[USN-8362-1] XZ Utils vulnerability
[USN-8282-2] Unbound vulnerabilities
[USN-8374-1] Linux kernel vulnerabilities
[USN-8238-2] EditorConfig vulnerability
[USN-8372-1] age vulnerability
[USN-8366-1] Luanti vulnerabilities
[USN-8368-1] libeconf vulnerability
[USN-8367-1] tar-fs vulnerabilities
[USN-8369-1] Apache Tomcat Connectors vulnerability
[USN-8364-1] Apache Commons Lang vulnerability
[USN-8365-1] Dovecot vulnerabilities
[USN-8362-1] XZ Utils vulnerability
==========================================================================
Ubuntu Security Notice USN-8362-1
June 02, 2026
xz-utils vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
XZ Utils could be made to crash or run programs as your login if it
received specially crafted input.
Software Description:
- xz-utils: XZ-format compression utilities
Details:
It was discovered that XZ Utils did not properly manage memory when
attempting to append data to a decoded index that contained no records.
An attacker could possibly use this issue to cause XZ Utils to crash,
resulting in a denial of service, or execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.10
liblzma5 5.8.1-1ubuntu0.1
xz-utils 5.8.1-1ubuntu0.1
xzdec 5.8.1-1ubuntu0.1
Ubuntu 24.04 LTS
liblzma5 5.6.1+really5.4.5-1ubuntu0.3
xz-utils 5.6.1+really5.4.5-1ubuntu0.3
xzdec 5.6.1+really5.4.5-1ubuntu0.3
Ubuntu 22.04 LTS
liblzma5 5.2.5-2ubuntu1.1
xz-utils 5.2.5-2ubuntu1.1
xzdec 5.2.5-2ubuntu1.1
Ubuntu 20.04 LTS
liblzma5 5.2.4-1ubuntu1.1+esm1
Available with Ubuntu Pro
xz-utils 5.2.4-1ubuntu1.1+esm1
Available with Ubuntu Pro
xzdec 5.2.4-1ubuntu1.1+esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
liblzma5 5.2.2-1.3ubuntu0.1+esm1
Available with Ubuntu Pro
xz-utils 5.2.2-1.3ubuntu0.1+esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
liblzma5 5.1.1alpha+20120614-2ubuntu2.16.04.1+esm2
Available with Ubuntu Pro
xz-utils 5.1.1alpha+20120614-2ubuntu2.16.04.1+esm2
Available with Ubuntu Pro
xzdec 5.1.1alpha+20120614-2ubuntu2.16.04.1+esm2
Available with Ubuntu Pro
Ubuntu 14.04 LTS
liblzma5 5.1.1alpha+20120614-2ubuntu2.14.04.1+esm2
Available with Ubuntu Pro
xz-utils 5.1.1alpha+20120614-2ubuntu2.14.04.1+esm2
Available with Ubuntu Pro
xzdec 5.1.1alpha+20120614-2ubuntu2.14.04.1+esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8362-1
CVE-2026-34743
Package Information:
https://launchpad.net/ubuntu/+source/xz-utils/5.8.1-1ubuntu0.1
https://launchpad.net/ubuntu/+source/xz-utils/5.6.1+really5.4.5-1ubuntu0.3
https://launchpad.net/ubuntu/+source/xz-utils/5.2.5-2ubuntu1.1
[USN-8282-2] Unbound vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8282-2
June 02, 2026
unbound vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Unbound.
Software Description:
- unbound: validating, recursive, caching DNS resolver
Details:
USN-8282-1 fixed vulnerabilities in Unbound. This update provides the
corresponding updates for CVE-2026-41292 in Ubuntu 18.04 LTS and Ubuntu
20.04 LTS and CVE-2026-42959, CVE-2026-42960 in Ubuntu 14.04 LTS, Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.
Original advisory details:
Andrew Griffiths discovered that Unbound did not properly handle certain
DNSCrypt packets. A remote attacker could possibly use this issue to cause
Unbound to crash, resulting in a denial of service. (CVE-2026-32792)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
in certain situations. A remote attacker could possibly use this issue to
execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu
25.10, and Ubuntu 26.04 LTS. (CVE-2026-33278)
Qifan Zhang discovered that Unbound incorrectly handled certain ghost
domain name records. A remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-40622)
Qifan Zhang discovered that Unbound did not properly limit processing of
long EDNS option lists. A remote attacker could possibly use this issue to
cause Unbound to use excessive resources, leading to a denial of service.
