[USN-8555-1] Ubuntu Advantage Tools (pro client) vulnerabilities
[USN-8554-1] NTFS-3G vulnerabilities
[USN-8556-1] Ruby vulnerabilities
[USN-8477-2] tar regression
[USN-8557-1] Authlib vulnerabilities
[USN-8555-1] Ubuntu Advantage Tools (pro client) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8555-1
July 16, 2026
ubuntu-advantage-tools vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Ubuntu Advantage Tools.
Software Description:
- ubuntu-advantage-tools: Management tools for Ubuntu Pro
Details:
Bilal Teke discovered that Ubuntu Advantage Tools exposed the Pro bearer
token in command-line arguments when validating APT credentials. A local
attacker could possibly use this issue to obtain sensitive information
and gain unauthorized access to Ubuntu Pro repositories. (CVE-2026-9494)
Frederick Jerusha discovered that Ubuntu Advantage Tools did not properly
validate data received from the contract server when writing APT source
files. An attacker could possibly use this issue to inject arbitrary APT
configuration and execute arbitrary code. (CVE-2026-11386)
Mateusz Gierblinski discovered that Ubuntu Advantage Tools did not
properly handle symbolic links when collecting diagnostic logs. A local
attacker could possibly use this issue to obtain sensitive information
from files owned by the administrator. This issue only affected Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,
Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-12391)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
ubuntu-advantage-pro 37.2ubuntu0.1
ubuntu-advantage-tools 37.2ubuntu0.1
ubuntu-pro-auto-attach 37.2ubuntu0.1
ubuntu-pro-client 37.2ubuntu0.1
ubuntu-pro-client-l10n 37.2ubuntu0.1
Ubuntu 24.04 LTS
ubuntu-advantage-pro 37.2ubuntu~24.04.1
ubuntu-advantage-tools 37.2ubuntu~24.04.1
ubuntu-pro-auto-attach 37.2ubuntu~24.04.1
ubuntu-pro-client 37.2ubuntu~24.04.1
ubuntu-pro-client-l10n 37.2ubuntu~24.04.1
Ubuntu 22.04 LTS
ubuntu-advantage-pro 37.2ubuntu~22.04.1
ubuntu-advantage-tools 37.2ubuntu~22.04.1
ubuntu-pro-auto-attach 37.2ubuntu~22.04.1
ubuntu-pro-client 37.2ubuntu~22.04.1
ubuntu-pro-client-l10n 37.2ubuntu~22.04.1
Ubuntu 20.04 LTS
ubuntu-advantage-pro 37.1ubuntu0~20.04.1
ubuntu-advantage-tools 37.1ubuntu0~20.04.1
ubuntu-pro-auto-attach 37.1ubuntu0~20.04.1
ubuntu-pro-client 37.1ubuntu0~20.04.1
ubuntu-pro-client-l10n 37.1ubuntu0~20.04.1
Ubuntu 18.04 LTS
ubuntu-advantage-pro 37.1ubuntu0~18.04.1
ubuntu-advantage-tools 37.1ubuntu0~18.04.1
ubuntu-pro-auto-attach 37.1ubuntu0~18.04.1
ubuntu-pro-client 37.1ubuntu0~18.04.1
ubuntu-pro-client-l10n 37.1ubuntu0~18.04.1
Ubuntu 16.04 LTS
ubuntu-advantage-pro 37.1ubuntu0~16.04.1
ubuntu-advantage-tools 37.1ubuntu0~16.04.1
ubuntu-pro-auto-attach 37.1ubuntu0~16.04.1
ubuntu-pro-client 37.1ubuntu0~16.04.1
ubuntu-pro-client-l10n 37.1ubuntu0~16.04.1
Ubuntu 14.04 LTS
ubuntu-advantage-tools 19.7ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8555-1
CVE-2026-11386, CVE-2026-12391, CVE-2026-9494
Package Information:
https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/37.2ubuntu0.1
https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/37.2ubuntu~24.04.1
https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/37.2ubuntu~22.04.1
https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/37.1ubuntu0~20.04.1
https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/37.1ubuntu0~18.04.1
https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/37.1ubuntu0~16.04.1
https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/19.7ubuntu0.1
[USN-8554-1] NTFS-3G vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8554-1
July 16, 2026
ntfs-3g vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in NTFS-3G.
Software Description:
- ntfs-3g: read/write NTFS driver for FUSE
Details:
It was discovered that NTFS-3G had a heap buffer overflow when reading
certain NTFS images. A local attacker could possibly use this issue to
execute arbitrary code. (CVE-2026-42616)
It was discovered that NTFS-3G had multiple heap buffer overflows when
processing certain NTFS images. A local attacker could possibly use these
issues to execute arbitrary code. (CVE-2026-42617, CVE-2026-42618,
CVE-2026-46569, CVE-2026-46570, CVE-2026-46572, CVE-2026-56135)
It was discovered that NTFS-3G had out-of-bounds reads when processing
certain NTFS images. A local attacker could possibly use these issues to
obtain sensitive information. (CVE-2026-46571, CVE-2026-56136)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
libntfs-3g89t64 1:2022.10.3-5ubuntu1.1
ntfs-3g 1:2022.10.3-5ubuntu1.1
Ubuntu 24.04 LTS
libntfs-3g89t64 1:2022.10.3-1.2ubuntu3.2
ntfs-3g 1:2022.10.3-1.2ubuntu3.2
Ubuntu 22.04 LTS
libntfs-3g89 1:2021.8.22-3ubuntu1.4
ntfs-3g 1:2021.8.22-3ubuntu1.4
In general, a standard system update will make all the necessary
changes.
