmpeg vulnerability was fixed, impacting Ubuntu 25.04 through 16.04 LTS.

[USN-7735-1] RubyGems vulnerabilities
[USN-7648-3] PHP regression
[USN-7736-1] Django vulnerability
[USN-7738-1] FFmpeg vulnerability




[USN-7735-1] RubyGems vulnerabilities


==========================================================================
Ubuntu Security Notice USN-7735-1
September 03, 2025

rubygems vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in RubyGems.

Software Description:
- rubygems: package management framework for Ruby libraries/applications

Details:

It was discovered that RubyGems incorrectly handled certain regular
expressions. An attacker could use this issue to cause RubyGems to crash,
resulting in a denial of service. This issue only affected Ubuntu 22.04
LTS. (CVE-2023-28755)

It was discovered that RubyGems incorrectly handled decompressed domain
names within a DNS packet. An attacker could use this issue to cause
RubyGems to crash, resulting in a denial of service. This issue only
affected Ubuntu 25.04. (CVE-2025-24294)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
ruby-rubygems 3.6.3-1ubuntu0.1

Ubuntu 22.04 LTS
ruby-rubygems 3.3.5-2ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7735-1
CVE-2023-28755, CVE-2025-24294

Package Information:
https://launchpad.net/ubuntu/+source/rubygems/3.6.3-1ubuntu0.1
https://launchpad.net/ubuntu/+source/rubygems/3.3.5-2ubuntu1.1



[USN-7648-3] PHP regression


==========================================================================
Ubuntu Security Notice USN-7648-3
September 04, 2025

php7.0, php7.2, php7.4 regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

USN-7648-2 introduced a regression in PHP

Software Description:
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter
- php7.0: HTML-embedded scripting language interpreter

Details:

USN-7648-2 fixed vulnerabilities in PHP. The patch for CVE-2025-1735
caused a regression in php7.0, php7.2 and php7.4. This update fixes
the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that PHP incorrectly handled certain hostnames containing
null characters. A remote attacker could possibly use this issue to bypass
certain hostname validation checks. (CVE-2025-1220)

It was discovered that PHP incorrectly handled the pgsql and pdo_pgsql
escaping functions. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. (CVE-2025-1735)

It was discovered that PHP incorrectly handled parsing certain XML data in
SOAP extensions. A remote attacker could possibly use this issue to cause
PHP to crash, resulting in a denial of service. (CVE-2025-6491)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
php7.4 7.4.3-4ubuntu2.29+esm2
Available with Ubuntu Pro
php7.4-cgi 7.4.3-4ubuntu2.29+esm2
Available with Ubuntu Pro
php7.4-cli 7.4.3-4ubuntu2.29+esm2
Available with Ubuntu Pro
php7.4-common 7.4.3-4ubuntu2.29+esm2
Available with Ubuntu Pro
php7.4-fpm 7.4.3-4ubuntu2.29+esm2
Available with Ubuntu Pro
php7.4-pgsql 7.4.3-4ubuntu2.29+esm2
Available with Ubuntu Pro

Ubuntu 18.04 LTS
php7.2 7.2.24-0ubuntu0.18.04.17+esm11
Available with Ubuntu Pro
php7.2-cgi 7.2.24-0ubuntu0.18.04.17+esm11
Available with Ubuntu Pro
php7.2-cli 7.2.24-0ubuntu0.18.04.17+esm11
Available with Ubuntu Pro
php7.2-fpm 7.2.24-0ubuntu0.18.04.17+esm11
Available with Ubuntu Pro
php7.2-pgsql 7.2.24-0ubuntu0.18.04.17+esm11
Available with Ubuntu Pro