(CVE-2026-41292)
Qifan Zhang discovered that Unbound incorrectly handled jostle logic under
certain circumstances. A remote attacker could possibly use this issue to
cause Unbound to use excessive resources, leading to a denial of service.
(CVE-2026-42534)
Qifan Zhang discovered that Unbound did not properly bound NSEC3 hash
calculations. A remote attacker could possibly use this issue to cause
Unbound to use excessive resources, leading to a denial of service.
(CVE-2026-42923)
Qifan Zhang discovered that Unbound incorrectly handled multiple EDNS
options in certain situations. A remote attacker could possibly use this
issue to cause Unbound to crash, resulting in a denial of service, or
execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu
25.10, and Ubuntu 26.04 LTS. (CVE-2026-42944)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
of malicious content. A remote attacker could possibly use this issue to
cause Unbound to crash, resulting in a denial of service.
(CVE-2026-42959)
TaoFei Guo, Yang Luo, and JianJun Chen discovered that Unbound
incorrectly handled delegation processing in certain situations. A remote
attacker could possibly use this issue to poison the DNS cache and obtain
sensitive information. (CVE-2026-42960)
Qifan Zhang discovered that Unbound did not properly bound name
compression in certain cases. A remote attacker could possibly use this
issue to cause Unbound to use excessive resources, leading to a denial of
service. (CVE-2026-44390)
Qifan Zhang discovered that Unbound had a use-after-free issue in RPZ
handling. A remote attacker could possibly use this issue to cause Unbound
to crash, resulting in a denial of service, or execute arbitrary code.
This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04
LTS. (CVE-2026-44608)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS
libunbound8 1.9.4-2ubuntu1.11+esm1
Available with Ubuntu Pro
unbound 1.9.4-2ubuntu1.11+esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
libunbound2 1.6.7-1ubuntu2.6+esm4
Available with Ubuntu Pro
unbound 1.6.7-1ubuntu2.6+esm4
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libunbound2 1.5.8-1ubuntu1.1+esm3
Available with Ubuntu Pro
unbound 1.5.8-1ubuntu1.1+esm3
Available with Ubuntu Pro
Ubuntu 14.04 LTS
libunbound2 1.4.22-1ubuntu4.14.04.3+esm3
Available with Ubuntu Pro
unbound 1.4.22-1ubuntu4.14.04.3+esm3
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8282-2
https://ubuntu.com/security/notices/USN-8282-1
CVE-2026-41292, CVE-2026-42959, CVE-2026-42960
[USN-8374-1] Linux kernel vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8374-1
June 02, 2026
linux-aws-6.17, linux-gcp, linux-gcp-6.17 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.10
- Ubuntu 24.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-aws-6.17: Linux kernel for Amazon Web Services (AWS) systems
- linux-gcp-6.17: Linux kernel for Google Cloud Platform (GCP) systems
Details:
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000)
It was discovered that a logic flaw existed in the XFRM ESP-in-TCP
subsystem in the Linux kernel when handling socket buffer fragments. This
flaw is known as Fragnesia. A local attacker could use this to escalate
privileges, or possibly escape a container. (CVE-2026-43503,
CVE-2026-46300)
Qualys discovered that a race condition existed in the ptrace subsystem of
the Linux kernel when privileged processes are exiting. An unprivileged
local attacker could use this issue to expose sensitive information.
(CVE-2026-46333)
Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0
contain a memory leak when handling AppArmor notifications. A local
attacker could use this to cause resource exhaustion. (CVE-2026-47326)
Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0
contain a NULL pointer dereference when handling AppArmor notifications. A
local attacker could use this to cause a kernel oops. (CVE-2026-47327)
Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0
contained an invalid free when handling AppArmor notifications. A local
attacker could use this to corrupt kernel memory. (CVE-2026-47328)
Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0
contained insufficient validation of AppArmor notification responses. A
local attacker could use this to allow crafted responses to be processed.