References:
https://ubuntu.com/security/notices/USN-8554-1
CVE-2026-42616, CVE-2026-42617, CVE-2026-42618, CVE-2026-46569,
CVE-2026-46570, CVE-2026-46571, CVE-2026-46572, CVE-2026-56135,
CVE-2026-56136
Package Information:
https://launchpad.net/ubuntu/+source/ntfs-3g/1:2022.10.3-5ubuntu1.1
https://launchpad.net/ubuntu/+source/ntfs-3g/1:2022.10.3-1.2ubuntu3.2
https://launchpad.net/ubuntu/+source/ntfs-3g/1:2021.8.22-3ubuntu1.4
[USN-8556-1] Ruby vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8556-1
July 16, 2026
ruby2.3 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in Ruby.
Software Description:
- ruby2.3: Object-oriented scripting language
Details:
It was discovered that the Net::IMAP client in Ruby did not properly
sanitize Symbol arguments passed to IMAP commands. A remote attacker
controlling a malicious IMAP server, or able to influence command
arguments, could use this to inject arbitrary IMAP commands via CRLF
sequences. (CVE-2026-42258)
It was discovered that the Zlib::GzipReader in Ruby did not correctly
ensure sufficient buffer capacity in the zstream_buffer_ungets function.
An attacker could use this to craft a gzip stream that, when processed,
could cause a buffer overflow, resulting in memory corruption and possibly
arbitrary code execution. (CVE-2026-27820)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS
libruby2.3 2.3.1-2~ubuntu16.04.16+esm15
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8556-1
CVE-2026-27820, CVE-2026-42258
[USN-8477-2] tar regression
==========================================================================
Ubuntu Security Notice USN-8477-2
July 16, 2026
tar regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
USN-8477-1 introduced a regression in tar
Software Description:
- tar: GNU tar archive utility
Details:
USN-8477-1 fixed a vulnerability in tar. The update introduced a regression
that could cause tar to fail to extract certain valid files.
This update fixes the problem.
Original advisory details:
It was discovered that tar incorrectly handled certain crafted archive files.
An attacker could possibly use this to inject hidden files with
attacker-controlled content, bypassing pre-extraction inspection mechanisms.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
tar 1.35+dfsg-4ubuntu0.3
Ubuntu 24.04 LTS
tar 1.35+dfsg-3ubuntu0.3
Ubuntu 22.04 LTS
tar 1.34+dfsg-1ubuntu0.1.22.04.5
Ubuntu 20.04 LTS
tar 1.30+dfsg-7ubuntu0.20.04.4+esm2
Available with Ubuntu Pro
Ubuntu 18.04 LTS
tar 1.29b-2ubuntu0.4+esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
tar 1.28-2.1ubuntu0.2+esm5
Available with Ubuntu Pro
Ubuntu 14.04 LTS
tar 1.27.1-1ubuntu0.1+esm6
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8477-2
https://ubuntu.com/security/notices/USN-8477-1
CVE-2026-5704, https://launchpad.net/bugs/2160650
Package Information:
https://launchpad.net/ubuntu/+source/tar/1.35+dfsg-4ubuntu0.3
https://launchpad.net/ubuntu/+source/tar/1.35+dfsg-3ubuntu0.3
https://launchpad.net/ubuntu/+source/tar/1.34+dfsg-1ubuntu0.1.22.04.5
[USN-8557-1] Authlib vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8557-1
July 16, 2026
python-authlib vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in Authlib.
Software Description:
- python-authlib: Python library for building OAuth and OpenID Connect servers
Details:
Jay Neiva and Mauro Carrillo discovered that Authlib did not properly
validate cryptographic keys embedded in JWT headers. An attacker could
possibly use this issue to forge trusted tokens, resulting in
authentication and authorization bypass. (CVE-2026-27962)
Jay Neiva and Mauro Carrillo discovered that Authlib incorrectly handled
RSA1_5 encrypted tokens. An attacker could possibly use this issue to
recover sensitive encrypted information, resulting in information
disclosure. (CVE-2026-28490)
Jay Neiva and Mauro Carrillo discovered that Authlib did not properly
reject unsupported cryptographic algorithms when validating OpenID
Connect ID tokens. An attacker could possibly use this issue to bypass
token integrity checks, resulting in authentication bypass.
(CVE-2026-28498)
Johnny Deuss discovered that Authlib did not provide cross-site request
forgery protection for the OAuth cache feature in its Starlette
integration. An attacker could possibly use this issue to perform
unauthorized OAuth actions, resulting in cross-site request forgery.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS.
(CVE-2026-41425)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
python3-authlib 1.6.7-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 24.04 LTS
python3-authlib 1.3.0-1ubuntu0.1~esm2
Available with Ubuntu Pro
Ubuntu 22.04 LTS
python3-authlib 0.15.5-1ubuntu0.1~esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8557-1
CVE-2026-27962, CVE-2026-28490, CVE-2026-28498, CVE-2026-41425