Ubuntu 16.04 LTS
php7.0 7.0.33-0ubuntu0.16.04.16+esm18
Available with Ubuntu Pro
php7.0-cgi 7.0.33-0ubuntu0.16.04.16+esm18
Available with Ubuntu Pro
php7.0-cli 7.0.33-0ubuntu0.16.04.16+esm18
Available with Ubuntu Pro
php7.0-common 7.0.33-0ubuntu0.16.04.16+esm18
Available with Ubuntu Pro
php7.0-fpm 7.0.33-0ubuntu0.16.04.16+esm18
Available with Ubuntu Pro
php7.0-pgsql 7.0.33-0ubuntu0.16.04.16+esm18
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7648-3
https://ubuntu.com/security/notices/USN-7648-2
https://ubuntu.com/security/notices/USN-7648-1
CVE-2025-1735, https://launchpad.net/bugs/2121643



[USN-7736-1] Django vulnerability


=======================================================================

Ubuntu Security Notice USN-7736-1
September 03, 2025

python-django vulnerability
=======================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Django could be SQL injected if it received a suitably
crafted dictionary.

Software Description:
- python-django: High-level Python web development framework

Details:

It was discovered that Django incorrectly handled certain inputs.
An attacker could possibly use this issue to perform a SQL injection.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
  python3-django                  3:4.2.18-1ubuntu1.4

Ubuntu 24.04 LTS
  python3-django                  3:4.2.11-1ubuntu1.10

Ubuntu 22.04 LTS
  python3-django                  2:3.2.12-2ubuntu1.21

Ubuntu 20.04 LTS
  python3-django                  2:2.2.12-1ubuntu0.29+esm3
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary
changes.

References:
  https://ubuntu.com/security/notices/USN-7736-1
  CVE-2025-57833

Package Information:
https://launchpad.net/ubuntu/+source/python-django/3:4.2.18-1ubuntu1.4
https://launchpad.net/ubuntu/+source/python-django/3:4.2.11-1ubuntu1.10
https://launchpad.net/ubuntu/+source/python-django/2:3.2.12-2ubuntu1.21



[USN-7738-1] FFmpeg vulnerability


==========================================================================
Ubuntu Security Notice USN-7738-1
September 04, 2025

ffmpeg vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

FFmpeg could be made to crash if it received specially crafted input.

Software Description:
- ffmpeg: Tools for transcoding, streaming and playing of multimedia files

Details:

It was discovered that FFmpeg incorrectly handled the calculation of
LPC order, which could lead to a stack-based buffer overflow. An attacker
could possibly use this issue to cause FFmpeg to crash, resulting in a
denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
ffmpeg 7:7.1.1-1ubuntu1.2
libavcodec-dev 7:7.1.1-1ubuntu1.2

Ubuntu 24.04 LTS
ffmpeg 7:6.1.1-3ubuntu5+esm4
Available with Ubuntu Pro
libavcodec-dev 7:6.1.1-3ubuntu5+esm4
Available with Ubuntu Pro

Ubuntu 22.04 LTS
ffmpeg 7:4.4.2-0ubuntu0.22.04.1+esm8
Available with Ubuntu Pro
libavcodec-dev 7:4.4.2-0ubuntu0.22.04.1+esm8
Available with Ubuntu Pro

Ubuntu 20.04 LTS
ffmpeg 7:4.2.7-0ubuntu0.1+esm9
Available with Ubuntu Pro
libavcodec-dev 7:4.2.7-0ubuntu0.1+esm9
Available with Ubuntu Pro

Ubuntu 18.04 LTS
ffmpeg 7:3.4.11-0ubuntu0.1+esm9
Available with Ubuntu Pro
libavcodec-dev 7:3.4.11-0ubuntu0.1+esm9
Available with Ubuntu Pro

Ubuntu 16.04 LTS
ffmpeg 7:2.8.17-0ubuntu0.1+esm11
Available with Ubuntu Pro
libavcodec-dev 7:2.8.17-0ubuntu0.1+esm11
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7738-1
CVE-2025-1594

Package Information:
https://launchpad.net/ubuntu/+source/ffmpeg/7:7.1.1-1ubuntu1.2