(CVE-2026-47329)
Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0 used
an uninitialized variable when handling AppArmor notifications. A local
attacker could use this to cause incorrect caching of data.
(CVE-2026-47330)
Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0
contained an out-of-bounds (OOB) read when handling AppArmor notifications.
A local attacker could use this to cause information disclosure of kernel
memory. (CVE-2026-47332)
Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0
contained a out-of-bounds (OOB) read when handling AppArmor notifications.
A local attacker could use this to cause kernel memory corruption and,
theoretically, influence processing of AppArmor policies. (CVE-2026-47333)
Tristan Madani discovered that Ubuntu Linux kernel 6.8, 6.17 and 7.0
contained incorrect holding of locks when handling AppArmor notifications.
A local attacker could use this to cause a kernel panic or deadlock.
(CVE-2026-47334)
Tristan Madani and Trevor Lawrence have each independently discovered that
Ubuntu Linux kernel 6.8, 6.17 and 7.0 contained a NULL pointer dereference
when handling AppArmor network socket mediation. A local attacker could use
this to cause a kernel oops. (CVE-2026-47337)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- S390 architecture;
- Cryptographic API;
- GPU drivers;
- Ethernet bonding driver;
- Network file system (NFS) server daemon;
- Distributed Switch Architecture;
- Netfilter;
- Control group (cgroup);
- Kernel kexec() syscall;
- Memory management;
- MAC80211 subsystem;
- Multipath TCP;
- Packet sockets;
- RDS protocol;
- RxRPC session sockets;
- TLS protocol;
- Unix domain sockets;
- AppArmor security module;
(CVE-2025-71088, CVE-2025-71090, CVE-2025-71127, CVE-2025-71134,
CVE-2025-71139, CVE-2025-71141, CVE-2025-71142, CVE-2025-71144,
CVE-2025-71152, CVE-2025-71155, CVE-2026-23274, CVE-2026-23351,
CVE-2026-23394, CVE-2026-31419, CVE-2026-31504, CVE-2026-31533,
CVE-2026-31676, CVE-2026-43033, CVE-2026-43077, CVE-2026-43078,
CVE-2026-43494, CVE-2026-45966, CVE-2026-46028)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.10
linux-image-6.17.0-1018-gcp 6.17.0-1018.19
linux-image-6.17.0-1018-gcp-64k 6.17.0-1018.19
linux-image-gcp 6.17.0-1018.19
linux-image-gcp-6.17 6.17.0-1018.19
linux-image-gcp-64k 6.17.0-1018.19
linux-image-gcp-64k-6.17 6.17.0-1018.19
Ubuntu 24.04 LTS
linux-image-6.17.0-1017-aws 6.17.0-1017.17~24.04.1
linux-image-6.17.0-1017-aws-64k 6.17.0-1017.17~24.04.1
linux-image-6.17.0-1018-gcp 6.17.0-1018.19~24.04.1
linux-image-6.17.0-1018-gcp-64k 6.17.0-1018.19~24.04.1
linux-image-aws 6.17.0-1017.17~24.04.1
linux-image-aws-6.17 6.17.0-1017.17~24.04.1
linux-image-aws-64k 6.17.0-1017.17~24.04.1
linux-image-aws-64k-6.17 6.17.0-1017.17~24.04.1
linux-image-gcp 6.17.0-1018.19~24.04.1
linux-image-gcp-6.17 6.17.0-1018.19~24.04.1
linux-image-gcp-64k 6.17.0-1018.19~24.04.1
linux-image-gcp-64k-6.17 6.17.0-1018.19~24.04.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-8374-1
CVE-2025-71088, CVE-2025-71090, CVE-2025-71127, CVE-2025-71134,
CVE-2025-71139, CVE-2025-71141, CVE-2025-71142, CVE-2025-71144,
CVE-2025-71152, CVE-2025-71155, CVE-2026-23274, CVE-2026-23351,
CVE-2026-23394, CVE-2026-31419, CVE-2026-31431, CVE-2026-31504,
CVE-2026-31533, CVE-2026-31676, CVE-2026-43033, CVE-2026-43077,
CVE-2026-43078, CVE-2026-43284, CVE-2026-43494, CVE-2026-43500,
CVE-2026-43503, CVE-2026-45966, CVE-2026-45998, CVE-2026-46000,
CVE-2026-46028, CVE-2026-46300, CVE-2026-46333, CVE-2026-47326,
CVE-2026-47327, CVE-2026-47328, CVE-2026-47329, CVE-2026-47330,
CVE-2026-47332, CVE-2026-47333, CVE-2026-47334, CVE-2026-47337
Package Information:
https://launchpad.net/ubuntu/+source/linux-gcp/6.17.0-1018.19
https://launchpad.net/ubuntu/+source/linux-aws-6.17/6.17.0-1017.17~24.04.1
https://launchpad.net/ubuntu/+source/linux-gcp-6.17/6.17.0-1018.19~24.04.1
[USN-8238-2] EditorConfig vulnerability
==========================================================================
Ubuntu Security Notice USN-8238-2
June 02, 2026
editorconfig-core vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
EditorConfig could be made to crash if it opened a specially crafted file.
Software Description:
- editorconfig-core: coding style indenter across editors
Details:
USN-8238-1 fixed a vulnerability in EditorConfig. This update contains the
corresponding fix for Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS,
and Ubuntu 22.04 LTS.
Original advisory details:
It was discovered that EditorConfig incorrectly handled specially crafted
configuration files. A local attacker could possibly use this issue to
cause EditorConfig to crash, resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
editorconfig 0.12.5-2ubuntu0.1~esm3
Available with Ubuntu Pro
editorconfig-doc 0.12.5-2ubuntu0.1~esm3
Available with Ubuntu Pro
libeditorconfig-dev 0.12.5-2ubuntu0.1~esm3
Available with Ubuntu Pro
libeditorconfig0 0.12.5-2ubuntu0.1~esm3
Available with Ubuntu Pro
Ubuntu 20.04 LTS
editorconfig 0.12.1-1.1+deb11u1ubuntu0.1~esm1
Available with Ubuntu Pro
editorconfig-doc 0.12.1-1.1+deb11u1ubuntu0.1~esm1
Available with Ubuntu Pro
libeditorconfig-dev 0.12.1-1.1+deb11u1ubuntu0.1~esm1
Available with Ubuntu Pro
libeditorconfig0 0.12.1-1.1+deb11u1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
editorconfig 0.12.1-1.1ubuntu0.18.04.1~esm3
Available with Ubuntu Pro
editorconfig-doc 0.12.1-1.1ubuntu0.18.04.1~esm3
Available with Ubuntu Pro
libeditorconfig-dev 0.12.1-1.1ubuntu0.18.04.1~esm3
Available with Ubuntu Pro
libeditorconfig0 0.12.1-1.1ubuntu0.18.04.1~esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
editorconfig 0.12.0-2ubuntu0.1~esm3
Available with Ubuntu Pro
editorconfig-doc 0.12.0-2ubuntu0.1~esm3
Available with Ubuntu Pro
libeditorconfig-dev 0.12.0-2ubuntu0.1~esm3
Available with Ubuntu Pro
libeditorconfig0 0.12.0-2ubuntu0.1~esm3
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8238-2
https://ubuntu.com/security/notices/USN-8238-1
CVE-2026-40489
[USN-8372-1] age vulnerability
==========================================================================
Ubuntu Security Notice USN-8372-1
June 02, 2026
age vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
Summary:
age could be made to crash or run programs as your login if it
opened a specially crafted file.
Software Description:
- age: A simple, modern and secure file encryption tool, format, and Go library.
Details:
It was discovered that age did not properly validate plugin names. An
attacker could possibly use this issue to cause execution of an
arbitrary program by supplying a crafted recipient or identity string.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
age 1.1.1-1ubuntu0.24.04.3+esm1
Available with Ubuntu Pro
golang-filippo-age-dev 1.1.1-1ubuntu0.24.04.3+esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8372-1
CVE-2024-56327
[USN-8366-1] Luanti vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8366-1
June 02, 2026
luanti vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
Summary:
Several security issues were fixed in Luanti.
Software Description:
- luanti: free and open-source voxel game engine
Details:
It was discovered that Luanti, when using LuaJIT, did not properly
enforce Lua sandbox restrictions. An attacker could possibly use
this issue to execute arbitrary code. (CVE-2026-40959)
It was discovered that Luanti did not properly restrict access to
insecure environments. An attacker could possibly use this issue to
obtain unintended access to the insecure environment or HTTP API.
(CVE-2026-40960)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
luanti 5.10.0+dfsg-5+deb13u1build0.26.04.1
luanti-data 5.10.0+dfsg-5+deb13u1build0.26.04.1
luanti-server 5.10.0+dfsg-5+deb13u1build0.26.04.1
Ubuntu 25.10
luanti 5.10.0+dfsg-5+deb13u1build0.25.10.1
luanti-data 5.10.0+dfsg-5+deb13u1build0.25.10.1
luanti-server 5.10.0+dfsg-5+deb13u1build0.25.10.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8366-1
CVE-2026-40959, CVE-2026-40960
Package Information:
https://launchpad.net/ubuntu/+source/luanti/5.10.0+dfsg-5+deb13u1build0.26.04.1
https://launchpad.net/ubuntu/+source/luanti/5.10.0+dfsg-5+deb13u1build0.25.10.1
[USN-8368-1] libeconf vulnerability
==========================================================================
Ubuntu Security Notice USN-8368-1
June 02, 2026
libeconf vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
libeconf could be made to crash if it received specially crafted
input.
Software Description:
- libeconf: highly flexible and configurable library to parse and manage key=value configuration files
Details:
It was discovered that libeconf did not properly check the size of
input when copying data to a buffer. An attacker could possibly use
this issue to cause libeconf to crash, resulting in a denial of
service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
libeconf0 0.3.8-1+deb11u1build0.22.04.1
In general, a standard system update will make all the necessary
changes.
References:
https://ubuntu.com/security/notices/USN-8368-1
CVE-2023-22652
Package Information:
https://launchpad.net/ubuntu/+source/libeconf/0.3.8-1+deb11u1build0.22.04.1
[USN-8367-1] tar-fs vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8367-1
June 02, 2026
node-tar-fs vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in tar-fs.
Software Description:
- node-tar-fs: File system bindings for tar-stream
Details:
It was discovered that tar-fs did not properly limit paths when
extracting crafted tar files. An attacker could possibly use this
issue to write or overwrite files outside the intended extraction
directory. This issue only affected Ubuntu 22.04 LTS and Ubuntu
24.04 LTS. (CVE-2024-12905)
It was discovered that tar-fs did not properly validate extraction
paths for certain crafted tar archives. An attacker could possibly
use this issue to write files outside the intended extraction
directory. This issue only affected Ubuntu 22.04 LTS and Ubuntu
24.04 LTS. (CVE-2025-48387)
It was discovered that tar-fs had a symlink validation bypass when
extracting crafted tar files. An attacker could possibly use this
issue to write files outside the intended extraction directory.
(CVE-2025-59343)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.10
node-tar-fs 3.0.9+~cs2.0.4-1+deb13u1build0.25.10.1
Ubuntu 24.04 LTS
node-tar-fs 2.1.1-6ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
Ubuntu 22.04 LTS
node-tar-fs 2.1.1-6ubuntu0.22.04.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8367-1
CVE-2024-12905, CVE-2025-48387, CVE-2025-59343
Package Information:
https://launchpad.net/ubuntu/+source/node-tar-fs/3.0.9+~cs2.0.4-1+deb13u1build0.25.10.1
[USN-8369-1] Apache Tomcat Connectors vulnerability
==========================================================================
Ubuntu Security Notice USN-8369-1
June 02, 2026
libapache-mod-jk vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Apache Tomcat Connectors could allow local users to expose sensitive
information or cause a denial of service.
Software Description:
- libapache-mod-jk: Apache 2 connector for the Tomcat Java servlet engine
Details:
It was discovered that Apache Tomcat Connectors used incorrect default
permissions for shared memory on Unix-like systems. A local attacker
could possibly use this issue to view or modify mod_jk configuration
data in shared memory, resulting in sensitive information exposure or a
denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libapache2-mod-jk 1:1.2.49-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 22.04 LTS
libapache2-mod-jk 1:1.2.48-1ubuntu0.1+esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
libapache2-mod-jk 1:1.2.46-1ubuntu0.1+esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
libapache2-mod-jk 1:1.2.43-1ubuntu0.1~esm2
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libapache2-mod-jk 1:1.2.41-1ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8369-1
CVE-2024-46544
[USN-8364-1] Apache Commons Lang vulnerability
==========================================================================
Ubuntu Security Notice USN-8364-1
June 02, 2026
libcommons-lang-java, libcommons-lang3-java vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Apache Commons Lang could be made to crash if it received specially crafted input.
Software Description:
- libcommons-lang-java: an extension of the java.lang package
- libcommons-lang3-java: an extension of the java.lang package
Details:
It was discovered that Apache Commons Lang incorrectly handled recursion
in the ClassUtils.getClass method. An attacker could possibly use this
issue to cause Apache Commons Lang to crash, resulting in a denial of
service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
libcommons-lang-java 2.6-10ubuntu0.1
libcommons-lang3-java 3.14.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 22.04 LTS
libcommons-lang-java 2.6-9ubuntu0.22.04.1
libcommons-lang3-java 3.11-1ubuntu0.1
Ubuntu 20.04 LTS
libcommons-lang-java 2.6-9ubuntu0.20.04.1~esm1
Available with Ubuntu Pro
libcommons-lang3-java 3.8-2ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
libcommons-lang-java 2.6-8ubuntu0.1~esm1
Available with Ubuntu Pro
libcommons-lang3-java 3.8-1~18.04.2+esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libcommons-lang-java 2.6-6ubuntu2+esm1
Available with Ubuntu Pro
libcommons-lang3-java 3.4-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 14.04 LTS
libcommons-lang-java 2.6-3ubuntu2+esm1
Available with Ubuntu Pro
libcommons-lang3-java 3.2.1-1ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8364-1
CVE-2025-48924
Package Information:
https://launchpad.net/ubuntu/+source/libcommons-lang-java/2.6-9ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/libcommons-lang3-java/3.11-1ubuntu0.1
[USN-8365-1] Dovecot vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8365-1
June 02, 2026
dovecot vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in Dovecot.
Software Description:
- dovecot: IMAP and POP3 email server
Details:
It was discovered that Dovecot incorrectly treated some variable expansion
pipelines as safe in authentication filters. An attacker could possibly use
this issue to perform SQL or LDAP injection attacks. This issue only
affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-27851)
It was discovered that Dovecot incorrectly verified SCRAM TLS channel
binding in certain base64 exchanges. A remote attacker could possibly use
this issue to obtain sensitive information in a machine-in-the-middle
attack. (CVE-2026-33603)
It was discovered that Dovecot incorrectly enforced Sieve script CPU
limits. An attacker could possibly use this issue to cause Dovecot to use
excessive resources, leading to a denial of service. (CVE-2026-40016)
It was discovered that Dovecot incorrectly handled certain IMAP SETACL
commands. An attacker could possibly use this issue to spam folders to
other users. (CVE-2026-40020)
It was discovered that Dovecot incorrectly handled excessive IMAP bracing.
An attacker could possibly use this issue to cause Dovecot to use excessive
resources, leading to a denial of service. (CVE-2026-42006)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
dovecot-core 1:2.4.2+dfsg1-3ubuntu2.1
Ubuntu 25.10
dovecot-core 1:2.4.1+dfsg1-5ubuntu4.2
Ubuntu 24.04 LTS
dovecot-core 1:2.3.21+dfsg1-2ubuntu6.5
Ubuntu 22.04 LTS
dovecot-core 1:2.3.16+dfsg1-3ubuntu2.9
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8365-1
CVE-2026-27851, CVE-2026-33603, CVE-2026-40016, CVE-2026-40020,
CVE-2026-42006
Package Information:
https://launchpad.net/ubuntu/+source/dovecot/1:2.4.2+dfsg1-3ubuntu2.1
https://launchpad.net/ubuntu/+source/dovecot/1:2.4.1+dfsg1-5ubuntu4.2
https://launchpad.net/ubuntu/+source/dovecot/1:2.3.21+dfsg1-2ubuntu6.5
https://launchpad.net/ubuntu/+source/dovecot/1:2.3.16+dfsg1-3ubuntu2.9
